[Fig. 1. A Reference Model for Dynamic Distributed P2P Indexing. The figure is not reproduced; it shows a provider publishing an advertisement ad to the indexing system, an indirect item i' = link_item(I, {Concert}) and a replicated item i'' = rep_item(I, {Faye Wong}) derived from the indexed item at I, and a requestor R issuing queries q and q''.]
In a file publication process, the provider P advertises a keyword list s to indexer I for a given file using the primitive publish; the advertisement ad includes a list of searching keywords ad.S_list and the provider's identifier ad.P_id:

$$\mathrm{publish}(P \to I):\ \mathrm{advertisement}(P, s) = \langle P, s \rangle \qquad (1)$$

In an index maintenance process, the primitives link and replicate are provided to model, respectively, the indexing hierarchies [2] and caches [2][3] commonly used in dynamic distributed P2P indexing systems. Applying link to a locally indexed item i, an indexer I requests another indexer I' to store an indirect item i', which directs a user's broad query q' (such that q'.Q_list ⊆ i.S_list) received by I' to the more specific item i stored at I:

$$\mathrm{link}(I \to I'):\ \mathrm{link\_item}(I, s') = \langle I, s' \rangle \qquad (2)$$

Applying replicate to a locally indexed item i, an indexer I requests another indexer I'' to store a replicated item i'', enabling I'' to respond to a query q'' (q''.Q_list ⊆ i.S_list) with i'':

$$\mathrm{replicate}(I \to I''):\ \mathrm{rep\_item}(I, s'', i) = \langle i.P\_id, s'' \rangle \qquad (3)$$

In a file query process, using the primitive query, the requestor R issues a query q (including the requestor's identifier q.P_id and a list of querying keywords q.Q_list) to an indexer J, who responds with the matching index items item_list(J, q.Q_list):

$$\mathrm{query}(R \to J):\ \mathrm{query}(R, Q\_list) = \langle R, Q\_list \rangle \qquad (4)$$

$$\mathrm{respond}(J \to R):\ \mathrm{response}(q) = \langle J, \mathrm{item\_list}(J, q.Q\_list) \rangle \qquad (5)$$

$$\mathrm{item\_list}(J, Q\_list) = \{\, i \in J.items \mid i.S\_list \subseteq Q\_list \,\} \qquad (6)$$
Each item returned can be: (1) an original advertisement; (2) an indirect link to an indexer J' for a more specific query q' (q.Q_list ⊆ q'.Q_list); or (3) a replicated item from an indexer J'.
360
L. Deng, Y. He, and Z. Xu
Authenticity Objectives in P2P File Sharing. In [4], we define several authenticity objectives for P2P file sharing systems, where each shared file consists of content and metadata containing keywords to facilitate searching. A file D = ⟨content, metadata⟩ is defined to be authentic if D.metadata accurately describes D.content. For simplicity, we assume there is an absolute global authenticity evaluation function Auth that takes as input a file D's content and metadata and returns 1 if D.metadata is an accurate description of D.content, or 0 otherwise; i.e., D is authentic whenever Auth(D.content, D.metadata) = 1. Any peer can evaluate the function for any file. There may be a semantic containment relation between different metadata: metadata M1 semantically contains M2, written M2 ⊆ M1, if for any data content c, Auth(c, M2) = 1 holds whenever Auth(c, M1) = 1 holds. If each metadata contains only atomic, independent keywords, this relation reduces to the subset relation. E.g., an authentic file described by M1 = {Faye Wong, concert} is also authentic in terms of M2 = {Faye Wong}.

A downloading transaction T for file D from provider P to requestor R is written ⟨R, P, q, ad, D⟩ (T.q and T.ad are the query and advertisement involved). The downloaded file T.D can be: (1) a Correct File, the authentic file expected by requestor R for q; (2) an Incorrect File, an authentic file that is nonetheless undesirable to R for q; or (3) a Fake File, an undesirable inauthentic file. Clearly only the Correct File is what R wants. Therefore, we further define a transaction T to be authentic if T.D.content conforms to T.q's description, i.e. Auth(T.D.content, T.q.Q_list) = 1. In other words, through an authentic transaction the requestor gets what it wants (the correct file); through an inauthentic transaction the requestor wastes its resources on querying and loses confidence in the system.

Therefore, the service reliability and availability of a file-sharing system depend both on protecting authentic transactions and on discarding inauthentic ones, which can be guided by the following theorem.

Theorem 1 (Authenticity Assurance). T = ⟨R, P, q, ad, D⟩ is authentic if (1) D is authentic, i.e. Auth(D.content, D.metadata) = 1 (file authenticity); (2) ad's description is contained by D's metadata, i.e. ad.S_list ⊆ D.metadata (index authenticity); and (3) q's description is contained by ad's description, i.e. q.Q_list ⊆ ad.S_list (query authenticity).

Theorem 1 (see [4] for its proof) divides the goal of transaction authenticity into three sub-goals: file authenticity, index authenticity and query authenticity. To avoid inauthentic transactions, the requestor can verify the authenticity of a candidate transaction T before downloading. However, the requestor has only T.q and T.ad for decision making. Although it can verify "query authenticity" effectively, neither "file authenticity" nor "index authenticity" can be verified, and these are the very two vulnerabilities exploited by file pollution [5] and index poisoning. While file pollution is typically addressed by a reputation system [6] through reliable estimates of file authenticity (from the provider's credibility), in this paper we focus on combating index poisoning, which targets index authenticity.
Adversary Model. An index poisoning attacker (a malicious or compromised indexer) falsely indexes coined items for targeted keywords. Three types of attacks are considered: (1) Fit (Fake ITem), where an attacker coins fake index items that do not correspond to any file or provider in the system; (2) Mit (Manipulated ITem), where an attacker modifies index items, e.g. their keywords, to cause fake query hits; and (3) Coy (Collusive decOY), where an attacker directs the requestor to malicious providers (pollution attackers) via modified index items.
3 Related Work
Daswani et al. define the file authenticity problem in a P2P context [7], and evaluate several reputation proposals for authenticating a shared file's authenticity [8]. Zhang et al. [9] argue that the goal of authenticity is to ensure that shared information is genuine and free of malicious modification, which depends on the valid behavior of both the providing peer and its P2P software. We define various authenticity objectives in a P2P file sharing system and propose adding integrity protection mechanisms for both reputation values and distributed index data [4], which serves as the basis for our work in this paper. Traditional P2P indexing schemes fall into three categories: (1) Server-based schemes for hybrid P2P networks, such as BitTorrent [10], where some well-known websites use central servers to store description files and conduct search. These schemes suffer from the performance/security bottleneck of central index servers. (2) Polling-based schemes for pure unstructured P2P networks, such as Gnutella [11], where a flooding mechanism is used: each peer forwards received queries to all of its neighbors, and responses are routed back along the path through which the original query arrived. Poor scalability is the main concern for such mechanisms, while the use of the TTL (see footnote 1) effectively segments the network. (3) DHT-based schemes for structured P2P networks, where a DHT system such as Chord [12] maps keys to peers in a P2P infrastructure so that any peer can determine the current live peer (indexer) responsible for a given file's identifier. Since advertisements and queries are routed to the corresponding indexers, no index server is needed. DHT schemes demonstrate great scalability and availability. Simple DHT schemes only support single-keyword exact-match lookups. In practice, however, requestors often have (1) multiple keywords, and/or (2) only partial information about the targeted file.
[13] discusses complex queries in DHT-based P2P networks using traditional relational database operators. [2] employs indexing hierarchies to support queries with partial knowledge. Ever since [14] questioned the feasibility of an Internet-wide search engine based on P2P, there has been rigorous work to improve the tradeoff in P2P indexing between extra cost and query quality. To reduce the traffic cost of distributed intersection/union operations at an indexer, [15] uses Bloom Filter (BF) encoding to handle multi-keyword search. To accelerate query processing, [2] proposes caching query results for future use. To eliminate unnecessary storage burden, [3] further suggests a query-driven strategy that only generates and maintains those index entries actually used. Bloom filters have been used in database applications since the 1970s, but only in recent years have they become popular in the networking literature [16]. Their applications in P2P include: probabilistic routing for unstructured P2P networks [17], approximate set reconciliation for the segmented distribution of large files [18], and set intersection for multiple-keyword searches [15][19]. In all, lacking a proper understanding of the index authenticity problem, existing work on P2P indexing pays little attention to authenticity protection and is therefore especially prone to index poisoning attacks.

Footnote 1: Each message contains a time-to-live (TTL) field, whose value is decremented at each hop. A message is dropped when its TTL reaches zero.
4 System Design
Informally, to combat index poisoning, one must address the following problem [1]: how to authenticate query-returned index items so as to ensure that the file is not only present but will also be uploaded upon request. The proposed solution is a cost-efficient index verification scheme built on a robust subject reputation system. We assume a source reputation mechanism that reliably evaluates the provider's credibility for publishing authentic advertisements (Definition 1). A secure index verification scheme, on the other hand, is employed as a plug-in component for a P2P indexing scheme, to verify the authenticity of an indexed advertisement returned by a distrusted indexer, according to Definition 2.

Definition 1 (Source Authenticity). Advertisement ad published by P is authentic if P owns an authentic file D such that ad.S_list ⊆ D.metadata holds.

Definition 2 (Conveyed Authenticity). An indexed advertisement ad returned by index peer Q is authentic if it conforms to an authentic original advertisement ad_0 from an honest provider P, i.e., ad.S_list ⊆ ad_0.S_list holds.

In the following, we first formally define a secure index verification scheme. A simple signature-based scheme is given as the starting point, followed by our BF-based solution. We assume each provider P holds an asymmetric key pair ⟨SK_P, PK_P⟩, keeping PK_P public and SK_P private.

Definition 3 (Index Verification Scheme). An index verification scheme is a tuple of efficient algorithms ⟨Tsfy, Cnvy, Tslt, Vrfy⟩ with the following properties:
– Tsfy takes as input a keyword set S and peer P's private key SK_P and outputs a bit string t = Tsfy(S, SK_P) as P's direct testimony for S (of S).
– Cnvy takes sets S_1, S_2 and P's testimony t_2 for S_2 of S and outputs a bit string t_1 = Cnvy(S_1, S_2, t_2) as P's indirect testimony for S_1 from S_2 of S.
– Tslt takes sets S_1, S_2 and P's testimony t_2 for S_2 of S and outputs a bit string t_1 = Tslt(S_1, S_2, t_2) as P's translated testimony for S_1 from S_2 of S.
– Vrfy takes as input a set Q, P's testimony t and P's public key PK_P; it produces a boolean value b = Vrfy(Q, t, PK_P).
⟨Tsfy, Cnvy, Tslt, Vrfy⟩ is secure if the following conditions hold:
– (Correctness.) For all S_1, S such that S_1 ⊆ S, Vrfy(S_1, t, PK_P) = 1 holds if t is P's direct, indirect or translated testimony for S_1 of S.
– (Security.) It is computationally infeasible for an adversary, on input S, PK_P and SK_P, to find a set S' ⊄ S and a string t' such that Vrfy(S', t', PK_P) = 1.

An index verification scheme is used as follows (adapting the terminology from Section 2). For each indexed item m, an extra field m.Test is added and stored locally by the indexer I as provider m.P_id's testimony for m.S_list. To publish an advertisement ad for file D, P computes its direct testimony T^o for s_0_list and sends it as ad.Test to the corresponding indexer I_0:

$$\mathrm{advertise}(P \to I_0):\ m_0 = \langle P, s_0\_list, T^o = \mathrm{Tsfy}(s_0\_list, SK_P) \rangle \qquad (7)$$

An honest I_0 accepts ad only when Vrfy(ad.S_list, ad.Test, PK_P) = 1 holds. To insert an indirect link from indexer I_i to I_j for I_i's local index item m_i, I_i computes provider P's indirect testimony T^c_ij for s_j_list ⊆ m_i.S_list of D.metadata, using m_i.S_list, m_i.Test and PK_P, for the indirect item m_j at I_j:

$$\mathrm{link}(I_i \to I_j):\ m_j = \langle P, s_j\_list, T^c_{ij} = \mathrm{Cnvy}(s_j\_list, m_i.S\_list, m_i.Test) \rangle \qquad (8)$$
An honest I_j makes sure Vrfy(s_j_list, T^c_ij, PK_P) = 1 holds before accepting m_j. Index replication is processed similarly, except that instead of Cnvy, Tslt is used by I_i to compute the translated testimony T^t_ij for the replicated item m_j:

$$\mathrm{replicate}(I_i \to I_j):\ m_j = \langle P, s_j\_list, T^t_{ij} = \mathrm{Tslt}(s_j\_list, m_i.S\_list, m_i.Test) \rangle \qquad (9)$$

An honest I_j makes sure Vrfy(s_j_list, T^t_ij, PK_P) = 1 holds before accepting m_j. When requestor R queries I for q, an honest indexer I returns a locally verified indexed item m if q.Q_list ⊆ m.S_list. Requestor R, in response to its query, receives m'. Note that if I is malicious, then m'.S_list might differ from m.S_list. R runs Vrfy(q.Q_list, m'.Test, PK_{m.P_id}). If I acted correctly, this evaluates to 1 (by the correctness property); on the other hand, if m.S_list ≠ m'.S_list, it should evaluate to 0 (by the security property).

A Trivial Scheme: SSB. The most intuitive way to authenticate an indexed advertisement is a simple signature-based scheme (SSB for short), as abstracted in Table 1. Informally, provider P's signature on an original advertisement m_0's keyword list m_0.S_list, signed with SK_P, serves as the direct testimony for m_0 when publishing it to indexer I_0. For each indirect/replicated item m_i maintained by an indexer I_i, the direct testimony m_0.Test is also stored by I_i as m_i's conveyed/translated testimony. For a query-returned item m', requestor R first decrypts s_0_list from m'.Test with the provider's public key PK_{m'.P_id} to ensure that it comes from m.P_id without manipulation, and then verifies its authenticity by checking whether both q.Q_list ⊆ s_0_list and q.Q_list ⊆ m'.S_list hold. Since the original advertising keyword list is signed by the provider and stored at each corresponding indexer in the system, any manipulation of a query-returned index item by a malicious indexer is identified and discarded automatically. Although it achieves the goal of index authenticity perfectly, SSB suffers from the prohibitive extra cost it imposes on indexers (Section 5), rendering it infeasible for a dynamic distributed P2P indexing system.

Table 1. SSB: Simple Signature-Based Index Verification Scheme
$\mathrm{Tsfy}_{SSB}(s_0\_list, SK_P) = \{s_0\_list\}_{SK_P}$
$\mathrm{Cnvy}_{SSB}(s_j\_list, m_i.S\_list, m_i.Test) = m_i.Test$
$\mathrm{Tslt}_{SSB}(s_j\_list, m_i.S\_list, m_i.Test) = m_i.Test$
$\mathrm{Vrfy}_{SSB}(s, t, PK_P) = 1 \iff s \subseteq \{t\}_{PK_P} = s_0\_list$

A Probabilistic Secure Scheme: Prosiv. Bloom filters (BFs) are compact data structures for the probabilistic representation of a set. A bit vector B with m bits supports membership tests against a set S = {x_1, x_2, ..., x_n} of n elements from a universe U. A set H(x) of k uniform and independent hash functions maps the universe U to [1, m]. Both representing the set S as a BF (BF in Table 2) and subsequent membership checking (MT in Table 2) are fast and simple.

Table 2. Algorithms for BF-aided membership testing

    BF(set S, integer m)
    1  filter = allocate m bits initialized to 0
    2  for all x_i in S do
    3      for all hash functions h_j do
    4          filter[h_j(x_i)] = 1
    5  return filter

    MT(elm, filter)
    1  for all hash functions h_j do
    2      if filter[h_j(elm)] = 0 then
    3          return false
    4  return true

Table 3. Prosiv: Probabilistic Secure Index Verification Scheme
$\mathrm{Tsfy}_{Prosiv}(s_0\_list, SK_P) = \{BF(s_0\_list)\}_{SK_P}$
$\mathrm{Cnvy}_{Prosiv}(s_j\_list, m_i.S\_list, m_i.Test) = m_i.Test$
$\mathrm{Tslt}_{Prosiv}(s_j\_list, M_i) = \mathrm{max\_rep}(M_i).Test$
$\mathrm{Vrfy}_{Prosiv}(s, t, PK_P) = 1 \iff \forall key \in s:\ MT(key, \{t\}_{PK_P}) = 1$
Table 3 describes our design for Prosiv. Informally, provider P's signature on the BF of an original advertisement m_0's keyword list serves as P's direct testimony for m_0 to indexer I_0. For each replicated index item m_i at indexer I_i, its corresponding direct testimony m_0.Test is stored by I_i as m_i's translated testimony. For each indirect index item m_j maintained by I_j pointing to a set of index items M_i = {m_i1, ..., m_ix} at another indexer I_i, the testimony for the most reputable provider's advertisement from M_i is stored at I_j as the conveyed testimony for m_j (see footnote 2). Requestor R verifies the signature on the query-returned item m's testimony with PK_P to ensure that it comes from P without manipulation, and then checks whether BF(q.Q_list) ⊆ BF(m.Test) holds: if not, m is certainly inauthentic in terms of q; otherwise, m is conjectured to be authentic.

Footnote 2: max_rep(M) in Table 3 takes a set of indexed items M and outputs m' ∈ M such that m'.P_id's reputation is no less than that of m''.P_id for any m'' ∈ M (m'' ≠ m').
5 Analysis
Security Analysis. To represent a target set S with n elements, its BF of m bits using k hash functions has the following two properties [16]:

Theorem 2 (Zero false negative). For any x ∈ U, x ∉ S if B[H(x)] ≠ 1.

Theorem 3 (Possible false positive). For any x ∈ U, if B[H(x)] = 1, there is a small probability $f \approx (1 - e^{-kn/m})^k$ that x ∉ S. Given a specific ratio m/n, f is minimized when $k = (m/n)\ln 2$, and $f_{min} \approx (0.6185)^{m/n}$.

Informally, in Prosiv, if a requestor discards a query-returned item when a BF mismatch is found, the decision is assured not to lose any query quality by Theorem 2. However, it is possible that a requestor follows an incorrect index item with a perfect BF match, due to f (Theorem 3). Specifically, Prosiv provides:
– Perfect protection against Fit: index poisoning attackers cannot perform Fit attacks under either SSB or Prosiv, since both schemes require that the provider sign the direct testimony for each original advertisement published. A fake index item coined by a Fit attacker without the provider's private key is easily filtered out by signature verification with the provider's public key.
– Effective protection against Coy: coupled with a robust reputation subsystem providing reliable evaluation of the provider's credibility for publishing authentic advertisements, both SSB and Prosiv effectively suppress Coy attacks, since index items pointing to a colluding provider are discarded for its low reputation.
– Probabilistic protection against Mit: in SSB, any manipulated index item can be detected directly and dropped immediately by a requestor, eliminating Mit attacks at the cost of the prohibitive overheads discussed below. On the other hand, by employing BF-based testimony verification, Prosiv reaches a better cost-efficiency tradeoff by tolerating a small possibility of Mit attacks in order to keep overhead acceptable in a distributed dynamic setting.

Specifically, we can compute the probability of a successful Mit attack (one that misleads a query q to an incorrect advertisement m_0 by falsely testifying coined keyword lists) as $P^{Mit}(d) = f^d$, where $d = |m_0.S\_list - q.Q\_list|$. Intuitively, the more coined keywords, the smaller the probability that a Mit attack succeeds. With proper configuration, the average probability of a Mit attack succeeding can be minimized to $E(P^{Mit}_{min}) = (f_{min})^{E(d)}$.

Cost Analysis. SSB requires the original m_0.S_list and its signature to be stored locally by the indexer for each index item, imposing:
– prohibitive storage cost in indexing schemes employing dynamic distributed caches and indirect links, because (1) for each replicated index item m_r, the extra space required for storing m_r.Test may well exceed that for m_r.S_list, since usually |m_r.S_list| << |m_0.S_list|; and (2) an indirect index item usually corresponds to a (large) set of original advertisements, demanding a prohibitive storage burden for SSB testimonies.
– relatively high computation cost for files published with large searching keyword lists, since (1) for a query q and a returned item m_q, the querying peer has to perform a linear search in m_0.S_list for each key ∈ q.Q_list; and (2) for each indirect/replicated index item to be added, the responding indexer has to perform similar verification.
– prohibitive communication cost for adaptive indexing schemes, where new indirect/replicated index items are created dynamically according to the users' query pattern, causing testimony transmission between the indexers involved.

Prosiv differs from SSB in two ways: (1) instead of signing m_0.S_list, the provider signs its Bloom filter to produce a direct testimony, and the requestor (or indexer) employs MT to test whether q.Q_list (or m_q.S_list) is contained in m_0.S_list; and (2) instead of storing a separate conveyed testimony for each original direct testimony of the potentially large set of more specific index items corresponding to an indirect index item, the downstream indexer stores only the most reputable direct testimony as the conveyed testimony for the indirect item. Prosiv fits well in a distributed dynamic indexing scheme, for it imposes only:
– low storage cost, because for each index item i, the space for storing i's testimony at any indexer is fixed to m bits, a system parameter of bounded size;
– low computation cost, because to verify an index item i's authenticity in terms of q, a peer only performs k hash computations for each key ∈ q.Q_list (O(|q.Q_list|)), regardless of the size of the usually much larger m_0.S_list, a great reduction from SSB's O(|m_0.S_list|);
– low communication cost for testimony transmission when indirect/replicated index items are created, since each testimony's size is bounded to m bits.

Cost for Delayed Poisoning Detection in Prosiv. In SSB, since a requestor can verify m_0.S_list directly and discard manipulated index items at once, no extra cost is incurred by a failed poisoning attack. In Prosiv, since the testimony carried by a potentially manipulated index item m_i only contains a BF for m_0.S_list, a requestor can only verify that the members of m_i.S_list are also members of m_0.S_list by checking whether BF(m_i.S_list) ⊆ BF(m_0.Test) holds. In other words, with the progressive revelation and verification of the keyword list, poisoning detection may be delayed for k hops, until a BF mismatch for the first detectable coined keyword occurs in m_{i+k}.S_list (0 ≤ k ≤ d), where d denotes the depth of the indexing hierarchy. This imposes potential extra cost on a requestor beyond the single failed verification operation of SSB's immediate detection. A k-hop delayed detection causes no more than k − 1 extra verification operations, i.e. $c^p_k = o(k \times |q.Q\_list|)$, which is acceptable in most practical cases, where k ≤ d << |m_0.S_list| and |q.Q_list| << |m_0.S_list| both hold.
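As an added example (not the paper's own code), the Prosiv testimony of Table 3 and the BF/MT algorithms of Table 2 in Python, applied to the Mit and Fit cases analysed above: a provider signs the Bloom filter of its keyword list, a forged testimony fails signature verification, and an index item carrying a coined keyword is rejected unless every coined keyword happens to be a false positive, whose rate f follows Theorem 3. Assumptions: m = 64 bits, k = 3 positions derived from SHA-256 by double hashing, an HMAC under a single provider key standing in for the paper's asymmetric signature, and a constructed keyword list.

```python
import hashlib
import hmac
import math

# System parameters (constructed for this example): filter length m and
# number of hash functions k.  Every testimony is then at most m bits.
M_BITS = 64
K_HASHES = 3


def _positions(keyword, m=M_BITS, k=K_HASHES):
    """The k hash positions H(x) in [0, m) for one keyword.

    Assumption: the k positions come from two SHA-256 digests by double
    hashing; the paper only requires k uniform, independent hash functions.
    Keywords are lower-cased so "Faye Wong" and "faye wong" coincide.
    """
    data = keyword.lower().encode("utf-8")
    h1 = int.from_bytes(hashlib.sha256(data).digest()[:8], "big")
    h2 = int.from_bytes(hashlib.sha256(b"\x01" + data).digest()[:8], "big") | 1
    return [(h1 + j * h2) % m for j in range(k)]


def bf(keywords, m=M_BITS):
    """BF(set S, integer m) from Table 2: an m-bit filter held in an int."""
    filt = 0
    for x in keywords:
        for pos in _positions(x, m):
            filt |= 1 << pos
    return filt


def mt(keyword, filt, m=M_BITS):
    """MT(elm, filter) from Table 2: False as soon as one position is unset.

    False is definite (Theorem 2, zero false negatives); True may be a
    false positive (Theorem 3).
    """
    return all((filt >> pos) & 1 for pos in _positions(keyword, m))


def _sign(key, filt):
    """Stand-in for the provider's signature over BF(s0_list).

    The paper signs with SK_P and verifies with PK_P; here HMAC-SHA256
    under one provider key plays both roles (assumption for this example).
    """
    return hmac.new(key, filt.to_bytes(M_BITS // 8, "big"), "sha256").digest()


def tsfy(s0_list, sk_p):
    """Tsfy_Prosiv(s0_list, SK_P) = {BF(s0_list)}_SK_P: the direct testimony."""
    filt = bf(s0_list)
    return (filt, _sign(sk_p, filt))


def vrfy(q_list, testimony, pk_p):
    """Vrfy_Prosiv(s, t, PK_P): 1 iff the signature holds and every keyword
    in q_list passes MT against the signed filter, else 0."""
    filt, tag = testimony
    if not hmac.compare_digest(tag, _sign(pk_p, filt)):
        return 0  # forged (Fit) or tampered testimony
    return 1 if all(mt(key, filt) for key in q_list) else 0


def false_positive_rate(n, m=M_BITS, k=K_HASHES):
    """f ~ (1 - e^(-kn/m))^k from Theorem 3, for a filter holding n keywords."""
    return (1.0 - math.exp(-k * n / m)) ** k


def mit_success_probability(d, n, m=M_BITS, k=K_HASHES):
    """P^Mit(d) = f^d: a manipulated item with d coined keywords survives
    only if every coined keyword is a false positive of the filter."""
    return false_positive_rate(n, m, k) ** d


def scenario():
    """Constructed walk-through: an honest query passes, a Fit forgery fails,
    and Mit items carrying a coined keyword are (almost always) rejected.
    Returns (honest_result, fit_result, coined_items_caught_out_of_200)."""
    sk_p = b"provider-P-key (constructed)"
    s0_list = ["Faye Wong", "concert", "2004", "live"]  # provider's keywords
    testimony = tsfy(s0_list, sk_p)
    # Honest indexer: query keywords are a subset of s0_list.
    honest = vrfy(["faye wong", "concert"], testimony, sk_p)
    # Fit: attacker coins an item and signs it with a key that is not P's.
    fit = vrfy(["concert"], tsfy(["concert"], b"attacker-key"), sk_p)
    # Mit: indexer keeps P's genuine testimony but attaches a coined keyword
    # to the item; the requestor tests that keyword against the filter.
    caught = sum(vrfy([f"coined{i}"], testimony, sk_p) == 0 for i in range(200))
    return honest, fit, caught
```

With n = 4 keywords in a 64-bit filter and k = 3, f is about 0.005, so roughly one of the 200 coined keywords in scenario() is expected to slip through as a false positive; the rest are caught by a BF mismatch.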
6 Conclusion
We provide a formal model of a distributed P2P indexing system, use it to define the index authenticity problem, and propose the use of a secure index verification scheme, which allows any distrusted principal to perform a keyword abstraction on a trusted original keyword set and provides unforgeable proof of its correctness, so that a distrusted indexer can manage distributed index items in a verifiable and secure way. We demonstrate through analysis that our BF-based solution is effective in combating index poisoning with acceptable overhead.
References
1. Liang, J., Naoumov, N., Ross, K.W.: The index poisoning attack in P2P file sharing systems. In: Proc. of INFOCOM, pp. 1–12 (2006)
2. Garces-Erice, L., Felber, P.A., Biersack, E.W., et al.: Data indexing in peer-to-peer DHT networks. In: Proc. of ICDCS, pp. 200–208 (2004)
3. Skobeltsyn, G., Aberer, K.: Distributed cache table: efficient query-driven processing of multi-term queries in P2P networks. In: Proc. of IRP2P, pp. 33–40 (2006)
4. Deng, L., He, Y., Xu, Z.: Service Authenticity in P2P File-Sharing. In: Proc. of ICYCS, pp. 2246–2253 (2008)
5. Liang, J., Kumar, R., Xi, Y., et al.: Pollution in P2P file sharing systems. In: Proc. of INFOCOM, pp. 1174–1185 (2005)
6. Resnick, P., Kuwabara, K., Zeckhauser, R., et al.: Reputation systems. Commun. ACM 43(12), 45–48 (2000)
7. Daswani, N., Garcia-Molina, H., Yang, B.: Open problems in data-sharing peer-to-peer systems. In: Calvanese, D., Lenzerini, M., Motwani, R. (eds.) ICDT 2003. LNCS, vol. 2572, pp. 1–15. Springer, Heidelberg (2002)
8. Daswani, N., Golle, P., Marti, S., et al.: Evaluating reputation systems for document authenticity. Technical report, Stanford University (2003)
9. Zhang, X., Chen, S., Sandhu, R.: Enhancing data authenticity and integrity in P2P systems. IEEE Internet Computing 9(6), 42–49 (2005)
10. Qiu, D., Srikant, R.: Modeling and performance analysis of BitTorrent-like peer-to-peer networks. In: Proc. of SIGCOMM, pp. 367–378 (2004)
11. Ripeanu, M., Foster, I.: Peer-to-peer architecture case study: Gnutella network. In: Proc. of IPTPS, pp. 99–100 (2001)
12. Stoica, I., Morris, R., Liben-Nowell, D., et al.: Chord: a scalable peer-to-peer lookup protocol for internet applications. IEEE/ACM Trans. Netw. 11(1), 17–32 (2003)
13. Harren, M., Hellerstein, J.M., Huebsch, R., et al.: Complex queries in DHT-based peer-to-peer networks. In: Druschel, P., Kaashoek, M.F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 242–250. Springer, Heidelberg (2002)
14. Li, J., Loo, B.T., Hellerstein, J.M., et al.: On the feasibility of peer-to-peer web indexing and search. In: Kaashoek, M.F., Stoica, I. (eds.) IPTPS 2003. LNCS, vol. 2735, pp. 207–215. Springer, Heidelberg (2003)
15. Chen, H., Jin, H., Wang, J., et al.: Efficient multi-keyword search over P2P web. In: Proc. of WWW, pp. 989–998 (2008)
16. Broder, A., Mitzenmacher, M.: Network applications of Bloom filters: a survey. J. Internet Mathematics 1(4), 485–509 (2004)
17. Kumar, A., Xu, J., Zegara, E.W.: Efficient and scalable query routing for unstructured peer-to-peer networks. In: Proc. of INFOCOM, pp. 1162–1173 (2005)
18. Byers, J.W., Considine, J., Mitzenmacher, M., et al.: Informed content delivery across adaptive overlay networks. IEEE/ACM Trans. Netw. 12(5), 767–780 (2004)
19. Jin, X., Yiu, W.P.K., Chan, S.H.: Supporting multiple-keyword search in a hybrid structured peer-to-peer network. In: Proc. of ICC, pp. 42–47 (2006)
A Cryptanalytic View of the NSA's Skipjack Block Cipher Design

Jongsung Kim (1) and Raphael C.-W. Phan (2)

(1) Center for Information Security Technologies (CIST), Korea University, Anam Dong, Sungbuk Gu, Seoul, Korea. [email protected]
(2) Electronic & Electrical Engineering Department, Loughborough University, LE11 3TU, United Kingdom. [email protected]

Abstract. Skipjack is a block cipher designed by the NSA for use in US government phones, and in commercial mobile and wireless products by AT&T. Among its initial implementations in hardware were the Clipper chip and Fortezza PC cards, which have since influenced the private communications market to be compatible with this technology. For instance, the Fortezza card comes in a PCMCIA interface and is a very easy plug-and-play device to add to mobile and wireless systems to provide encryption for wireless transmissions. Initially classified when it was first proposed, Skipjack was declassified in 1998 and sparked numerous security analyses from security researchers worldwide, because it provides insight into the state-of-the-art security design techniques used by a highly secretive government intelligence agency such as the NSA. In this paper, commemorating over a decade since Skipjack's public revelation, we revisit the security of Skipjack against cryptanalytic results and discuss why certain attack approaches fare better with reference to Skipjack's design structure.

Keywords: Block Ciphers, Skipjack, NSA, Distinguisher, Cryptanalysis.
1 Introduction
Skipjack [29] is a symmetric-key block cipher designed by the US National Security Agency (NSA), with a 64-bit block size and an 80-bit key size. After Skipjack was designed, it was classified and used in the tamper-resistant Capstone and Clipper chips for US government purposes, e.g., voice, mobile and wireless communications. What is intriguing about this cipher, and what draws public attention to its design and analysis, is that it was designed by mathematicians within the NSA, an agency highly notorious for its secrecy and for the most advanced cipher design and analysis technology in the world. Moreover, the fact that it was designed and finalized in 1990, more than a decade after DES, means that Skipjack is expected to be much more secure and resistant to known attacks. To allay initial public doubts [13,34] about its security, a panel of 5 well-known cryptographers was asked to review its security [12] in 1993, and one of the conclusions was: "In summary, SKIPJACK is based on some of NSA's best technology. Considerable care went into its design and evaluation in accordance with the care given to algorithms that protect classified data." Considering the year 1993 in which this summary was made, it implies that, to an independent reviewer, Skipjack's design had considerable strength against the state-of-the-art cryptanalytic attacks known at the time (e.g. differential cryptanalysis [10], linear cryptanalysis [27], related-key cryptanalysis [1]). Skipjack was declassified in 1998 [29], and immediately triggered several cryptanalytic results including [2,3,24]. In addition to the public speculation and distrust of Skipjack, the facts that it was designed with "alien" encryption technology by the NSA, that it was initially classified, and that it consists of very simple building blocks, have intrigued cryptanalysts [2,3,14,16,17,24,25,26,28,33,21].

Footnote: The first author was supported by the Second Brain Korea 21 Project.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 368–381, 2009. © Springer-Verlag Berlin Heidelberg 2009

1.1 Outline of This Paper
In this paper we revisit the security of Skipjack in relation to different types of cryptanalysis techniques, and in connection with known attacks on Skipjack variants we discuss reasons why some techniques fare better against Skipjack. The best known attack on Skipjack [3] was presented a decade ago in 1999, but since then no improvements have been reported and an attack on the full 32-round Skipjack remains elusive until now. This work is intended to revisit known attacks on Skipjack variants, and discuss Skipjack’s underlying structure in relation to different cryptanalytic results to provide more insight into its design, and motivate continued public analysis of the NSA’s design of Skipjack.
2 Skipjack
The 64-bit block of Skipjack is divided into four 16-bit words. Eight A rounds and eight B rounds (see Fig. 1) are alternated until the full 32 rounds are reached, and a constant round counter is used that is in fact the round number (in the range 1 to 32). The transformation $G: \{0,1\}^{32} \times \{0,1\}^{16} \to \{0,1\}^{16}$ consists of a 4-round Feistel structure whose internal function $F: \{0,1\}^{8} \to \{0,1\}^{8}$ is an 8 × 8 S-box. The key schedule of Skipjack takes the 10-byte (80-bit) secret key $K \in \{0,1\}^{80}$ and uses four bytes at a time for the G transformation in each round. Let $K = B_1 B_2 B_3 B_4 B_5 B_6 B_7 B_8 B_9 B_{10}$, where $B_i \in \{0,1\}^{8}$ are the bytes of the key K, and let $RK_i \in \{0,1\}^{32}$ be the i-th round key. Then $RK_i = RK_{i \bmod 5}$ and specifically: $RK_1 = B_1 B_2 B_3 B_4$, $RK_2 = B_5 B_6 B_7 B_8$, $RK_3 = B_9 B_{10} B_1 B_2$, $RK_4 = B_3 B_4 B_5 B_6$ and $RK_5 = B_7 B_8 B_9 B_{10}$. After every 5 rounds the cycle repeats, hence the key schedule of Skipjack appears to have a periodicity of 5 rounds.
370
J. Kim and R.C.-W. Phan
Fig. 1. Round Functions of Skipjack
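As an added illustration (not code from the paper or from NIST), the structure just described is modelled in Python: the key schedule with its 5-round period, the 4-round Feistel permutation G, and the A/B round rules with their inverses. The S-box F is a constructed placeholder permutation rather than the real Skipjack F-table, and the exact A/B rule equations and word order are assumed from the public specification [29] rather than taken from the text above.

```python
"""Structural model of Skipjack (Sect. 2): the 10-byte key schedule with its
5-round period, the 4-round Feistel permutation G, and the A/B round rules
with their inverses.  Added illustration, not the NIST reference code.
The S-box F is a CONSTRUCTED placeholder permutation (seeded shuffle), not
the real Skipjack F-table, so outputs differ from the standard; the A/B
rule equations and the word order (w1 = most significant word) are assumed
from the public specification, not stated in the text."""
import random

# Constructed placeholder S-box: any byte permutation keeps G a bijection.
_rng = random.Random(2009)
F = list(range(256))
_rng.shuffle(F)


def round_key(key: bytes, i: int) -> bytes:
    """RK_i for round i >= 1: four consecutive key bytes taken cyclically
    over the 10-byte key, so RK_1 = B1..B4, RK_3 = B9 B10 B1 B2 and
    RK_i = RK_{i mod 5} (period 5)."""
    if len(key) != 10:
        raise ValueError("Skipjack keys are 80 bits (10 bytes)")
    start = 4 * (i - 1)
    return bytes(key[(start + j) % 10] for j in range(4))


def G(rk: bytes, w: int) -> int:
    """4-round Feistel permutation on a 16-bit word, one key byte per round."""
    g1, g2 = w >> 8, w & 0xFF
    g3 = F[g2 ^ rk[0]] ^ g1
    g4 = F[g3 ^ rk[1]] ^ g2
    g5 = F[g4 ^ rk[2]] ^ g3
    g6 = F[g5 ^ rk[3]] ^ g4
    return (g5 << 8) | g6


def G_inv(rk: bytes, w: int) -> int:
    """Undo the four Feistel rounds in reverse order (F is never inverted)."""
    g5, g6 = w >> 8, w & 0xFF
    g4 = F[g5 ^ rk[3]] ^ g6
    g3 = F[g4 ^ rk[2]] ^ g5
    g2 = F[g3 ^ rk[1]] ^ g4
    g1 = F[g2 ^ rk[0]] ^ g3
    return (g1 << 8) | g2


def rule_a(rk, ctr, w):
    """A round: G(w1) is XORed with w4 and the round counter into new w1."""
    w1, w2, w3, w4 = w
    g = G(rk, w1)
    return (g ^ w4 ^ ctr, g, w2, w3)


def rule_b(rk, ctr, w):
    """B round: w1 is XORed with w2 and the round counter into new w3."""
    w1, w2, w3, w4 = w
    return (w4, G(rk, w1), w1 ^ w2 ^ ctr, w3)


def rule_a_inv(rk, ctr, w):
    w1, w2, w3, w4 = w
    return (G_inv(rk, w2), w3, w4, w1 ^ w2 ^ ctr)


def rule_b_inv(rk, ctr, w):
    w1, w2, w3, w4 = w
    x1 = G_inv(rk, w2)
    return (x1, w3 ^ x1 ^ ctr, w4, w1)


def round_type(i: int) -> str:
    """Rounds 1-8 and 17-24 are A rounds; 9-16 and 25-32 are B rounds."""
    return "A" if ((i - 1) // 8) % 2 == 0 else "B"


def _split(block: int):
    return tuple((block >> (16 * (3 - j))) & 0xFFFF for j in range(4))


def _join(w) -> int:
    return (w[0] << 48) | (w[1] << 32) | (w[2] << 16) | w[3]


def encrypt(key: bytes, block: int, rounds: int = 32) -> int:
    w = _split(block)
    for i in range(1, rounds + 1):
        rule = rule_a if round_type(i) == "A" else rule_b
        w = rule(round_key(key, i), i, w)
    return _join(w)


def decrypt(key: bytes, block: int, rounds: int = 32) -> int:
    w = _split(block)
    for i in range(rounds, 0, -1):
        rule = rule_a_inv if round_type(i) == "A" else rule_b_inv
        w = rule(round_key(key, i), i, w)
    return _join(w)


def g_is_bijective(rk: bytes) -> bool:
    """Exhaustive check over all 2^16 words; this bijectivity is why a
    zero/non-zero word difference stays zero/non-zero through G (Sect. 4)."""
    return len({G(rk, w) for w in range(1 << 16)}) == 1 << 16


if __name__ == "__main__":
    key = bytes(range(1, 11))  # constructed sample key, B1..B10 = 1..10
    print([round_key(key, i).hex() for i in range(1, 8)])  # repeats after 5
    pt = 0x0123456789ABCDEF
    assert decrypt(key, encrypt(key, pt)) == pt
    print("G bijective:", g_is_bijective(round_key(key, 1)))
```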
2.1 Cryptanalysis of Skipjack
The first independent third-party analysis of Skipjack’s security was conducted in 1993 [12], summarizing that Skipjack’s design was based on some of NSA’s best technology, which at the time of the analysis (1993) would mean considerable resistance against attacks based on differential and linear cryptanalysis. When Skipjack was declassified in 1998, [2] performed a preliminary analysis, making observations on the key schedule and on complementation properties as well as differential and linear properties. They also considered the security of variants where the number of consecutive rounds of the same type was changed from 8, or where the order of the A and B rounds was reversed. Further discussion was presented in [25]. An intriguing side result was the presentation of the so-called yoyo game. The paper presented cryptanalysis based on truncated differentials, including that of a 32-round Skipjack variant with 3 exclusive-or (XOR) operations removed. In subsequent work, [3] cryptanalyzed Skipjack reduced to 31 (out of 32) rounds. This attack, based on a 24-round impossible differential, remains the best known attack on Skipjack to date despite being a decade-old result. [24] presented some truncated differentials of Skipjack, and applied them to Skipjack up to 28 rounds. It was subsequently shown [14] that some of these results were flawed due to errors in the probability calculations. Other flawed analyses of Skipjack include [32] and [16] (see [21] for discussion). As subsequent work to [24] and [14], Markov chains were used in [33] to systematically compute the truncated differentials of Skipjack. [28] and [17] independently analyzed Skipjack variants with respect to Square attacks and saturation attacks respectively.
3 Techniques to Compose Differential-Style Distinguishers
We first discuss advanced cryptanalytic techniques which have been effectively used to evaluate the security of Skipjack. They compose different types of differential-style distinguishers that apply several short differentials to form long ones, e.g. the impossible differential, inside-out and boomerang-style distinguishers, and we also discuss their related-key counterparts.
A Cryptanalytic View of the NSA’s Skipjack Block Cipher Design
3.1 The Miss-in-the-Middle (MisM) Technique
The miss-in-the-middle (MisM) technique (the term was coined by Biham et al. in [4]) was first applied by Knudsen [23] in 1998 to construct a 5-round impossible differential of the DEAL block cipher, which is a Feistel cipher. This concept was later generalized by Biham et al. [4] as a generic construction to build impossible differentials for ciphers of any structure. Consider a cipher E as a cascade, i.e., $E = E_1 \circ E_0$, such that for $E_0$ there exists a differential $(\alpha \to \beta)$ and for $E_1$ there exists a differential $(\gamma \to \delta)$, both with probability one, where $\beta \neq \gamma$. Both of these are then used to form an impossible differential distinguisher, using the miss-in-the-middle technique (see footnote 1):
• Chosen-Plaintext (CP) Query: Obtain the encryption of a pair of plaintexts $(P_1, P_2)$ such that $P_1 \oplus P_2 = \alpha$, and denote the corresponding ciphertexts by $(C_1, C_2)$.
• Check whether $C_1 \oplus C_2 = \delta$ [Impossible Condition].
The impossible condition $(\alpha \to \delta)$ arises because $(\alpha \to \beta)$ always goes through $E_0$ and $(\gamma \to \delta)$ always goes through $E_1$, but since $\beta \neq \gamma$, $(\alpha \to \delta)$ is impossible. A plaintext pair with $P_1 \oplus P_2 = \alpha$ and a corresponding ciphertext pair with $C_1 \oplus C_2 = \delta$ would thus form an impossible differential distinguisher. This is formed by a contradiction (miss) in the middle of the cipher, hence the name. In practice, impossible differentials are applied by guessing key bits of the outer rounds not covered by the differentials: if a guessed outer key causes the impossible differential to occur, it is discarded, since the right key would never cause an impossible differential. On the other hand, the impossible condition is satisfied with probability $p^* = 2^{-n}$ for a random permutation, where n is the block size; or with probability $p^* = 2^{-w \times t}$ in the case where $\delta$ is a truncated difference having t words of fixed difference, where w is the word size. Hence, since $0 \ll p^*$, this distinguisher can be used to effectively distinguish E from a random permutation.
Related-Key Counterpart. The miss-in-the-middle technique is used to concatenate normal (non-related-key) differentials. It is natural to apply this technique to the related-key setting. We first remark that related-key differentials are in fact very similar to normal differentials. While the latter make use of differences only in the input pair, the former use differences not only in the input pair but also in the key pair. Differences in the key pair subsequently cause corresponding differences in the round-key pairs generated from the key pair. However, aside from this, differentials basically trace a difference value as it propagates through the cipher. Therefore, regardless of whether the difference comes from the input or from the key as well, we can treat and analyze these differentials in the same way. Therefore, the related-key miss-in-the-middle (RK-MisM) technique (see footnote 2) is a related-key counterpart of the normal miss-in-the-middle technique [4], and can equally be applied to concatenate two probability-one related-key differentials such that they form a contradiction in the middle. The concatenation of the two differentials results in a related-key impossible differential.
Footnote 1. Note that not all impossible differentials are necessarily constructed via the miss-in-the-middle technique that uses two short differentials. Other techniques include the shrinking technique [3], or simply using just one long differential that never results in a certain output difference.
3.2 The Inside-Out Technique
Consider a cipher $E = E_1 \circ E_0$ such that for $E_0^{-1}$ (respectively $E_1$) there exists a differential $(\beta \to \alpha)$ with probability p (respectively $(\beta \to \delta)$ with probability q). Then Wagner [35] defined the inside-out distinguisher as follows:
• Known-Plaintext (KP) Query: Obtain the ciphertexts $\{C_i\}_{i=1}^{s}$ of a pool of s plaintexts $\{P_i\}_{i=1}^{s}$.
• Check whether there exists any pair $P_i, P_j$ with corresponding $C_i, C_j$ such that $P_i \oplus P_j = \alpha$ and $C_i \oplus C_j = \delta$ [Inside-Out Condition].
The inside-out distinguisher starts with a difference $\beta$ in the middle (inside) of the cipher, and then goes outwards in both directions towards the plaintext and ciphertext ends; more precisely, the differential $(\beta \to \alpha)$ covers $E_0^{-1}$ in the backward direction and the differential $(\beta \to \delta)$ covers $E_1$ in the forward direction. Then at both outside ends, the respective differences $\alpha$ and $\delta$ would both occur with probability pq. If $\beta$ is a non-truncated difference, i.e. all its n bits are defined, then the inside-out condition will be satisfied with probability $\tilde{p} = 2^{-n} \times pq$; if $\beta$ is a truncated difference with t fixed word differences then the probability is $\tilde{p} = 2^{-w \times t} \times pq$. For a random permutation, this condition will only be satisfied at both ends with probability $p^* = 2^{-2n}$ for n the block size; or with probability $p^* = 2^{-w \times t_1} \times 2^{-w \times t_2}$ in the case where $\alpha$ and/or $\delta$ are truncated differences having $t_1$ and $t_2$ words of fixed difference. The distinguisher is effective when $\tilde{p} \gg p^*$. This technique is seen as a dual [35] to the boomerang technique; from another angle, it can also be considered a dual to the miss-in-the-middle technique, i.e. the latter propagates differentials from both ends outside in, to the point of contradiction.
3.3 The Boomerang, Amplified Boomerang and Rectangle Techniques
Wagner [35] considered a cipher $E = E_1 \circ E_0$ such that for $E_0$ (respectively $E_1$) there exists a differential $(\alpha \to \beta)$ with probability p (respectively $(\gamma \to \delta)$ with probability q). He then defined the boomerang distinguisher as follows:
• Chosen-Plaintext (CP) Query: Obtain the ciphertexts $(C_1, C_2)$ of a pair of plaintexts $(P_1, P_2)$ such that $P_1 \oplus P_2 = \alpha$.
• Adaptively-Chosen Ciphertext (ACC) Query: Calculate $C_3 = C_1 \oplus \delta$ and $C_4 = C_2 \oplus \delta$, and obtain the decryption of the pair $(C_3, C_4)$, thus $(P_3, P_4)$.
• Check whether $P_3 \oplus P_4 = \alpha$ [Boomerang Condition].
The boomerang distinguisher uses the differential $(\alpha \to \beta)$ to cover $E_0$ in the forward direction with respect to the pair $(P_1, P_2)$ but in the backward direction with respect to the pair $(P_3, P_4)$; and the differential $(\gamma \to \delta)$ to cover $E_1$ in the backward direction with respect to both $(C_1, C_3)$ and $(C_2, C_4)$. The boomerang condition $(P_3 \oplus P_4 = \alpha)$ happens because the CP and ACC queries cause the boomerang property to occur in the middle of the cipher E:
$$E_0(P_3) \oplus E_0(P_4) = E_0(P_1) \oplus E_0(P_2) \oplus E_0(P_1) \oplus E_0(P_3) \oplus E_0(P_2) \oplus E_0(P_4)$$
$$= (E_0(P_1) \oplus E_0(P_2)) \oplus (E_1^{-1}(C_1) \oplus E_1^{-1}(C_3)) \oplus (E_1^{-1}(C_2) \oplus E_1^{-1}(C_4)) = \beta \oplus \gamma \oplus \gamma = \beta.$$
This boomerang property holds with probability $pq^2$, since $E_0(P_1) \oplus E_0(P_2) = \beta$ with probability p and $E_1^{-1}(C_1) \oplus E_1^{-1}(C_3) = E_1^{-1}(C_2) \oplus E_1^{-1}(C_4) = \gamma$ with probability $q^2$. When this boomerang property occurs, we then have $P_3 \oplus P_4 = \alpha$ with probability p due to the differential $(\beta \to \alpha)$ through $E_0^{-1}$, and thus for the cipher E the total probability of the boomerang distinguisher, i.e., the probability of satisfying the boomerang condition, is $(pq)^2$. On the other hand, this boomerang condition is satisfied with probability $p^* = 2^{-n}$ for a random permutation, where n is the block size; or with probability $p^* = 2^{-w \times t}$ in the case where $\alpha$ is a truncated difference having t words of fixed difference. Hence, if $(pq)^2 \gg p^*$, then this distinguisher can be used to effectively distinguish E from a random permutation. In fact, the resultant probability of the boomerang distinguisher can be improved (see [35] Sect. 4) using all possible differentials for $E_0$ and $E_1$ such that $\beta$ and $\gamma$ are varied over all their possible values (as long as $\beta \neq \gamma$), i.e., the intermediate differences $\beta$ and $\gamma$ do not have to be fixed to any values; only $\alpha$ and $\delta$ need to be fixed. This refinement (see footnote 3) increases the total probability to $(\hat{p}\hat{q})^2$, and to align with the current naming convention would be more rightly called the rectangled boomerang distinguisher, where:
$$\hat{p} = \sqrt{\sum_{\beta} \Pr^2[\alpha \to \beta]}, \qquad \hat{q} = \sqrt{\sum_{\gamma} \Pr^2[\gamma \to \delta]}. \qquad (1)$$
Footnote 2. The idea of RK-MisM was independently introduced in [31] and [18]. Since then, it has also been used in [9].
One limitation of the boomerang is that it requires adaptively-chosen ciphertexts, which works under a more restricted security model compared to the more common known- and chosen-text attacks. To overcome this, Kelsey et al. [19] applied the birthday paradox technique by collecting many quartets $(P_1, P_2, P_3, P_4)$ such that the boomerang-style condition is satisfied for at least a few such quartets. This was termed the amplified boomerang attack. The steps in constructing such a distinguisher are:
• Chosen-Plaintext (CP) Query: Obtain the encryption of a quartet of plaintexts $(P_1, P_2, P_3, P_4)$ such that $P_1 \oplus P_2 = P_3 \oplus P_4 = \alpha$, and denote the corresponding ciphertexts by $(C_1, C_2, C_3, C_4)$.
• Check whether $C_1 \oplus C_3 = C_2 \oplus C_4 = \delta$ [Amplified Boomerang Condition].
In this case, the amplified boomerang distinguisher uses the differential $(\alpha \to \beta)$ to cover $E_0$ in the forward direction with respect to both the pairs $(P_1, P_2)$ and $(P_3, P_4)$; and the differential $(\gamma \to \delta)$ to cover $E_1$ in the forward direction with respect to both the pairs $(C_1, C_3)$ and $(C_2, C_4)$. The amplified boomerang condition $(C_1 \oplus C_3 = C_2 \oplus C_4 = \delta)$ exists because when $E_0(P_1) \oplus E_0(P_3) = \gamma$ with some probability $\sigma = 2^{-n}$, the amplified boomerang property occurs in the middle of the cipher E:
$$E_0(P_2) \oplus E_0(P_4) = (E_0(P_1) \oplus E_0(P_2)) \oplus (E_0(P_3) \oplus E_0(P_4)) \oplus (E_0(P_1) \oplus E_0(P_3)) = \beta \oplus \beta \oplus \gamma = \gamma.$$
This boomerang property holds with probability $2^{-n} \times p^2$, since $E_0(P_1) \oplus E_0(P_2) = E_0(P_3) \oplus E_0(P_4) = \beta$ with probability $p^2$ and $E_0(P_1) \oplus E_0(P_3) = \gamma$ with probability $2^{-n}$. When this amplified boomerang property occurs, we then have $C_1 \oplus C_3 = C_2 \oplus C_4 = \delta$ with probability $q^2$ due to the differential $(\gamma \to \delta)$ through $E_1$, and thus for the cipher E the total probability of the amplified boomerang distinguisher, i.e., the probability of satisfying the amplified boomerang condition, is $2^{-n} \times (pq)^2$. Since this amplified boomerang condition is satisfied with probability $p^* = 2^{-2n}$ for a random permutation, or with probability $p^* = 2^{-w \times 2t}$ in the case where $\delta$ is a truncated difference having t words of fixed difference, if $2^{-n} \times (pq)^2 \gg p^*$ then this distinguisher effectively distinguishes E from a random permutation. Similarly, the resultant probability of the amplified boomerang distinguisher can be improved [5] using all possible differentials for $E_0$ and $E_1$ such that $\beta$ and $\gamma$ are varied over all their possible values (as long as $\beta \neq \gamma$), i.e., the intermediate differences $\beta$ and $\gamma$ do not have to be fixed to any values; only $\alpha$ and $\delta$ need to be fixed. This rectangling refinement, originally described by Wagner in [35] for the case of boomerang distinguishers, was adapted (see footnote 4) by Biham et al. [5] to the amplified boomerang distinguisher case, and given the name “rectangle attack”. For a much clearer comparison with the original boomerang and amplified boomerang attacks, this would be more rightly called the rectangled amplified boomerang attack. The rectangle distinguisher has an increased total probability of $2^{-n} \times (\hat{p}\hat{q})^2$, where $\hat{p}$ and $\hat{q}$ are as previously defined in equation (1). (Note that the amplified boomerang condition can be $C_1 \oplus C_3 = C_2 \oplus C_4 = \delta$ or $C_1 \oplus C_4 = C_2 \oplus C_3 = \delta$, which allows the attack complexity to be reduced by a factor of 2.) However, the crypto community has grown accustomed to the term “rectangle attacks” to mean either the original amplified boomerang attack in [19] or the later rectangle attacks in [5]; henceforth, unless otherwise stated, we will just use “rectangle attacks” to refer to either one interchangeably. Table 1 compares the differences between the boomerang attack variants.
Footnote 3. Later called “rectangling” by Biham et al. [5].
Footnote 4. To be clear, the first two improvements in [5] basically mean to count over all intermediate differences $\beta$ and $\gamma$, and this was already pointed out in [35]. The third improvement in [5] allows one to optimize the probability of an amplified boomerang distinguisher, but it is very hard to do the exact calculation. Note that further improved attack algorithms for boomerang and rectangle attacks were later suggested in [6].
Table 1. Comparing the Boomerang Attack Variants
Attack Variant | Differential Directions | Fixed Differences | Resultant Probability | Source
Boomerang | $E_0, E_1^{-1}, E_1^{-1}, E_0^{-1}$ | $\alpha, \beta, \gamma, \delta$ | $(pq)^2$ | [35]
Rectangled Boomerang | $E_0, E_1^{-1}, E_1^{-1}, E_0^{-1}$ | $\alpha, \delta$ | $(\hat{p}\hat{q})^2$ | [35]
Amplified Boomerang | $E_0, E_0, E_1, E_1$ | $\alpha, \beta, \gamma, \delta$ | $2^{-n} \cdot (pq)^2$ | [19]
Rectangled Amplified Boomerang | $E_0, E_0, E_1, E_1$ | $\alpha, \delta$ | $2^{-n} \cdot (\hat{p}\hat{q})^2$ | [5]
Using Only Truncated Differentials. Truncated differentials [22], unlike conventional non-truncated differentials [10], do not necessarily have the same probability when going in reverse as when going forward. Thus, when calculating the probability of a boomerang-style distinguisher based on the use of truncated differentials instead of non-truncated ones, more care is needed. This special consideration for boomerang distinguishers with only truncated differentials was considered by Wagner in [35] Sect. 6. The boomerang property in the middle of E may not work since we are using truncated differences, where only a subset of the w-bit (word) differences are fixed to ‘0’ while the remaining word differences are arbitrary and unknown. Let $p_1$ (respectively $p_2$) be the probability of a truncated differential $\alpha \to \beta$ for $E_0$ (respectively $\beta \to \alpha$ for $E_0^{-1}$) and $q_1$ (respectively $q_2$) be the probability of a truncated differential $\gamma \to \delta$ for $E_1$ (respectively $\delta \to \gamma$ for $E_1^{-1}$), where $\alpha, \beta, \gamma$ and $\delta$ are all non-empty difference sets. Then $E_0(P_1) \oplus E_0(P_2) = \beta_1 \in \beta$ with probability $p_1$, $E_1^{-1}(C_1) \oplus E_1^{-1}(C_3) = \gamma_1 \in \gamma$ with probability $q_2$ and $E_1^{-1}(C_2) \oplus E_1^{-1}(C_4) = \gamma_2 \in \gamma$ with probability $q_2$, and the boomerang property occurs in the middle of the cipher E:
$$E_0(P_3) \oplus E_0(P_4) = E_0(P_1) \oplus E_0(P_2) \oplus E_0(P_1) \oplus E_0(P_3) \oplus E_0(P_2) \oplus E_0(P_4)$$
$$= (E_0(P_1) \oplus E_0(P_2)) \oplus (E_1^{-1}(C_1) \oplus E_1^{-1}(C_3)) \oplus (E_1^{-1}(C_2) \oplus E_1^{-1}(C_4)) = \beta_1 \oplus \gamma_1 \oplus \gamma_2 = \beta_2 \in \beta,$$
only if $\gamma_1 \oplus \gamma_2 = 0$ [truncated restriction] occurs, with some probability $\rho$, in the words corresponding to the zero word differences of $\beta$. Note that although the truncated differences $\beta_1, \beta_2$ (or $\gamma_1, \gamma_2$) are equal in the zero word differences, they may have different values in the non-zero arbitrary words. We call this the truncated boomerang distinguisher. Thus, the resultant probability of the boomerang distinguisher becomes $p_1 \cdot p_2 \cdot (q_2)^2 \times \rho$, where $\rho = 2^{-(m_\beta - m_\gamma) \times w}$, $m_\beta$ is the number of w-bit zero word differences in $\beta$ and $m_\gamma$ is the number of w-bit zero word differences in $\gamma$ which are in the positions of the zero word differences in $\beta$. The extra $\rho$ factor is the effect of using truncated differentials instead of conventional non-truncated ones. See [11] for another example of how boomerang distinguishers of AES are constructed using only truncated differentials.
We now discuss how this applies to the amplified boomerang case. Although previous amplified boomerang attacks [19], rectangle attacks [5,6] and related-key rectangle attacks [20,15,7,8] have only used non-truncated differentials through the first half $E_0$ of the cipher, the same special truncated consideration applies when truncated differentials are used, and the result would thus be called the truncated amplified boomerang distinguisher (initiated in our earlier work [30] and subsequently in [21]). As far as we know, using only truncated differentials to construct amplified boomerang distinguishers (and equally rectangled boomerang distinguishers) has not been considered before by other researchers. Here, the resultant probability of the truncated amplified boomerang distinguisher is $\sigma \times (p_1 q_1)^2 \times \rho$, where $\sigma = 2^{-m_\gamma \times w} < 2^{-n}$, $\rho = 2^{-(m_\gamma - m_\beta) \times w}$, $m_\gamma$ is the number of w-bit zero word differences in $\gamma$ and $m_\beta$ is the number of w-bit zero word differences in $\beta$ which are in the positions of the zero word differences in $\gamma$. See [21] for rectangle attacks using only truncated differentials through both halves of the cipher.
Related-Key Variants. The related-key boomerang attack was considered in [7], while the related-key rectangle (amplified boomerang) attack, first considered in [20] with 2 related keys, was later extended in [15,8] to work with 4 related keys and in [7] with 256 related keys. The basic idea in [20] is to use either a conventional non-related-key differential or a related-key differential to cover $E_0$, and both non-related-key and related-key differentials to cover $E_1$. [15] used only related-key differentials to cover both $E_0$ and $E_1$. Meanwhile, [7] similarly used only related-key differentials to cover both $E_0$ and $E_1$, but they used structures of more related keys than [15], resulting in a higher probability of generating the required related-key rectangles. Refer to [20,15,7,8] for illustrative descriptions of these.
4 Cryptanalysis to Suit Underlying Structure
Table 2 compares cryptanalysis results on Skipjack variants to date, to act as a reference for a better view of our discussion in this section. Clearly, cryptanalysis based on impossible differentials fares best (in terms of covering the most rounds) against Skipjack. We view that this is due to the following reasons:
• Diffusion direction and diffusion rate: A rounds have better diffusion in the forward direction than backward, and conversely for B rounds. Thus, if the $E_0$ of the miss-in-the-middle technique mainly covers B rounds (resp. the $E_1^{-1}$ mainly covers A rounds in reverse), then differentials propagate with less resistance (hence higher probability). Indeed, the 24-round impossible differential used to attack Skipjack in [3] is composed of two 12-round truncated differentials, covering $E_0 = 4r_A \| 8r_B$ and $E_1^{-1} = 4r_B^{-1} \| 8r_A^{-1}$ respectively. Note that the differentials are essentially flowing in the direction of less diffusion resistance: 4 rounds of any type, even $4r_A$, are weakly diffusing, since at each round only a quarter of all words is diffused and so it takes 4 such rounds to diffuse across all words; and $8r_B$ as well as $8r_A^{-1}$ have less diffusion than $8r_A$ and $8r_B^{-1}$.
• Symmetry: Skipjack is highly symmetrical in structure, e.g. a B round is basically almost an inverse of an A round barring some interleaving function. See [25] for some discussion. Therefore, for any differential in the forward direction through e.g. $4r_A \| 8r_B$ it is not difficult to obtain a dual in the backward direction, e.g. through $4r_B^{-1} \| 8r_A^{-1}$. This phenomenon works especially well for applying the miss-in-the-middle composition technique on Skipjack, and so an r-round differential translates to a 2r-round composed differential distinguisher.
• Word orientation: the word-oriented nature of Skipjack allows the use of truncated differentials rather than conventional ones. Truncated differentials are more general and they can often propagate through an underlying building block, e.g. a nonlinear S-box, without having their probability affected (bypassing it for free). For instance, due to the bijectivity of G, a non-zero (resp. zero) word difference propagates through G to a non-zero (resp. zero) word difference at the output with probability 1. In contrast, conventional (non-truncated) differentials require keeping track of the probabilities with which specific differences input to underlying building blocks, e.g. S-boxes, lead to specific differences at the output.
Due to the first point (diffusion), it seems that an inside-out distinguisher would fare worse for Skipjack than an impossible differential distinguisher against the rounds covering e.g. $E_0 = 4r_A \| 8r_B$ and $E_1 = 8r_A \| 4r_B$, since the former distinguisher would be composed of differentials going through $E_0^{-1} = 8r_B^{-1} \| 4r_A^{-1}$ and $E_1 = 8r_A \| 4r_B$, which provide more diffusion resistance than the $E_0$ and $E_1^{-1}$ directions that the latter distinguisher would use. Nevertheless, if we consider the rounds covering e.g. $E_0 = 8r_B \| 4r_A$ and $E_1 = 4r_A \| 8r_B$, then an inside-out distinguisher would apply differentials in the $E_0^{-1} = 4r_A^{-1} \| 8r_B^{-1}$ and $E_1 = 4r_A \| 8r_B$ directions, of which $E_0^{-1} = 4r_A^{-1} \| 8r_B^{-1}$ will have more diffusion resistance. Similarly, if the rounds cover e.g. $E_0 = 8r_A \| 4r_B$ and $E_1 = 4r_B \| 8r_A$, then an inside-out distinguisher would apply differentials in the $E_0^{-1} = 4r_B^{-1} \| 8r_A^{-1}$ and $E_1 = 4r_B \| 8r_A$ directions, of which $E_1 = 4r_B \| 8r_A$ will have more diffusion resistance. Due to the first point (diffusion) and the second point (symmetry), boomerang-style distinguishers are less effective than impossible differential distinguishers, because the former use differentials either through $E_0, E_0^{-1}, E_1^{-1}$ (for a conventional boomerang) or through $E_0, E_1$ (for an amplified boomerang). For the conventional boomerang, one of the $E_0$ and $E_0^{-1}$ directions offers more diffusion resistance and hence lowers the overall distinguisher probability; for the amplified boomerang, one of $E_0$ and $E_1$ would offer more diffusion resistance, since Skipjack is composed of alternating round-type sequences of symmetric nature, i.e. if $E_0$ has less diffusion then $E_1$ would have more, and vice versa.
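The diffusion-direction argument above can be made concrete with a word-level truncated-difference tracer; this is an added illustration, not from the paper, which assumes the A/B rule equations from the public specification [29] and abstracts each word difference to zero, known non-zero, or arbitrary. The constructed yardstick "rounds until every word is arbitrary" compares A and B, forward and backward, from a single-word starting difference.

```python
"""Word-level truncated-difference propagation through Skipjack's A and B
rules, forward and backward (Sect. 4 diffusion argument).

Added illustration, not from the paper.  Each 16-bit word difference is
abstracted to '0' (zero), 'N' (known non-zero) or '?' (arbitrary).  G is a
bijection, so it maps '0' to '0' and 'N' to 'N'; the round counter is a
constant and contributes no difference; the XOR of two non-zero differences
may cancel, so it is conservatively '?'.  The A/B rule equations are assumed
from the public specification.  "Rounds until every word is arbitrary" is a
constructed yardstick for how fast structure is lost in each direction, not
a differential probability."""

ZERO, N, ANY = "0", "N", "?"


def xor(a: str, b: str) -> str:
    """Truncated XOR: a zero difference is transparent, anything else may cancel."""
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return ANY


def g(d: str) -> str:
    """G is bijective, so the zero/non-zero/arbitrary status is preserved."""
    return d


def rule_a(d):
    d1, d2, d3, d4 = d          # w1' = G(w1)^w4^ctr, w2' = G(w1), w3' = w2, w4' = w3
    return (xor(g(d1), d4), g(d1), d2, d3)


def rule_b(d):
    d1, d2, d3, d4 = d          # w1' = w4, w2' = G(w1), w3' = w1^w2^ctr, w4' = w3
    return (d4, g(d1), xor(d1, d2), d3)


def rule_a_inv(d):
    d1, d2, d3, d4 = d          # w1 = G^-1(w2'), w2 = w3', w3 = w4', w4 = w1'^w2'^ctr
    return (g(d2), d3, d4, xor(d1, d2))


def rule_b_inv(d):
    d1, d2, d3, d4 = d          # w1 = G^-1(w2'), w2 = w3'^w1^ctr, w3 = w4', w4 = w1'
    x1 = g(d2)
    return (x1, xor(d3, x1), d4, d1)


RULES = {"A": rule_a, "A^-1": rule_a_inv, "B": rule_b, "B^-1": rule_b_inv}


def propagate(rule, start, rounds):
    """Trace of the truncated difference, one entry per round (entry 0 = start)."""
    trace = [tuple(start)]
    for _ in range(rounds):
        trace.append(rule(trace[-1]))
    return trace


def rounds_until_arbitrary(rule, start, limit=64):
    """Smallest r such that all four words are '?' after r rounds, or None."""
    d = tuple(start)
    for r in range(1, limit + 1):
        d = rule(d)
        if all(x == ANY for x in d):
            return r
    return None


def diffusion_table(start=(N, ZERO, ZERO, ZERO)):
    return {name: rounds_until_arbitrary(rule, start) for name, rule in RULES.items()}


def compose(*segments):
    """Rule for a round sequence such as 4 x A then 8 x B, given (rule, count) pairs."""
    def run(d):
        for rule, count in segments:
            for _ in range(count):
                d = rule(d)
        return d
    return run


if __name__ == "__main__":
    start = (N, ZERO, ZERO, ZERO)   # constructed: one non-zero word, rest zero
    for name, rule in RULES.items():
        print(f"{name:5s}", " ".join("".join(d) for d in propagate(rule, start, 8)))
    print("rounds until all words arbitrary:", diffusion_table(start))
    print("4r_A || 8r_B from", "".join(start), "->",
          "".join(compose((rule_a, 4), (rule_b, 8))(start)))
```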
Table 2. Comparing Cryptanalyses of Skipjack Variants
Due to the third point (word orientation), distinguishers based on truncated differentials can cover more rounds than those based on conventional non-truncated differentials. Due to the second point (symmetry), distinguishers based on composing differentials, i.e. via miss-in-the-middle, inside-out or boomerang-style techniques, would typically cover more rounds than non-composing distinguishers such as those based on Square or saturation attacks. The latter kind are difficult to compose since by construction they involve more texts, which would complicate the composition at the middle meeting point between two underlying differentials. Table 2 also shows that for Skipjack, related-key attacks are worse than non-related-key ones (e.g., in Differential vs RK-Differential, Rectangle vs RK-Rectangle, Impossible Differential vs RK-MisM and Square vs RK-Square). See our recent work [21] for more discussion. Thus, it counter-intuitively appears that the structure of Skipjack is more resistant to related-key distinguishers than it is to non-related-key ones. Recall that the related-key attack model requires the stronger assumption that an attacker has access to encryption/decryption oracles under the control of two or more unknown keys that are related in some way, thus one would expect it to perform better than non-related-key attacks. This appears to be due to the following:
• The high-level structure admits good truncated differentials (used to build the infamous 24-round impossible differential of Skipjack [3]), e.g., the bijectiveness of G allows a zero (respectively non-zero) difference to pass through unchanged (a zero difference remains a zero difference, while a non-zero difference remains non-zero), and zero differences do not affect other differences when combined via XOR.
• The structure complicates the propagation of related-key differentials, e.g., the related-key differentials that we use exploit the invariance of a non-zero difference past G by depending on the round keys to G having that same difference, thus cancelling each other out. However, the invariant non-zero difference would affect other differences via XOR and thus this limits how far it can propagate unaffected. Also, a zero difference in a related-key differential goes to an arbitrary difference when going past G.
5 Concluding Remarks
The strength of the Skipjack structure appears to be derived from the round counters (which complicate key-schedule attacks) and the use of different round types (A, B) that further induces some form of asymmetry, although the duality and symmetry between the two round types, the weaker diffusion resistance of B rounds, and the asymmetry in diffusion resistance (i.e. A in reverse is weaker than A in the forward direction) lead to the issues raised in Section 4, making Skipjack more susceptible to cryptanalysis techniques whose underlying differentials flow in the direction of less diffusion resistance (for the case of Skipjack, this technique would be the miss-in-the-middle one). From similar arguments, this seems to be the reason why (short of the discovery of novel cryptanalytic techniques) it is infeasible to advance the best known cryptanalytic result on Skipjack using existing techniques other than impossible differentials.
References
1. Biham, E.: New Types of Cryptanalytic Attacks Using Related Keys. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 398–409. Springer, Heidelberg (1994)
2. Biham, E., Biryukov, A., Dunkelman, O., Richardson, E., Shamir, A.: Initial Observations on Skipjack - Cryptanalysis of Skipjack-3XOR. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 362–370. Springer, Heidelberg (1999)
3. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack Reduced to 31 Rounds using Impossible Differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)
4. Biham, E., Biryukov, A., Shamir, A.: Miss in the Middle Attacks on IDEA, Khufu and Khafre. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 124–138. Springer, Heidelberg (1999)
5. Biham, E., Dunkelman, O., Keller, N.: The Rectangle Attack - Rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001)
6. Biham, E., Dunkelman, O., Keller, N.: New Results on Boomerang and Rectangle Attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 1–16. Springer, Heidelberg (2002)
7. Biham, E., Dunkelman, O., Keller, N.: Related-Key Boomerang and Rectangle Attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005)
8. Biham, E., Dunkelman, O., Keller, N.: A Related-Key Rectangle Attack on the Full KASUMI. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 443–461. Springer, Heidelberg (2005)
9. Biham, E., Dunkelman, O., Keller, N.: Related-Key Impossible Differential Attacks on 8-Round AES-192. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 21–33. Springer, Heidelberg (2006)
10. Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology 4(1), 3–72 (1991)
11. Biryukov, A.: The Boomerang Attack on 5 and 6-round Reduced AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 1–5. Springer, Heidelberg (2005)
12. Brickell, E.F., Denning, D.E., Kent, S.T., Maher, D.P., Tuchman, W.: SKIPJACK Review: The SKIPJACK Algorithm, Interim Report, July 28 (1993)
13. Diffie, W., Landau, S.: Privacy on the Line. MIT Press, Cambridge (1998)
14. Granboulan, L.: Flaws in the Differential Cryptanalysis of Skipjack. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 328–335. Springer, Heidelberg (2002)
15. Hong, S., Kim, J., Kim, G., Lee, S., Preneel, B.: Related-key Rectangle Attacks on Reduced Versions of SHACAL-1 and AES-192. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 368–383. Springer, Heidelberg (2005)
16. Hui, L.C.K., Wang, X.Y., Chow, K.P., Tsang, W.W., Chong, C.F., Chan, H.W.: The Differential Analysis of Reduced Skipjack Variants. In: Chinacrypt 2002 (2002)
17. Hwang, K., Lee, W., Lee, S., Lim, J.: Saturation Attacks on Reduced Round Skipjack. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 100–111. Springer, Heidelberg (2002)
18. Jakimoski, G., Desmedt, Y.: Related-key Differential Cryptanalysis of 192-bit Key AES Variants. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 208–221. Springer, Heidelberg (2004)
19. Kelsey, J., Kohno, T., Schneier, B.: Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 75–93. Springer, Heidelberg (2001)
20. Kim, J., Kim, G., Hong, S., Lee, S., Hong, D.: The Related-key Rectangle Attacks - Application to SHACAL-1. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 123–136. Springer, Heidelberg (2004)
21. Kim, J., Phan, R.C.-W.: Advanced Differential-Style Cryptanalysis of the NSA’s Skipjack Block Cipher. Cryptologia (in press)
22. Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
23. Knudsen, L.R.: DEAL - a 128-bit Block Cipher. Technical Report 151, Department of Informatics, University of Bergen, Norway, Submitted as an AES candidate (February 1998)
24. Knudsen, L.R., Robshaw, M.J.B., Wagner, D.: Truncated Differentials and Skipjack. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 163–180. Springer, Heidelberg (1999)
25. Knudsen, L.R., Wagner, D.: On the Structure of Skipjack. Discrete Applied Mathematics 111, 103–116 (2001)
26. Lucks, S., Weis, R.: A Related-key Attack against 14 Rounds of Skipjack. Technical Report, Universitat Mannheim (1999)
27. Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
28. Nakahara Jr., J., Preneel, B., Vandewalle, J.: Square Attacks on Reduced-Round Variants of the Skipjack Block Cipher. IACR ePrint Archive, 2002/003 (2002)
29. National Institute of Standards and Technology (NIST): Skipjack and KEA Algorithm Specifications. Version 2 (1998)
30. Phan, R.C.-W.: Cryptanalysis of the Advanced Encryption Standard (AES) & Skipjack. M. Eng. Sc. Thesis, Multimedia University (May 2001)
31. Phan, R.C.-W.: Related-key Impossible Differential Cryptanalysis of Skipjack (2002) (unpublished manuscript) (submitted)
32. Phan, R.C.-W.: Cryptanalysis of the Full Skipjack Block Cipher. Electronics Letters 38(2), 69–71 (2002)
33. Reichardt, B., Wagner, D.: Markov Truncated Differential Cryptanalysis of Skipjack. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 110–128. Springer, Heidelberg (2003)
34. Schneier, B., Banisar, D.: The Electronic Privacy Papers. John Wiley & Sons, Chichester (1997)
35. Wagner, D.: The Boomerang Attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999)
MinuCode: A Fixed-Value Representation of Fingerprint Minutiae for Biometric Cryptosystem
Jinyang Shi and Kwok-Yan Lam
Key Laboratory for Information System Security, Ministry of Education
Tsinghua National Laboratory for Information Science and Technology
Tsinghua University, Beijing 100084, P.R. China
{shijinyang,kwokyan.lam}@gmail.com
Abstract. This paper proposes a new fingerprint verification algorithm, MinuCode, which represents minutiae information in fixed values that can tolerate distortions during different fingerprint image scanning processes. The fixed-value representations of minutiae make MinuCode a most suitable candidate to serve as a basis for fingerprint biometric cryptographic systems. To deal with the fingerprint translation, rotation and non-linear distortion, MinuCode first utilizes a minutiae-centered encoding mechanism which eliminates the need for reference core point determination, and quantizes the location relationship between each pair of minutiae to a fixed value. Furthermore, missing or additional spurious minutiae are handled with a threshold-based matching algorithm. Experimental results on the public domain database showed the MinuCode scheme can achieve recognition accuracy similar to the basic method of traditional fingerprint recognition. Thus, together with the fixed-value representations of minutiae, MinuCode is a most suitable and practical fingerprint matching scheme for supporting fingerprint-based biometric cryptosystems.

Keywords: Biometrics, Fingerprint verification, Feature extraction, Minutiae, Biometric Cryptography.
1 Introduction
In this paper, a new fingerprint matching algorithm, namely MinuCode, is proposed. The new scheme represents fingerprint biometrics as unordered sets with fixed-value elements, and performs fingerprint matching by identifying the common fixed-value elements between the enrolled set and the query set. The fixed-value representations of minutiae make MinuCode a most suitable candidate to serve as a basis for fingerprint biometric cryptographic systems. The MinuCode scheme extracts fingerprint features using a minutiae-centered quantization encoding mechanism, which is able to deal with the translation, rotation and non-linear distortion introduced during fingerprint image scanning. MinuCode constructs a minutiae-centered region around each minutia in a fingerprint, and the location relationship between each pair of minutiae is quantized to a fixed-value element. In addition, the replacement noise of missing and additional minutiae is handled by a threshold-based matching algorithm. Hence the proposed quantization approach eliminates the need for unreliable reference core point determination and achieves practical recognition performance. Since minutiae are widely accepted to be the most discriminating and reliable feature of a fingerprint [1], and current minutiae templates can be transformed to this new fixed-value representation directly, the MinuCode scheme is compatible with the popular existing fingerprint minutiae databases. Moreover, since conventional cryptographic schemes can be combined with a fixed-value biometric representation directly and effectively, many hashing constructions [2] for fingerprint template security, as well as cryptographic constructions for fingerprint-based key protection, become practical. Therefore, MinuCode is believed to be a promising approach that can broaden fingerprint-based biometric cryptographic security applications. The rest of the paper is organized as follows: a new quantization-based fingerprint representation approach along with a threshold-based matching algorithm is described in Section 2. Experimental results on the MinuCode scheme using the public domain database FVC2002-DB2A are presented in Section 3. Section 4 concludes the paper.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 382–391, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 A New Quantization-Based Fingerprint Representation and Matching Approach
One of the most challenging issues in biometric cryptography is the need to deal with the uncertainties inherent in fingerprint images. Many previous quantization-based works are based on reference core points of a fingerprint [3]; however, it is difficult to determine the reference core points reliably, and errors in the location and orientation of the reference core points can lead to false rejects [1]. Our new algorithm avoids the problem of core point determination and provides a practical fixed-value representation.

2.1 Notations
a) Minutiae: the local ridge characteristics in a fingerprint, including ridge endings and ridge bifurcations.
b) Local Region: the proposed algorithm constructs a minutia-centered circular region around each minutia, so as to avoid the translation error of the reference core-point based works. Suppose there are N minutiae in a whole fingerprint; we first obtain N minutia-centered regions, each of which is called a local region R.
c) Core Minutia: in each local region R, the center minutia is called the core minutia, as illustrated in Figure 1.
d) Neighbor Minutiae: in each local region R, the other minutiae are called the neighbor minutiae.
e) MinuWord: in one local region R, each neighbor minutia can be converted into a 3-tuple in the polar coordinate system with respect to the corresponding core minutia, so as to overcome the rotation distortion. Then a tessellation-based quantization is performed to cope with the non-linear distortion, and each neighbor minutia is thus represented as a positive integer. Every such positive integer is called a MinuWord.
f) MinuCode: for each local region, the location relationship between the neighbor minutiae and the core minutia is represented by an unordered set of MinuWords. This set is defined as a MinuCode.
g) MinuMap: suppose there are N minutiae in a fingerprint; the fingerprint can then be represented by a MinuMap, which is a collection of N local unordered sets.

Fig. 1. Illustration of tessellation quantization of minutia-centered regions

2.2 Minutia-Centered Feature Extraction Using Quantization
Minutiae can be represented by a number of attributes such as the location, orientation and other local information. We use both the location and orientation attributes of a minutia, and these attributes are represented as a 3-tuple (x, y, Θ), where x and y indicate the coordinates of the minutia in the image, and Θ denotes its orientation with respect to the horizontal axis, Θ ∈ [1, 360]. The proposed scheme is an extension of our preliminary work previously reported in [4]. Details of the algorithm are described as follows.

Firstly, we construct a circular region around each minutia with the same radius.

Secondly, each neighbor minutia is converted into the polar coordinate system with respect to the corresponding core minutia, and is represented as a new 3-tuple (ρ, α, β), where ρ and α indicate the radial distance and angle respectively, and β represents the orientation of the neighbor minutia with respect to the core minutia, α, β ∈ [1, 360]. An illustration is given in Figure 2.

Fig. 2. Illustration of minutia-centered region encoding

Thirdly, we carry out a tessellation quantization on each of the neighbor minutiae by tessellating the region of interest centered at the core minutia, so that each neighbor minutia is represented as a positive integer. In detail, the 3-tuple (ρ, α, β) in the polar coordinate system is quantized into a new 3-tuple (ρ', α', β'):

$$\rho' = \rho / \mathit{db}, \qquad \alpha' = \alpha / \mathit{da}, \qquad \beta' = \beta / \mathit{do} \qquad (1)$$

In Equation 1, the parameter db indicates the band width of the region tessellation, da is the distortion-tolerable difference of the radial angle, do is the distortion-tolerable difference of the orientation of the neighbor minutia with respect to the core minutia, and / is the operator that calculates the integer quotient. Figure 1 also shows an example of tessellation quantization in a fingerprint. Then we derive a concatenated value w = F(ρ', α', β'), which is called a MinuWord and represents the neighbor minutia with respect to the core minutia in that region. The function F() is given as follows:

$$w = F(\rho', \alpha', \beta') = \rho' \times (360 / \mathit{da}) \times (360 / \mathit{do}) + \alpha' \times (360 / \mathit{do}) + \beta'. \qquad (2)$$

Suppose there are m neighbor minutiae in a region R; R can then be represented as a set of m MinuWords via Eq. 2, and the set is called a MinuCode:

$$\mathit{MinuCode}: \; M = \{w_1, w_2, \ldots, w_m\}. \qquad (3)$$

Finally, suppose there are N minutiae in a whole fingerprint; the stored fingerprint template is then a MinuMap: a collection of N MinuCodes {M_1, M_2, ..., M_N}.

2.3 Fast Fingerprint Matching Using Threshold-Based Algorithms
Firstly, suppose there are N_E minutiae in the enrolled fingerprint. If the radius of the minutia-centered region is larger than both the width and the height of the fingerprint image, then all the other N_E − 1 minutiae become neighbors within the region of each core minutia. Therefore, in this algorithm, the MinuMap for the whole enrolled fingerprint contains N_E MinuCodes, and each MinuCode is a set of m = N_E − 1 MinuWords. Similarly, suppose there are N_Q minutiae in the query fingerprint; the MinuMap for the whole query fingerprint contains N_Q MinuCodes, and each MinuCode is a set of n = N_Q − 1 MinuWords.

Secondly, given a MinuCode M_E from the enrolled fingerprint and another MinuCode M_Q from the query fingerprint, if there are at least t common MinuWord elements between the two MinuCode sets:

$$|M_E \cap M_Q| \geq t \qquad (4)$$

then M_E and M_Q are regarded as t-close.

Finally, a threshold-based mechanism is used to handle the replacement errors that come with the removal and addition of some minutiae, and a positive integer parameter t is adopted as the threshold for fingerprint matching: two fingerprint MinuMaps are considered as matched if there exists at least one pair of t-close MinuCodes. A simple example of the fingerprint matching process is given in Algorithm 1.

Algorithm 1. An Example for Fingerprint Matching Process with MinuCode
vMatchingScore ⇐ 0
for i = 0 to N_E − 1 do
  for j = 0 to N_Q − 1 do
    vMatchedNum ⇐ 0
    for wi = 0 to N_E − 2 do
      for wj = 0 to N_Q − 2 do
        if MinuCodeE[i][wi] = MinuCodeQ[j][wj] then
          vMatchedNum ⇐ vMatchedNum + 1
          break current loop
        end if
      end for
    end for
    if vMatchingScore < vMatchedNum then
      vMatchingScore ⇐ vMatchedNum
    end if
  end for
end for
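As an added illustration (not code from the paper), the following Python implements the encoding of Section 2.2 and the matching of Section 2.3 end to end: each neighbor minutia is expressed relative to its core minutia, quantized by Eq. 1, concatenated into a MinuWord by Eq. 2, collected into a MinuCode per region (Eq. 3) and a MinuMap per fingerprint, and two MinuMaps are scored as in Algorithm 1 and compared against the threshold t of Eq. 4. Two details are assumptions rather than the paper's statements: the radial angle α is measured from the core minutia's own orientation (which is what makes the tuple invariant under a rotation of the whole print), and da = do = 20 are used instead of Table 1's 16 so that 360/da and 360/do in Eq. 2 are integers. The minutiae are constructed; the query is the enrolled set rotated and translated, with one minutia dropped and one spurious minutia added, so the run exhibits the replacement noise that the threshold is meant to absorb.

```python
"""MinuCode encoding (Secs. 2.2, 2.3) as an added, stand-alone illustration.

Not code from the paper; assumptions are marked in the comments.
"""
import math
from typing import List, Optional, Set, Tuple

# Quantization parameters of Eq. 1. Table 1 of the paper uses db = 10 and
# da = do = 16; da = do = 20 is a constructed choice here so that 360/da and
# 360/do in Eq. 2 are integers and every MinuWord is an integer.
DB, DA, DO = 10, 20, 20

# A minutia is (x, y, theta): image coordinates and orientation in degrees.
Minutia = Tuple[float, float, float]


def polar_tuple(core: Minutia, nb: Minutia) -> Tuple[float, float, float]:
    """Neighbour minutia nb relative to the core minutia: (rho, alpha, beta).

    rho   radial distance from the core minutia
    alpha angle of nb around the core, measured from the core minutia's own
          orientation (assumption: this convention makes the tuple invariant
          under rotating the whole fingerprint)
    beta  orientation of nb relative to the core orientation
    Angles are folded into [0, 360) instead of the paper's [1, 360].
    """
    dx, dy = nb[0] - core[0], nb[1] - core[1]
    rho = math.hypot(dx, dy)
    alpha = (math.degrees(math.atan2(dy, dx)) - core[2]) % 360.0
    beta = (nb[2] - core[2]) % 360.0
    return rho, alpha, beta


def minuword(rho: float, alpha: float, beta: float,
             db: int = DB, da: int = DA, do: int = DO) -> int:
    """Eq. 1 (integer-quotient quantization) followed by Eq. 2 (concatenation)."""
    rq, aq, bq = int(rho // db), int(alpha // da), int(beta // do)
    n_a, n_o = 360 // da, 360 // do        # angle cells and orientation cells
    return rq * n_a * n_o + aq * n_o + bq


def minucode(core: Minutia, neighbours: List[Minutia],
             radius: Optional[float] = None) -> Set[int]:
    """Eq. 3: the unordered set of MinuWords of the region centred at core.

    radius=None is the Sec. 2.3 setting (the region covers the whole image, so
    every other minutia is a neighbour); a finite radius is the Sec. 3.4 variant.
    """
    words: Set[int] = set()
    for nb in neighbours:
        rho, alpha, beta = polar_tuple(core, nb)
        if radius is None or rho <= radius:
            words.add(minuword(rho, alpha, beta))
    return words


def minumap(minutiae: List[Minutia],
            radius: Optional[float] = None) -> List[Set[int]]:
    """One MinuCode per minutia: the stored fingerprint template."""
    return [minucode(m, minutiae[:i] + minutiae[i + 1:], radius)
            for i, m in enumerate(minutiae)]


def matching_score(map_e: List[Set[int]], map_q: List[Set[int]]) -> int:
    """Algorithm 1: the largest |M_E ∩ M_Q| over all pairs of MinuCodes."""
    return max((len(me & mq) for me in map_e for mq in map_q), default=0)


def is_match(map_e: List[Set[int]], map_q: List[Set[int]], t: int) -> bool:
    """Eq. 4 applied as in Sec. 2.3: matched iff some pair of MinuCodes is t-close."""
    return matching_score(map_e, map_q) >= t


# Constructed sample data (not from the paper's database).
# Enrolled impression: four minutiae.
ENROLLED: List[Minutia] = [(100, 100, 0), (140, 110, 95),
                           (112, 150, 190), (60, 122, 275)]


def _rotate90_translate(m: Minutia, tx: float, ty: float) -> Minutia:
    """Exact rigid transform of one minutia: rotate 90 degrees, then translate."""
    x, y, theta = m
    return (-y + tx, x + ty, (theta + 90) % 360)


# Query impression: the same finger rotated and translated, with the fourth
# minutia missing and one spurious minutia added (replacement noise, Sec. 1).
QUERY: List[Minutia] = [_rotate90_translate(m, 300, 20) for m in ENROLLED[:3]]
QUERY.append((201, 50, 33))   # spurious minutia


def demo(t: int = 2) -> Tuple[int, bool]:
    """Score the constructed query against the enrolled template at threshold t."""
    score = matching_score(minumap(ENROLLED), minumap(QUERY))
    return score, score >= t


if __name__ == "__main__":
    print("MinuMap (enrolled):", minumap(ENROLLED))
    print("score, matched at t=2:", demo(2))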
3 Experimental Performance of MinuCode

3.1 Experiment Set-Up
The proposed MinuCode algorithms have been implemented and evaluated on the public domain FVC2002-DB2A fingerprint database [6], which contains 100 fingers with 8 impressions per finger. The images were captured using an optical sensor, Biometrika FX2000, with a size of 560 × 290 at 590 dpi resolution. The implementation parameters are listed in Table 1.

Table 1. Example parameters used for the MinuCode implementation
Parameter   Indication                  Choice
t           Threshold                   7-13
db          Width of bands              10
bn          Number of the bands         560/db
da          Tolerance of angle          16
do          Tolerance of orientation    16

Since MinuCode is designed to provide the basic fingerprint feature representation for a biometric-based security system, it is reasonable to assume that users are co-operative and willing to provide good quality biometric data. We consider the same scenario as [2], i.e. the first impression of each finger is used as the enrolled template and the second impression is used as the query. Therefore, the number of genuine attempts is 100, and the number of impostor attempts is

$$\frac{100!}{2!\,(100-2)!} \times 2 = 100 \times 99 = 9900.$$

3.2 Basic Experimental Measurements
Figure 3 (left) gives the basic experimental results. The response of the MinuCode-based fingerprint identification system is the matching score, and the system decision is regulated by the threshold parameter t: pairs of fingerprint samples generating scores higher than or equal to t are regarded as belonging to the same finger; otherwise they are inferred to belong to different fingers. The distribution of matching scores generated from pairs of samples from the same finger is called the Genuine Score Distribution, and that from different fingers is called the Impostor Score Distribution. Figure 3 (left) shows a clear separation of the genuine and impostor score distributions, which leads to a high successful identification rate and a low error rate. Furthermore, the criteria used for evaluating the identification performance are usually the False Acceptance Rate (FAR) and the False Reject Rate (FRR), where the FAR is defined as the false accept percentage of impostor attempts and the FRR is the false reject percentage of genuine attempts [5]. Therefore, the decidability of the system accuracy is determined by how much overlap there is between the FAR and FRR distributions, and thus by the average value of the two error rates, which is referred to as the equal error rate (EER, EER = FAR = FRR). Figure 3 (right) gives the experimental results on the FAR and FRR distributions. We find that the FAR and FRR distributions for MinuCode have little overlap and lead to a low equal error rate (EER) of 0.71%. Such results prove that the proposed MinuCode algorithm is an efficient and feasible approach for fingerprint identification.

Fig. 3. Experimental results of MinuCode on FVC2002-DB2A [6]. (Left) The distributions of genuine and impostor attempts (percentage of scores vs. matching score). (Right) FAR and FRR vs. matching score, with an EER of 0.71%.

3.3 Comparison with Basic Method of Traditional Matching
To further investigate the practical identification performance of the fixed-value representation, we also implemented a traditional minutiae-based fingerprint recognition system as a basic method, using the original representation (x, y, Θ) and a matching algorithm based on exhaustive search [5], and then compared the FAR and FRR of the basic method to those of MinuCode.

Selecting Quantization Parameters. Considering the impact of the quantization parameters db, da and do, where db is the width of the bands in the region tessellation and da and do are the distortion-tolerable differences of the angles, Figure 4 shows their impact on the performance. It shows that MinuCode and the basic method always have similar FAR and FRR when the matching threshold t is within the practical bound of [7,13]. FRR becomes worse when the quantization parameters are smaller. The reason may be that quantization errors happen when some minutiae are located around a quantization boundary, and such errors increase when the quantization parameters become smaller.

Multiple Queries. In order to reduce the FRR of MinuCode, it is reasonable to assume that users in a biometric security system are co-operative [2] when requested to perform multiple queries in order to retrieve cryptographic keys or to complete authentication. So we investigate the scenario in which the first impression of each finger is used as the enrolled template, and the second, seventh and eighth impressions are used as the multiple query fingerprints. Figure 5 presents the experimental results in the multiple queries scenario. It shows that the FRR of MinuCode is reduced, and that MinuCode achieves FAR and FRR similar to the basic method when t is in the wider range of [1,20].

Fig. 4. Effect of quantization parameters on FAR and FRR: FAR and FRR distributions for MinuCode and the basic method vs. matching score, for (db=10, da=do=14) and (db=10, da=do=16). Reported EERs: MinuCode 2.09% and 2.21%, basic method 1.92% and 1.10%.

Fig. 5. Multiple queries scenario on FVC2002-DB2A [6]: FRR of MinuCode with multiple queries vs. the basic method for different parameters, (db=10, da=do=14) and (db=10, da=do=16). Reported EERs: MinuCode 1.33% and 0.97%, basic method 1.92% and 1.10%.

3.4 Discussions on MinuCode Enhancement

Though the basic MinuCode can achieve accuracy similar to the traditional approach, the EER in Figure 4 is still about 2%. Since the proposed MinuCode scheme provides a well-designed framework that can be enhanced flexibly, this section further discusses some improvement options.

Enhancement on the Attributes of Minutiae. In the basic MinuCode scheme, only the location and orientation attributes are utilized. We may use more attributes, such as the type of minutia and the number of intervening ridges between the neighbor minutiae and the core minutia.
Enhancement on the Region Hierarchy. In the basic MinuCode scheme, the radius parameter r of the minutia-centered regions is large enough that all the other minutiae in the fingerprint become neighbors of each core minutia. In fact, we can use a smaller radius parameter r, so that the region of a core minutia does not cover all the other minutiae in the whole fingerprint. An illustration is given in Figure 1 (right). Accordingly, the enhanced matching algorithm should adopt two levels of hierarchical thresholds, t and tm. Two local regions are defined as equal if there are at least t equal neighbor minutiae; then two fingerprints are defined as matched if there are at least tm equal local regions.

Fig. 6. Experimental results of the enhanced MinuCode scheme on FVC2002-DB2A [6]. (Left) Genuine and impostor distributions vs. number of t-close regions. (Right) FAR and FRR vs. number of t-close regions, with an EER of 0.00%.
Figure 6 gives the experimental results of the enhanced scheme with the ridge count attribute and the two-level hierarchical matching algorithm (r=160, bn=16, t=6, tm=4∼10). We find that the genuine and impostor attempt distributions have no overlap and lead to an EER of zero. The reason is that the ridge attributes of minutiae help to distinguish the fingerprints, and the smaller regions bring about less distortion and better accuracy. In summary, since the proposed MinuCode approach can deal with both fingerprint minutiae distortion and unreliable core point determination, the proposed fixed-value representation scheme can achieve practical accuracy similar to the basic method of a traditional fingerprint recognition system.
4 Conclusions
The increasing need for biometric-based security applications has led to new challenges in traditional biometric feature extraction and recognition systems. In this paper, we proposed a new fingerprint feature extraction approach, MinuCode, which represents fingerprint biometrics as unordered sets with fixed-value elements. The quantization mechanism of MinuCode has the advantage of allowing conventional cryptographic mechanisms to be combined with the fixed-value fingerprint biometrics. Experimental results using the public domain database showed that MinuCode can achieve recognition accuracy similar to the basic method of a traditional minutiae-based recognition system. In co-operative user scenarios such as distributed authentication and biometric cryptographic key management, MinuCode is a practical fingerprint representation and matching scheme that can serve as a basis for biometric cryptographic systems. Our future work will investigate an adaptive quantization mechanism.
References
1. Maltoni, D., Maio, D., Jain, A.K., Prabhakar, S.: Handbook of Fingerprint Recognition. Springer, New York (2003)
2. Jain, A.K., Nandakumar, K., Nagar, A.: Biometric Template Security. EURASIP Journal on Advances in Signal Processing, Special Issue on Advanced Signal Processing and Pattern Recognition Methods for Biometrics, vol. 2008, 1–17 (2008)
3. Jain, A.K., Prabhakar, S., Hong, L., Pankanti, S.: Filterbank-based fingerprint matching. IEEE Trans. Image Processing 9(5), 846–859 (2000)
4. Shi, J.Y., You, Z.Y., Gu, M., Lam, K.Y.: Biomapping: Privacy Trustworthy Biometrics Using Noninvertible and Discriminable Constructions. In: The 19th International Conference on Pattern Recognition, WeBCT9.38, Florida, December 8-11 (2008)
5. Jain, A.K., Hong, L., Bolle, R.: On-Line Fingerprint Verification. IEEE Trans. Pattern Analysis and Machine Intelligence 19(4), 302–314 (1997)
6. Maio, D., Maltoni, D., Wayman, J.L., Jain, A.K.: FVC 2002: Second Fingerprint Verification Competition. In: Proc. International Conference on Pattern Recognition 2002, Canada, pp. 811–814 (2002)
Self-initialized Distributed Certificate Authority for Mobile Ad Hoc Network
Meng Ge (1,2) and Kwok-Yan Lam (1)
(1) Key Laboratory for Information System Security, Ministry of Education; Tsinghua National Laboratory for Information Science & Technology; School of Software, Tsinghua University, China
(2) Department of Computer Science & Technology, Tsinghua University, China
Abstract. A Mobile Ad Hoc Network (MANET) is suitable for providing communication services in situations where no infrastructure exists. Due to the unique features of MANET, most MANET applications have non-trivial security requirements. As the basis of security services, key management is essential for securing communication systems. In this paper, we address issues critical to key management in MANET. A Self-initialized Distributed Certificate Authority (SDCA) model, which combines the advantages of two existing schemes, the Distributed Certificate Authority (DCA) scheme and the Certificate Chain (CC) scheme, is proposed. In the proposed model, neither a trusted dealer nor pre-established trust relationships are required. Instead, entities in the MANET collaborate to initialize the key management service on the fly. The simulation results illustrate that the proposed model brings lower communication, storage and computational overheads for maintaining and using the key management service than other self-organized key management schemes.
1 Introduction
It is not uncommon that computer users have ad hoc needs to communicate with each other as part of their work and business operations, such as occasional work meetings and data sharing among collaborators. However, the provision of a network platform to meet these ad hoc communication needs is challenging, since there might be no fixed network infrastructure available when communication is required, or such a pervasive communication platform is too expensive to build. A Mobile Ad Hoc Network (MANET), which typically consists of mobile nodes connected by wireless links in an ad hoc manner, is suitable for meeting such requirements since it is able to function without any pre-installed communications infrastructure. In general, applications running in a MANET environment have non-trivial security requirements due to the open nature of wireless links, the physical vulnerability of mobile nodes and the lack of centralized security administration. As a basis of security services in a network environment, key management is essential to the security protection of MANET applications. However, key management schemes for conventional wired networks are not suitable for MANET, since a centralized authority cannot be ensured in a typical ad hoc network due to the issue of a single point of failure.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 392–401, 2009. © Springer-Verlag Berlin Heidelberg 2009

Existing key management schemes proposed for MANET can be categorized according to whether they depend on an online/offline trusted dealer. In some of the existing approaches, such as the Distributed Certificate Authority (DCA) based schemes [1,2,3,4,5], the key management service has to be pre-configured by a trusted dealer. In DCA schemes, the authoritative power of the CA is first distributed by the trusted dealer to several nodes called DCA members/servers based on threshold schemes. A quorum of servers collaborate to issue certificates. These schemes address the problem of a single point of failure, and achieve high availability and security. One of the major drawbacks of DCA is that servers and parameters have to be chosen and pre-configured by a trusted dealer in advance, and a sufficient number of DCA members must be present when providing the service. However, such pre-configuration is not always feasible in MANET, which is typically organized in an ad hoc manner. Furthermore, since the DCA parameters depend largely on the actual network environment, pre-configuration before the deployment of the network makes the scheme less adaptive. Certificate Chain (CC), a fully self-organized approach, was proposed to address this issue [6,7]. In CC schemes, a trusted dealer is not required. Instead, each node may create its own public key pair and issue certificates to others. The party that needs its public key certified is called a "subject", while the party that generates the certificate is an "issuer". If the issuer is convinced that the public key really belongs to the subject, it issues the certificate. For distribution of the issued certificates, a certificate exchange mechanism [6], by which the nodes periodically exchange certificates with their neighbors, is utilized.
All the nodes and certificates in the system can be modeled as a directed graph G(V, E), where the vertices represent the public keys of nodes and the edges represent the certificates. If vi is to obtain the public key Pj of vj, at least one path, i.e. the certificate chain, from Pi to Pj has to be found in the global certificate graph G. The CC schemes take advantage of the self-organizing nature of ad hoc networks in that they can be initialized spontaneously. However, they still have the following disadvantages, which might become even more severe as the scale of the network and system grows:
– The overhead problem: multiple certificates are issued and thus stored for each node. This incurs heavy communication and storage overheads, which might be unbearable for mobile devices.
– The authenticating efficiency problem: to authenticate a public key via a certificate chain, more than one certificate needs to be verified.
– The security problem: as the length of the certificate chain increases, the trustworthiness of the public key obtained through the chain might decrease; hence the system might become vulnerable to attacks.
The hybrid approach of [8] proposed to use the CC scheme in conjunction with the DCA scheme. The availability is increased since both the DCA and CC can be utilized to authenticate a public key, but it suffers from the same security and overhead problems as the CC schemes. [9] presents a complete survey of key management schemes for MANET.
All the existing key management schemes suffer from these practical constraints in real deployment. Although the CC schemes are suitable for a MANET that is small in size, as the MANET grows the drawbacks become more severe. On the other hand, DCA could be utilized to address the issue. However, pre-configuring a DCA is not always feasible, especially for networks organized in an ad hoc manner. We thus propose a Self-initialized Distributed Certificate Authority (SDCA) approach which has the advantages of the two most popular schemes, namely the CC and DCA schemes. A trusted dealer is not required in the SDCA model. Instead, it is self-initialized, i.e. the DCA is initialized and constructed collectively by the participating nodes in a MANET. In an original MANET where no key management service exists, mechanisms similar to CC schemes are used to provide the self-organized key management service. As the MANET grows and the conditions for initializing a security authority are met, the Self Initializing Protocol (SIP) is launched by a specific node. In the SIP, the fundamental parameters of the DCA, i.e. the total number of DCA members, the threshold value and the list of DCA members, are negotiated and agreed among a certain number of nodes. With these parameters, the DCA is then constructed collaboratively by the involved nodes. We believe that no existing approach initializes a DCA in MANET without requiring a trusted dealer. The rest of the paper is organized as follows. In Section 2, the basic assumptions and an overview of the proposed scheme are given. We further describe the details of the proposed model in Section 3. In Section 4, the simulation of the proposed model and the analysis of the simulation results are presented. Finally, we conclude our work in Section 5.
2 Overview

2.1 Basic Concepts and Assumptions
In this paper, we consider a typical kind of MANET, i.e. a growing MANET. In a growing MANET there are only a few nodes at the beginning. As new nodes join, the number of nodes gradually becomes larger. The growing MANET is a typical pattern when a network is forming. In our scenario, pre-established trust relationships among MANET nodes are possible but not required. For any two nodes which are unknown to each other, the trust relationship can be established based on the interactions between them. In the CC schemes, the trust relationships in terms of key management are established and certified through issuing certificates. For issuing a certificate, the issuer vi has to be convinced that the public key it certifies really belongs to the subject vj. Meanwhile, the issuer vi might be a user of the certificates issued by vj. Thus, issuing a certificate also means that the issuer trusts the subject's key management service in the CC schemes. Actually, trustworthiness is not the only factor that affects the issuing of certificates. For example, a node with richer connectivity and computational resources may have more interactions with others, and hence has more chance of being issued certificates. If some node is issued more certificates, i.e. the in-degree of the corresponding vertex is larger than that of other vertices, we assume that it is more suitable to provide the key management service. We thus define a term, suitability, equivalent to the in-degree of the vertex, to measure how appropriate each node is to be a DCA member. In our model, a trusted dealer is not required. We assume that malicious/compromised nodes might exist and that the number of compromised nodes in the MANET is less than t. The certificate graphs on any k uncompromised nodes can be combined into a new graph G', which is very close to the global certificate graph G. This assumption is reasonable because there exists a convergence time for the certificate exchange mechanism during which a newly issued certificate arrives at all nodes. Since G' is a subgraph of G, the edge set of G' is a subset of the edge set of G, i.e., E' ⊆ E.
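The certificate-graph notions used above, namely the certificate chain of Section 1 (a path in G from P_i to P_j), the suitability of Section 2.1 (in-degree of a vertex) and the merged graph G' of k nodes' local views with E' ⊆ E, as an added Python illustration that is not the paper's code. The six node names, the global graph and the three local views are constructed sample data; the paper does not say how a chain is searched for, so breadth-first search (the shortest chain, i.e. the fewest certificates to verify and the least loss of trust along the path) is an assumption made here.

```python
"""Certificate-graph helpers for the CC / SDCA setting (added illustration,
not code from the paper). Vertices are node names standing for their public
keys; an edge (issuer, subject) is a certificate that issuer signed for the
subject's public key.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str]


def adjacency(edges: Set[Edge]) -> Dict[str, List[str]]:
    """Outgoing-edge lists, sorted so that search results are deterministic."""
    adj: Dict[str, List[str]] = {}
    for issuer, subject in edges:
        adj.setdefault(issuer, []).append(subject)
        adj.setdefault(subject, [])
    for key in adj:
        adj[key].sort()
    return adj


def certificate_chain(edges: Set[Edge], src: str, dst: str) -> Optional[List[str]]:
    """Shortest certificate chain from src's key to dst's key (BFS over G).

    Returns the vertices on the chain, src first, or None when no chain exists,
    i.e. when dst's public key cannot be authenticated from src's certificates.
    """
    adj = adjacency(edges)
    if src not in adj or dst not in adj:
        return None
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            path: List[str] = []
            node: Optional[str] = u
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for v in adj[u]:
            if v not in prev:
                prev[v] = u
                queue.append(v)
    return None


def suitability(edges: Set[Edge]) -> Dict[str, int]:
    """Sec. 2.1 suitability: in-degree, the number of certificates issued to each node."""
    deg = {v: 0 for e in edges for v in e}
    for _, subject in edges:
        deg[subject] += 1
    return deg


def rank_candidates(edges: Set[Edge], n: int) -> List[str]:
    """The n most suitable nodes (highest in-degree; the name breaks ties)."""
    deg = suitability(edges)
    return sorted(deg, key=lambda v: (-deg[v], v))[:n]


def merge_local_graphs(views: List[Set[Edge]]) -> Set[Edge]:
    """G': the union of the certificate graphs held by k nodes.

    Each edge of G' is a certificate some node actually holds, so E' ⊆ E of the
    global graph; G' may lag G by the convergence time of certificate exchange.
    """
    merged: Set[Edge] = set()
    for view in views:
        merged |= view
    return merged


# Constructed sample: six nodes A..F. GLOBAL is the full certificate graph G;
# the three local views are what nodes A, B and E hold after some rounds of
# certificate exchange (the certificate F->A has not propagated to them yet).
GLOBAL: Set[Edge] = {("A", "B"), ("A", "C"), ("B", "C"), ("C", "D"), ("D", "C"),
                     ("B", "D"), ("E", "C"), ("D", "E"), ("F", "A")}
LOCAL_VIEWS: List[Set[Edge]] = [
    {("A", "B"), ("A", "C"), ("B", "C"), ("C", "D")},   # held by A
    {("B", "C"), ("B", "D"), ("A", "B"), ("D", "E")},   # held by B
    {("E", "C"), ("D", "C"), ("D", "E"), ("B", "D")},   # held by E
]


def demo() -> Tuple[Optional[List[str]], List[str], bool]:
    """Chain A->E in G, the two most suitable nodes in G', and whether E' ⊆ E."""
    merged = merge_local_graphs(LOCAL_VIEWS)
    return (certificate_chain(GLOBAL, "A", "E"),
            rank_candidates(merged, 2),
            merged <= GLOBAL)


if __name__ == "__main__":
    print(demo())
```

On the constructed data the chain from A to E needs three certificates, C has the highest in-degree in both G and G' and so ranks first as a DCA candidate, and the merged view G' is a proper subgraph of G because the certificate F→A has not reached any of the three nodes whose views were combined.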
Overview of the Proposed Model
The proposed model consists of three stages in order to provide a self-initialized and adaptive key management service:
– The pre-initialization stage, in which each node issues certificates to others and uses certificate chains to authenticate the public keys of others. Besides, the conditions for initializing the security authority are periodically examined;
– The DCA self-initialization stage, in which the SIP is executed and the DCA parameters are negotiated. With the parameters, the DCA public key and the shares of the private signature key are generated;
– The post-initialization stage, in which the DCA is in effect.
In a MANET where no key management service exists, each node creates its own public key pair and issues certificates to others, and certificate chains are used to authenticate public keys. Besides, each node periodically checks the conditions for initializing the DCA based on its own certificate graph. The decision of when to launch the SIP is based on system- and application-specific policies, which may be pre-loaded when the system is installed or configured. The policies may focus on different aspects of the system to satisfy different requirements, such as reducing communication overheads or authentication costs. When some node decides that the SIP should be launched, the most suitable node is selected and informed, and it acts as the initiator in charge of launching and coordinating the SIP. After that, the DCA self-initialization stage starts. The SIP is launched by the initiator, and the DCA parameters are negotiated and agreed by a certain number of nodes. With the negotiated parameters, the public key and the shares of the DCA private signature key are then generated by at least t nodes through the JRSS procedure. The public key is signed by each DCA member and published to the other nodes, while the shares of the private signature key are kept by the corresponding DCA members and are not disclosed during the JRSS procedure.
The post-initialization stage starts after the DCA has been constructed. DCA members notify the others that the DCA has started to operate and publish the public key of the DCA. Upon receiving the notification, each node may send a certificate request to the DCA.
3 Details
3.1 Pre-initialization
Ideally, one should examine the conditions for initialization based on the global certificate graph G whenever a new certificate is issued. However, this is not feasible in our case for two reasons. On the one hand, examining the conditions whenever a new certificate is issued incurs heavy computational overhead on each node. On the other hand, since there is no central administrator in the MANET, all nodes would have to be involved in order to obtain G. We thus adopt a best-effort method, i.e., each node vi periodically examines the conditions for initialization based on its own certificate graph Gi instead of G. If the conditions are met, vi selects the initiator vl based on Gi. After being informed, vl chooses the other involved nodes based on Gl and launches the SIP. All these values are then agreed by a certain number of nodes in the SIP.
The above procedure can be stated in detail as follows. Each node vi periodically examines the conditions for initialization, i.e., whether the SIP should be launched, by evaluating the function TestLaunch(Gi) = ifInit. The return value depends on the policies and the network status, such as the number of vertices and edges in Gi. If ifInit = TRUE, the SIP should be launched. Then vi tries to find the initiator as vl = TestInitiator(Gi). TestInitiator(Gi) returns the vertex with the largest in-degree in Gi. In case the in-degree values of two vertices are equal, conflict-resolution policies that ensure the return value is unique are applied. If vi = vl, vi evaluates CompParameter(Gl). Otherwise, vi notifies vl. After re-evaluating the above two functions based on Gl, vl evaluates the DCA parameters, i.e., the number of servers n, the threshold value t and the list of DCA members ln, as follows: CompParameter(Gl) = {n, t, ln}. The return value depends on the current network status and some application-specific policies. vl then launches the SIP to negotiate the SDCA parameters.
3.2 DCA Self-initialization
In the pre-initialization stage, the initiator and the DCA parameters are computed based on the initiator's certificate graph Gl. To defend against malicious nodes, they have to be further negotiated and agreed by a certain number of nodes. Thus we propose the SIP, which consists of two sub-procedures: the negotiating procedure and the constructing procedure. The negotiating procedure is for negotiating among a certain number of nodes on the DCA parameters n, t, ln. The constructing procedure is for the nodes in ln to generate the DCA public key and the shares of the private signature key. For simplicity, only the negotiating procedure is described in detail. For details of the constructing procedure, readers are referred to [10].
The Negotiating Procedure. In the negotiating procedure, the chosen DCA parameters are negotiated and agreed by at least k + t − 1 nodes involved in the SIP. Since there are at most t − 1 malicious nodes, the parameters are agreed by at least k correct nodes in the SIP. Besides, the conditions for initialization and the initiator are also re-checked by each node involved during the negotiating procedure. The negotiating procedure consists of one or more rounds, described as follows:
Step 1. vl sends a LAUNCH message to all nodes vi in ln: vl → ∀vi ∈ ln : LAUNCH, h(Gl), where LAUNCH is the message type and h(Gl) is the list of hash values of each certificate in Gl. After the message is sent out, a timer launchTimer is started.
Step 2. Upon receiving the LAUNCH message, vi compares h(Gi) with h(Gl) and acts according to the comparison result: If ∃cs ∈ Ei, cs ∉ El: vi → vl : DISAGREE, {cs | cs ∈ Ei, cs ∉ El}; else if ∃cs ∈ El, cs ∉ Ei: vi → vl : LACK, {h(cr) | cr ∈ El, cr ∉ Ei}; else vi verifies the evaluation of the three functions TestLaunch(), TestInitiator() and CompParameter() based on Gi, and if the verification passes, vi → vl : AGREE, Svi(h(Gl)).
Step 3. If DISAGREE is received, vl increases the counter disCounter by 1 and records the certificates {cs} in updateList. If LACK is received, vl increases the counter lackCounter by 1 and, if disCounter = 1, records the replying node and the list {h(cr) | cr ∈ El, cr ∉ Ei} in lr and ackList respectively. If AGREE is received, vl increases the counter agrCounter by 1 and records the replying node in la.
Step 4. When launchTimer expires, if disCounter + lackCounter + agrCounter < k + t − 1, vl exits the procedure. Otherwise, it acts as follows: If disCounter > 0, it updates Gl using the certificates in updateList and then re-computes the three functions. If the conditions are still satisfied, it enters the next round of the negotiating procedure from Step 1. Else if lackCounter > 0, vl sends the ACKLACK message and restarts launchTimer: vl → vj ∈ lr : ACKLACK, {cr}. Else vl → vi ∈ ln : START, {Svj(h(Gl)) | vj ∈ la}, {pkj | vj ∈ la}.
Step 5. Upon receiving ACKLACK, vi updates Gi using {cr} and verifies the three functions based on the updated Gi. If the verification passes, vi → vl : AGREE, Svi(h(Gl)).
Step 6. Upon receiving START, vi verifies {Svj(h(Gl)) | vj ∈ la}. If no fewer than k + t − 1 signatures can be verified successfully, it enters the constructing procedure.
To ensure termination of the procedure, when vi receives the LAUNCH message it makes sure that the Gi used in this procedure will not be affected by other processes, e.g. the certificate exchange mechanism. To guard against tampering and replay attacks, the signing data, a time stamp and a nonce should be included in the messages. For simplicity, this information as well as the identifiers of sender and receiver are omitted from the description of the protocol.
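A toy model of the pre-initialization policies (TestLaunch, TestInitiator and CompParameter, using the tie-breaking and top-n rules stated in Sect. 4) together with one round of Steps 1 to 4 of the negotiating procedure, as an added example that is not the paper's code. It assumes certificates modelled as (issuer, subject) edges, a stand-in HMAC for Svi(), and a LAUNCH message that carries the claimed parameters next to h(Gl) so that Step 2 can verify them; the sample graphs and node secrets are constructed.

```python
"""Toy model of the SDCA pre-initialization policies (TestLaunch, TestInitiator,
CompParameter) and one round of the negotiating procedure (Steps 1-4).
Added example, not the paper's code. Assumptions: certificates are (issuer,
subject) edges, S_vi() is a stand-in HMAC, and the LAUNCH message carries the
claimed parameters next to h(Gl) so that Step 2 can verify them."""
import hashlib
import hmac
from collections import Counter

def cert_hash(cert):
    return hashlib.sha256("->".join(cert).encode()).hexdigest()[:16]

def h(edges):
    """h(G): the hash values of every certificate in G."""
    return {cert_hash(c) for c in edges}

def suitability(edges):
    """Suitability = in-degree: certificates issued to each node."""
    return Counter(subject for _, subject in edges)

def launch_condition(edges, min_vertices, min_edges):
    """TestLaunch() with the Sect. 4 policy: enough vertices and edges in G."""
    vertices = {v for edge in edges for v in edge}
    return len(vertices) >= min_vertices and len(edges) >= min_edges

def ranked(edges):
    """Nodes by decreasing suitability; ties go to the lowest node ID."""
    suit = suitability(edges)
    return sorted(suit, key=lambda v: (-suit[v], v))

def pick_initiator(edges):
    """TestInitiator(): the vertex with the largest in-degree."""
    return ranked(edges)[0]

def comp_parameter(edges, n, t):
    """CompParameter(): (n, t, ln), ln being the n most suitable nodes."""
    return n, t, ranked(edges)[:n]

def sign(node, keys, data):
    return hmac.new(keys[node], data.encode(), "sha256").hexdigest()

def verify_agree(node, keys, data, sig):
    return hmac.compare_digest(sign(node, keys, data), sig)

def step2_reply(vi, Gi, launch, keys, policy):
    """Step 2: vi compares h(Gi) with h(Gl) and answers DISAGREE, LACK or AGREE."""
    hl = launch["h"]
    extra = sorted(c for c in Gi if cert_hash(c) not in hl)  # cs in Ei, not in El
    if extra:
        return "DISAGREE", extra
    missing = hl - h(Gi)                                      # h(cr): cr in El, not in Ei
    if missing:
        return "LACK", missing
    ok = (launch_condition(Gi, policy["min_vertices"], policy["min_edges"])
          and pick_initiator(Gi) == launch["vl"]
          and comp_parameter(Gi, policy["n"], policy["t"]) == launch["params"])
    if not ok:
        return "REJECT", None                # verification failed: no AGREE is sent
    return "AGREE", sign(vi, keys, ",".join(sorted(hl)))

def negotiate_round(vl, graphs, keys, policy):
    """Steps 1, 3 and 4 at the initiator vl for one round: returns the action vl
    takes next and its counters; graphs[vl] is updated in place on DISAGREE."""
    Gl = graphs[vl]
    params = comp_parameter(Gl, policy["n"], policy["t"])
    launch = {"h": h(Gl), "vl": vl, "params": params}
    dis = lack = agr = 0
    update_list, lr, la = set(), [], []
    for vi in params[2]:                     # every member of ln except vl itself
        if vi == vl:
            continue
        kind, payload = step2_reply(vi, graphs[vi], launch, keys, policy)
        if kind == "DISAGREE":
            dis, update_list = dis + 1, update_list | set(payload)
        elif kind == "LACK":
            lack, lr = lack + 1, lr + [vi]
        elif kind == "AGREE":
            agr, la = agr + 1, la + [(vi, payload)]
    state = {"dis": dis, "lack": lack, "agr": agr, "lr": lr, "la": la}
    if dis + lack + agr < policy["k"] + params[1] - 1:
        return "EXIT", state
    if dis > 0:                              # merge, then re-run the three functions next round
        graphs[vl] = Gl | update_list
        return "NEXT_ROUND", state
    if lack > 0:                             # vl sends ACKLACK with the missing certificates
        return "ACKLACK", state
    return "START", state                    # vl forwards the AGREE signatures to ln

# Constructed sample: a global certificate graph G and each node's local view.
SAMPLE_G = frozenset({("A", "B"), ("C", "B"), ("D", "B"), ("A", "C"), ("B", "C"),
                      ("D", "E"), ("B", "A"), ("E", "A"), ("F", "D")})
POLICY = {"n": 4, "t": 2, "k": 2, "min_vertices": 5, "min_edges": 8}

def make_sample():
    """B (the initiator), A and E hold G; C knows one extra certificate; D lacks one."""
    graphs = {v: set(SAMPLE_G) for v in "ABE"}
    graphs["C"] = set(SAMPLE_G) | {("F", "E")}
    graphs["D"] = set(SAMPLE_G) - {("F", "D")}
    keys = {v: f"secret-{v}".encode() for v in "ABCDEF"}    # constructed secrets
    return graphs, keys
```

With the sample, the first round ends in NEXT_ROUND (C's extra certificate is merged into Gl), and the second round ends in ACKLACK because A and E now lack that certificate.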
4 Performance Evaluation
We illustrate and analyze the proposed model in terms of system cost, availability and security by network simulation. All components of the proposed model are implemented in the Network Simulator 2 (NS2) [11] platform. A typical CC scheme without an update mechanism is also implemented for comparison. To simulate a practical scenario, the restricted random waypoint model from the random trip models [12] is adopted as the mobility model. Compared with the defective random waypoint model [13], it is more suitable for modelling realistic inter-city scenarios. In the simulation, 10 independent scenario files are generated based on the restricted random waypoint model. For each file, the mean pause time is set to 10 s and the total simulation time is set to 2000 s. For a given setting of the system parameters, such as the total number of nodes, the scenario file name or the availability threshold, each of the scenario files is executed 10 times. For each node in the scenario, the radio range is set to 200 m. On the MAC layer, the standard implementation of 802.11 for NS2 is used. The routing protocol is AODV [14].
Fig. 1. Average ACO in growing MANET
We use straightforward policies in the simulation. TestLaunch examines the number of vertices and edges in the certificate graph. TestInitiator returns the ID of the node with the highest suitability. If several nodes are returned, the one with the lowest ID is chosen. For simplicity, a fixed (10, 3) threshold scheme is used in the simulation, where there are 50 nodes in total. CompParameter picks out the 10 nodes with the highest suitability. Note that more complicated policies might make the proposed model more flexible and adaptive; however, the design of policies is out of the scope of this paper and will be studied in our further research.
The accumulated communication overhead (ACO) measures the accumulated size, in bytes, of the packets communicated for maintaining the key management scheme. Figure 1 plots the ACO versus the running time of the MANET and service in a growing MANET. It shows that the SDCA scheme can efficiently reduce the communication overhead compared with the CC scheme in such an environment. The communication overhead of the CC scheme includes the packets used for issuing and exchanging the certificates, while the communication overhead of the SDCA scheme includes all the packets for constructing the DCA in the three stages. Figure 1 illustrates that as the nodes and certificates gradually increase, the communication overhead of the CC scheme increases dramatically. In SDCA, however, the ACO is not affected by the growth in the number of nodes after the DCA is constructed at about 1500 s.
Table 1 compares the overheads of the CC and SDCA schemes in a growing MANET. In Table 1, storage overhead (SO) denotes the average number of certificates in the certificate graph on each node. Note that the space for storing certificates in the pre-initialization stage may be released after the SIP. Table 1 shows that the storage cost of the CC scheme is about 7.5 times that of the SDCA scheme. In an invariable environment, the storage cost of the CC scheme is about 9 times that of the SDCA scheme. The average path length (APL) is defined as the average of the minimum hops between any two nodes in the certificate graph, while the longest path length (LPL) denotes the length of the longest of the shortest paths between any two nodes.
Table 1. Growing MANET
Since trustworthiness tends to decrease along the certificate chain [15], the metrics APL and LPL also reflect the trustworthiness of certificate chains for public key authentication. Table 1 shows that to authenticate a public key in the growing MANET, more than 2 certificates need to be verified on average. In the worst case, about 5 certificates need to be verified. The availability (AVA) of the key management service is defined as the average success ratio of authenticating public keys. The availability of the SDCA scheme is higher than that of the CC scheme. To increase the availability of the CC scheme, one could issue more certificates and expedite the exchange of certificates. However, this brings more communication and storage costs. The SDCA scheme achieves higher availability with lower communication and storage costs.
5 Conclusion
This paper proposed a self-initialized key management service, SDCA, for MANET. This scheme is believed to be the first key management scheme for MANET in which the security authority is self-initialized, i.e., the participating nodes collectively initialize a distributed security authority according to application-specific policies and the network environment, without a trusted dealer. Compared with existing DCA schemes, the proposed model is more flexible and more adaptive to the actual deployment environment, which tends to be highly dynamic. On the other hand, SDCA is able to address the scalability issue of CC schemes in MANET. SDCA is characterized by its low cost, high availability and security. These features are illustrated and analyzed by network simulations.
References
1. Zhou, L.D., Zygmunt, J.H.: Securing ad hoc networks. IEEE Network 13(6), 24–30 (1999)
2. Ge, M., Lam, K.Y., Gollmann, D., Chung, S.L., Chang, C.C., Li, J.B.: A Robust Certification Service for Highly Dynamic MANET in Emergency Tasks. International Journal of Communication Systems (to appear)
3. Yi, S., Kravets, R.: MOCA: Mobile certificate authority for wireless ad hoc networks. In: The 2nd Annual PKI Research Workshop (PKI 2003), pp. 65–79 (2003)
4. Luo, J., Hubaux, J.P., Eugster, P.T.: DICTATE: DIstributed cerTification authority with probabilisTic frEshness for ad hoc networks. IEEE Transactions on Dependable and Secure Computing 2(4), 311–323 (2005)
5. Ge, M., Lam, K.Y., Li, J.B., Chung, S.L.: Ubiquitous and Secure Certificate Service for Mobile Ad Hoc Network. In: IEEE/IFIP International Conference on Embedded and Ubiquitous Computing 2008 (EUC 2008), pp. 312–317 (2008)
6. Capkun, S., Buttyan, L., Hubaux, J.: Self Organized Public-key Management for Mobile Ad Hoc Networks. IEEE Transactions on Mobile Computing 2(1), 52–64 (2003)
7. Capkun, S., Hubaux, J.P., Buttyan, L.: Mobility helps peer-to-peer security. IEEE Transactions on Mobile Computing 5(1), 43–51 (2006)
8. Yi, S., Kravets, R.: Composite key management for ad hoc networks. In: Proceedings of MOBIQUITOUS 2004 - 1st Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services, pp. 52–61 (2004)
9. Van der Merwe, J., Dawoud, D., McDonald, S.: A survey on peer-to-peer key management for mobile ad hoc networks. ACM Computing Surveys 39(1), 3–45 (2007)
10. Pedersen, T.P.: A threshold cryptosystem without a trusted party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991)
11. ns-2 simulator, http://nsnam.isi.edu/nsnam/index.php/Main Page (February 12, 2008)
12. Le Boudec, J., Vojnovic, M.: Perfect simulation and stationarity of a class of mobility models. In: Proceedings - IEEE INFOCOM, pp. 2743–2754 (2005)
13. Yoon, J., Liu, M., Noble, B.: Random waypoint considered harmful. In: Proceedings - IEEE INFOCOM, pp. 1312–1321 (2003)
14. Perkins, C.: Ad hoc networking. Addison-Wesley, Reading (2001)
15. Sun, Y., Yu, W., Han, Z., Liu, K.: Information theoretic framework of trust modeling and evaluation for ad hoc networks. IEEE Journal on Selected Areas in Communications 24(2), 305–317 (2006)
Design and Delivery of Undergraduate IT Security Management Course
Jemal H. Abawajy
Deakin University, School of Engineering and Information Technology
[email protected]
Abstract. Information technology has become the core tool of business organisations. External and internal threats as well as legal, regulatory and contractual compliance requirements all combine to make effective information security a key information technology management challenge. This paper describes an undergraduate information technology security management course that provides the comprehensive knowledge and skills necessary to manage both strategic and operational aspects of information security. The course covers a broad range of managerial topics in information technology security and makes use of a number of security tools and techniques to complement the theory taught. In this paper, we describe our approach, our experiences and the lessons learned from teaching an information technology security management course. The paper details the content of the course and outlines how it is taught and assessed.
Keywords: Information security management, curriculum development, Information Security Manager, job analysis.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 402–411, 2009. © Springer-Verlag Berlin Heidelberg 2009
1 Introduction
Information technology (IT) security is a very important topic nowadays, as the threats to information systems from hackers, outsiders and even disgruntled employees are increasing. There is a shortage of adequately trained information systems security personnel [25], which creates a need for skilled IT security professionals [20]. Also, a recent survey conducted in 14 countries worldwide, ranging from the U.S. and Canada to Poland, Australia and South Africa, found that expertise in security is considered the most important skill for IT staff to have [21]. Key to building such professionals is the implementation of robust graduate and undergraduate curricula in information security and assurance. Sound curricula in information security management are required to develop a sufficient number of information security professionals who can help ensure the reliable deployment of information systems that enable organisations to achieve their intended missions [14]. To address the need for information security management education, many universities have incorporated computer and security courses into their undergraduate and graduate curricula. Most of these courses are not specific to information security management. Also, the general trend among the existing courses is that they are survey or introductory courses, which provide only orientation and guidelines in the field, but do not cover the managerial topics in depth.
In this paper, we discuss the design and delivery of an undergraduate IT security management course. The course was designed on the latest curriculum design theory, supplemented with market forces, to foster the academic development as well as the job market skill sets of students. The course provides the comprehensive knowledge and skills necessary to manage both strategic and operational aspects of information technology security. The course emphasizes the function and management of security in the protection of assets, and is supported by appropriate studies in security risk and risk management, security technology, law and ethics.
The rest of the paper is organized as follows. Section 2 describes the course contents and delivery modes, textbooks, the rationale for topic selection, individual lectures, and the course flow over a semester for coherence. Specific examples of content and methods are provided. Section 3 discusses the assessment methods. Student feedback is presented in Section 4. The conclusion is given in Section 5.
2 Contents and Delivery Methods
From the literature review, for efficient delivery of the course content, both knowledge of the subject content and knowledge of teaching techniques are important. The course was developed to promote a sense of efficacy and confidence in students. Teaching materials and course content were structured to enable students to gradually regulate their own learning in a meaningful learning context. Students are encouraged to research and read the references given after each lecture and other material relevant to the course to further develop their knowledge. In this section, we present the format, content and presentation of the lessons.
2.1 Course Design Rationales
The course curriculum content ranges from concepts, confidentiality, integrity and accessibility of information to computer forensics and security policies. It could contain some practical teaching to investigate an organization's security policies and standards, or to audit aspects of the organization's security system and identify existing weaknesses. The content incorporates both technical and management perspectives to ensure its relevance to practice. In this section, we describe the contents, organisation and teaching strategies.
This course is designed to be job-market friendly. The course has been developed in conjunction with the private security industry. We determined what skills and competencies potential employers are looking for, and the course is designed to enable students to develop these skills. The content reflects the Common Body of Knowledge (CBK) defined in CISSP. As the course contents reflect the ten CBK of CISSP, it will contribute to the CISSP (Certified Information System Security Professional) accreditation. This ensures the course is relevant to today's industry and also enables students to graduate with the skills and knowledge employers want and need. Also, the course went through an approbation process.
404
J.H. Abawajy
Because of the nature of the subject, balancing theory and practice is crucial in IT security management education [16]. In order to achieve this educational aim, we implemented a situated learning strategy [17], which stresses the importance of enculturation and community of practice. A learning theory enshrining this epistemological belief implies a learning environment in which the individual acquires the ability to put theories into practice, so vital in IT security management education [16]. We took into consideration some criticisms of the situated learning strategy [18]. The teaching philosophy of the course entails students being proactive and responsible for their own learning, with staff facilitating this learning. To this end, the course engages the students at different levels and appeals to the participants through a wide range of delivery mechanisms. To further inject realism into the course, students do a real-world group project. Part of the situated learning strategy is to promote group interaction and a cooperative learning process. Through group projects and online discussion, we have been able to achieve interaction among students.
2.2 Course Design Rationales
The content incorporates both technical and management perspectives to ensure its relevance to practice. The course contents are organized in topics. Each thematic topic has a presentation that describes the field of study and the general objectives to achieve. The thematic topics studied are as follows:
• Fundamentals of information security – students learn to identify and value information as an organizational asset, the fundamental causes of vulnerabilities, gain experience with various types of major system security attacks including human factors and the tangible and intangible losses of an attack, and detect and characterize various attack types.
• Incident handling and recovery – designed to provide the basic skills and processes students will need to perform incident handling work, which include identifying and gathering critical information, recognizing signs of attacks, detecting and analyzing incidents, finding contact information, coordinating response and disseminating information, and working with law enforcement. Students have the opportunity to participate in sample incidents that they might face on a day-to-day basis.
• Information security risk management – the basic knowledge and skills needed to perform cost/benefit analysis; identify, analyze and prioritize various types of information security risks; and develop risk mitigation strategies that reflect improvements in controls to prevent risk where information lives.
• Business continuity and disaster recovery planning – how an organization designs, develops, implements, and manages the protection and sustainability of business-critical services, related business processes, and associated assets such as people, information, technology, and facilities.
• Information security policy – the course enables the students to acquire knowledge of how to set policies and how to derive standards, baselines and guidelines, and implement procedures to meet organizational policy goals.
• Information security awareness and training – awareness and training for IT users on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources.
We believe that the course content gives students the technical know-how and a full understanding of information security management issues to perform information security management functions for any organisation. These topics increase students' knowledge and skills to formulate a position statement that helps people make speedy decisions when confronted with difficult situations. The security of a system is only as good as the awareness of its users. Raising the level of security awareness across the organisation is the goal of the information security awareness and training program.
The theoretical content design followed a planning scheme based on the principles of Case-Based Learning. All the main sections of a topic begin with a practical case that locates the student's learning in the acquisition of some competence. In the development of the case, diverse didactic elements were used. They motivate and demand that the student take an active role in his/her learning. Some of these elements are: real examples of concrete cases, used so that the student acquires a better understanding of the content; references to publications that enlarge on the information contributed; links to technical terms that include a brief definition; graphics and flowcharts as a supplementary resource, used so that the student assimilates the content better and to facilitate his/her learning; a table with definitions of terms useful for understanding the theoretical framework; a table with important annotations that the student should remember; practical experiences of use in fields with similar meanings; and self-assessment exercises focused on reinforcing the key elements of a topic.
2.3 Delivery Methods
The teaching methods incorporate interactive instruction, practical exercises, and role playing. In this section, we explain these teaching methods.
2.3.1 Face-to-Face Lecture
The lecturer supports student learning by providing a theoretical base for the content via an extensive range of lectures, with their associated notes and other materials. One criticism of the traditional lecture approach is that students may become too passive and not actively attempt to understand difficult material. Thus, teacher-centered delivery methods have severe limitations in promoting learning, and additional sources are important [19]. To address this issue, we incorporated several techniques, including time for free discussion, short questioning, case-based learning and real-life examples, to improve student learning. To ensure that students have actually understood the lecture contents, students work through some example problems on that content to assess their comprehension. We found that the mini example problems after each lecture help students to quickly evaluate their understanding of the lecture, help the lecturer to identify specific problem areas, and engage students effectively. However, students should be given enough time to respond so that their answers are the outcome of reasoned thinking rather than subjective reactions. Students learn with different learning styles, and examples allow students to adjust as well as learn at their own pace (repeating the examples covered in class). The practical nature of many of the areas within IT security is such that case studies are the most appropriate means by which participants can gain an understanding of practices and, after analysis, the concepts behind those practices. We also found that case study is an effective teaching and learning tool because it brings real-life experience into the classroom. Learning to solve real-world problems in the case studies helps develop students' ability to think critically and sharpen their decision-making skills.
2.3.2 Seminars through Guest Lecturers
In addition to the lectures and group tasks, the lecturer organised a series of information security guest lectures. The content of the presentations by the guest lecturers is usually related to the topic of the course or to contemporary IT security management discussions. We use guest lecturers from industry or lecturers who are well-versed experts in their field to give lectures on specific topics. This aims to strengthen the dialectic between theory and practice. Students have an opportunity to engage with IT security experts from industry, government and academia.
2.3.3 Practical Classes
The practical classes serve as group problem-solving sessions, with specific problems relevant to the course being set for each week's work. Attendance and participation at practical classes are mandatory, and this places much of the learning burden on the students. In this approach, students have adequate knowledge and possess independent, collaborative and participant learning styles, while the teacher's role is to 'empower' them. Practical classes give students hands-on and practical exposure to the principles learned in lectures. In the two-hour weekly practicals, students are instructed to prepare the answers and participate in the tutorial as a team rather than as individuals. As the focus of the practicals is on self-learning, the tutor spends less time on didactic teaching and more time commenting on the teams' different answers. This type of approach gives more freedom to the students to search for and obtain information while filtering the information obtained for relevance to the particular topic.
We found that students feel less intimidated if asked to answer as a team rather than as individuals and are therefore more involved in class discussion. It also provides students an opportunity to work in teams and learn from their peers, which they will have to do subsequently as information security professionals.
2.4 Deakin Student Online
Deakin Student Online (DSO) provides interaction with the lecturer, tutors and other students. It also provides a student-centered, collaborative learning environment and encourages greater collaboration among students. DSO is used for enquiries about the administration of the unit and about learning resources. The online learning environment serves the purpose of offering recorded lectures and guest talks, course information, communication and other learning tools. The online group discussion fosters an environment in which students can interact and achieve knowledge development as a community, without the usual time and space constraints. It also gives the individual student an opportunity to interact directly with the instructor. Students and faculty can access the virtual classroom from their home or office. This is increasingly important to many institutions interested in drawing non-traditional students into their programs.
Students were asked to participate in group discussions, facilitated by an online class teacher. The teacher posted questions on a weekly or fortnightly basis. Each question was related to what was taught in the lecture or discussed in the seminar sessions. The style of questions was open-ended and "discussion-based", allowing input from different perspectives. Students were also invited to post any questions of their own that they would like to discuss among their course mates. We found that frequent but short (less than 30 minute) exercises are geared towards boosting the student's confidence while reinforcing the lecture material.
3 Assessment Methods
Assessment forms the backbone of student learning, although it is used in various modes. In the interest of diversity of learning styles, a variety of assessment components and options are built into the course. Assessment activities are chosen so that they are capable of developing the desired outcomes. Assessment of the learning tasks has been designed to:
• Ensure that all objectives and competencies are assessed.
• Provide a balance of online submissions and invigilated work, as a precaution against cheating.
• Assign tasks that integrate the acquisition and application of professional knowledge with other competencies (e.g., interpersonal, communication, IT).
• Situate learning in contexts that have personal relevance to students wherever possible (e.g., research, reporting and problem solving).
Questions in assignments and exams should encourage students to come up with a variety of solutions, and credit should be given for quality, originality and variety of ideas. Students are able to submit assessment tasks (i.e., assignments and projects) for formative feedback and assessment using the DSO facility. We also stress a flexible assessment approach, and allowing students to take responsibility for their own learning, as the most important way to view learning in today's world.

3.1 Requirements
To be eligible to pass the course, students are required to complete all forms of assessment and must demonstrate a reasonable degree of competence in the required course objectives as examined in each form of assessment. Conventional assessment includes strict due dates that students must adhere to in order to get marks. We also used a hurdle, in which students must obtain a certain percentage (e.g., 40%) in each assessment to pass the course. Although this serves as a motivation to make students responsible for the work, it also has some serious side effects. In order to relax the hard deadline, we introduced a graduated demerit structure in which students have 3 more days to submit the assessment tasks, losing 10% for each day the assessment is submitted late. After 3 days, the submission is no longer accepted. We also ask for periodic updates of the student's work in progress, to ensure that the student has been working on the assessment task. This has helped me find a number of issues, including that some students genuinely need the extra time due to circumstances beyond their control. It also showed me the learning process that individual students use to address the assessment tasks. This is quite useful, as it allows early detection of a student drifting away from the task, and it helped me understand whether a student had not really understood the problem or had made wrong assumptions. All of this helps me provide early feedback and help to students. The main problem I faced was the time pressure to provide timely feedback to students. Some students expect to get the feedback right away and start sending irritatingly
408
J.H. Abawajy

3.2 Term Assignments
Longer homework assignments are given which ask the student to assimilate several lectures' worth of material to solve more complex problems. Each assignment question is designed to test the mastery of a specific objective of the course and to provide reflective feedback for students. The following is an example of an assignment question given to students:

Assume that you have been tasked with designing and implementing a computer security incident response team for an organization of your choice.
• Provide a high-level overview of the key issues and decisions that must be addressed in establishing an incident response team.
• Develop an action plan that can be used as a starting point in planning and implementing an incident response team.
The intended objectives of this assignment are to test the students' understanding and level of mastery of the requirements for establishing an effective incident response team; to strategically plan the development and implementation of a new incident response team; to highlight issues associated with assembling a responsive, effective team of computer security professionals; to identify the policies and procedures that should be established and implemented; to understand the various organizational models for a new incident response team; and to understand the variety and level of services that an incident response team can provide.

3.3 Term Project
The group project is another technique embodying the concept of situated learning. At the beginning of the semester, students are given a project topic to be worked on during the whole semester. The project assesses students' assimilation of the theoretical principles and their ability to research, analyse and present their work in written and oral form. Each team writes a proposal and a project report and delivers an oral presentation. Group projects are encouraged because we believe that students are an important source of knowledge for each other, and students teaching one another is a vital exchange in the knowledge dialogue. Thus the group project not only strengthens the notion of a community of practice but also addresses the importance of group interaction as part of the learning process. Some of the project topics are suggested by the lecturer, while students are encouraged to choose a topic related to the course. The reason for encouraging students to choose their own project topic is to enable them to become active creators of
knowledge rather than passive recipients of it. By inventing their own ideas, students are placed at the centre of active learning. One criticism of allowing students to select their projects is that some students may not have the background to select an appropriate topic intelligently, instead choosing material that is too easy or too difficult. One option is for the instructor to prepare an approved list of acceptable projects, to eliminate confusion and fear early in the semester. An example of a project given to the students is a risk assessment and an information security management policy design for a stockbroking firm that specializes in providing financial advice to clients and helps manage their portfolios. Students used the OCTAVE methodology to identify and evaluate information security risks, develop qualitative risk evaluation criteria that describe the organization's operational risk tolerances, identify assets that are important to the mission of the organization, identify vulnerabilities and threats to those assets, and determine and evaluate the potential consequences to the organization if the threats are realized. An advantage of a lecturer-set project is that the lecturer teaches the chapter about the OCTAVE methodology and then shows how the lessons learned from the chapter apply to the project. In our first year of teaching the course, we found that students generally left the project to the last week of the term and in most cases did not complete it in the allotted time. To address this problem, we asked students to report project progress periodically (bi-weekly) against milestones with measurable objectives. We found this monitoring process a valuable mechanism for bringing problems to light early. A related key to success is to divide the project into incremental deliverables, with each increment being a useful end result as well as a suitable basis for further progress.

3.4 Final Exam
At the end of the semester, a closed-book exam designed to measure comprehension of the course content is administered. All test items clearly relate to one or more of the course objectives. A series of review questions is provided for students to practise the best responses as part of the learning process. The feedback for the review questions is both positive and immediate, and provides model responses for novice learners.
4 Student Feedback
Student feedback was gathered during the evolution of this process. In this section we describe the findings from student feedback on the face-to-face dimension of the course. On the subject of the lectures and the associated content, students reported that the course had transformed how they conceived of security. Before commencing the course, most perceived information systems security as a technical problem that can only be resolved by the use of technology. However, students commented that the many empirical examples given in the lectures helped them to understand why security management concerns more than just technology. The realization of the social and organizational dimension of security seems to be reinforced by the security seminars as well. We observed a high level of participation in the seminar sessions, with students engaging in interactive discussion with the industry experts. In our interviews we asked what they thought of the security seminar series. One student replied, 'The guest seminars are a very good thing and give an opportunity to students to get direct contact with the "real" world!' As regards the group assessments, the majority seemed to enjoy the task over the period of ten weeks, although some students reported problems in working together. We also found that the quality of the assignments produced by groups was better than that produced by individuals in the previous year: in the group work there were more in-depth discussions and analysis.
5 Conclusions
Given the magnitude of the real and potential losses associated with security breaches, employers increasingly expect graduates of information security programs to have an understanding of information security concepts. In this paper we discussed the design and development of an undergraduate information security management course that provides the comprehensive, up-to-date and practical information security management knowledge and skills needed by security professionals. The course content ranges from the concepts of confidentiality, integrity and availability of information to computer forensics and security policies. It could include some practical teaching to investigate an organization's security policies and standards, or to audit aspects of the organization's security system and identify existing weaknesses. The practical classes instructed students in the inspection and protection of information assets, and in the detection of and reaction to threats to those assets. Furthermore, the online forum reverberated with constant discussion of topical security issues, usually initiated by the students themselves. Students also appreciate theory and retain new skills when they are immediately able to apply the current lesson to actual problem-solving tasks.
Secure Multi-party Computation Using Virtual Parties for Computation on Encrypted Data
Rohit Pathak (1) and Satyadhar Joshi (2)
(1) Acropolis Inst. of Technology & Research, Indore, M.P., India
(2) Shri Vaishnav Inst. of Technology & Science, Indore, M.P., India
{rohitpathak,satyadhar_joshi}@ieee.org
Abstract. In this paper we propose a new protocol, the Virtual Party Protocol (VPP), for Secure Multi-Party Computation (SMC). Many computations and surveys involve confidential data from many parties or organizations. As the data concerned is the property of the organization or party, preserving and securing it is of prime importance for such computations: although the computation requires data from all the parties, none of them wants to reveal its data to the others. We propose a protocol that performs the computation on encrypted data. The data is encrypted in a manner that does not affect the result of the computation, using modifier tokens that are distributed among virtual parties and finally used in the computation. The computation function uses the acquired data and the modifier tokens to compute the right result from the encrypted data. Thus the right result can be computed without revealing the data, and the privacy of the parties is maintained. We give a probabilistic security analysis and show how the probability of a successful compromise can be made near zero with a proper configuration.
Keywords: Secure Multi-party Computation (SMC), Information Security, Privacy, Protocol.
1 Introduction
Yao introduced secure computation through the millionaires' problem and gave a solution based on deterministic computations [1]. The collaborative benchmark problem has a proposed solution in which the private shares are changed, but in a manner that keeps the sum the same [2]. Atallah et al. provide privacy-preserving solutions to collaborative forecasting and benchmarking that can be used to increase the reliability of local forecasts and data correlations, and to evaluate local performance against global trends [3]. Du and Zhan propose the development of practical solutions to SMC problems under a new paradigm that uses an acceptable security model allowing partial information disclosure [4]. Null and Wong present a unified approach to multilevel database security based on two ideas: a trusted filter and an inference engine [5]. Du and Atallah propose the privacy-preserving cooperative linear system of equations problem and the privacy-preserving cooperative linear least-squares problem
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 412–421, 2009. © Springer-Verlag Berlin Heidelberg 2009
Secure Multi-party Computation Using Virtual Parties
413
[6]. Canetti et al. consider adaptive adversaries in a setting where even uncorrupted parties may deviate from the protocol by keeping a record of all past configurations [7]. Atallah et al. give a protocol for sequence comparisons in which neither party reveals anything about its private sequence to the other [8]. Secure Supply-Chain Collaboration (SSCC) protocols, which enable supply-chain partners to cooperatively achieve desired system-wide goals without revealing the private information of any party, even though the jointly computed decisions require the information of all parties, are proposed by Atallah et al. [9]. The problem of defining and achieving security where the database is not fully trusted, i.e. when users must be protected against a potentially malicious database, is discussed by Maurer [10]. Building a decision-tree classifier from training data in which the values of individual records have been perturbed, with a reconstruction procedure that accurately estimates the distribution of the original data values, is described in [11]. The Anonypro protocol makes the identity of incoming data anonymous [12]; it assumes that the connection between the party and the anonymizer is secure.

If a calculation includes data from many organizations, then the safety of each organization's data is the prime concern. Suppose a statistical calculation is to be performed among several organizations. It includes information about various people related to each organization, whether employees of the organization or its customers, such as the customers of a bank. In this case the information of every person has to be kept secure, so as to preserve the privacy of every individual.

We propose a new protocol, the Virtual Party Protocol (VPP), which can be used to ensure the privacy of individuals and to preserve the data of an organization as a whole by never revealing the true data. In this method we create some fake data and some virtual parties. Since the calculation does not depend on the number of parties, we can create any desired number of virtual parties. We then encrypt the data and create modifier tokens correspondingly. This modified data is mixed with the fake data. The modifier tokens record the modification done to the data and are used in the final computation to obtain the correct result. The modified data and the modifier tokens are distributed among the virtual parties, which send them to trusted anonymizers; the trusted anonymizers forward the data to un-trusted anonymizers, which forward it to a third party for computation. The third party uses the data and the modifier tokens to compute the result: the modifier tokens correct the result obtained from the encrypted data values and in no way reveal the identity of a party. A modifier token is a short piece of information used in the final computation to ensure the right result. The method of encryption, the modifier tokens, the encrypted data and the method of computation are all interdependent.
2 Proposed Protocol – VPP (Virtual Party Protocol)
2.1 Informal Description
We have to compute a function f(a1, a2, a3, …, an) that depends on the number of data items sent by the organizations. There are n parties P1, P2, P3, …, Pn.
414
R. Pathak and S. Joshi
Each party Pi has data Xi1, Xi2, Xi3, …, Xim. Each party Pi has some trusted anonymizers Ai1, Ai2, Ai3, …, Aix. There are z un-trusted anonymizers A1, A2, A3, …, Az. Each party Pi creates some fake, trivial data entries Fi1, Fi2, Fi3, …, Fiq, where q is the total number of fake entries. The number of fake entries q may differ for every party Pi, but for simplicity of explanation it is kept the same for every party. The fake data is generated so that it does not affect the overall result. We group this data with the original data entries Xi1, Xi2, Xi3, …, Xim, giving a new group of m+q data items Di1, Di2, Di3, …, Di(m+q). Each data value Di1, Di2, Di3, …, Di(m+q) is encrypted to obtain the encrypted data Ei1, Ei2, Ei3, …, Ei(m+q).
[Figure omitted: nodes P1 … Pn (parties), P11 … Pnk (virtual parties), A11 … Anx (trusted anonymizers), A1 … Az (un-trusted anonymizers) and TTP.]
Fig. 1. Data flow in VPP with a five-layer structure consisting of the party layer, virtual party layer, trusted anonymizer layer, un-trusted anonymizer layer and computation layer, from start to end respectively
Every party Pi creates k virtual parties Pi1, Pi2, Pi3, …, Pik. The encrypted data Ei1, Ei2, Ei3, …, Ei(m+q) is distributed randomly among the virtual parties Pi1, Pi2, Pi3, …, Pik. Modifier tokens Ti1, Ti2, Ti3, …, Tik are generated for every party Pi and distributed randomly among its virtual parties so that every virtual party gets one modifier token. The encryption of the data and the generation of the modifier tokens are explained in later sections. The virtual parties Pi1, Pi2, Pi3, …, Pik then distribute their data and modifier tokens randomly among the trusted anonymizers Ai1, Ai2, Ai3, …, Aix, and the trusted anonymizers distribute the data randomly among the un-trusted anonymizers A1, A2, A3, …, Az.
Anonymizers can take data from multiple parties. The data of the un-trusted anonymizers is sent to the third party. A function h() uses the encrypted data and the modifier tokens to compute the right result; h() varies for different types of computation and depends strongly on f(). The third party computes h(E11, E12, E13, …, E1j, …, Ei1, Ei2, Ei3, …, Eij, T11, T12, T13, …, T1j, …, Ti1, Ti2, Ti3, …, Tij), which is the desired result, the same as f(X11, X12, …, X1m, X21, X22, …, X2m, X31, X32, …, X3m, …, Xn1, Xn2, …, Xnm), and this result is declared publicly. The whole scenario can be seen in Fig. 1.

2.2 Formal Description
VPP Algorithm
Identifier list:
Pi – parties, where i ranges from 1 to n
Xij – data of party Pi, where j ranges from 1 to m
Fij – fake data of party Pi, where j ranges from 1 to q
Dij – total data, including the fake and the original data
Pij – virtual party of party Pi, where j ranges from 1 to k
Eij – encrypted data associated with party Pi, where j ranges from 1 to m+q
Tij – modifier token of virtual party Pij
Aij – trusted anonymizer of party Pi, where j ranges from 1 to x
Ay – un-trusted anonymizer, where y ranges from 1 to z
TP – third party
Start VPP
• Create k virtual parties Pij for every party Pi
• Create fake data Fij for every party Pi
• Group the fake data Fij with the original data Xij to get Dij
• Encrypt the data Dij to get Eij
• Create modifier tokens Tij for every virtual party Pij
• Distribute the encrypted data Eij among the virtual parties Pij
• Send the data and modifier tokens from virtual party Pij to trusted anonymizer Aij
• Send the data and modifier tokens from trusted anonymizer Aij to un-trusted anonymizer Ay
• Send the data from un-trusted anonymizer Ay to TP
• Calculate the result at TP using the encrypted data and the modifier tokens
• TP announces the result
End of Algorithm
3 Encryption
Suppose each party sends multiple data items, so that party Pi has data Xi1, Xi2, Xi3, …, Xim, where m is the number of data items. The number m may differ for every party Pi, but for simplicity of explanation it is kept the same for every party. Suppose we have to perform a calculation such as:

Summation:
\[ f(X_{11}, X_{12}, X_{13}, \dots, X_{1m}, X_{21}, X_{22}, X_{23}, \dots, X_{2m}, \dots, X_{n1}, X_{n2}, X_{n3}, \dots, X_{nm}) = \sum_{i,j} g(X_{ij}) \]
We know that \( f(X_{i1}, X_{i2}, X_{i3}, \dots, X_{im}) = g(X_{i1}) + g(X_{i2}) + g(X_{i3}) + \dots + g(X_{im}) \). Now we can create fake data F_{i1}, F_{i2}, F_{i3}, …, F_{iq} such that
\[ f(F_{i1}, F_{i2}, F_{i3}, \dots, F_{iq}) = g(F_{i1}) + g(F_{i2}) + g(F_{i3}) + \dots + g(F_{iq}) = 0 \]

Multiplication:
\[ f(X_{11}, X_{12}, X_{13}, \dots, X_{1m}, \dots, X_{n1}, X_{n2}, X_{n3}, \dots, X_{nm}) = g(X_{11}) \times g(X_{12}) \times g(X_{13}) \times \dots \times g(X_{1m}) \times \dots \times g(X_{n1}) \times g(X_{n2}) \times g(X_{n3}) \times \dots \times g(X_{nm}) \]
We know that \( f(X_{i1}, X_{i2}, X_{i3}, \dots, X_{im}) = g(X_{i1}) \times g(X_{i2}) \times g(X_{i3}) \times \dots \times g(X_{im}) \). Now we can create fake data F_{i1}, F_{i2}, F_{i3}, …, F_{iq} such that
\[ f(F_{i1}, F_{i2}, F_{i3}, \dots, F_{iq}) = g(F_{i1}) \times g(F_{i2}) \times g(F_{i3}) \times \dots \times g(F_{iq}) = 1 \]

One way to find such fake data is to take random values for all entries but one and solve for that one. Taking F_{i2}, F_{i3}, F_{i4}, …, F_{iq} as random values, F_{i1} is found such that:

Summation: \( g(F_{i1}) = -\left( g(F_{i2}) + g(F_{i3}) + g(F_{i4}) + \dots + g(F_{iq}) \right) \)

Multiplication: \( g(F_{i1}) = 1 / \left( g(F_{i2}) \times g(F_{i3}) \times g(F_{i4}) \times \dots \times g(F_{iq}) \right) \)

Now this fake data is grouped with the original data, so that the total number of data entries is m+q:
{Di1, Di2, Di3, …, Di(m+q)} = {Xi1, Xi2, Xi3, …, Xim} ∪ {Fi1, Fi2, Fi3, …, Fiq}
Let party Pi have data Di1, Di2, Di3, …, Di(m+q), consisting of the fake and the original data. This data is now encrypted in a manner that does not affect the overall result: we have to find encrypted data Ei1, Ei2, Ei3, …, Ei(m+q) such that
f(Ei1, Ei2, Ei3, …, Ei(m+q)) = f(Di1, Di2, Di3, …, Di(m+q))
One way of doing this is to take random values for Ei2, Ei3, Ei4, …, Ei(m+q) and find the Ei1 that satisfies the above equation, i.e. find Ei1 such that
f(Ei1, ri2, ri3, …, ri(m+q)) = f(Di1, Di2, Di3, …, Di(m+q))
where ri2, ri3, ri4, …, ri(m+q) are randomly generated values that are assigned directly to Ei2, Ei3, Ei4, …, Ei(m+q). The method of encryption depends strongly on the type of computation and may vary for different computations.
4 Modifier Tokens
Certain kinds of computation are affected by the encryption and by the increase in the number of data items. For these we have to modify the computation method to process encrypted data and to use some additional information that compensates for the increased number of data items. This additional information is sent in the form of modifier tokens. Modifier tokens contain the information, or fixes, that ensure correct computation on encrypted data. The method of generating modifier tokens may vary for different types of computation.

For average: suppose we take one number from each of n parties, calculate the average of all the values and announce the average publicly. P1, P2, P3, …, Pn are parties with data X1, X2, X3, …, Xn. Pi1, Pi2, Pi3, …, Pik are the virtual parties created by party Pi. The number of virtual parties k may differ for every party Pi, but for simplicity of explanation it is kept the same for every party. For the average we have

f(X1, X2, X3, …, Xn) = ( ∑ Xi ) / n

where n is the total number of parties. If we create virtual parties, the value of n changes and hence the result would change, so to obtain the right result we have to modify the average computation according to the modifier tokens and the encryption method. The modified average computation is

h(E11, E12, E13, …, E1k, …, En1, En2, En3, …, Enk, T, T11, T12, T13, …, T1k, …, Tn1, Tn2, Tn3, …, Tnk) = ( ∑ (Ei1 + Ei2 + Ei3 + … + Eik) ) / ( T − ∑ (Ti1 + Ti2 + Ti3 + … + Tik) )

where Eij is the encrypted data of virtual party Pij, Tij is the modifier token of virtual party Pij and T is the total number of data entries in the computation. The data of the virtual parties of Pi is Xi1, Xi2, Xi3, …, Xik, where k is the number of virtual parties. To keep the average the same, this data has to satisfy

Xi1 + Xi2 + Xi3 + … + Xik = Xi

Choosing the data of the virtual parties with the above equation in mind, we can encrypt the data while keeping the sum of the data values the same as the original sum. The modifier tokens of the virtual parties of Pi are Ti1, Ti2, Ti3, …, Tik, where k is the number of virtual parties; they must satisfy

Ti1 + Ti2 + Ti3 + … + Tik = k − 1

If each party has created k virtual parties, then the total number of entries is T = k × n. Since Ti1 + Ti2 + Ti3 + … + Tik = k − 1,

∑ (Ti1 + Ti2 + Ti3 + … + Tik) = n × (k − 1)

and hence

T − ∑ (Ti1 + Ti2 + Ti3 + … + Tik) = k × n − n × (k − 1) = n

so h() = ( ∑ (Ei1 + Ei2 + Ei3 + … + Eik) ) / ( T − ∑ (Ti1 + Ti2 + Ti3 + … + Tik) ) yields the right result.
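The two mechanisms above, the zero-sum fake entries and sum-preserving encryption of Section 3 and the modifier tokens with h() for the average of Section 4, are put together below in one runnable example. It is added by the editor and is not code from the paper. It takes the general case in which each party holds m items and adds q fake entries, so that a party's tokens sum to q = (entries sent) − (original items); with one item per party and q = k − 1 this is exactly the k − 1 of Section 4. The salary figures, seeds, helper names and the Fraction-based product check are the editor's constructions, and the anonymizer layers are modelled only as a shuffle of the message bag, since the TTP's computation needs nothing more from them.

```python
import math
import random
from fractions import Fraction
from typing import Dict, List, Tuple

# A message as carried by one virtual party towards the anonymizer layer:
# (its encrypted entries, its modifier token). Nothing in it names the real party.
Message = Tuple[List[int], int]


def values_with_sum(total: int, count: int, rng: random.Random,
                    spread: int = 10_000) -> List[int]:
    """Section 3's rule for sums: random values for all entries but one, and the
    last one solved so that the list sums to `total`."""
    if count < 1:
        raise ValueError("count must be >= 1")
    vals = [rng.randint(-spread, spread) for _ in range(count - 1)]
    vals.append(total - sum(vals))
    rng.shuffle(vals)
    return vals


def values_with_product(total: Fraction, count: int,
                        rng: random.Random) -> List[Fraction]:
    """The same rule for products: random non-zero factors, the last one solved
    so that the product equals `total` (exact arithmetic, hence Fraction)."""
    if count < 1:
        raise ValueError("count must be >= 1")
    vals = [Fraction(rng.choice([-1, 1]) * rng.randint(1, 50), rng.randint(1, 50))
            for _ in range(count - 1)]
    vals.append(total / math.prod(vals, start=Fraction(1)))
    rng.shuffle(vals)
    return vals


def party_prepare(items: List[int], k: int, q: int,
                  rng: random.Random) -> List[Message]:
    """What party P_i does for a sum/average computation:
    1. append q fake entries whose sum is 0, so they cannot change the sum;
    2. 'encrypt' the m+q entries into random values with the same sum, f(E) = f(D);
    3. spread the encrypted entries over k virtual parties;
    4. give the virtual parties modifier tokens that sum to q, i.e.
       (entries sent) - (original items); for m = 1, q = k - 1 this is the
       paper's k - 1."""
    fakes = values_with_sum(0, q, rng) if q else []
    d = list(items) + fakes
    e = values_with_sum(sum(d), len(d), rng)
    if k > len(e):
        raise ValueError("each virtual party must carry at least one entry")
    buckets = [e[j::k] for j in range(k)]          # e is already shuffled
    tokens = values_with_sum(q, k, rng, spread=max(q, 1))
    return [(buckets[j], tokens[j]) for j in range(k)]


def third_party_average(messages: List[Message]) -> Fraction:
    """h() at the TTP: sum of every encrypted entry, divided by
    (entries received - sum of modifier tokens) = number of original items.
    The TTP sees neither party identities nor any true value."""
    total_entries = sum(len(vals) for vals, _ in messages)
    token_sum = sum(tok for _, tok in messages)
    return Fraction(sum(sum(vals) for vals, _ in messages),
                    total_entries - token_sum)


def run_demo(seed: int = 7) -> Fraction:
    """Three parties with constructed salary figures (thousands); true average 450/6 = 75."""
    rng = random.Random(seed)
    parties: Dict[str, List[int]] = {"A": [50, 70], "B": [60], "C": [80, 90, 100]}
    pool: List[Message] = []
    for items in parties.values():
        pool.extend(party_prepare(items, k=4, q=3, rng=rng))
    rng.shuffle(pool)   # the anonymizer layers: the TTP gets an unordered bag
    return third_party_average(pool)


def product_check(items: List[int], q: int, seed: int = 7) -> bool:
    """Section 3 for a product: fake factors with product 1, then a re-randomised
    list with the same product as the original. Returns True if f(E) == f(D)."""
    rng = random.Random(seed)
    d = [Fraction(x) for x in items] + values_with_product(Fraction(1), q, rng)
    target = math.prod(d, start=Fraction(1))
    e = values_with_product(target, len(d), rng)
    return math.prod(e, start=Fraction(1)) == target


def leak_demo(seed: int = 7) -> int:
    """Caveat: the split is an additive secret sharing, so whoever collects every
    message of ONE party learns that party's total (here 120), not its items."""
    rng = random.Random(seed)
    msgs = party_prepare([50, 70], k=4, q=3, rng=rng)
    return sum(sum(vals) for vals, _ in msgs)
```

`run_demo()` returns the exact average 75 for any seed, because every transformation preserves the sum and the tokens restore the count. `leak_demo()` shows the limit of the scheme: the individual salaries are never recoverable from the messages, but an adversary who gathers every message of one party recovers that party's total, which is why the security analysis of Section 5 is about the odds of collecting all of a party's virtual parties.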
5 Security Analysis
If the TTP is malicious it could try to reveal the identity of the source of the data. A set of anonymizers in the anonymizer layer makes the source of the data anonymous and preserves the privacy of the individual; the more anonymizers in the layer, the smaller the possibility of hacking the privacy of the data. Each virtual party reaches the TTP on its own: each arrives as an individual party, and the TTP does not know which real party created it. Equations (1)–(3) below model an adversary who compromises virtual parties chosen uniformly at random, without replacement, and who cannot otherwise link a virtual party to the party that created it (for instance through the anonymizers or through traffic analysis); the combinatorial counts rest on that assumption. Writing \( K = \sum_{i=1}^{n} k_i \) for the total number of virtual parties, the probability of hacking the data of a particular virtual party P_ir is

\[ P(VP_{ir}) = \frac{1}{\sum_{i=1}^{n} k_i} \qquad (1) \]

When party P_i has k_i virtual parties, the probability that a hacked virtual party belongs to party P_r is

\[ P(VP_r) = \frac{k_r}{\sum_{i=1}^{n} k_i} \qquad (2) \]

Even if the data of a virtual party is hacked, security is not breached, because the data is encrypted. The probability of hacking the data of party P_r, i.e. of k_r picks without replacement all landing on the virtual parties of P_r, is

\[ P(P_r) = \frac{k_r}{K} \times \frac{k_r - 1}{K - 1} \times \cdots \times \frac{1}{K - k_r + 1} = \binom{K}{k_r}^{-1} \qquad (3) \]

The graph of the number of virtual parties k against the probability of hacking P(P_r) for n = 4 is shown in Fig. 2, which shows that the probability is nearly zero once the number of virtual parties is three or more. The graph of the number of parties against the probability of hacking for k = 8 is shown in Fig. 3: with eight virtual parties the probability is of the order of 10^-5, that is, nearly zero.
Fig. 2. Number of virtual parties (x axis) vs. probability of hacking (y axis)
Fig. 3. Number of parties (x axis) vs. probability of hacking (y axis)
Suppose that the number of virtual parties is ka then
P ( Pa ) =
ka
×
n
ka − 1 n
∑ k ∑ k −1 i =1
i
i =1
i
×⋅⋅⋅×
1 n
∑k i =1
i
(4)
− ka
420
R. Pathak and S. Joshi
For kb number of virtual parties we have
kb
P ( Pb ) =
kb − 1
×
n
n
∑k ∑k i
i =1
i =1
1
×⋅⋅⋅×
∑k −k
−1
i
(5)
n
i
i =1
b
if ka > kb then P(Pa) < P(Pb) by Eq. (4) and Eq. (5). We can see that as the number of virtual parties increases the probability of hacking the data will decrease by harmonic mean. Special Case 1- When the number of virtual parties is increased from ka to ka+1, the effect in probability of hacking is evaluated as
P ( Pa ) =
ka
ka − 1
×
n
×⋅⋅⋅×
n
∑ k ∑ k −1 i
i =1
P ( Pa +1 ) =
i =1
ka + 1 n
∑k i =1
i
×
+1
i
∑k i =1
ka n
∑k i =1
1 n
i
×⋅⋅⋅×
(6)
− ka
i
1 n
∑k i =1
i
(7)
− ka
from Eq. (6) and Eq. (7) we can evaluate the ratio as
P ( Pa +1 ) k +1 = na P ( Pa ) ∑ ki + 1
(8)
i =1
There is a linear increase in the security of data when the number of virtual parties is increased, providing no significant change in security ratio. Special Case 2- When the number of virtual parties are increased from ka to kb where kb > ka then the security ratio is evaluated as
$$\frac{P(P_b)}{P(P_a)} = \frac{(k_a + 1) \times (k_a + 2) \times \cdots \times k_b}{\left(\sum_{i=1}^{n} k_i + 1\right) \times \left(\sum_{i=1}^{n} k_i + 2\right) \times \cdots \times \left(\sum_{i=1}^{n} k_i + k_b - k_a\right)} \qquad (9)$$

which shows that the change in probability is represented as a harmonic mean, and it is clear that if the number of virtual parties is increased in multiples then there is a significant change in the security ratio. This shows that we should increase the number of virtual parties in multiples to increase security. Even if the data of all virtual parties of a particular party is hacked, it will not breach security: the data is encrypted and can only be used for computation, and the exact values can never be obtained from it.
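The probability analysis above (Eqs. (3) to (9)) can be checked numerically. The following is an added example written for this page, not code from the paper or its authors. It evaluates Eq. (3) as the sequential product k_r/N × (k_r − 1)/(N − 1) × …, with N = Σ k_i the total number of virtual parties in the network, and Eq. (9) as the product of the k_b − k_a extra factors. One reading is mine, not stated on the page: each numerator (k_r − j) is paired with the denominator (N − j), so the product has exactly k_r factors, ends at 1/(N − k_r + 1) and equals 1/C(N, k_r). Under that reading Eqs. (8) and (9) follow exactly, which the cross-check function confirms. The party sizes are constructed sample values.

```python
from fractions import Fraction
from math import comb


def hack_probability(k_r: int, total: int) -> Fraction:
    """Eq. (3): P(P_r) = k_r/N * (k_r - 1)/(N - 1) * ... * 1/(N - k_r + 1).

    total is N = sum of k_i over all n parties. Assumption (not spelled out on the
    page): numerator (k_r - j) pairs with denominator (N - j), so the product has
    exactly k_r factors and equals 1 / C(N, k_r).
    """
    if not 0 < k_r <= total:
        raise ValueError("need 0 < k_r <= total virtual parties")
    p = Fraction(1)
    for j in range(k_r):
        p *= Fraction(k_r - j, total - j)
    return p


def closed_form(k_r: int, total: int) -> Fraction:
    """1 / C(N, k_r): the closed form the sequential product collapses to."""
    return Fraction(1, comb(total, k_r))


def party_probabilities(virtual_counts):
    """P(P_r) for every party r of a network given as its list of k_i."""
    total = sum(virtual_counts)
    return [hack_probability(k, total) for k in virtual_counts]


def uniform_network_probability(n: int, k: int) -> Fraction:
    """All n parties use k virtual parties each (the setting of Fig. 2 and Fig. 3)."""
    return hack_probability(k, n * k)


def security_ratio(k_a: int, k_b: int, total: int) -> Fraction:
    """Eq. (9): P(P_b) / P(P_a) when party a grows from k_a to k_b virtual parties.

    total is N = sum k_i before the change; the k_b - k_a added virtual parties
    raise the network total to N + k_b - k_a. Eq. (8) is the case k_b = k_a + 1.
    """
    if k_b < k_a:
        raise ValueError("k_b must not be smaller than k_a")
    ratio = Fraction(1)
    for j in range(1, k_b - k_a + 1):
        ratio *= Fraction(k_a + j, total + j)
    return ratio


def ratio_by_recomputation(k_a: int, k_b: int, total: int) -> Fraction:
    """Same ratio obtained directly from Eq. (3); cross-checks Eq. (9)."""
    return hack_probability(k_b, total + k_b - k_a) / hack_probability(k_a, total)


if __name__ == "__main__":
    # Constructed example: four parties with 3, 2, 2 and 1 virtual parties (N = 8).
    counts = [3, 2, 2, 1]
    for r, p in enumerate(party_probabilities(counts)):
        print(f"party {r}: k={counts[r]}  P(P_r)={p} ({float(p):.3e})")
    print("Eq. (8) ratio, k_a 3 -> 4:", security_ratio(3, 4, sum(counts)))
    print("Eq. (9) ratio, k_a 3 -> 6:", security_ratio(3, 6, sum(counts)))
    # Regime the text describes: n = 4 parties, k virtual parties each.
    for k in (1, 2, 3, 8):
        print(f"n=4, k={k}: P(P_r)={float(uniform_network_probability(4, k)):.3e}")
```

Exact fractions are used so that the equality between the sequential product, the closed form and the ratio of Eq. (9) can be asserted rather than approximated; for n = 4 and k = 3 the value is 1/220, and for n = 4 and k = 8 it is below 10^-7, which is the "nearly zero" regime described above.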
6 Conclusion
In this paper we have proposed an SMC protocol named Virtual Party Protocol (VPP). We have shown that we can create fake data, distribute it among the generated virtual parties, and send this data along with modifier tokens to carry out computations on encrypted data using an improvised computation method. An anonymizer is used to hide the identity of the parties. An example of computing the average salary among several organizations without revealing the actual salary data has been given. Encryption methods have been built for certain common functions, and the process of generating modifier tokens for a collective method has been shown. SMCs are used for many big surveys and large-scale statistical calculations. With the use of VPP, most statistical calculations and other computations can be performed without revealing the data to other parties or even to the third party. A probabilistic security analysis was given, and it was shown how we can achieve zero hacking security with a proper configuration.
Using a Link Metric to Improve Communication Mechanisms and Real-Time Properties in an Adaptive Middleware for Heterogeneous Sensor Networks*
Edison Pignaton de Freitas1,2, Tales Heimfarth2, Marco Aurélio Wehrmeister2, Flávio Rech Wagner2, Armando Morado Ferreira3, Carlos Eduardo Pereira2,4, and Tony Larsson1
1 School of Information Science, Computer and Electrical Engineering, Halmstad University, Halmstad, Sweden
2 Institute of Informatics, Federal University of Rio Grande do Sul, Brazil
3 Military Institute of Engineering, Brazil
4 Electrical Engineering Department, Federal University of Rio Grande do Sul, Brazil
{edison.pignaton,tony.larsson}@hh.se, {theimfarth,mawehrmeister,flavio}@inf.ufrgs.br, [email protected], [email protected]
Abstract. This paper presents middleware mechanisms to support real-time services in heterogeneous sensor networks, focusing on the evaluation of link metrics. Heterogeneous sensor networks require specific QoS (quality of service) guarantees in order to allow the coordination and cooperation among the different nodes that compose the system. In order to improve QoS, one of the first steps is to enhance the usage of the communication links, aiming at a more reliable and efficient message exchange. In this paper, key middleware features to address this concern are presented, in which a focus is given on the use of a link metric that, as part of a protocol, is used to optimize the message forwarding in relay communications across the network. Additionally, preliminary results are also presented.
Keywords: Heterogeneous Wireless Sensor Networks, QoS enhancement, Middleware support mechanisms, Link metric.
* E. P. Freitas thanks the Brazilian Army for the grant given to follow the PhD program in Embedded Real-time Systems at Halmstad University in cooperation with the Federal University of Rio Grande do Sul.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 422–431, 2009. © Springer-Verlag Berlin Heidelberg 2009
1 Introduction
Complexity in sensor network applications is increasing due to the use of different kinds of mobile sensors, which provide more advanced functionality and are deployed in scenarios where context-awareness is needed. In order to provide support for those emerging applications, an underlying infrastructure in the form of a middleware is necessary. The current main state-of-the-art middleware proposals, such as [1], present some important drawbacks, which are mainly twofold: (i) the assumption that the network is composed only of a homogeneous set of basic or very constrained low-end sensors; and (ii) the lack of intelligence in the network, which hinders the adaptability required to deal with changes in operating conditions, e.g. lack of QoS management and control. Adaptability is a major concern that must be addressed due to: (a) long lifetime; and (b) deployment in highly dynamic environments. The first reason increases the probability of changes in user requirements through a system's lifetime, thus requiring flexibility in order to deal with changing demands. The second reason implies that applications have to be flexible enough to cope with drastic changes in the operation scenarios. In such environments, real-time requirements are especially hard to meet, because of variable operational conditions.
This paper presents the development of an adaptive middleware to support sophisticated sensor network applications, such as modern surveillance systems, that must adapt their behavior according to changes in their environment and in application demands. An overview of the middleware is presented, followed by some of the features for handling real-time requirements. The focus is then directed to the mechanisms that support these features, which is done by the use of a link metric that rates links and avoids the use of unstable or low-quality transitory communication links, thus reducing the negative impact of the dynamics of the topology. Preliminary results related to the link metric are also presented.
The remainder of the text is organized as follows. Section 2 presents the application scenario in which the middleware will be deployed and the main related issues. Section 3 presents an overview of the middleware structure, while Section 4 presents selected middleware features. In Section 5 details about the used link metrics are provided.
Section 6 discusses related work, and Section 7 concludes the paper and gives directions for future work.
2 Application Scenario and Overview of Key Issues
The present work aims at contributing in the domain of modern surveillance systems. In this context, a sensor network composed of heterogeneous sensor nodes with different characteristics and capabilities is used. It is possible to identify three dimensions when considering the heterogeneity of nodes: computing platform, sensing capabilities, and mobility. The first and second ones are closely related, considering rich sensor nodes using powerful sensor devices like radar, visible light cameras, or infrared sensors that are supported by moderate to high performance computing and communication resources. Low-end sensor nodes are those with constrained capabilities, such as piezoelectric resistive tilt sensors, with limited processing and communication support. The third dimension considers that sensor nodes can be static on the ground or can move, e.g. carried by a vehicle on the ground or flying at some height over the target area. Surveillance systems benefit from the interaction among heterogeneous sensors linked in a network, increasing the capability of data gathering and fusion and enhancing their efficiency by allocating resources according to the needs of a specific surveillance mission. For instance, in order to save resources, sophisticated and expensive sensors like radars can be deployed on mobile platforms and used on
demand. When alerts are issued by low-end, cheap sensor nodes such as piezoelectric tilt sensors, the use of the more expensive high-end mobile sensors is triggered in this area. Another possibility is that a fleet with a number of autonomous, small Unmanned Aerial Vehicles (UAVs) is used to survey an area in cooperation with low-end ground nodes in order to give a faster response to events triggered by the ground nodes. This implies the need for a tradeoff between the quality of the data that a node may provide and the time to respond to an event. A fleet of small UAVs may not provide data as accurate as a resource-rich and larger UAV carrying a more advanced sensor device, but, as they are more numerous, it is likely that one of the small UAVs of the fleet will be close to the area where the event occurred and can reach that area faster. In any of these cases, the deployed system has different problems to solve in order to make the entire network work properly, allowing the cooperation among individual nodes. Focusing the attention on the low-end ground sensor nodes, they have a constrained energy source and must spend it carefully in order to be able to run for a longer time. Communication is a key energy consumer in this case, so it is important to communicate as seldom as possible. The same holds for the small UAVs, which should also handle their energy resources carefully in order not to deplete them quickly. However, messages exchanged in the network must comply with QoS requirements, due to application or control mechanism needs, thus demanding a strategy to optimize the use of communication links. Moreover, dynamic adaptations in the communication must take place due to changes in the network topology, which occur as nodes may come in and out of the network, as well as when their QoS status varies. On the other hand, most of the richer nodes handle more sophisticated data, such as radar images and high resolution video.
These nodes may require more sophisticated network handling, such as bandwidth reservation and more complex QoS priority handling over certain transmissions. These issues hold for the small UAVs as well, but resized for the quality of the data that they handle.
3 Middleware Overview
In order to support the dynamic nature of the operation scenarios in which the sensor networks are to be deployed, we propose the use of a set of mechanisms combined in a middleware that can address the required adaptation. These mechanisms are part of different services provided by the middleware, and many of them are supported by the use of a link metric. This metric rates the links, according to some parameters that will be presented further in Section 5, making possible the utilization of good quality links for the communications and preventing the use of transitory or bad communication channels. The middleware is divided into three layers, according to the goals of the services provided in each of them. The bottom layer is called Infrastructure Layer. It is responsible for the interaction with the underlying operating system and for the management of the sensor node resources, such as available communication and sensing capabilities, remaining energy, etc. A component in this layer implements part of the link metric and is responsible for collecting the signal strength indication from the incoming packets as well as the bit error rate.
The intermediate layer is called Common Services Layer, which provides services that are common to different kinds of applications, such as cross-layer QoS negotiation and control and message delivery control, among others. An additional component is responsible for keeping the abstract information about the link metric for the direct neighbors of the node. This module is used by other services to increase the communication quality. It uses the information captured from the network interface in the Infrastructure Layer to update the link metric (presented in Section 5). The top layer is called Domain-Services Layer and has the goal of supporting domain-specific needs, such as data fusion support and specific data semantic support to allow the production of application-related information by processing of raw data. Other reasoning capabilities related to the management of the sensing missions are also hosted in this layer. For more details about this topic readers are referred to [2].
4 Selected Middleware Features
The proposed middleware is based on the publish-subscribe paradigm and inspired by the Data Distribution Service for Real-time Systems (DSS) specification, standardized by OMG [3]. Although inspired by this standard, the middleware does not follow the whole specification. It takes the standard as a guideline but uses other mechanisms to address the problems highlighted above and others discussed in [4]. In the following, some selected features of the middleware, those more closely related to the use of the link metric, are presented. For a complete list of the middleware features concerning real-time handling, interested readers are referred to [4].
• Flexibility
The middleware provides full control of the communication. It does not use underlying control mechanisms available in the nodes' network layer. Instead, it provides its own communication control. This means that all parameters related to communication are controlled by the middleware, using only basic connectionless communication services offered by the network layer. The middleware handles parameters like number of retries, message priority, and memory usage for buffering and timing. Moreover, information about the error rate and signal strength of the incoming packets, as well as the fusion of this kind of information into a high-level metric, are also concerns handled by the middleware. This control over the communication provides more flexibility to manage the messages exchanged by each node, with direct impact on the reduction of latency.
• QoS Control
QoS control is performed through a contract between the data provider and the data requester. When a node publishes a data service, it also informs which QoS it is capable of offering. Nodes interested in the published data service that also accept the offered QoS may subscribe to the service. However, if a node is only interested in the data but does not agree with the offered QoS, it has two alternatives:
If the application that is requiring the data has a priority lower than other ones using the same service, it looks for another data provider; if its priority is higher than other applications, it negotiates with the data provider, in order to obtain the desired QoS in spite of the bad consequences that this may imply for other lower priority applications.
Communication also plays an important role in order to provide a certain level of QoS. When a given node requires a certain QoS, the question whether the QoS can be provided depends on the availability of a suitable communication path between provider and requester. If only error-prone and overloaded links are available, a requested quality of service cannot be provided. Moreover, the link rating, explained in Section 5, is used in the middleware to select better links for the traffic of high priority applications when congestion is observed.
• Network Decomposition
Network decomposition is triggered by the situation of nodes within a group having a high communication flow between them and a low one outside the group. In this situation, they form a cluster in order to reduce the communication with outside nodes. A cluster-head, which is responsible for communications with nodes outside the cluster, is elected. Preferably, a cluster contains several well-rated links between its members in order to prevent errors and low QoS in the communication. The rating of links is done using the link metric described later. For the cluster-head election, a method based on a particular kind of self-organization is used: the division of labor and task allocation in swarms of social insects, described in detail in [5]. In social insects, different tasks are performed by specialized individuals. Each of the different morphological castes tends to perform a different task in the colony, ruled by a stimulus-threshold function, which is used in our case to assign the roles of cluster-head and cluster-member to suitable nodes. The idea of the cluster-head election is that each node has probabilistic tendencies to assume this role: nodes with good connectivity and plenty of energy are very good candidates and thus have a higher probability of assuming the role. The complete description of the cluster-head election can be found in [6].
• Data Segregation
There are two kinds of data exchanged between nodes in the network: control data and application data. Control data are small and may not experience latency or unexpected delays to reach their destination. So, control data are segregated from application data by having higher priority to be forwarded. On the other hand, there are several kinds of application data, e.g. simple values (integers and floats), video streams, and character strings. Although this sort of data has a priority lower than control data, it must fulfill the QoS requirements of the application. Moreover, jitter is also reduced by the segregation, because the different kinds of data are handled by different buffers. In our middleware, data segregation is improved by using the link metric rating. Therefore, depending on the priority and on the required QoS, different paths may be used between the data source and destination. High priority data and control data are always transmitted through links that better fit their needs. This brings a small error rate and high reliability to the transmissions.
5 Link Metric
In this section, we describe the mechanism used for the rating of links. As already seen, the link metric is a key feature of the middleware and is used extensively by several other features, for example for selecting the links used for advertisements in the publish/subscribe paradigm. It is also very important for the QoS control of the middleware. The need for an elaborate link metric arises from a very important difference between wired and wireless networks, which is the behavior of the network links. In a wired network, the links have a relatively stable quality. The parameter that has the most influence on this type of link is the load of the network. On the other hand, in ad hoc wireless networks, there are several parameters that influence the link quality. First of all, the propagation of the waves in a wireless medium is affected by phenomena like attenuation, distortion, exponential path loss, etc. Moreover, the environment is dynamic, with changing obstacles, temperature, and pressure that affect the transmission properties. The distortion caused by the physical effects on the radio waves introduces uncertainty at the receiver about the original signal, resulting in bit errors. Moreover, noise and interference also lead to reception errors. Because the quality of a link is an important factor in a wireless network, our model is based on a link rating provided by the Common Services Layer of the middleware. This rating reflects the "usefulness" or "quality" of a link. However, the various properties that influence the quality of a wireless link make the task of finding the appropriate link rating a challenge. How the quality of a wireless link may change even in a very uniform environment can be seen in the experiment reported in [7]. In Figure 1, a scatter plot of how links vary over distance for a collection of nodes on the ground of a tennis court is shown.
Fig. 1. Reception success rate versus distance of the transmitter/receiver (data source: [7])
Although in such an ideal environment a behavior close to the theoretical path loss curve was expected, the results depict a very different reality. After a certain distance (4 m), the difference in the reception success rate between nodes at the same distance was very significant. This can be verified in the regions marked by "acceptable" and "poor" reception (in the referred work the areas are called transitional regions). The labels in Figure 1 were assigned based on the average reception success rate (RSR). We can define thresholds for the lower limit of the defined regions, i.e., RSR_excellent, RSR_acceptable, and RSR_bad.
Besides this, many approaches are based on a bimodal link quality, where a link may exist or not. Although this may often be a true assumption for wired networks, it is not a reasonable approximation for wireless networks. Algorithms based on this simplistic assumption often choose low-capacity, long-range links instead of high-capacity, short-range links. This affects the performance negatively. This happens because bad links are good enough for control packet exchange, but during data transmissions, much of the capacity is consumed by retransmissions. In this section, we define a link metric that summarizes the "goodness" of a link. Each link receives a real value that describes its quality. The quality of a link is estimated using the following variables: (1) Success Rate; (2) Received Signal Strength; (3) History; and (4) Energy Reserve. They are then summarized in our combined link metric.
• Success Rate
The idea is to use past samples of the success rate in order to estimate the quality of a link. Success rate is a relatively reliable method to predict the quality of a link. Nevertheless, there are also some drawbacks: at the beginning of the observation, there is no data to be used for the prediction; moreover, it reacts slowly to changes in the topology (a node has moved but the link rating still indicates a good link). In addition, very old measurements cannot accurately estimate the current situation.
• Received Signal Strength
The received signal strength indication (RSSI) as a link metric is proposed as a substitute for the bimodal link metrics presented in some other approaches. The correlation between the received signal strength and the distance between two nodes is rather far from the ideal path loss curve, as presented in [8]. We argue that the signal strength may be used only as a rough indicator of the quality of the link, because, despite its low stability, it has a high agility. Therefore, we integrate it with other indicators in our combined metric.
• History
In the algorithms developed in this work, it is important to select trustworthy and stable links instead of newly created ones. In order to prevent the use of temporary links, an additional parameter is used in the metric. It measures how old the link is and penalizes very new links. This is especially important in networks with many topology changes.
• Energy Reserve
In a sensor network environment, energy is a precious resource, and the pattern in which energy is spent makes a real difference to the complete network lifetime. We decided to include the amount of energy of a node in the link metric to restrict the use of exhausted nodes, because the link metric tends to evaluate them worse than links between nodes with plenty of energy. This brings a more uniform consumption of energy. The energy reserve parameter of the link metric may improve a uniform energy use, especially by routing protocols.
• Combined Metric
As already mentioned above, the proposal combines the presented parameters in a link metric that indicates the goodness of a link. The combined metric is defined in the following equation:

$$M_{combined} = 1 - \left(k_1 \cdot M_{RSSI} + k_2 \cdot M_{RSR} + k_3 \cdot M_{history} + k_4 \cdot M_{energy}\right) \qquad (1)$$
where M_RSSI ∈ [0, 1] indicates the normalized signal strength indication, M_RSR ∈ [0, 1] is the reception success rate, M_history ∈ [0, 1] returns 0 for new links and 1 for old ones, and M_energy ∈ [0, 1] returns 0 for depleted nodes and 1 for full nodes. We now present how the sub-metrics used in the equation are calculated. The value of M_RSSI is adjusted upon reception of any packet (addressed to the node or acquired in promiscuous mode). An average of the received values and the current M_RSSI with an aging factor α is calculated, i.e., M_RSSI = α · M_RSSI + (1 − α) · AM_RSSI, where AM_RSSI denotes the adjusted measured signal strength. The adjustment of the signal strength is done in order to improve its performance by cutting out extremes where the signal is either excellent (RSSI_excellent) or very poor (RSSI_verypoor). The metric M_RSR is just the combination of the currently measured reception success rate with the existing one, i.e., M_RSR = α · M_RSR + (1 − α) · measRSR. The measured reception success rate (measRSR) is calculated based on the monitoring of packet transmissions and correlated acknowledgments in the middleware Infrastructure Layer. The history metric (M_history) is calculated using the number of received packets. C_rx is the number of received packets on the link. This counter is decremented periodically (down to 0) in order to cope with extinguishing links. We define:

$$M_{history} = \min\left(1, \frac{C_{rx}}{stable\_link\_count}\right) \qquad (2)$$

where stable_link_count is the number of packets necessary to consider a link as fully active. Finally, the energy reserve measures how much energy a node has, i.e. M_energy returns one when the battery is full and zero when depleted.
5.1 Preliminary Results
Preliminary results of the proposed link metric usage in a clustering algorithm are presented in this sub-section. In summary, two versions of the emergent clustering algorithm [6] were tested. One of them used the proposed link metric and the other one is exactly the same, but without the link metric. The algorithm has two main phases: the first one is the cluster-head election, while the second one is the selection of the cluster members. The cluster-head election is not relevant for the link metric evaluation provided herein, since both versions (with and without link metric) use the same cluster-head election procedure. The second phase is based on a membership fitness function that evaluates the suitability of a node to be a member of the cluster. Every time a node becomes cluster-head, it starts to search for suitable members using a broadcast message. When a candidate node receives this message, it calculates its own fitness to join the given cluster. This fitness function uses parameters such as remaining energy, connection to the cluster (based on the link metric in one of the versions), and number of neighbors. Based on this fitness, the node starts a timer to reply to the cluster-head call. In this way, good candidates reply faster and are included in the cluster. When a node is included in the cluster, it also broadcasts the call-for-members message.
Fig. 2. Normalized results for clustering with and without use of the link metric
The difference between the two versions lies in whether or not the link metric is used in the fitness function. Figure 2 shows the results of forty simulation runs. For each run, the cost of the solution is calculated using the following procedure: the distance between all nodes inside the cluster is calculated based on the link metric; when there is no direct connection between two nodes, the shortest path is used and the distance is the sum of the link metric along this path. The cost of one cluster is the sum of the distances of all nodes to all nodes. For the complete network decomposition, the total cost is given by the sum of all individual cluster costs. In the figure, one notices that the use of the link metric increases the performance of the algorithm considerably for most of the simulation cases. This happens because the cluster-head could select the nodes with higher link quality as members, thus decreasing the individual cluster cost and resulting in a smaller total cost. It is important to remark that the figure shows the normalized costs.
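The sub-metric updates of Section 5 (Eqs. (1) and (2) with the aged averages for M_RSSI and M_RSR) and the cluster-cost procedure of Section 5.1 can be put together in one piece of code. The following is an added example written for this page; it is not the middleware's own implementation. The aging factor α, the RSSI clipping thresholds, stable_link_count and the weights k1 to k4 are constructed values, since the paper gives none; the packets, acknowledgment counts and link graph are constructed sample input. Two readings are mine: the adjusted signal strength AM_RSSI clips the raw reading between RSSI_verypoor and RSSI_excellent and maps it linearly to [0, 1], and the cluster cost counts each unordered pair of members once.

```python
from dataclasses import dataclass
import heapq

# Constants below are constructed for this example; the paper does not give values.
ALPHA = 0.7                 # aging factor alpha of the moving averages
RSSI_VERY_POOR = -95.0      # dBm; readings at or below count as 0 (RSSI_verypoor)
RSSI_EXCELLENT = -55.0      # dBm; readings at or above count as 1 (RSSI_excellent)
STABLE_LINK_COUNT = 20      # packets needed before a link counts as fully active
K1, K2, K3, K4 = 0.3, 0.4, 0.15, 0.15   # weights k1..k4 of Eq. (1); they sum to 1


def adjusted_rssi(rssi_dbm: float) -> float:
    """AM_RSSI: clip the raw reading to [very poor, excellent] and map it to [0, 1]."""
    clipped = min(max(rssi_dbm, RSSI_VERY_POOR), RSSI_EXCELLENT)
    return (clipped - RSSI_VERY_POOR) / (RSSI_EXCELLENT - RSSI_VERY_POOR)


@dataclass
class LinkState:
    """Per-neighbour state of the kind the Common Services Layer component keeps."""
    m_rssi: float = 0.0     # M_RSSI, aged average of the adjusted signal strength
    m_rsr: float = 0.0      # M_RSR, aged average of the reception success rate
    c_rx: int = 0           # C_rx, received-packet counter feeding M_history

    def on_packet_received(self, rssi_dbm: float) -> None:
        # M_RSSI = alpha * M_RSSI + (1 - alpha) * AM_RSSI, on any received packet
        self.m_rssi = ALPHA * self.m_rssi + (1 - ALPHA) * adjusted_rssi(rssi_dbm)
        self.c_rx += 1

    def on_tx_window(self, sent: int, acked: int) -> None:
        # M_RSR = alpha * M_RSR + (1 - alpha) * measRSR, measRSR from sent/acked counts
        meas_rsr = acked / sent if sent else 0.0
        self.m_rsr = ALPHA * self.m_rsr + (1 - ALPHA) * meas_rsr

    def periodic_decay(self) -> None:
        # C_rx is decremented periodically (down to 0) so that extinct links lose history
        self.c_rx = max(0, self.c_rx - 1)

    def m_history(self) -> float:
        # Eq. (2): M_history = min(1, C_rx / stable_link_count)
        return min(1.0, self.c_rx / STABLE_LINK_COUNT)

    def combined(self, m_energy: float) -> float:
        # Eq. (1): 0 is the best possible link, 1 the worst; Section 5.1 sums it as a distance
        return 1.0 - (K1 * self.m_rssi + K2 * self.m_rsr
                      + K3 * self.m_history() + K4 * m_energy)


def rate_link(rssi_samples, tx_windows, m_energy, decay_ticks=0):
    """Feed constructed observations into a fresh LinkState and return M_combined."""
    link = LinkState()
    for rssi in rssi_samples:
        link.on_packet_received(rssi)
    for sent, acked in tx_windows:
        link.on_tx_window(sent, acked)
    for _ in range(decay_ticks):
        link.periodic_decay()
    return link.combined(m_energy)


def build_links(edges):
    """edges: iterable of (a, b, m_combined); returns a symmetric adjacency dict."""
    links = {}
    for a, b, w in edges:
        links.setdefault(a, {})[b] = w
        links.setdefault(b, {})[a] = w
    return links


def shortest_distance(links, src, dst):
    """Dijkstra over M_combined edge weights; inf when no path exists."""
    dist = {src: 0.0}
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            return d
        if d > dist[u]:
            continue
        for v, w in links.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return float("inf")


def cluster_cost(links, members):
    """Section 5.1 cost: sum of shortest-path distances between all member pairs
    (assumption: each unordered pair counted once)."""
    members = list(members)
    return sum(shortest_distance(links, a, b)
               for i, a in enumerate(members) for b in members[i + 1:])


if __name__ == "__main__":
    print("fresh strong link:", rate_link([-55.0, -55.0], [(10, 10)], 1.0))
    print("dead link:        ", rate_link([-100.0], [(10, 0)], 0.0))
    print("old stable link:  ", rate_link([-55.0] * 50, [(10, 10)] * 50, 1.0))
    g = build_links([("A", "B", 0.2), ("B", "C", 0.3), ("A", "C", 0.9),
                     ("A", "D", 0.9), ("B", "D", 0.8)])
    print("cost {A,B,C}:", cluster_cost(g, "ABC"), " cost {A,B,D}:", cluster_cost(g, "ABD"))
```

The main block shows the effect the text describes: a link with only two good packets is still rated far from 0 because M_history is low, a link that has been quiet loses its history through periodic decay, and a cluster-head comparing candidate member sets by the summed metric prefers the set joined by better-rated links.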
6 Related Work
MiLAN [9] is an adaptive middleware that explores the concept of proactive adaptation, in order to respond to the QoS needs imposed by changes in the operational environment. MiLAN allows the specification of the required QoS for data, adjusting the network to increase its lifetime by efficiently using energy. The major difference is that in our work we consider levels of quality of the link state, by using the described link metric, to choose the best nodes to forward messages. In MiLAN, there is no such fine-grained consideration of the link status; instead, a bimodal link quality approach is used. Quality Objects (QuO) [10] proposes the addition of a QoS adaptive layer on an existing middleware, such as RT-CORBA [11]. It provides means for specifying, monitoring, and controlling QoS and also for adapting the middleware behavior according to the QoS variations during runtime. However, as this framework relies on an existing middleware such as RT-CORBA, it has the same drawback regarding its use in low-end nodes. Besides, it also uses a bimodal link quality approach.
As far as we searched in the literature, no middleware uses link metrics to improve QoS in a way similar to the one presented in this paper.
7 Conclusions and Future Work
This paper presented a proposal to use a link metric to support different mechanisms that address real-time issues in a middleware for heterogeneous sensor networks. An overview of the possible operational scenarios was discussed, highlighting the need for an efficient strategy to handle and adapt the communication, considering the QoS demands. Then the middleware was presented and some of its selected features described. Finally, the link metric was described and preliminary results presented. As current work we are integrating the link metric mechanisms with the middleware services, as well as running additional simulations to assess the efficiency of the technique in different scenarios.
References
1. Madden, S., Franklin, M.J., Hellerstein, J.M., Hong, W.: TinyDB: An Acquisitional Query Processing System for Sensor Networks. ACM Transactions on Database Systems 30(1), 122–173 (2005)
2. Freitas, E.P., Wehrmeister, M.A., Pereira, C.E., Ferreira, A.M., Larsson, T.: Multi-Agents Supporting Reflection in a Middleware for Mission-Driven Heterogeneous Sensor Networks. In: Proc. of 3rd ATSN, in conjunction with 8th AAMAS (2009)
3. Object Management Group (OMG): Distribution Service for Real-time Systems (DSS) Specification. Version 1.2 (January 2007)
4. Freitas, E.P., Wehrmeister, M.A., Pereira, C.E., Larsson, T.: Real-time Support in Adaptable Middleware for Heterogeneous Sensor Networks. In: Proceedings of the International Workshop on Real Time Software (RTS 2008), pp. 593–600. IEEE, Los Alamitos (2008)
5. Bonabeau, E., Dorigo, M., Theraulaz, G.: Swarm Intelligence: From Natural to Artificial Systems. Santa Fe Institute Studies in the Sciences of Complexity. Oxford University Press, Oxford (1999)
6. Heimfarth, T., Janacik, P., Rammig, F.J.: Self-Organizing Resource-Aware Clustering for Ad Hoc Networks. In: Obermaisser, R., Nah, Y., Puschner, P., Rammig, F.J. (eds.) SEUS 2007. LNCS, vol. 4761, pp. 319–328. Springer, Heidelberg (2007)
7. Woo, A., Culler, D.: Evaluation of Efficient Link Reliability Estimators for Low-power. Technical Report, UC Berkeley (2002)
8. Janacik, P.: Service Distribution in Wireless Sensor Networks. Master's Thesis, University of Paderborn (2005)
9. Heinzelman, W., Murphy, A., Carvalho, H., Perillo, M.: Middleware to Support Sensor Network Applications. IEEE Network Magazine Special Issue (2004)
10. Vanegas, R., Zinky, J., Loyall, J., Karr, D., Schantz, R., Bakken, D.: QuO's Runtime Support for QoS in Distributed Objects. In: Proc. of Middleware 1998, the IFIP International Conference on Distributed Systems Platform and Open Distributed Processing (1998)
11. Schantz, R.E., Loyall, J.P., Schmidt, D.C., Rodrigues, C., Krishnamurthy, Y., Pyarali, I.: Flexible and Adaptive QoS Control for Distributed Real-time and Embedded Middleware. In: Proc. of 4th Intl. Conf. on Distributed Systems Platforms. Springer, Heidelberg (2003)
Performance Evaluation of DSR in Multi-services Ad Hoc Networks
Ronald Beaubrun and Badji Molo
Department of Computer Science and Software Engineering, Université Laval, Québec, Canada, G1V 0A6
[email protected], [email protected]
Abstract. In mobile ad hoc networks (MANET), links are created and destroyed in an unpredictable way, which makes the determination of routes between each pair of nodes quite challenging. In this paper, we evaluate the performance of the dynamic source routing (DSR) protocol in a multi-services MANET. Simulation results reveal that DSR provides a packet delivery ratio higher than 99% for a low mobility level and low traffic intensity.
Keywords: DSR, MANET, multimedia traffic, routing.
1 Introduction
A mobile ad hoc network (MANET) is a decentralised, self-organizing and self-configuring wireless network, without any fixed infrastructure [7]. In this network, each mobile node behaves not only as a host, but also as a router capable of communicating with other nodes, using either direct wireless links or multi-hop wireless links. Examples of ad hoc network applications include business associates sharing information during meetings or conferences, soldiers relaying information on a battlefield, and disaster relief personnel coordinating efforts after fires or earthquakes [8]. With such applications, MANETs are envisioned to become key components in the 4G architecture, as they will offer multimedia services to mobile users in areas where no pre-existing communications infrastructure exists.
As nodes are mobile in a MANET, links are created and destroyed in an unpredictable way, which makes the determination of routes between a pair of nodes that want to communicate quite challenging. In this context, a great number of routing protocols have been proposed [2], [8], [9]. Such routing protocols can be classified into two major classes: proactive protocols and reactive protocols. Proactive protocols periodically disseminate routing information from each node to every other node and find routes continuously, whereas reactive protocols find routes on demand, i.e. only when a source has information to forward to a destination. Performance analysis shows that, in general, reactive protocols outperform proactive protocols [2]. Dynamic source routing (DSR) is one of the most representative reactive routing protocols [4]. In this paper, we propose a performance evaluation of DSR in the context of multimedia MANETs.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 432–437, 2009. © Springer-Verlag Berlin Heidelberg 2009
The rest of this paper is organized as follows. Section 2 presents the state of the art on evaluating the performance of DSR. Section 3 outlines the most important parameters for the network model. Section 4 presents simulation results and analysis, whereas Section 5 gives some concluding remarks.
2 Background
DSR is based on the source routing concept, in which each sender places a complete source route in the packet's header [1], [8], [12]. More specifically, when a source wants to communicate with a destination, it checks its route cache for routing information related to that destination. If none is found, the sender initiates a route discovery process by broadcasting a route request packet (RREQ) in order to dynamically find a new route [8]. If the route discovery succeeds, the sender receives a route reply packet (RREP) listing the sequence of nodes through which it may reach the destination. The route carried back by the RREP is cached for future use at the source node and at every node that forwarded the RREP.
When a route between a source and a destination breaks, a route maintenance process is invoked by the source in order to detect the broken link, and a route error control packet (RERR) is sent to the source node. Each node that receives the RERR packet removes from its cache all routes that contain the broken link. If the route to the destination is still needed and no alternate route is available in the cache, the source node must initiate a new route discovery. In DSR, route discovery and route maintenance both operate on demand, unlike routing protocols that rely on periodic routing packets and thereby add overhead to the network.
There has been much research on evaluating the performance of DSR [1], [4], [5], [6], [10], [12], [13]. Some works propose extensions of DSR and compare their performance with the original protocol [12], [13]. In particular, [12] proposes a routing scheme called Modified Dynamic Source Routing (MDSR), whereas Wong and Wong [13] evaluate two extended versions of DSR: the Fuzzy-based DSR (FDSR) and the Enhanced Fuzzy-DSR (EFDSR).
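The route cache behaviour described above, as an added illustration that is not part of the paper: a source consults its cache, floods a RREQ when no route is known, caches the route carried back by the RREP, and on a RERR drops every cached route containing the broken link. The topology, node names and the breadth-first model of RREQ flooding are constructed for this example; RREQ identifiers, timing and the RREP forwarding path are not modelled.

```python
"""DSR route cache with on-demand discovery and RERR handling (added example).

The topology dictionary and node names are constructed for this illustration;
RREQ identifiers, timing and RREP forwarding are deliberately left out.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Node = str
Route = Tuple[Node, ...]          # complete source route, source first


def uses_link(route: Route, a: Node, b: Node) -> bool:
    """True if the route traverses link a-b in either direction."""
    return any({route[i], route[i + 1]} == {a, b} for i in range(len(route) - 1))


class RouteCache:
    """Routes a node has learned, keyed by destination."""

    def __init__(self) -> None:
        self._routes: Dict[Node, List[Route]] = {}

    def add(self, route: Route) -> None:
        routes = self._routes.setdefault(route[-1], [])
        if route not in routes:
            routes.append(route)

    def lookup(self, dst: Node) -> Optional[Route]:
        """Shortest cached route to dst, or None (which triggers discovery)."""
        routes = self._routes.get(dst)
        return min(routes, key=len) if routes else None

    def on_route_error(self, a: Node, b: Node) -> int:
        """RERR for link a-b: drop every route using it; return how many."""
        removed = 0
        for dst in list(self._routes):
            keep = [r for r in self._routes[dst] if not uses_link(r, a, b)]
            removed += len(self._routes[dst]) - len(keep)
            if keep:
                self._routes[dst] = keep
            else:
                del self._routes[dst]
        return removed


def route_discovery(topology: Dict[Node, Set[Node]], src: Node, dst: Node) -> Optional[Route]:
    """RREQ flooding modelled as a breadth-first search: each copy of the RREQ
    carries the nodes it has traversed, and the first copy to reach dst is the
    route the RREP returns. Neighbours are visited in sorted order so the
    result is deterministic."""
    seen = {src}
    frontier = deque([(src,)])
    while frontier:
        path = frontier.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(topology.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(path + (nxt,))
    return None


def send(cache: RouteCache, topology: Dict[Node, Set[Node]], src: Node, dst: Node) -> Optional[Route]:
    """Source behaviour: use the cache if possible, otherwise discover and cache."""
    route = cache.lookup(dst)
    if route is None:
        route = route_discovery(topology, src, dst)
        if route is not None:
            cache.add(route)
    return route
```

Running `send` twice for the same destination performs only one discovery; after `on_route_error` for a link on the cached route the next `send` falls back to discovery, which is the on-demand behaviour the section describes.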
Other approaches evaluate the traffic impact on network performance when using DSR. More specifically, Dyer and Boppana [6] evaluate the impact of multiple HTTP and multimedia flows, with and without background traffic, on each other, i.e. the capabilities of MANETs in supporting multiple simultaneous HTTP and multimedia streaming flows. However, no information is provided on the mobility model. Other schemes compare the performance of DSR with that of other routing protocols [1], [4], [5], [10]. However, most of those schemes have only considered one class of traffic, which can be:
- Constant bit rate (CBR) class [10];
- FTP or HTTP applications [4];
- MPEG-4 traffic [5];
- Exponential or Pareto [1].
Considering only one class of traffic does not give a realistic idea of the protocol performance. In principle, services provided by MANETs generate
several classes of traffic which combine voice, data and video. In order to provide good QoS, each class has its own requirements in terms of throughput, end-to-end delay and packet delivery ratio [3]. In this paper, we evaluate the impact of mobility, traffic type and traffic intensity on the performance of DSR in a multi-services MANET. The performance parameter is expressed in terms of the packet delivery ratio.
3 Parameters for the Network Model
First, the network model must define the parameters related to the network environment, such as the network size and the channel characteristics. In the context of this research, the network consists of 50 nodes that move over an area of 500 × 500 m². Some nodes may have the ability to vary their transmission power. The MAC layer protocol considered is 802.11b with a nominal transmission range of 250 meters; it operates in the 2.4 GHz band at 11 Mbps. The two-ray ground propagation model is used at the physical layer.
Moreover, two important variable parameters must be considered in the network model: the node mobility, and the traffic type and intensity. The node mobility generally includes the nodes' maximum and minimum speeds, the speed pattern and the pause time. The speed pattern determines whether the node moves at uniform speed or whether the speed varies constantly. The pause time determines how long each node remains stationary between periods of movement. Combined with the maximum and minimum speed, this parameter determines how often the network topology changes, and hence how often the network state information must be updated. In this research, the nodes move according to the random waypoint model at a speed that is uniformly distributed. Many levels of mobility are considered by varying both speeds and pause times. In particular, speeds vary from 0 to 20 m/s, whereas pause times take the following values: 0, 100, 200, 300, 400, 500, and 600 seconds.
To complete the model, the number, type and data rate of traffic sources must be specified. Intuitively, the traffic load in the network depends on the number of traffic sources, since not all the nodes generate traffic at the same time. In order to change the traffic load in the network, we consider 10, 20, 30 and 40 traffic sources respectively.
Moreover, traffic sources may generate packets at constant bit rate (CBR) or at variable bit rate (VBR). The CBR class is commonly used for voice and data services. In this case, the data rate and the delay remain constant during the packet transmission. More particularly, CBR traffic sources provide a constant flow of data packets of 512 bytes at a transmission rate of 4 packets per second. All CBR traffic scenarios are generated using cbrgen.tcl in NS-2. However, the CBR traffic class is not suited to the real-time multimedia traffic generated by on-demand and videoconferencing services [5]. The VBR traffic closely matches the statistical characteristics of a real trace of video frames generated by an MPEG-4 encoder [5]. Two parameters were used to control the traffic stream. The first parameter, the initial seed, selects the variant of the traffic trace. It was kept constant at 0.4, as the same traffic trace had to be used in all the experiments. The second parameter, the rate factor, determined
the level of scaling up (or down) of the video input while preserving the same sample path and autocorrelation function for the frame size distribution. Its value is 0.33 for 40 sources, and 0.25 for 10, 20, 30 sources.
4 Simulation Results and Analysis
To evaluate the impact of mobility on the performance of each component of the multimedia traffic in a MANET, simulations with NS-2.29 are carried out using three sets of experiments. The first set only considers CBR traffic sources, whereas in the others a mix of CBR and VBR traffic sources is used. More specifically, the second set has 25% VBR traffic sources and 75% CBR traffic sources, whereas the third set has 50% CBR traffic sources and 50% VBR traffic sources. The performance is expressed in terms of the packet delivery ratio, i.e. the ratio of the number of packets delivered at the destination to the number sent by the sources. The simulation time is 600 seconds for each experiment.
Due to space limits, we only present the results related to 20 and 40 traffic sources, which characterize low and high traffic intensity levels respectively. Such results are illustrated in Figures 1 and 2, which summarize the performance of DSR as a function of mobility and traffic intensity. More specifically, the results show the impact of the pause time and traffic intensity on the packet delivery ratio for each type of traffic. In this context, R1 represents the results obtained when only considering CBR sources, R2 the results obtained with 75% CBR sources and 25% VBR sources, and R3 the results obtained with 50% CBR and 50% VBR sources.
We observe that, in general, the packet delivery ratio increases as the mobility level decreases. In particular, low node mobility leads to more stable routes, which generates fewer overhead packets and keeps the packet delivery ratio relatively high. On the
Fig. 1. Packet delivery ratio for 20 sources of traffic
Fig. 2. Packet delivery ratio for 40 sources of traffic
other hand, a high mobility level increases the number of RREQ, RREP and RERR packets, which tends to decrease the packet delivery ratio. Moreover, the performance of DSR depends on the traffic intensity. More specifically, for the same type of traffic, the packet delivery ratio is lower with 40 sources of traffic than with 20 sources of traffic, as illustrated in Figure 1 (min. 98.3%) and Figure 2 (min. 50.1%). In fact, high traffic intensity tends to create more congestion in the network, so that packets are more likely to be discarded because of the delay associated with that congestion. The type of traffic also has an impact on the performance of DSR. In scenario R1, the packet delivery ratio is in general higher than in R2, whereas R2 leads to a higher packet delivery ratio than R3, for any pause time and any number of traffic sources. In the presence of video traffic, a great number of packets are generated by the sources, which increases the congestion level and the packet loss rate.
5 Conclusion
We evaluated the impact of multimedia traffic on the performance of DSR in MANETs. Simulation results show that DSR provides a packet delivery ratio higher than 99% for a low mobility level and low traffic intensity (i.e., 20 traffic sources). However, with high traffic intensity (i.e., 40 traffic sources), the packet delivery ratio obtained with DSR falls to as low as 50.1%, especially in the presence of multimedia traffic. Future work should be oriented towards the evaluation of DSR in terms of other parameters, such as the end-to-end delay and the jitter.
References
1. Al-Maashri, A., Ould-Khaoua, M.: Performance Analysis of MANET Routing Protocols in the Presence of Self-Similar Traffic. In: Proceedings of 31st IEEE Conference on Local Computer Networks, November 14-16, 2006, pp. 801–807 (2006)
2. Bai, R., Singhal, M.: DOA: DSR over AODV Routing for Mobile Ad Hoc Networks. IEEE Transactions on Mobile Computing 5, 1403–1416 (2006)
3. Calyam, P., Sridharan, M., Mandrawa, W., Schopis, P.: Performance Measurement and Analysis of H.323 Traffic. In: Barakat, C., Pratt, I. (eds.) PAM 2004. LNCS, vol. 3015, pp. 137–146. Springer, Heidelberg (2004)
4. Chaplot, A.: A Simulation Study of Multi-Hop Wireless Network. In: IEEE International Conference on Personal Wireless Communications, December 15-17, 2002, pp. 86–89 (2002)
5. Chowdhury, M.U., Perera, D., Pham, T.: A Performance Comparison of three Wireless Multi-hop Ad-hoc Network Routing Protocols when Streaming MPEG-4 Traffic. In: Proceedings of the 8th Int. Multitopic Conference, December 24-26, 2004, pp. 516–521 (2004)
6. Dyer, T.D., Boppana, R.V.: On Routing Web and Multimedia Traffic in Mobile Ad hoc Networks. In: Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS 2003), Island of Hawaii, January 6-8, 2003, p. 10 (2003)
7. Hong, X., Xu, K., Gerla, M.: Scalable Routing Protocols for Mobile Ad Hoc Networks. IEEE Networks 16, 11–21 (2002)
8. Huang, T.-C., Chan, C.-C.: Caching Strategies for Dynamic Source Routing in Mobile Ad Hoc Networks. In: IEEE Wireless Communications and Networking Conference (WCNC) 2007, March 11-15, 2007, pp. 4239–4243 (2007)
9. Ooi, C.-C., Fisal, N.: Implementation of Geocast-enhanced AODV-bis Routing Protocol in MANET. In: IEEE Region 10 Conference TENCON, Chiang Mai, Thailand, November 21–24, 2004, vol. B, pp. 660–663 (2004)
10. Taddia, C., Giovanardi, A., Mazzini, G.: Energy Efficiency in OLSR Protocol. In: 3rd Annual IEEE Communications Society on Sensor and Ad Hoc Communications and Networks, vol. 3, pp. 792–796 (2006)
11. Tafazolli, H.: A Survey of QoS Routing Solutions for Mobile Ad Hoc Networks. IEEE Communications Surveys & Tutorials 9, 50–70 (2007)
12. Taing, N., Thipchaksurat, S., Varakulsiripunth, R., Ishii, H.: Performance Improvement of Dynamic Source Routing Protocol for Multimedia Services in Mobile Ad Hoc Network. In: 1st International Symposium on Wireless Pervasive Computing, January 6-18 (2006)
13. Wong, Y.F., Wong, W.C.: A Fuzzy-Decision-Based Routing Protocol for Mobile Ad Hoc Networks. In: Proceedings of the 10th IEEE International Conference on Networks, ICON 2002, Singapore, August 27-30, 2002, pp. 317–322 (2002)
Implementation and Evaluation of WiMedia MAC LSI
Kazuyuki Sakoda, Yuichi Morioka, Chihiro Fujita, Erica Tanimoto, Kenzoh Nishikawa, and Mitsuhiro Suzuki
Communication Technology Lab., System Technologies Labs., Sony Corporation, 5-1-12 Kitashinagawa Shinagawa-ku, Tokyo, 141-0001 Japan
{KazuyukiA.Sakoda,Yuichi.Morioka,Chihiro.Fujita, Erica.Tanimoto,Kenzoh.Nishikawa,Mitsuhiro.Suzuki}@jp.sony.com
Abstract. The WiMedia Alliance has worked on the UWB-based system specification and has published the WiMedia specifications for MAC, PHY, and the MAC-PHY Interface. These specifications are further standardized in ECMA TC48 and are published as ECMA-368 – High Rate Ultra Wideband PHY and MAC Standard, and ECMA-369 – MAC-PHY Interface for ECMA-368. The standard specifies a personal area network air interface utilizing an OFDM-based PHY providing up to 480Mbps, and distributed-control MAC mechanisms. This paper introduces an overview of the WiMedia MAC technology and the MAC LSI design challenges. This MAC LSI is intended to offer a generic communication platform to meet various application needs, and was certified by WiMedia as compliant with the specification. The MAC design includes not only the standardized protocol set, but also some additional enhancement features to achieve better performance or to meet certain application requirements.
Keywords: WiMedia, UWB, MAC, ECMA-368, ECMA-369, ad hoc network, PAN, Superframe, Beacon Period, DRP, PCA, Block ACK, LSI, ECMA-387.
1 Introduction
Wireless PAN systems are one of the candidate technologies for forming ad hoc networks and transmitting wideband data among personal devices. The WiMedia Alliance worked on the UWB-based system specification [1] [2] and published the PHY/MAC specification. In this paper, an overview of the WiMedia MAC protocol is given first. Some general requirements for the MAC design are then discussed, and the implemented LSI architecture and features are described. We named this LSI "Magnicours". Magnicours aims at an embedded chip solution for wireless PAN in general, and tries to handle high-bandwidth signals with lower power consumption, to meet general wireless PAN application requirements. We have done some measurements using this LSI, and some of the results are summarized in a later section. As discussed later, the Magnicours design is expected to be applicable to systems other than UWB.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 438–449, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Overview of WiMedia MAC protocol
WiMedia MAC is designed to deliver scheduled channel access in a distributed coordination environment, with additional accommodation of contention-based access [4]. Some features characterizing WiMedia MAC are briefly introduced in this section.
2.1 Superframe Structure
WiMedia MAC defines the basic time controlling unit called Superframe. A Superframe has a constant duration of 65,536 [usec] and is composed of 256 MASs (Media Access Slots). The MAS duration is 256 [usec], and it is the basic unit for channel time allocation. The channel time utilization is defined by the MAS type, which is one of the following three:
− BP: The duration when only beacon frames are transmitted. All other types of frames cannot be sent during this period.
− DRP: Reserved time slots for the DRP owner to accommodate scheduled channel access.
− PCA: Time slots which are open for prioritized contention access. Devices contend using the CSMA/CA mechanism to get channel access.
Fig. 1. Superframe structure
2.2 BP (Beacon Period)
The Beacon Period is further divided into time units called beacon slots. In each beacon slot, one beacon frame is transmitted. All the devices transmit a beacon frame in the BP of a Superframe. Beacon frames are used to signal most of the control information. For instance, DRP establishment is signaled using the DRP IE (Information Element) contained in the beacon frame. Since there is no central coordinator in WiMedia MAC, each device tries to find the right beacon slot to transmit its beacon frames, so that the transmitted beacon frame does not collide with the beacon frames of other devices [8]. This collision avoidance control is done through the BPO IE in a beacon frame [4].
2.3 DRP (Distributed Reservation Protocol)
In order to establish a DRP, devices need to negotiate among neighboring devices. Once the negotiation for setting up the DRP succeeds, devices can utilize the established
DRP MASs (time slots). Once established, DRP MASs are utilized exclusively by the reservation owners. All devices other than the DRP owners shall be silent during the DRP MASs. Although DRP owners are free to use their DRP, all frame exchange sequences shall be terminated within the DRP MASs. The DRP assignment pattern affects the required buffer sizes and data delivery delays. In order to deliver fair channel access opportunities, there are certain rules for obtaining DRP reservation slots. In general, frequent MAS allocation helps minimize buffer requirements, whereas smaller MAS blocks result in larger overhead due to fragmented utilization of the channel time [6].
2.4 PCA (Prioritized Contention Access)
PCA in WiMedia is similar to EDCA, defined in IEEE 802.11 wireless LAN, utilizing multiple prioritized contentions based on Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) [11]. PCA assumes that the transmitter has 4 parallel queues, one for each access category, and runs random backoff timers in parallel to gain channel access. Unlike IEEE 802.11 wireless LANs, PCA imposes that frame transmission be controlled so as to be accommodated within the PCA time slots. That is, PCA requires strict TDMA-based time management, even though it offers contention-based channel access [7]. In the case of PCA, the use of the RTS/CTS procedure is preferred to keep the channel capacity higher when the network is overloaded.
2.5 Frame Format
The WiMedia MAC frame format is shown in Figure 2. The MAC header is placed inside the PLCP header field. The maximum PSDU size is 4,095 octets. MSDUs may be aggregated into a PSDU and transported over a single frame. This frame is called an aggregated MSDU frame.
Fig. 2. Frame format (figure labels: Preamble, PHY header, MAC header; PLCP Header: 186 [bit] @ 39.4 [Mbps]; PSDU: 0~4095 [octets]; FCS)
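As an added illustration of Sections 2.1 to 2.3 (not code from the paper or from Magnicours): a superframe map of 256 MASs typed BP, DRP or PCA, a reservation builder that rejects conflicting DRP claims and claims inside the BP, and the check that a frame exchange lies entirely inside the owner's DRP MASs. The superframe and MAS constants come from the text; the schedule representation, the owner identifiers and the sample reservations are assumptions made for this example.

```python
"""Superframe / MAS bookkeeping for a WiMedia-style MAC (added example).

Constants from the text: a Superframe of 65,536 us made of 256 MASs of 256 us.
The list-of-descriptors schedule, the owner identifiers and the sample
reservations are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SUPERFRAME_US = 65_536
MAS_COUNT = 256
MAS_US = SUPERFRAME_US // MAS_COUNT      # 256 us per MAS

BP, DRP, PCA = "BP", "DRP", "PCA"


@dataclass
class Mas:
    kind: str                      # BP, DRP or PCA
    owner: Optional[str] = None    # reservation owner, DRP slots only


def build_schedule(bp_slots: int, reservations: Dict[str, Set[int]]) -> List[Mas]:
    """Map one superframe: the first `bp_slots` MASs form the BP, each
    owner -> MAS-index set in `reservations` becomes that owner's DRP, and all
    remaining MASs stay open for PCA. Conflicting claims raise ValueError."""
    if not 0 <= bp_slots <= MAS_COUNT:
        raise ValueError("BP length out of range")
    sched = [Mas(PCA) for _ in range(MAS_COUNT)]
    for i in range(bp_slots):
        sched[i] = Mas(BP)
    for owner, slots in reservations.items():
        for s in slots:
            if not 0 <= s < MAS_COUNT:
                raise ValueError(f"MAS {s} out of range")
            cur = sched[s]
            if cur.kind == BP:
                raise ValueError(f"MAS {s} lies in the BP; only beacons may be sent there")
            if cur.kind == DRP and cur.owner != owner:
                raise ValueError(f"MAS {s} already reserved by {cur.owner}")
            sched[s] = Mas(DRP, owner)
    return sched


def exchange_fits(sched: List[Mas], owner: str, start_us: int, duration_us: int) -> bool:
    """True iff an exchange of `duration_us` starting at superframe-relative
    `start_us` lies entirely in MASs reserved by `owner` (Section 2.3 rule that
    frame exchange sequences terminate within the DRP MASs)."""
    if start_us < 0 or duration_us <= 0:
        return False
    end_us = start_us + duration_us
    if end_us > SUPERFRAME_US:
        return False                      # would spill into the next superframe
    first, last = start_us // MAS_US, (end_us - 1) // MAS_US
    return all(sched[i].kind == DRP and sched[i].owner == owner
               for i in range(first, last + 1))


def available_us(sched: List[Mas], owner: str) -> int:
    """Channel time in microseconds that `owner` holds in this superframe."""
    return MAS_US * sum(1 for m in sched if m.kind == DRP and m.owner == owner)


def count_kind(sched: List[Mas], kind: str) -> int:
    return sum(1 for m in sched if m.kind == kind)
```

`exchange_fits` is the check a time-base controller (Section 6.1) must apply before starting a burst: an exchange that ends one microsecond past the last reserved MAS is rejected even though most of it lies inside the reservation.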
2.6 Frame Transmission Sequence
Frames may require acknowledgement from the receiver to offer reliable frame transmission. Two kinds of ARQ are defined. The first is the use of immediate ACK, where an ACK frame is sent back immediately after each data frame is received. This is easy to operate, but the overhead is large, especially when the frames are transmitted at higher PHY rates.
The other is the use of Block ACK. A Block ACK is sent back to the transmitter only when a frame carrying a Block ACK request is received. In this case, ACK frames need not be sent back frequently, which greatly reduces the overhead. Data frames can be transmitted successively, which is called "bursting", with a smaller inter-frame spacing called MIFS (Minimum Inter Frame Space). When used with the RTS/CTS procedure, TXOPs can be obtained assuming that the data frames will be transmitted using bursting, and the duration field set to the end of the last burst data frame.
Fig. 3. Frame exchange sequence example
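An added two-party model of the bursting and Block ACK exchange of Section 2.6, which also exercises the ARQ state of Section 6.3 (Stream Index, Sequence Number, ACK Bit Map, and the re-initialisation when synchronization is lost). This is not the paper's or Magnicours' code: the window size, the integer encoding of the bitmap, the loss pattern and the simplified lost-synchronization condition (a pending frame the receiver has already slid past) are assumptions of this model.

```python
"""Burst transmission with Block ACK: transmitter and receiver model (added example).

Window size, bitmap encoding and the lost-synchronization rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

WINDOW = 16   # assumed Block ACK window: frames covered by one bitmap


@dataclass
class Receiver:
    win_start: Dict[int, int] = field(default_factory=dict)     # per Stream Index
    received: Dict[int, Set[int]] = field(default_factory=dict)

    def on_data(self, stream: int, seq: int) -> bool:
        """Accept a data frame if its Sequence Number is inside the window."""
        start = self.win_start.setdefault(stream, seq)
        if 0 <= seq - start < WINDOW:
            self.received.setdefault(stream, set()).add(seq)
            return True
        return False

    def on_block_ack_request(self, stream: int) -> Tuple[int, int]:
        """Build the ACK Bit Map (bit i = frame start+i received), then slide
        the window past the leading run of acknowledged frames."""
        start = self.win_start.get(stream, 0)
        got = self.received.setdefault(stream, set())
        bitmap = sum(1 << i for i in range(WINDOW) if start + i in got)
        new_start = start
        while new_start in got:
            got.discard(new_start)
            new_start += 1
        self.win_start[stream] = new_start
        return start, bitmap

    def reset(self, stream: int) -> None:
        self.win_start.pop(stream, None)
        self.received.pop(stream, None)


@dataclass
class Transmitter:
    next_seq: Dict[int, int] = field(default_factory=dict)
    pending: Dict[int, List[int]] = field(default_factory=dict)   # sent, not yet acked

    def burst(self, stream: int, new_frames: int) -> List[int]:
        """Sequence numbers for the next burst: retransmissions first, then up
        to `new_frames` fresh frames, never more than one window."""
        seqs = list(self.pending.get(stream, []))
        nxt = self.next_seq.setdefault(stream, 0)
        while new_frames > 0 and len(seqs) < WINDOW:
            seqs.append(nxt)
            nxt += 1
            new_frames -= 1
        self.next_seq[stream] = nxt
        self.pending[stream] = seqs
        return seqs

    def on_block_ack(self, stream: int, start: int, bitmap: int) -> Tuple[List[int], bool]:
        """Drop acknowledged frames. Returns (frames to retransmit, in_sync).
        A pending frame below the receiver's window start can never be acked:
        that is treated here as the lost-synchronization case of Section 6.3."""
        still, in_sync = [], True
        for seq in self.pending.get(stream, []):
            off = seq - start
            if 0 <= off < WINDOW and (bitmap >> off) & 1:
                continue
            if off < 0:
                in_sync = False
            still.append(seq)
        self.pending[stream] = still
        return still, in_sync

    def reset(self, stream: int) -> None:
        self.next_seq.pop(stream, None)
        self.pending.pop(stream, None)


def run_burst(tx: Transmitter, rx: Receiver, stream: int, new_frames: int,
              lost: Set[int]) -> Tuple[List[int], bool]:
    """One burst, then a Block ACK request; frames in `lost` never arrive.
    On lost synchronization both ARQ states are re-initialised (the software
    recovery step the paper describes) and nothing is left pending."""
    for seq in tx.burst(stream, new_frames):
        if seq not in lost:
            rx.on_data(stream, seq)
    start, bitmap = rx.on_block_ack_request(stream)
    retransmit, in_sync = tx.on_block_ack(stream, start, bitmap)
    if not in_sync:
        tx.reset(stream)
        rx.reset(stream)
        return [], False
    return retransmit, True
```

A burst of eight frames with two losses yields a bitmap with two holes and exactly those two frames in the retransmission list; a second burst carrying only the retransmissions clears the window.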
3 Requirements for MAC Implementation
There are many different requirements for wireless communication interfaces from the application and/or client device point of view. Some devices have only limited hardware resources and cannot afford heavy signal processing for access control on the client CPU. These kinds of devices usually intend to conserve power. In contrast, some devices require precise control for QoS delivery, which is vital for real-time AV stream handling. Some applications may need to deliver traffic to multiple devices at the same time. It is also important to note that the footprint of the chip design affects the cost performance. The following items are some of the important requirements to be considered when a MAC LSI is designed in general.
− Reduction of signal processing load at the client
− High bandwidth signal processing
− Low power consumption
− Efficient utilization of hardware resources
− Extendibility of the platform
4 Architecture Design
Taking into account the general requirements for MAC implementation described above, we have chosen the architecture of the LSI (Magnicours) carefully to meet many of these requirements. The designed MAC is composed of the following three major building blocks.
− Client driver software:
− Embedded CPU and software:
− Custom hardware logic:
The functionality mapping is depicted below.
Fig. 4. Functional blocks of the MAC design
Fig. 5. Hardware structure of Magnicours
The custom hardware logic portion consists of the functional blocks depicted in the following figure. Most of the WiMedia MAC services are processed in the "event driven framing and buffer handling engine" and the "time driven event processing engine". Magnicours has a rather large data memory to offer reliable streaming services.
5 LSI Specification
The physical specification of Magnicours is summarized in the table below. Since this LSI itself is not intended directly for commercial services, we have included many redundancies so that the LSI can be used for various verifications. The memory size could be reduced once the resource utilization is verified, which results
Table 1. Summary of the Magnicours specification
Silicon process: TSMC 90LP, TSMC library
Die size: 4.5mm x 4.5mm
Package: 19mm x 19mm TBGA484
Logic size: 0.7MGate for WiMedia MAC service engine and interface circuits, 0.3MGate for CPU core
SRAM for CPU: 2Mbit for instruction, 1Mbit for data processing
SRAM for data buffer: 2.5Mbit (TX/RX buffer)
Clock: Ext.In 16.5MHz (20ppm), Internal max. 66MHz
Interface: WiMedia MAC-PHY I/F, PCI IF (Cardbus I/F)
Fig. 6. Magnicours and evaluation board
in a significant reduction of the footprint. Magnicours also has many test pins, which could also be eliminated. The following photos show Magnicours and the evaluation board. A third-party PHY LSI is connected via the MAC-PHY interface specified by WiMedia.
6 Major Functionalities
Some of the functionalities offered by Magnicours are briefly introduced in this section. In order to achieve both higher bandwidth signal processing and lower power consumption, most of the data path should be handled by hardware logic [10]. Magnicours handles all data path transactions in the hardware logic portion only. This is one of the distinctive design rationales of Magnicours.
6.1 MAS Management
MAS assignment is one of the critical portions of the WiMedia MAC protocol. Since MAS utilization needs to be strictly controlled based on the information signaled over beacon frames, Time Base Control is handled by the hardware logic part, based on the information parsed by the embedded software. Once the time allocation schedule is ordered by the software, the hardware modules manage the channel time precisely
in an autonomous way. This role partitioning contributes to lower power consumption and keeps the extendibility.
6.2 Frame Transmission Sequence
The frame transmission sequence needs to be determined from at least the following status:
− MAS status: whether the frame is transmitted via DRP or PCA, and how much channel time is available for this transmission.
− PHY data rate: at which PHY rate the frame is to be transmitted.
− Buffer status: pending transmission data amount, number of packets, and reported receiver's buffer availability.
− ARQ status: the ARQ mode used for this transmission. If a Block ACK is open, data will be transmitted using bursting.
Magnicours is capable of handling both DRP and PCA. Mixed utilization of both access schemes is also possible to serve better performance. Since Magnicours aims at extendibility towards higher bit rates, the determination of the above factors and the frame assembling are processed by the hardware logic part.
6.3 Block ACK
Block ACK contributes a lot to reducing the overhead, although its implementation imposes many challenges. It is necessary to manage the buffer in real time and synchronize the buffer status with the counterpart of the transmission using ARQ information such as Stream Index, Sequence Number, ACK Bit Map, etc. Since this processing is required for every frame transmission/reception, it is preferable that these transactions are again handled by the hardware portion, especially if the LSI aims to offer high bandwidth transmission with lower power consumption. Magnicours handles all Block ACK transactions within the hardware logic part, based on the given status information. When ARQ-related synchronization is lost, software initializes the broken ARQ status and recovers the transmission.
6.4 Frame Aggregation
Frame aggregation is another promising feature to reduce the overhead at the MAC layer significantly.
Although only MSDU aggregation is defined in WiMedia MAC, another aggregation method, called MPDU aggregation as defined in 802.11n [12], offers better characteristics when the aggregated frame size is larger. In the case of MPDU aggregation, a Frame Check Sequence is appended per MSDU, and these MSDUs can be retransmitted independently regardless of whether the frame is aggregated or not. It is also important to note that the maximum PSDU length should be defined longer to aggregate frames efficiently. Although the maximum PSDU length for WiMedia MAC/PHY is 4,095 octets, it should be defined longer for further enhancements. The framing overhead δ can be calculated with the following equation.
$$\delta = \frac{N_B L_P / R}{N_B L_P / R + T_{P1} + (N_B - 1)(T_{MIFS} + T_{P2}) + T_{SIFS} + T_{ACK}}$$
where $N_B$ is the number of bursted frames, $L_P$ is the packet length, $R$ is the PHY data rate for transmission, $T_{P1}$ is the standard PLCP heading duration, $T_{P2}$ is the short PLCP heading duration, $T_{MIFS}$ is the MIFS duration, $T_{SIFS}$ is the SIFS duration, and $T_{ACK}$ is the ACK frame duration. For instance, if we assume the transmission of 16 MSDUs (each of 4,000 octets) using bursting or aggregation at a PHY rate of 480Mbps, the overhead percentage varies from 16.4% (when the max MSDU size is 4k octets) to 3.6% (when the max MSDU size is 64k octets). When a higher PHY rate is offered, the overhead reduction becomes larger. Magnicours aims for higher data rate and better performance extendibility, and thus offers both MSDU aggregation and MPDU aggregation, although MPDU aggregation is not specified in WiMedia MAC. Further, PSDU lengths up to 65,535 octets can be handled internally.
6.5 Rate Control
The PHY offers multiple modulation and coding schemes (MCS) to achieve various data rates [5]. The MAC is responsible for selecting which MCS should be used for each data frame transmission. Many strategies to control the PHY layer data rate have been proposed by researchers [9]. We have implemented the following three mechanisms to meet various use cases or external restrictions.
− PER observation based algorithm: The MCS is selected by observing the PER (Packet Error Rate).
− PER and LQI combination algorithm: The MCS is selected using an outer and an inner loop rate control. These loops are controlled based on the PER and the LQI (Link Quality Indicator) reported by the PHY layer.
− Externally specified rate: The MCS is set to the value specified by the client.
6.6 Power Management
A power management protocol is defined as part of the WiMedia MAC protocol. In order to leverage power management efficiently, the CPU is disabled when no management frame transaction is required, and most of the clock delivery inside the LSI is suspended when it is not necessary.
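The framing overhead ratio of Section 6.4, carried through as an added example (not the authors' code) with the symbols of the text: $N_B$ bursted frames of $L_P$ octets at PHY rate $R$, with $T_{P1}$, $T_{P2}$, $T_{MIFS}$, $T_{SIFS}$ and $T_{ACK}$ as fixed per-exchange durations. The timing constants below are assumptions chosen for this illustration (approximately the nominal ECMA-368 preamble, header and inter-frame-space durations); the paper does not list the values behind its 16.4% and 3.6% figures, and with these assumptions the 16-frame burst versus single-frame comparison gives overheads of roughly 16% and 3%. The helper `compare_aggregation` generalizes the text's two cases to any maximum PSDU size.

```python
"""Framing overhead of a bursted / aggregated transmission (added example).

delta = payload airtime / (payload airtime + fixed overheads), Section 6.4.
The microsecond timings in Timing are assumed values for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Timing:
    """Fixed per-exchange durations in microseconds (assumed values)."""
    t_p1: float = 9.375 + 3.75    # standard preamble + PLCP header
    t_p2: float = 5.625 + 3.75    # short (burst) preamble + PLCP header
    t_mifs: float = 1.875         # MIFS between bursted frames
    t_sifs: float = 10.0          # SIFS before the ACK
    t_ack: float = 9.375 + 3.75   # ACK frame: preamble + header, no payload


def delta(n_b: int, l_p_octets: float, rate_bps: float, t: Timing) -> float:
    """Share of airtime carrying payload, per the equation of Section 6.4."""
    if n_b < 1 or l_p_octets <= 0 or rate_bps <= 0:
        raise ValueError("need at least one frame, a positive length and a positive rate")
    payload_us = n_b * l_p_octets * 8 / rate_bps * 1e6          # N_B * L_P / R
    fixed_us = t.t_p1 + (n_b - 1) * (t.t_mifs + t.t_p2) + t.t_sifs + t.t_ack
    return payload_us / (payload_us + fixed_us)


def overhead(n_b: int, l_p_octets: float, rate_bps: float, t: Timing = Timing()) -> float:
    """Overhead fraction, i.e. 1 - delta: the share of airtime not carrying payload."""
    return 1.0 - delta(n_b, l_p_octets, rate_bps, t)


def compare_aggregation(total_octets: int = 64_000,
                        max_psdu_octets: Iterable[int] = (4_095, 65_535),
                        rate_bps: float = 480e6,
                        t: Timing = Timing()) -> Dict[int, float]:
    """For a fixed payload, the overhead when it must be split into PSDUs of at
    most `cap` octets, one frame per PSDU, sent as a single burst. The text's
    two cases are cap = 4,095 (16 frames) and cap = 65,535 (one frame)."""
    result = {}
    for cap in max_psdu_octets:
        n_b = -(-total_octets // cap)              # ceiling division: frames needed
        result[cap] = overhead(n_b, total_octets / n_b, rate_bps, t)
    return result
```

The comparison makes the argument for a longer maximum PSDU concrete: with the payload fixed, every additional frame costs one short PLCP heading plus one MIFS, so the overhead falls monotonically as the PSDU cap rises, and the absolute saving grows with the PHY rate because the payload airtime shrinks while the fixed durations do not.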
Clock signals are delivered only to the modules and memories that are processing signals, such as the modules in the WiMedia MAC service engine.

6.7 Buffer Resource Management
Buffer handling is one of the key features for high data rate applications. The system should utilize the memory space efficiently, since the memory size usually affects the footprint of the LSI a lot. At the same time, flexible queue control is required to meet the broad application requirements. In Magnicours, the transmission buffer and the reception buffer share a single memory space, and transmission queues are managed per stream index and receiver. In order to mitigate the effects of Head-of-Line Blocking when traffic is delivered to multiple destinations, the buffer resource management function controls buffer utilization by monitoring the incoming and outgoing traffic streams. Data traffic to up to 15 devices is controlled simultaneously. Some additional buffering flexibility allows further enhancements by means of cross-layer optimization with applications. Buffers at the MAC layer can be used for other purposes such as jitter compensation. Since Magnicours may be connected directly to a simple application engine such as a video codec, it contains a relatively large data memory space and delivers additional functionality to compensate for jitter in packet arrival. The receiver buffer can be used for this purpose.
7 Measurement
Some measurements of the Magnicours MAC LSI have been carried out and are reported in this section.

7.1 MAS Management and Application Throughput
As described above, MAS utilization is signaled through beacon frames among neighbouring devices, and all devices shall conform to the specified rules. We have tested the implemented protocol using a protocol analyzer. Some MAS utilization results captured by the analyzer are shown in Fig. 7. All frame exchanges occur only during the reserved MASs (cited as “Reservation Block” in the figure).
Fig. 7. MAS utilization captured by an analyzer
The MAS utilization conformance test is performed by the WiMedia Alliance as a part of its certification program. We also passed the conformance test, and the result is listed on the WiMedia website. The application-level throughput transmitted over this MAC has been measured. Using bursting transmission with Block ACK and frame aggregation, two transport streams of up to 180Mbps each (360Mbps = 180Mbps x 2) are constantly accommodated¹.
7.2 Rate Control
Adaptive rate control behavior is also observed to verify the implemented algorithms. A PHY data rate control example is shown in Fig. 8. The graph on the left side shows the rate control behavior obtained by computer simulation, assuming a time-varying channel due to multi-path fading. The graph on the right side is the rate control behavior of Magnicours captured by a protocol analyzer in our lab. In this measurement, the PER observation based algorithm is used. It can be observed that the PHY rate is selected to match the varying channel condition. The behavior can be tuned by setting appropriate parameters in the register.
[Fig. 8 plot: Selected Data Rate (PER+LQI) and Selected Data Rate (PER only) against Time, with the Channel Response shown beneath]
Fig. 8. Rate control behavior conducted by the simulation (left side), and rate control behavior captured by an analyzer (height of the bar represents PHY rate) (right side)
7.3 Power Consumption
“How much power will be consumed for the MAC signal processing?” This is one of the difficult questions to answer, since the power consumption depends on many factors and on the situation in general. However, we tried to capture some reference power consumption figures using the evaluation board. The energy is consumed at the embedded CPU, the internal custom logic, and the chip interfaces (I/O); these three are measured separately. Energy consumption also depends highly on the activity of the signal processing. In order to capture the delta between the “stand-by state” and the “data transmission state”, we measured them separately. The measurement results are shown in Table 2. It should be noted that a large amount of energy is consumed at the external interface portion (I/O column in the table)². Clock gating contributes to lowering the power consumption⁵ at the “stand-by state” significantly, although there is some room to lower the power consumption further.

Table 2. Power consumption measurement result [mWatt]

                          CPU    Logic³   I/O⁴        Total-1   Total-2
Stand-by                  24.0   15.3      0.0+12.0   51.3      39.3
Stand-by (CLK gate)        2.4   10.0      0.0+12.0   24.4      12.4
Tx 145Mbps                24.0   21.0     16.0+12.0   73.0      61.0
Tx 145Mbps (CLK gate)      2.4   17.2     16.0+12.0   47.6      35.6
Rx 145Mbps                24.0   20.2     13.0+12.0   69.2      57.2
Rx 145Mbps (CLK gate)      2.4   19.0     13.0+12.0   46.4      34.4

¹ With the testbed we developed, the host client has a restriction in bus handling which limits the throughput per stream. The MAC LSI itself has the capability to offer > 1Gbps, except for the MAC-PHY interface.
² In Magnicours, the external clock output cannot be disabled, while it should be. Since this can be fixed easily, the last column (Total-2) is calculated assuming that the external clock output is disabled.
³ The value in the column labeled “Logic” includes power consumed for other reasons such as leakage or the PLL. Leakage power was measured to be 3.5 [mWatt].
⁴ “+12.0” denotes that the external clock output consumes an additional 12.0 [mWatt]. The toggle rate of the data payload is approximately 25%.
⁵ Power consumption at the CPU modules depends highly on the processing load when clock gating is operated. In this examination, it is assumed that only the minimal signal processing for beacon frames is performed.

8 Discussion and Conclusion
The WiMedia MAC protocol and its LSI design have been introduced. Since the WiMedia MAC protocol offers generic distributed wireless media coordination among devices, a similar Superframe structure and media access protocol are reused by different wireless communication systems. ECMA-387, a high-rate data communication specification utilizing 60GHz, defines a very similar MAC protocol [13]. Since the designed LSI architecture is aimed at offering higher-bandwidth signal processing, it is expected that this LSI can be reused for these systems and deliver Gbps-order communications with marginal modification. Many elements of the WiMedia MAC protocol, such as the frame format, the Superframe concept, TDMA channel utilization, ARQ, etc., are designed based on 802.15.3 [3], and the designed LSI can be reused for 802.15.3 family systems as well, with small modifications. Further, as recently discussed, cognitive radio systems for TV white space such as IEEE 802.22 [14] also utilize a fixed-length Superframe structure with a specific time window for beacon frames, similar to the beacon period [15]. These future systems may also become applicable targets for this LSI once the standardization activity is settled.

References
1. Distributed Medium Access Control (MAC) For Wireless Network Release 1.0, WiMedia Alliance (December 2005)
2. Standard ECMA-368 – High Rate Ultra Wideband PHY and MAC Standard, ECMA International (December 2005)
3. IEEE-802.15.3, IEEE Standard for Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements Part 15.3: Wireless medium access control (MAC) and physical layer (PHY) specifications for high data rate wireless personal area networks, The Institute of Electrical and Electronics Engineers, Inc., IEEE Std 802.15.3-2003 (September 2003)
4. Pavon, J.d.P., Shankar, S., Gaddam, N.V., Challapali, K., Chou, C.T.: The MBOA-WiMedia specification for ultra wideband distributed networks. IEEE Communications Magazine 44(6), 128–134 (2006)
5. Batra, A., Balakrishnan, J., Aiello, G.R., Foerster, J.R., Dabak, A.: Design of a multiband OFDM system for realistic UWB channel environments. IEEE Transactions on Microwave Theory and Techniques 52(9) (September 2004)
6. Xu, Y., Guan, Q., Zhang, J., Wei, G., Ding, Q., Zhang, H.: Service Interval Based Channel Time Allocation in Wireless UWB Networks. In: ICCS 2008, pp. 1550–1554 (November 2008)
7. Wong, D.T.C., Chin, F., Shajan, M.R., Chew, Y.H.: Saturated Throughput of Burst Mode PCA with Hard DRPs in WiMedia MAC. In: IEEE Wireless Communications and Networking Conference 2008 (WCNC 2008), pp. 1645–1650 (March 2008)
8. Goratti, L., Celentano, U., Salokannel, J.: Energy consumption of beacon period extension and contraction in distributed medium access control. In: IEEE 17th Int’l Symposium on Personal, Indoor and Mobile Radio Communications 2006 (PIMRC 2006), pp. 1–5 (September 2006)
9. Kim, J., Huh, J.: Rate Adaptation Scheme for Slot Reservation in WiMedia MAC. In: International Conference on Consumer Electronics 2007 (ICCE 2007), Digest of Technical Papers, pp. 1–2 (January 2007)
10. Lee, S., Jeon, Y., Choi, S.: A Fully Hardware-oriented Medium Access Management for WiMedia MAC. In: IEEE International Symposium on Consumer Electronics 2007 (ISCE 2007), pp. 1–4 (June 2007)
11. IEEE-802.11, IEEE Standard for Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, The Institute of Electrical and Electronics Engineers, Inc., IEEE Std 802.11-2007 (June 2007)
12. 802.11 Working Group of the 802 Committee, Draft Standard for Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, Amendment 5: Enhancements for Higher Throughput, The Institute of Electrical and Electronics Engineers, Inc., IEEE 802.11n/D7.02 (January 2009)
13. Standard ECMA-387 – High Rate 60GHz PHY, MAC and HDMI PAL, ECMA International (December 2008)
14. Sherman, M., Mody, A., Martinez, R., Rodriguez, C.: IEEE Standards Supporting Cognitive Radio and Networks, Dynamic Spectrum Access, and Coexistence. IEEE Communications Magazine 46(7), 72–79 (2008)
15. Sengupta, S., Chatterjee, M., Chandramouli, R.: A coordinated distributed scheme for cognitive radio based IEEE 802.22 wireless mesh networks. In: IEEE International Conference on Communications Workshops 2008 (ICC Workshops 2008), pp. 461–465 (May 2008)
A Reliable and Efficient Pedal Back Data Disseminating Scheme for Ad-Hoc WSNs
Nomica Imran and A.I. Khan
Faculty of Information Technology, Monash University
[email protected], [email protected]
Abstract. Wireless Sensor Networks (WSNs) generate massive amounts of live data and events sensed through dispersedly deployed tiny sensors. This generated data needs to be disseminated to the sink with little consumption of network resources. Researchers prefer gossiping to disseminate bulk data in unstructured ad-hoc wireless sensor networks. An important consideration in gossip-based dissemination protocols is to keep the routing table up to date. Considering the inherently resource-constrained nature of ad-hoc wireless sensor networks, we propose a gossip-based protocol that consumes few resources. Our proposed scheme aims to keep the routing table size R as low as possible, yet it ensures that the diameter is small too. We evaluated the performance of our proposed protocol through simulations. Results show that our proposed protocol attains a major improvement in network reachability and connectivity.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 450–460, 2009. © Springer-Verlag Berlin Heidelberg 2009

1 Introduction
Wireless ad-hoc networks consist of individual sensor nodes distributed over a given area and are used to monitor physical phenomena in the environment. Typical sensed phenomena include temperature, humidity, position, speed, motion, and others used in applications ranging from health care and logistics, through agriculture, forestry, civil and construction engineering, to surveillance and military applications. Since sensor nodes are energy limited and may fail at any moment, this data delivery is far from secure. Therefore, it is important to design new solutions that allow robust and reliable data dissemination. Take the example of a geographical area being monitored for security breaches: all the events generated must be reliably transmitted to the sink node. Wireless ad-hoc networks are formed by a set of hosts that communicate with each other over a wireless channel. They provide a distinctive communication model. Each node has the ability to communicate directly with another node (or several of them) in its physical neighbourhood. They operate in a self-organized and decentralized manner, and message communication takes place via multi-hop spreading. Any packet sent from one node to another may pass through a number of intermediate nodes acting as routers. The deployed ad-hoc WSNs pose great challenges in reliable sensed data delivery. Due to the small transmission range of sensor nodes, the data is forwarded using multiple hops, where unexpected node failure is common at each hop. Routing techniques in ad-hoc sensor networks give priority to reliable transmission, as the loss of important information prevents these sensor networks from fulfilling their primary purpose and hence this information loss should be avoided. The commonly used routing protocols use single-path or multi-path routing techniques to deliver the data without providing reliable information dissemination, and hence the overhead involved is the same for all information. This paper presents a reliable N pedal-back data dissemination technique with efficient resource management for ad-hoc WSNs. The major contribution of the proposed scheme is to reduce the overhead of the acknowledgement. The proposed protocol is based on the simple idea of delaying the acknowledgement when and where possible. The acknowledgement is delayed until the data reaches the Nth node, provided that the Nth node has the signal strength to send the acknowledgement back to the source. At the same time, if the source node has the same signal strength, it sends the next data chunk directly to the Nth node. This saves a considerable amount of network resources. Collisions can also be avoided by allocating time slots and ensuring coordination among the nodes. The proposed protocol works for ad-hoc WSNs and is not applicable to WSNs in general because of the relatively large number of nodes in such sensor networks. Again, in a WSN it is not possible to build a global addressing scheme for the deployment of a large number of sensor nodes, as the overhead of ID maintenance is high. Second, in contrast to typical communication networks, almost all applications of sensor networks require the flow of sensed data from multiple sources to a particular BS. This, however, does not prevent the flow of data from taking other forms (e.g., multicast or peer to peer). The remainder of the paper is organized as follows. Section 2 describes the related work. Section 3 provides a detailed description of our proposed protocol. In Section 4 we discuss the simulation results and analyze the performance and cost of our algorithm. Finally, we conclude the paper in Section 5.
2 Related Work
Data dissemination techniques can be categorized as structured and unstructured. The structured approach uses hash tables for routing-table management. The same hash is used for placing data from different sources and by the sinks to retrieve it. By doing so, the query is significantly simplified, as the sink knows exactly where to look for the stored data. The unstructured approach [1], [2], [3] implies the absence of a hash, and the sink has no prior knowledge of the location of the information. In that scenario, the queries are disseminated to a randomly selected node. The surveys in [4] and [3] addressed several design issues and techniques for WSNs, describing the physical constraints on sensor nodes, applications, architectural attributes, and the WSN protocols proposed in all layers of the network stack. Different approaches have been proposed in the literature for data dissemination in ad-hoc WSNs. LAF (Location-Aided Flooding) [5] is based on a modified flooding. It makes use of location information to partition the network into virtual grids. Based on their location, sensor nodes are grouped into a virtual grid. Nodes are categorized as gateway and internal nodes. The job of gateway nodes is to forward the packets across virtual grids, whereas internal nodes forward the packets within a virtual grid. Redundancy is reduced in LAF by adding a special field in the packet header, called the node list, which contains the ids of all nodes already having the packet.

Flooding is not considered appropriate for WSNs even though it is merely a simple means of broadcasting [6]. The reason is that flooding leads to collisions and redundant packet reception, which together deplete sensors of valuable battery power. Considering the load balance for conserving the energy of sensor nodes, multipath routing protocols, which have the advantage of sharing energy depletion between all sensor nodes, have been proposed [7]. However, no research has been conducted on the effects of route maintenance schemes on communication performance and energy efficiency. Negotiation-based protocols use high-level data descriptors to eliminate redundant data transmissions through negotiation. Communication decisions are also taken depending on the resources available to the nodes. The Sensor Network Protocols via Information Negotiation (SPIN) [8] and [9] are a set of protocols intended to disseminate data to all nodes in the network. The SPIN family of protocols uses data negotiation and resource-adaptive algorithms. SPIN nodes assign a high-level name to completely describe their collected data and perform meta-data negotiations before any data is transmitted. This assures that no redundant data is sent throughout the network. The semantics of the meta-data format is application-specific and is not specified in SPIN. We are considering the lossy broadcast medium protocols only [9]. The authors in [10] have pointed out that SPIN-RL for a lossy broadcast network is not capable enough to ensure reliability. They argue that the performance of SPIN-RL suffers due to the lossy nature of the broadcast medium, and that it is at the same time not capable enough to ensure information convergence at all nodes in the network. If a node misses an initial advertisement because of an undelivered packet, it is unaware of the availability of the data item and consequently cannot request it.
The scalable protocol for robust information dissemination, SPROID [10], is an energy-constrained, event-driven, reliable and efficient protocol. It identifies the generated data by a unique tag. At the same time, it uses content tables for faster dissemination of information and guarantees reliable dissemination to all nodes in the network within a finite time. SPROID concentrates on the case of a single-channel broadcast medium. SPROID achieves complete data dissemination in a shorter time and with more energy efficiency compared to SPIN [9]. Hue et al. [11] provide quick, reliable dissemination of large data objects over a multi-hop wireless sensor network. Each node infrequently advertises the most recent version of the data object to its neighbours. A node receiving an advertisement of an older version responds with its object profile of the newer version. This process goes on until all the nodes get the new version of the data. Directed Diffusion is a novel data-centric data dissemination technique. In Directed Diffusion [12], the data generated by the producer is named using attribute-value pairs. The consumer node requests the data by periodically broadcasting an interest for the named data. Each node in the network establishes a gradient towards the neighbouring nodes from which it receives the interest. Once the producer detects an interest, it sends exploratory packets towards the consumer, possibly along multiple paths. As soon as the consumer begins receiving exploratory packets from the producer, it reinforces one particular neighbour from whom it chooses to receive the rest of the data.
In acknowledgement-based reliable data dissemination protocols [16], data chunks are addressed and sent to only one receiver, which acknowledges each chunk packet received correctly. In doing so, a receiver should get the complete set of data chunks, since chunks which have not been acknowledged are resent. But this does not address the issue of losing the acknowledgement in between, nor does it overcome the problem if any in-between node is corrupt or does not have enough energy to participate in data dissemination. A membership protocol makes use of a locally maintained complete or partial list of all non-faulty members, provided to each member that belongs to that group [13]. The protocol needs to make sure that any changes in membership, whether because of members joining, leaving or failing, are made known to all non-faulty members of the group. Nearly all membership protocols have two components: the first is to detect failures or node withdrawals, and the second is to spread the updates of membership information through the network. However, it is not possible for a failure detector to deterministically achieve both completeness and accuracy over an asynchronous unreliable network, as shown by Chandra and Toueg in [14]. This resulted in the development of failure detection mechanisms that guarantee completeness, although they achieve accuracy only in a probabilistic manner [15].
3 Proposed Protocol
This unique gossip-based N pedal-back technique ensures reliable data dissemination for unstructured ad-hoc WSNs in which the source node is not aware of the position of the sink node. The overall aim of the proposed scheme is to make sure that reliability and efficiency are not compromised. N is the reliability factor. The underlying idea is to delay the acknowledgement until the data reaches the Nth node. Then, to ensure the reliable reception of data, the Nth node acknowledges the data reception to the source directly. We assume that the value of N is bounded by the network signal strength and is set by the network administrator.
Fig. 1. Overview of Proposed Protocol
Network traffic can be reduced by increasing the value of N. Furthermore, our proposed protocol ensures high fault tolerance by avoiding faulty sensors, which in turn increases the network lifetime. The overview of the proposed scheme is presented in Fig. 1. In the rest of this section we explain in detail the working of our proposed membership management protocol along with the message routing scheme.

An Example
A wants to transfer data to the destination node; in this case Q is the destination node. A does not know the location of that node. A sets the value of N to 4, which means that the data will traverse four neighbours. In the figure, A sends the data to E, D and H, and it then reaches node I. The timer is set to 10 seconds. As the count of N expires at I, node I has received the data and, after receiving the data chunk, sends the acknowledgement back to A, confirming that it has received the data within the defined time slot. Now I has become the source node. Again the value of N is set along with the timer. The timer is set to 9 sec and N to 4. By doing so, the data reaches node Q, which is the destination node. The following issues are observed in the scheme. We start by considering the first scenario, in which an in-between node has not received the acknowledgement in time. If an in-between node has not received the acknowledgement in time, it means that either the timer has expired or an in-between node is corrupt. We will see both of these cases. Starting with the first case, the timer has expired before the acknowledgement reached the node, as shown in Fig. 2. If the timer has expired and the acknowledgement has not been received in time, merely resetting the value of the timer will help; this problem can be fixed by simply changing the value of the timer from 10 to 15 sec.
Fig. 2. Missed Acknowledgment
Now we will consider the second case, in which the in-between node is corrupt. This case is explained in detail in Fig. 4. As shown in the figure, the value of N is set to 4 and the timer is set to 10 sec, but A does not get the acknowledgement back in time. Even resetting the timer does not work. The process is repeated by changing the value of N to 2. Even after that, A does not get the acknowledgement back. Again the process is repeated by setting N to 1, and A still does not get the acknowledgement back. It means that node E is corrupt. This problem can be overcome by rerouting the packet along a different route. Next we consider the third scenario, in which node I does not have enough energy to send the data. Node I checks the status of its energy level. If it is below a specified threshold, the node does not participate in the process. If it has energy but only a limited amount, it tries to send the data to its neighbour node. In the figure, node I sends the data to node K in its immediate neighbourhood by setting the value of N to 1. I meanwhile sends an acknowledgement back to A reporting its energy level, and at the same time A gets an acknowledgement from K. Now A knows that the data is with node K. Node K also sends an acknowledgement back to node I to confirm that it has sent the acknowledgement back to A. Now K has become the source node.

Fig. 3. Weak In-Between Node
Fig. 4.
3.1 Membership Management Algorithm
Let there be N nodes in the network. Every node p keeps a routing table Tp of I arbitrary nodes.

Fig. 5. Join Algorithm

Fig. 6. Node Membership Algorithm
When node p joins the network for the first time (or reconnects to the system after an (un)intentional departure), it executes the Join Algorithm shown in Fig. 5. Its list of neighbours is maintained through a periodic refresh algorithm, shown in Fig. 6.

3.2 Message Routing Algorithm
The system invokes the SendMessage algorithm (Fig. 7) when a node p wants to send data to another node, say node q. Node p dispatches the message to a randomly selected neighbour u. Node u, upon the request to forward data d to node q, stores d in its local cache and initializes the K counter. The data chunk d is kept there until an acknowledgement for it is received. Node u forwards the data to the first node w in Tu. Node u waits for the acknowledgement from the Kth node. If the acknowledgement is not received within an appropriate time t, u assumes that w is not available and forwards d to the next node in Tu. When adjusting the value of t, it is important to note that t is directly proportional to K: the larger the value of K, the longer u has to wait for the acknowledgement to arrive.
Fig. 7. SendMessage Algorithm
Node w decrements the K counter and forwards the chunk to the first node in its routing table Tw. If K is not equal to zero, node w picks one node at random from its routing table Tw and forwards d to it. The chunk d is routed in the network until it reaches its destination or K becomes zero. If the value of K is equal to zero, an acknowledgement is sent back to the source, and node w declares itself the new source of the data d and executes Route Message.
Fig. 8. Route Message Algorithm
3.3 Discussion
The major contribution of the proposed scheme is to reduce the overhead of the acknowledgement. The proposed protocol is based on the simple idea of delaying the acknowledgement when and where possible. The acknowledgement is delayed until the data reaches the Nth node, provided that the Nth node has the signal strength to send the acknowledgement back to the source. At the same time, if the source node has the same signal strength, it sends the next data chunk directly to the Nth node. This saves a considerable amount of network resources. We can also find out the sink location and at the same time calculate the network reliability by disseminating test packets. On receiving the acknowledgement, we can further increase the value of N to make the scheme more efficient and reduce the network traffic. At the same time, if the acknowledgement is not received in the dedicated time, we can decrease the value of N to ensure that the acknowledgement is not missed because of the weak signal strength of the Nth node. It could be argued that if the Nth node is within the source's range, the performance can be enhanced by sending the data packet directly to the acknowledging node without relying on the intermediate nodes. At this juncture we should make the point clear that, in the absence of a complete list of other nodes, the source node may not know the exact location of the destination node. Again, if the destination node is within the signal strength of the sending node, it sends the data directly to it the next time. By doing so, we ensure secure data delivery while keeping resource usage low. Collisions can also be avoided by allocating time slots and ensuring coordination among the nodes.
4 Simulation Results
We simulated our proposed algorithm for 10 different values of K. We injected faults into our system at different fixed rates and analysed the communication cost. The system was tested for a data dissemination spanning 100 hops. The communication cost is calculated as the number of bytes needed to disseminate a message from source to destination, and the system efficiency is calculated as the ratio of the time taken to send data from source to destination with faults to that without faults. If the target node is within the transmission range of the data source (i.e. the hops needed to reach the sink node are less than or equal to K), no further overhead is required.
Fig. 9. Communication Cost for varying values of K and varying faults rate
Fig. 10. Efficiency of the proposed protocol in case of varying faults
However, in order to account for multi-hop networks, the intermediate nodes act as data sources in order to cover distant nodes. Decreasing the value of K gives more reliability (that is, an acknowledgement after every hop). Another advantage of keeping K low is that if a message is lost very close to the destination node, the data chunk is sent to the next node from the new source. This saves us from routing the data chunk again all the way from the original source p. Moreover, the data is routed through a new node, hence increasing the chances of successful delivery. On the other hand, for comparatively stable network links, increasing the value of K results in high efficiency of the routing protocol, as shown in Fig. 10.
As seen in Fig. 9, our proposed scheme ensures reliability against occasional failures, where the acknowledgement cost can be mitigated or reduced without compromising the reliability of the system. For highly unreliable networks, the cost of acknowledgement is much less than that of the actual data dissemination, and thus the benefit of our scheme cannot be realized.
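The forwarding rule of Section 3.2 (a K counter decremented at each relay, a direct acknowledgement from the Kth node, a timer at the source and fallback to the next routing-table entry) together with the cost trade-off discussed in Section 4, as an added Python simulation that is not part of the paper. The topology, the "corrupt node silently drops every chunk" failure model and the cost metric (one-hop messages rather than bytes) are constructed assumptions.

```python
"""Toy simulation of the N pedal-back forwarding rule (added example, not
the paper's code).  A chunk d is relayed hop by hop; each relay decrements
K, and the node where K reaches zero (or the sink itself) acknowledges the
current source directly and becomes the new source.  If the source's ack
timer expires it retries with the next entry of its routing table."""
from dataclasses import dataclass, field, replace


@dataclass
class Node:
    name: str
    table: list            # routing table T_p: neighbours in preference order
    faulty: bool = False   # corrupt node: drops chunks, never forwards


@dataclass
class Stats:
    data_msgs: int = 0     # one-hop data transmissions (including lost ones)
    ack_msgs: int = 0      # direct acknowledgements sent back to a source
    timeouts: int = 0      # acknowledgement timers that expired at a source
    path: list = field(default_factory=list)   # successive source nodes

    @property
    def total(self):
        """Communication cost, counted in one-hop messages of either kind."""
        return self.data_msgs + self.ack_msgs


# Constructed topology.  The first table entry is the preferred next hop; A
# also has an alternative (B) tried after a timeout.  With K=4 the chunk goes
# A -> E -> D -> H -> I and I becomes the source, as in the paper's example.
NETWORK = {
    "A": Node("A", ["E", "B"]), "E": Node("E", ["D"]), "D": Node("D", ["H"]),
    "H": Node("H", ["I"]),      "B": Node("B", ["C"]), "C": Node("C", ["F"]),
    "F": Node("F", ["G"]),      "G": Node("G", ["I"]), "I": Node("I", ["J"]),
    "J": Node("J", ["K"]),      "K": Node("K", ["L"]), "L": Node("L", ["Q"]),
    "Q": Node("Q", []),
}


def with_faults(net, *names):
    """Copy of net in which the named nodes are corrupt."""
    return {n: replace(node, faulty=n in names) for n, node in net.items()}


def relay(net, src, dest, k, stats):
    """One pedal-back segment starting at src.  Returns the node that
    acknowledges src (the K-th relay or the sink), or None when every entry
    of T_src timed out."""
    for nxt in net[src].table:            # T_src is tried in order
        cur, hops, lost = src, 0, False
        while True:
            stats.data_msgs += 1          # transmission cur -> nxt
            hops += 1
            if net[nxt].faulty:           # chunk dropped: no ack will come
                lost = True
                break
            cur = nxt
            if cur == dest or hops == k:  # K expired or sink reached
                break
            if not net[cur].table:        # dead end: nobody to forward to
                lost = True
                break
            nxt = net[cur].table[0]       # relays use their first entry
        if not lost:
            stats.ack_msgs += 1           # K-th node acks src directly
            return cur
        stats.timeouts += 1               # timer t expired at src
    return None


def disseminate(net, src, dest, k, max_segments=100):
    """Route d from src to dest with reliability factor k.  Returns
    (delivered, stats); each acknowledging node becomes the next source."""
    stats = Stats(path=[src])
    cur = src
    for _ in range(max_segments):
        if cur == dest:
            return True, stats
        nxt = relay(net, cur, dest, k, stats)
        if nxt is None:
            return False, stats
        stats.path.append(nxt)
        cur = nxt
    return False, stats


def cost_table(net, src, dest, ks):
    """Total message cost per k, or None where delivery failed."""
    out = {}
    for k in ks:
        ok, stats = disseminate(net, src, dest, k)
        out[k] = stats.total if ok else None
    return out


if __name__ == "__main__":
    print("no faults:", cost_table(NETWORK, "A", "Q", (1, 2, 4)))
    print("D corrupt:", cost_table(with_faults(NETWORK, "D"), "A", "Q", (1, 2, 4)))
```

On the fault-free path a larger K cuts the acknowledgement count, while with node D corrupt a larger K wastes more data transmissions per timeout; with K=1 and single-entry tables the retry rule has no alternative path and delivery fails.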
5 Conclusion
In this paper, we present a reliable and efficient gossip-based data dissemination scheme for our Pedal Back protocol. The proposed N-Pedal Back protocol considers the lossy wireless channel confronted by sensor networks. The basic idea we employ is to delay the acknowledgement message until the message reaches the Nth hop. The Nth node then acknowledges the receipt of the message to the source directly. By increasing the value of N, the network traffic can be minimized. Our proposed protocol is adaptive and self-configurable against churn and transient failures.
N. Imran and A.I. Khan
Improved Location Acquisition Algorithms for the Location-Based Alert Service
So-Young Kang, Jin-Woo Song, Kwang-Jo Lee, Ju-Hee Lee, Ji-Hoon Kim, and Sung-Bong Yang
Dept. of Computer Science, Yonsei Univ., 126-749 Seoul, Korea
{milkyway,fantaros,kjlee5435,happy1024,barampow,yang}@cs.yonsei.ac.kr
Abstract. The location-based alert service is one of the most practical location-based services. It alerts mobile users when approaching and entering into or leaving from a specific region, and provides certain services previously set by the users. To provide the service, the location of mobile users needs to be acquired periodically. However, the server that handles the users' locations bears a heavier burden as the number of users increases. Hence it is a critical issue to properly adjust the location data acquisition time interval while maintaining the accuracy of the service. In this paper we propose two effective location acquisition algorithms, the speed-based acquisition algorithm and the angle-based acquisition algorithm. The proposed algorithms reduce irrelevant location information acquisition based on the movement of moving objects. The speed-based acquisition algorithm and the angle-based acquisition algorithm reduced the average number of location acquisitions by 20% and 37% over the distance-based acquisition algorithm, respectively, while both maintained the same level of accuracy. Keywords: Alert service, LBS, Acquisition Algorithm.
1 Introduction
With the development of wireless networks and mobile communication technologies, various types of location-based services (LBS) are provided on the wireless internet. The location information of mobile users is gathered and processed to provide services for individuals and groups. LBS deal with peripheral information, location tracking, traffic information, location-based e-commerce, machine control, recreation, and so on [1]. LBS are developing in step with the diversity of users' demands. LBS technology can be classified into LBS position determination, LBS platform, and LBS applications. The position determination technology is for observing mobile users' locations. The platform technology is for the servers that acquire, store and process the location data. The application technology implements various applications related to LBS for mobile users. In this paper we focus on the acquisition of location data for the location-based alert service. The location-based alert service continuously observes the location of a
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 461–470, 2009. © Springer-Verlag Berlin Heidelberg 2009
S.-Y. Kang et al.
mobile user and alerts the user when approaching and entering into or leaving from a specified region or a selected area, and provides certain services previously set by the user. Typical location-based alert services are location-based advertisement services, L-Commerce, location-based meeting/matching services, contaminated region alarm services, disaster detecting services, and logistic control services. For the location-based alert service, the system communication overload increases as the number of users increases, and so does the expense of continuously observing the mobile users. Accordingly, it is important to reduce the number of user location acquisitions while at the same time maintaining the quality of the alert services. Several location acquisition algorithms have been proposed, such as the static acquisition algorithms [2][3], the minimum alert triggering time acquisition algorithm [4] and the distance-based acquisition algorithm [5]. In this paper we propose two effective location acquisition algorithms for the location-based alert service, the speed-based acquisition algorithm and the angle-based acquisition algorithm. The proposed algorithms decrease the communication overload by controlling the location acquisition time interval based on the movement of the users. The speed-based acquisition algorithm adjusts the location acquisition time interval based on the speed of a user, so that when the user is moving faster the location acquisition time interval is shortened, and vice versa. The angle-based acquisition algorithm considers only the alert areas that lie in the direction of a mobile user's movement when adjusting the location acquisition time interval. The two algorithms reduced the average number of location acquisitions by 20% and 37% over the distance-based algorithm, respectively, while maintaining the same accuracy of the services. The rest of the paper is organized as follows.
In Section 2 the location-based alert services and previous location acquisition algorithms are reviewed. In Section 3, the improved location acquisition algorithms are introduced. In Section 4 the experiment results are given. Finally Section 5 concludes the paper.
2 Location-Based Alert Services
Location acquisition means finding a user's location by using mobile communication and location determination technology. Location acquisition algorithms aim at minimizing the overhead on the network load and the communication cost when acquiring location information of users [6]. By efficiently controlling the location acquisition time intervals, unnecessary location information is not gathered and the number of location acquisitions itself is reduced. Furthermore, adequately controlling the location acquisition time interval also reduces the number of location information searches. In this section recent location acquisition algorithms are overviewed.
2.1 The Static Location Acquisition Algorithm
The static location acquisition algorithm acquires location information using a fixed time interval. The same time interval is applied to all users for gathering their location information. In the static location acquisition algorithm, when the interval becomes shorter, the reliability of the services increases, but so does the overhead of the location server. On the other hand, when the interval becomes longer, the reliability gets worse. The static algorithm is simple and easy to apply, but as the overhead of the server increases together with the number of users, the algorithm becomes unsuitable for services that must handle a large number of users.
2.2 The Minimum Alert Triggering Time Location Acquisition Algorithm
The location-based alert system WaveAlert controls the location search time using two algorithms: MATT (Minimum Alert Triggering Time) and EAUT (Earliest Available Update Time). MATT is calculated from the maximum moving speed of the user and the distance (the Euclidean distance, i.e. the shortest path) from the current location to the nearest region (alert area). A mobile user is guaranteed not to enter the nearest alert region at least during the MATT. The location acquisition time interval is controlled dynamically in the system.
Fig. 1. The MATT Location Acquisition Algorithm
Figure 1 shows the shortest distances d0, d1, and d2 between user U and each of the alert areas A, B, and C, respectively. If in this case the maximum moving speed of U is Vmax, MATT_U is d_i / Vmax. However, since MATT uses the maximum moving speed, when the user moves much more slowly than the maximum speed for a considerable period of time, unnecessary location acquisitions are performed more often. For example, when a mobile user is trapped in traffic congestion and thus rarely moves, or when a user moves on foot instead of using a car or public transportation, the MATT location acquisition algorithm suffers from unnecessary system overheads. EAUT is the earliest time at which updated location information can be received after a request issued for a MATT update. Therefore, only the location information determined between MATT and EAUT is valid and is used to update the coming MATT or EAUT.
2.3 The Distance-Based Acquisition Algorithm
The distance-based acquisition algorithm dynamically controls the location acquisition time interval in the ratio of a mobile user's recent moving distances and thus can be
applied to irregular moving speed circumstances where a mobile user might be moving at different speeds from time to time. The time interval is controlled according to the ratio of d0 to d1, where d0 is the distance moved between the current location acquisition time t0 and the previous location acquisition time t1, and d1 is the distance moved between location acquisition time t1 and the prior location acquisition time t2. In Figure 2, locations Loc(t0), Loc(t1), and Loc(t2) represent the user's locations at times t0, t1, and t2 respectively; d0 is the shortest distance between Loc(t0) and Loc(t1) and d1 denotes the shortest distance between Loc(t1) and Loc(t2). If d0 > d1, the distance moved recently is longer, thus the location acquisition time interval is decreased, and vice versa. In addition, minimum and maximum location acquisition time intervals are set so that the location acquisition time interval cannot become extremely large or small. However, in this algorithm it is difficult to set the parameters for controlling the location acquisition time interval, and a location alert buffer area has to be set so that the user does not enter the alert area unnoticed, as shown in Figure 2. The location alert buffer area enclosing a given alert area is defined for the algorithm. Right before a mobile user enters the buffer area, the minimum location acquisition time interval is used. The buffer areas work as a sort of warning to the system that the alert zones are near the users. However, if the buffer area is made larger to secure the accuracy of the location alert services, then the number of unnecessary location acquisitions increases. If it is made smaller, then the accuracy of the location alert services deteriorates.
Fig. 2. The Distance-based Acquisition Algorithm
3 Improved Location Acquisition Algorithms
In this section, we propose two algorithms. The first algorithm exploits the users' speed information; we call it the speed-based acquisition algorithm. The other algorithm uses the users' directions and moving angles; we call it the angle-based acquisition algorithm. Both algorithms utilize the users' movement information to predict future user locations and use a buffer area like the distance-based acquisition algorithm.
3.1 The Speed-Based Acquisition Algorithm
The speed-based acquisition algorithm uses the changes in the speed of a user. The distance-based acquisition algorithm uses only the moving distance, and the distance information alone does not reflect the different logging intervals between location fixes. Using the speed information is therefore more appropriate for adjusting the location acquisition time interval, because the speed is calculated from both distance and time. The speed-based acquisition algorithm controls the location acquisition time interval in such a way that when a user is moving faster than before, the location acquisition time interval is shortened, and when the speed gets slower the location acquisition interval is increased appropriately.

Input: the current time interval t_i, the current speed s_current, the previous speed s_previous, and a constant k that is determined by the experiments
Output: the location acquisition interval t_{i+1}
Calculate the acquisition interval t_{i+1} as follows:
    if (s_previous / s_current) > 1
        t_{i+1} = t_i + k * (s_previous / s_current)
    else
        t_{i+1} = t_i - k * (s_previous / s_current)
Algorithm 1. The Speed-Based Acquisition Algorithm
Fig. 3. The Speed-based Acquisition Algorithm
This algorithm extracts a more accurate picture of users' movement by adding the speed concept to the existing algorithms, which rely only on distances.
3.2 The Angle-Based Acquisition Algorithm
The algorithms discussed in Section 2 and the speed-based acquisition algorithm look into all the alert areas of each user when controlling the location acquisition time interval. But considering all the alert areas is a waste of system resources, because most of the alert areas may never be entered by the user. In the angle-based acquisition algorithm, the areas that may not be entered are filtered out using the users' movements and possible moving angles. We control the location acquisition time interval only with these filtered alert areas.
Fig. 4. The Angle-Based Acquisition Algorithm
Figure 4 depicts the concept of the angle-based acquisition algorithm. We can get the user's moving direction from the user's movement information. We set the possible moving angle to 10° through various experiments. In the figure, alert areas A and C are filtered out. The location acquisition time interval is obtained with the basic physics formulas below.
formula 1: Distance = Time × Velocity
formula 2: Distance = Time × Velocity + ½ × Acceleration × Time²
When a user moves with uniform velocity, formula 1 is applied, and the acceleration is 0. If a user does not move with uniform velocity, formula 2 is applied. So we use the two formulas for a more correct location acquisition interval. The angle-based acquisition algorithm using the filtered areas is described in more detail below.

Input: filtered areas, user speed v, user acceleration a
Output: the location acquisition interval t
1. Find the nearest alert area Z from the filtered areas;
2. If a = 0, t = d / v; else find t by solving d = v·t + ½·a·t² (formula 2), where d is the distance between the user's location and alert area Z.
Algorithm 2. The Angle-Based Acquisition Algorithm
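As an added worked example covering Algorithm 1 and Algorithm 2 above (with MATT from Section 2.2 included for comparison), the following Python code is not from the paper. It assumes circular alert areas, reads the 10° possible moving angle as the half-width of a cone around the heading, clamps every interval to [T_MIN, T_MAX] as the distance-based algorithm does, and returns T_MAX when no filtered area lies ahead or the user has stopped; the function names and the sample areas are constructed.

```python
import math
from dataclasses import dataclass

T_MIN, T_MAX = 1.0, 300.0   # interval bounds (assumption of this example)


@dataclass
class AlertArea:
    """Circular alert area; the circular shape is an assumption of this example."""
    name: str
    cx: float
    cy: float
    radius: float


def clamp(t, t_min=T_MIN, t_max=T_MAX):
    return max(t_min, min(t_max, t))


def speed_based_interval(t_i, s_current, s_previous, k, t_min=T_MIN, t_max=T_MAX):
    """Algorithm 1: lengthen the interval when the user slowed down (ratio > 1),
    shorten it when the user sped up. A stopped user (s_current == 0) gets t_max
    instead of a division by zero; that guard is an assumption of this example."""
    if s_current <= 0:
        return t_max
    ratio = s_previous / s_current
    t_next = t_i + k * ratio if ratio > 1 else t_i - k * ratio
    return clamp(t_next, t_min, t_max)


def matt_interval(distances, v_max):
    """MATT (Section 2.2): at V_max the user cannot reach the nearest alert
    area before min(d_i) / V_max has elapsed."""
    return min(distances) / v_max


def heading(prev_pos, cur_pos):
    """Moving direction (radians) from two consecutive location fixes."""
    return math.atan2(cur_pos[1] - prev_pos[1], cur_pos[0] - prev_pos[0])


def angle_diff(a, b):
    """Smallest absolute angle between two directions, in [0, pi]."""
    return abs(math.atan2(math.sin(a - b), math.cos(a - b)))


def edge_distance(pos, area):
    """Shortest distance from the user to the area boundary (0 if already inside)."""
    return max(0.0, math.hypot(area.cx - pos[0], area.cy - pos[1]) - area.radius)


def filter_by_direction(pos, direction, areas, half_angle_deg=10.0):
    """Keep only areas that overlap a cone of +/- half_angle_deg around the heading.
    An area the user is already inside is never filtered out."""
    kept = []
    for area in areas:
        dx, dy = area.cx - pos[0], area.cy - pos[1]
        d_center = math.hypot(dx, dy)
        if d_center <= area.radius:
            kept.append(area)
            continue
        # angular distance from the heading to the nearest edge of the circle
        offset = angle_diff(math.atan2(dy, dx), direction)
        angular_radius = math.asin(min(1.0, area.radius / d_center))
        if offset - angular_radius <= math.radians(half_angle_deg):
            kept.append(area)
    return kept


def angle_based_interval(pos, direction, areas, v, a, t_min=T_MIN, t_max=T_MAX):
    """Algorithm 2: nearest filtered area Z, then t = d / v when a == 0, else the
    smallest positive root of d = v*t + a*t^2/2 (formula 2). Returning t_max when
    nothing lies ahead, when the user is stationary, or when deceleration stops
    the user short of Z is an assumption of this example."""
    candidates = filter_by_direction(pos, direction, areas)
    if not candidates:
        return t_max
    d = min(edge_distance(pos, z) for z in candidates)
    if abs(a) < 1e-9:
        t = d / v if v > 0 else t_max
    else:
        disc = v * v + 2 * a * d
        t = (-v + math.sqrt(disc)) / a if disc >= 0 else t_max
    return clamp(t, t_min, t_max)


if __name__ == "__main__":
    # Constructed scene: user at the origin heading east; only Z lies ahead.
    areas = [AlertArea("A", 0, 10, 1), AlertArea("Z", 10, 0, 1), AlertArea("C", -10, 0, 1)]
    pos, direction = (0.0, 0.0), heading((-1.0, 0.0), (0.0, 0.0))
    print("filtered:", [z.name for z in filter_by_direction(pos, direction, areas)])
    print("angle-based, v=2 a=0:", angle_based_interval(pos, direction, areas, 2.0, 0.0))
    print("speed-based, slowed 4->2:", speed_based_interval(10.0, 2.0, 4.0, 1.0))
```

Distances are in kilometres and speeds in kilometres per time unit, so the returned interval is in the same time units; the quadratic root uses the smaller positive solution, which is the first moment the user could reach Z.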
4 Experiments
4.1 Experiment Environment
For the experiment, Visual Studio 2008 C++ is used for the simulation. The simulation handles a total of one thousand users and the time stamp is defined from 1 to 10,000. Each time stamp is set to five seconds and the total experiment time lasted
approximately fourteen hours. In addition, the moving paths of users follow ten different scenarios, and the experiment area is 100 km × 100 km. The number of alert regions per user is set between fifteen and twenty and the size of an alert area is in the range between 1 km and 5 km. Table 1 shows the experiment environment.

Table 1. Experimental Environment
Parameter | Value | Note
Number of users | 1,000 |
Execution time: time stamp | 1~10,000 | 1 unit = 5 sec
Total experiment time | 14 hours | 10,000 × 5 sec ≈ 13.88 hours
Moving paths | 10 scenario files |
Area of the experiment space | 100 × 100 (km) |
No. of alert areas per moving object | 15~20 |
Size of alert area | 1~5 km |
Experiment space deviation | no |
4.2 Scenarios
There are ten scenario files used for the experiment, according to the initial distribution methods and movement paths. An initial distribution allocates the starting location of each user. We use three initial distribution methods: Uniform, Skewed and Gaussian. The moving paths of users are made according to their moving pattern as time passes. We adopt four patterns: Uniform, Skewed, 3-axis, and 8-axis. We used GSTD [7][8] and generated ten scenarios as shown in Table 2.

Table 2. Ten Scenario Files
Scenario file | Initial distribution | Moving pattern
1 | Uniform | Uniform
2 | Skewed | Uniform
3 | Skewed | Uniform
4 | Gaussian | Uniform
5 | Uniform | Skewed
6 | Gaussian | Skewed
7 | Skewed | Skewed
8 | Gaussian | 8-axis
9 | Skewed | 3-axis
10 | Skewed | 3-axis
4.3 Experiment Results
The average numbers of location acquisitions and the average numbers of alerts for the speed-based acquisition algorithm, the angle-based acquisition algorithm, and the distance-based acquisition algorithm have been evaluated and compared. Other algorithms are not compared, since the distance-based algorithm outperformed them. Figure 5 compares the average numbers of location acquisitions for the distance-based acquisition algorithm and the proposed algorithms. For each scenario file the angle-based algorithm showed the best performance, and the speed-based algorithm outperformed the distance-based algorithm. The speed-based algorithm showed an average 20% reduction in the number of location acquisitions, and the angle-based algorithm showed an average 37% reduction. Such reductions were possible since both proposed algorithms take advantage of the speeds of users, and the angle-based algorithm additionally utilizes the moving directions of users.
Fig. 5. Numbers of Location Acquisitions
Fig. 6. Numbers of Alerts
Figure 6 compares the average numbers of alerts for the three algorithms. As shown in the figure, all three algorithms showed an equivalent level of alert accuracy for all the scenario files, because all three algorithms use a buffer area. These results prove that the proposed algorithms do not deteriorate the level of accuracy while reducing the number of location data acquisitions.
5 Conclusion
A major problem of the distance-based acquisition algorithm stems from the fact that it considers only the user's moving distance. Even when the user's moving distance has increased, if the moving time is also long it does not necessarily mean that the user is moving at a faster speed. However, the distance-based algorithm regards the user's moving speed as having increased and reduces the location acquisition time interval. This induces an increase in the number of location acquisitions. The speed-based acquisition algorithm reduces the number of location acquisitions because, when controlling the location acquisition time interval, it utilizes not only the moving distance but also the speed calculated from the elapsed time. Also, the angle-based acquisition algorithm has been proposed, which considers users' moving directions and hence reduces the number of unnecessary location acquisitions further. The characteristic of the angle-based acquisition algorithm is that, when there is no alert region in the user's moving direction, a reduced location acquisition time interval is not needed even if the moving speed increases. Both proposed algorithms show improved performance, as they both maintain the same level of accuracy and yet reduce the number of location acquisitions. Consequently, the proposed algorithms proved to be effective in controlling location acquisition, reducing the number of location acquisitions while maintaining the accuracy of the alert services. In the future, we plan to study efficient location search and control algorithms for various situations where groups of users are involved and/or the area changes.
References
1. Varshney, U.: Location Management Support for Mobile Commerce Applications. In: International Conference on Mobile Computing and Networking, pp. 1–6 (2001)
2. Min, K., Park, J.: Techniques for Acquisition of Moving Object Location in LBS. In: Proceedings of FIG Conference, pp. 1–14 (2003)
3. Bar-Noy, A., Kessler, I., Sidi, M.: Mobile Users: to Update or Not to Update? Wireless Networks 1(2), 187–196 (1995)
4. Wave Market Incorporated: Mobile Tele Communication Network System That Provides Moving Objects with Alert-Based Service. Official Patent Publication in Korea Republic, Application No. 10-2004-7000651 (2004)
5. Ahn, B., Yang, S., Jin, H., Lee, J.: Location Polling Algorithm for Alerting Service Based on Location. In: Li, K.-J., Vangenot, C. (eds.) W2GIS 2005. LNCS, vol. 3833, pp. 104–114. Springer, Heidelberg (2005)
6. Jin, H., Nam, K.: Analysis of Location Determination Technology and Location Based Service. Korea Institute Of Communication Sciences 25(7), 24–33 (2008)
7. Güting, R., Papadias, D., Lochovsky, F.: On the Generation of Spatiotemporal Datasets. In: Güting, R.H., Papadias, D., Lochovsky, F.H. (eds.) SSD 1999. LNCS, vol. 1651, pp. 147–164. Springer, Heidelberg (1999)
8. Theodoridis, Y., Nascimento, M.: Generating spatiotemporal datasets on the WWW, under submission. GSTD Web interface (2000), http://www.cti.gr/RD3/GSTD/ (valid as of January 2000)
An Enhanced Trust Center Based Authentication in ZigBee Networks
Kyunghwa Lee, Joohyun Lee, Bongduk Zhang, Jaeho Kim*, and Yongtae Shin
Room 407 Information Science B/D, Soongsil University, Sangdo5-dong Dongjak-gu Seoul, 156-743, South Korea
{khlee,jhlee,bdjang}@cherry.ssu.ac.kr, [email protected], [email protected]
Abstract. ZigBee is a type of LR-WPAN technology with low data rate, low power consumption and low cost, a wireless networking protocol targeted at automation and remote control applications. The ZigBee standard defines a comprehensive security architecture and management model, including frame encryption, authentication, and integrity at each layer of the ZigBee protocol stack. In addition, ZigBee defines a Trust Center that provides the essential security functions of key management, network management, and device configuration. However, the ZigBee specification describes only intra-PAN networks, and as the network size increases, the energy required for authentication grows. In this paper, we outline the basic Trust Center based Authentication (TCA) mechanism, and we propose an enhanced TCA mechanism which improves the performance of the current standards in ZigBee networks with mobile nodes. Through simulation experiments, we show that the proposed scheme is more energy- and memory-efficient than the current scheme. Our scheme provides an optimal and feasible authentication of mobile nodes in ZigBee networks and is suited for large ZigBee networks. Keywords: ZigBee, sensor security, sensor authentication, key management.
1 Introduction
ZigBee is a low-rate and low-power networking technology for short-range communications, and it currently uses the IEEE 802.15.4 MAC and PHY layers [1]. In addition, ZigBee provides four basic security services: authentication, message integrity, message confidentiality, and replay protection. To coordinate these security services, ZigBee networks utilize the concept of a trust center. One device on the network serves as the trust center. Its tasks include allowing devices into the network, distributing security keys, and enabling end-to-end security between devices. Typically, the coordinator device on a ZigBee network functions as the trust center, and it can even be a dedicated device. This Trust Center, which has enough power and memory, can scale with the size of the network, but additional memory is required for larger
* This research has been supported by a grant from the Korea Electronics Technology Institute 2008.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 471–484, 2009. © Springer-Verlag Berlin Heidelberg 2009
K. Lee et al.
networks. Moreover, the current ZigBee authentication mechanism is not effective in mobility cases. In this paper, we propose Trust Center based Authentication (TCA) mechanisms which improve the performance of the current standards in ZigBee networks with mobile nodes. In TCA, a node's initial authentication is achieved through the Trust Center. If the node moves to a different subnet, the Trust Center can perform the authentication efficiently without a separate authentication process, by sharing the initial authentication information between Trust Centers. First, we outline the basic key management function and authentication scheme. Then, we describe our authentication scheme. The structure of the paper is as follows: in Section 2 we briefly introduce IEEE 802.15.4 and ZigBee, and review related work. In Section 3 we give an overview of the TCA scheme for ZigBee networks, and in Section 4 we describe our enhanced Trust Center based authentication scheme for ZigBee networks. In Section 5 we present the technique to reduce the authentication cost, and report our implementation and performance results, and finally in Section 6 we conclude this paper.
2 ZigBee Security Architecture and Design
ZigBee is a type of LR-WPAN technology and is built upon the lower layers of the IEEE 802.15.4 LR-WPAN standard. While the 802.15.4 standard defines the lower-level Physical (PHY) and Media Access Control (MAC) layers, the ZigBee standard defines the higher-level Network and Application layers as well as the security services [2][10]. The ZigBee standard uses the security services specified in 802.15.4 in order to secure MAC layer frames. In addition, ZigBee defines its own security model and set of security services at the Network (NWK) and Application (APS) layers of the stack in order to provide a comprehensive network security infrastructure.
2.1 Network Topology
The ZigBee network layer supports star, tree, and mesh topologies [1][2]. In a star topology, the network is controlled by one single device called the ZigBee coordinator. The ZigBee coordinator is responsible for initiating and maintaining the devices on the network. All other devices, known as end devices, communicate directly with the ZigBee coordinator. In mesh and tree topologies, the ZigBee coordinator is responsible for starting the network and for choosing certain key network parameters, but the network may be extended through the use of ZigBee routers. In tree networks, routers move data and control messages through the network using a hierarchical routing strategy. Tree networks may employ beacon-oriented communication as described in the IEEE 802.15.4-2003 specification. Mesh networks allow full peer-to-peer communication. ZigBee routers in mesh networks do not currently emit regular IEEE 802.15.4-2003 beacons. This specification describes only intra-PAN networks, that is, networks in which communications begin and terminate within the same network.
2.2.1 Security Architecture
The ZigBee standard defines a comprehensive security architecture and trust management model, including frame encryption, authentication, and integrity at each layer
of the ZigBee protocol stack. The ZigBee security architecture includes security mechanisms at two layers of the protocol stack. The NWK and APS layers are responsible for the secure transport of their respective frames. Furthermore, the APS sublayer provides services for the establishment and maintenance of security relationships. The ZigBee Device Object (ZDO) manages the security policies and the security configuration of a device. For security purposes, ZigBee also defines the role of the Trust Center, which is a component of the ZigBee security architecture. The Trust Center is the device trusted by the devices within a network to distribute keys for the purpose of network and end-to-end application configuration management. The Trust Center is also responsible for authenticating nodes requesting admission and deciding whether to permit a node to join. All devices within a ZigBee network shall recognize exactly one Trust Center, and there shall be exactly one Trust Center in each secure network.
2.2.2 Security Building Block
The security services provided for ZigBee include methods for key establishment, key transport, frame protection, and device management. These services form the building blocks for implementing security policies within a ZigBee device. The block cipher shall be used with symmetric keys of the same size as its 128-bit block size, such as AES-128. These symmetric keys shall be generated uniformly at random. ZigBee also suggests the use of a keyed-hash message authentication code (HMAC). A MAC takes a message and a secret key and generates a MAC tag, such that it is difficult for an attacker to produce a valid tag for a message of their own; it is used to prevent attackers from forging messages.
2.2.3 Security Keys
In terms of key types, ZigBee uses Network, Link, and Master keys to secure transmitted frames. A Network key is a common key shared among all nodes in a ZigBee network.
A device shall acquire a Network key via key-transport or pre-installation (for example, during factory installation). Link keys, on the other hand, are secret session keys used between two communicating ZigBee devices. A Link key is unique to a pair of devices that are communicating with each other and is derived from their respective Master keys. A device shall acquire Link keys either via key-transport, key-establishment, or pre-installation. The Master key may be used to generate the Link keys. A device shall acquire a Master key via key-transport or pre-installation. Unicast communication between APL peer entities is secured by means of a 128-bit Link key shared by the two devices, while broadcast communications are secured by means of a 128-bit Network key shared amongst all devices in the network.
2.2.4 SKKE (Symmetric-Key Key Establishment) Protocol
The APS sublayer's key-establishment services provide the mechanism by which a ZigBee device may derive a shared secret key (the so-called Link key) with another ZigBee device. Key establishment involves two entities, an initiator device and a responder device, and is prefaced by a trust provisioning step. The essential difference between the roles of the initiator and the responder is that the initiator sends the first pass of the exchange. In the SKKE protocol, an initiator device establishes a Link key
K. Lee et al.
with a responder device using a Master key. The secrecy and authenticity of the Master key need to be upheld in order to maintain a trust foundation. In the following explanation of the SKKE protocol, we use the terms defined in Table 1. Figure 1 illustrates the messaging involved in the full symmetric-key key agreement with key confirmation scheme.

Table 1. SKKE term description
Key : Shared key (i.e. Trust Center Master key)
MacKey : A key created during generation of keying data
U : Initiator's unique ID (EUI64 address)
V : Responder's unique ID (EUI64 address)
QEU : Initiator challenge (16-byte random number)
QEV : Responder challenge (16-byte random number)
MAC : Our HMAC function

[Fig. 1 residue: exchanged values QEU, QEV, MAC_MacKey(03_16 || U || V || QEU || QEV || [Text2]), [Text2] and MAC_MacKey(02_16 || U || V || QEU || QEV || [Text1]), [Text1]; keys shown: MacKey, MAC]
Fig. 1. SKKE authentication scheme
The following are the features of each step.
① The Initiator generates QEU for the challenge domain parameters D and sends it to the Responder. The Responder receives QEU from the Initiator and verifies that it is valid.
② The Responder generates QEV for the challenge domain parameters D and sends it to the Initiator. The Initiator receives QEV from the Responder and verifies that it is valid.
③ Both the Initiator and the Responder run the Secret Key Generation (SKG) primitive. Form the bit string consisting of U's identifier, V's identifier, the bit string QEU corresponding to U's challenge, and the bit string QEV corresponding to V's challenge:
MacData = U || V || QEU || QEV
④ Calculate the tag MacTag for MacData under the key MacKey using the tagging transformation of the established specialized MAC scheme. The bit string Z is the shared secret value:
Z = MacTag = MAC_MacKey(MacData)
⑤ Use the key derivation function with the established hash function to derive KeyingData from the shared secret value Z. The hash value Hash-2 will be the Link key between the two devices. The first 128 bits of KeyingData are MacKey and the second 128 bits of KeyingData are KeyData.
Hash-1 = Hash(Z || 01_16)
Hash-2 = Hash(Z || 02_16)
KeyingData = Hash-1 || Hash-2
⑥ The Initiator calculates MacTag2 from MacData2 and sends it to the Responder.
MacData2 = 03_16 || U || V || QEU || QEV' || [Text2]
MacTag2 = MAC_MacKey(MacData2)
⑦ The Responder receives MacTag2 from the Initiator and verifies that it is valid.
⑧ The Responder calculates MacTag1 from MacData1 and sends it to the Initiator.
MacData1 = 02_16 || V || U || QEV' || QEU || [Text1]
MacTag1 = MAC_MacKey(MacData1)
⑨ The Initiator receives MacTag1 from the Responder and verifies that it is valid.

2.3 Use of SKKE in Our Authentication Scheme
We divide the SKKE protocol as defined in sub-clause 2.2.4 into four steps for sensor node authentication. The following are the major steps, divided by transmitting device and challenge value.
SKKE-1 is transmitted by the Initiator during action step ① and carries the challenge QEU in its data field.
SKKE-2 is transmitted by the Responder during action step ② and carries the challenge QEV in its data field.
SKKE-3 is transmitted by the Initiator during action steps ③ to ⑦ and carries MacTag2 in its data field.
SKKE-4 is transmitted by the Responder during action steps ⑧ to ⑨ and carries MacTag1 in its data field.
The Initiator device is responsible for sending SKKE-1 and SKKE-3, and the Responder device is responsible for sending SKKE-2 and SKKE-4. The main purpose of SKKE-1 and SKKE-2 is to exchange the ephemeral key contribution data between the Initiator and Responder devices, and the main purpose of SKKE-3 and SKKE-4 is to generate the secure Link key between the Initiator and Responder devices. During the key-establishment scheme, if the responder or initiator device detects any error condition. If no error conditions occur, then the initiator and responder shall consider the derived key (that is, KeyData) as their newly shared Link key.
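The SKKE exchange of steps ① to ⑨, split into the four messages SKKE-1 to SKKE-4 above, as an added, runnable Python example; it is not code from the paper or from the ZigBee specification. It assumes HMAC-SHA256 truncated to 128 bits as the MAC of Table 1 and SHA-256 truncated to 128 bits as the established hash function (the specification itself uses AES-based primitives, so the values produced are illustrative), and all function and variable names are the example's own. Each side derives MacKey and KeyData independently; the MacTag checks of steps ⑦ and ⑨ are what reject a peer that does not hold the same Master key.

```python
import hmac
import hashlib
import os


def mac(key: bytes, data: bytes) -> bytes:
    """MAC_key(data) of Table 1. Assumed: HMAC-SHA256 truncated to 128 bits
    (stands in for the AES-based MAC of the ZigBee specification)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def hash16(data: bytes) -> bytes:
    """The 'established hash function' of step 5. Assumed: SHA-256 truncated to 128 bits."""
    return hashlib.sha256(data).digest()[:16]


def valid_challenge(q: bytes) -> bool:
    """Steps 1/2: the receiving side checks that the challenge is a 16-byte value."""
    return isinstance(q, bytes) and len(q) == 16


def secret_key_generation(shared_key: bytes, u: bytes, v: bytes, qeu: bytes, qev: bytes) -> bytes:
    """Steps 3/4 (SKG primitive): MacData = U || V || QEU || QEV and
    Z = MacTag = MAC(MacData), keyed with the shared key (the Trust Center Master key)."""
    return mac(shared_key, u + v + qeu + qev)


def key_derivation(z: bytes):
    """Step 5: Hash-1 = Hash(Z || 01_16), Hash-2 = Hash(Z || 02_16),
    KeyingData = Hash-1 || Hash-2; first 128 bits = MacKey, second 128 bits = KeyData."""
    keying_data = hash16(z + b"\x01") + hash16(z + b"\x02")
    return keying_data[:16], keying_data[16:]


def mac_data2(u, v, qeu, qev, text2=b""):
    """Step 6: MacData2 = 03_16 || U || V || QEU || QEV || [Text2]."""
    return b"\x03" + u + v + qeu + qev + text2


def mac_data1(u, v, qeu, qev, text1=b""):
    """Step 8: MacData1 = 02_16 || V || U || QEV || QEU || [Text1]."""
    return b"\x02" + v + u + qev + qeu + text1


def run_skke(master_key_u, master_key_v, u, v, text1=b"", text2=b"", rng=os.urandom):
    """Drive SKKE-1..SKKE-4 between initiator U and responder V. Each side keeps its own
    state; only the message contents cross. Returns ("ok", link_key) or (reason, None)."""
    # SKKE-1 (step 1): U -> V carries QEU; V validates it
    qeu = rng(16)
    if not valid_challenge(qeu):
        return ("SKKE-1: invalid QEU", None)
    # SKKE-2 (step 2): V -> U carries QEV; U validates it
    qev = rng(16)
    if not valid_challenge(qev):
        return ("SKKE-2: invalid QEV", None)
    # Steps 3-5 run on both sides; the results agree only if both hold the same Master key
    mackey_u, keydata_u = key_derivation(secret_key_generation(master_key_u, u, v, qeu, qev))
    mackey_v, keydata_v = key_derivation(secret_key_generation(master_key_v, u, v, qeu, qev))
    # SKKE-3 (steps 6/7): U -> V carries MacTag2; V recomputes and compares in constant time
    mactag2 = mac(mackey_u, mac_data2(u, v, qeu, qev, text2))
    if not hmac.compare_digest(mactag2, mac(mackey_v, mac_data2(u, v, qeu, qev, text2))):
        return ("SKKE-3: MacTag2 rejected by responder", None)
    # SKKE-4 (steps 8/9): V -> U carries MacTag1; U verifies
    mactag1 = mac(mackey_v, mac_data1(u, v, qeu, qev, text1))
    if not hmac.compare_digest(mactag1, mac(mackey_u, mac_data1(u, v, qeu, qev, text1))):
        return ("SKKE-4: MacTag1 rejected by initiator", None)
    # Key confirmation succeeded: both sides hold the same KeyData as the new Link key
    return ("ok", keydata_u)


if __name__ == "__main__":
    master = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo Master key
    print(run_skke(master, master, b"\x00" * 7 + b"\x01", b"\x00" * 7 + b"\x02"))
```

With matching Master keys both parties end with the same KeyData; when the responder holds a different Master key the exchange stops at SKKE-3, which is the error condition that aborts the scheme before any Link key is accepted.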
3 The Basic TCA Scheme
In this section we describe the communication between the Trust Center and the ordinary nodes which occurs as a result of the key exchange. The Trust Center shall maintain a list of devices, Master keys, Link keys and Network keys that it needs to control, and shall enforce the policies of Network key updates and network admittance. The basic authentication scheme uses the ZigBee Trust Center's functions, and the structure of the Trust Center follows the standard. We assume that the coordinator has the role of the Trust Center, with powerful resources, and manages the nodes and keys located within the network. We also assume that the Trust Center is safe from threats, so that once Master keys are established there is no threat of eavesdropping during the exchange of Master keys. All nodes and the Trust Center have a private key and a Master key, respectively, through pre-installation, which will be used for session keys. We denote some common notations for describing our scheme in Table 2.

Table 2. The notations
u, v : node or router
TC : Trust Center
MA : All members in Subnet A
TCid(A) : Trust Center in Subnet A
Mkey(A), Lkey(A), Nkey(A) : Master Key, Link Key, Network Key in Subnet A
upk : private key of node n for key establishment
Kseq : Sequence Number of Network Key
{TCid|upk|Kseq} : The message used to generate a key
After the initial network is configured, the joiner device authentication is achieved through the Trust Center within the same network. Figure 2 shows the authentication mechanism. The authentication process at each step is as follows.

[Fig. 2 message sequence between Joiner, Router and Trust Center: Beacon request command; Beacon (unsecured); Association request command; Association response command; Update device command; Joined (unauthenticated); Secured Transport-key command (Master key); Unsecured Transport-key command (Master key); SKKE command; Secured Transport-key command; Joined (authenticated)]
Fig. 2. The basic TCA mechanism
① When a joiner device needs to join the network as a new node, it sends a ‘beacon request command’ and an ‘association request command’ to its nearby routers, including the unique ID of the node, its private key and a count number. The count number is used to provide frame freshness and to prevent replay attacks.
u → v (v ∈ MA) : {TCA(id), uid, upk, count_num}
② If the nearby router admits the node to join, the router sends an ‘update device command’ to the Trust Center.
v (∈ MA) → TCA : CMD_upt.device, {TCA(id), uid, upk, count_num}
③ After the Trust Center allows the joiner device to join, it sends a Master key and initiates the establishment of a Link key.
TCA → u (∈ MA) : Mkey(A)
④ In the Symmetric-Key Key Establishment (SKKE) protocol, the Link key is shared between the Trust Center and the joiner device. See Section 2.4.1 SKKE protocol for the detailed process.
TCA → u (∈ MA) : Lkey(A)
⑤ The Trust Center sends a Network key to the joiner device, and then the authentication process is completed. A sequence number is assigned to a Network key by the Trust Center and is used to distinguish Network keys. When an error occurs during the authentication process, all operations are cancelled and the procedure goes back to the initial authentication.
TCA → u (∈ MA) : Nkey, {TCA(id)|Kseq}
In the current ZigBee standard, a joiner device establishes a Link key with a Trust Center using the SKKE protocol and the generated keys are delivered by flooding. This mechanism performs fast in a small network, but transmission delay occurs when the network size increases. In addition, it is inefficient when the network size increases or a node moves, because more resources are required to store the secret keys used for authentication. Therefore, a new authentication technique that addresses these problems is required.
4 The Enhanced TCA Scheme
The ZigBee specification describes only intra-PAN networks, that is, networks in which communications begin and terminate within the same network. Unlike current authentication techniques, the proposed mechanism establishes the Link key by sharing authentication information between Trust Centers. It provides simple and low-cost authentication for all mobile nodes by sharing authentication information with the neighboring Trust Center. In addition, it is efficient when a mobile node, as a new node located in one network area, needs to join another neighboring network area. In this section, we describe how the TCA improves performance without increasing cost in inter-PAN networks. The trust-based network model is shown in Figure 3.
[Fig. 3 residue: Sensor Network A with Trust Center TCA and sensor node uA; Sensor Network B with its Trust Center TC and sensor node uB; legend: Trust Center, Sensor Node]
Fig. 3. Trust based network model
If node uB (called the mobility node), which is located in network area B, moves to network area A, the Trust Center in network area A discovers that the mobility node is currently available in the subnet by checking the node ID values. If the mobility node is not a child node of its own network area, Trust Center B requests the mobility node's authentication from Trust Center A. If the mobility node is a child node of its own network area A, Trust Center A sends the key and initial authentication information of the mobility node to Trust Center B via request-reply communication. The Link key and Network key are transported from the Trust Center to the mobility node, and authentication is complete. For transporting keys and authentication information, communication between Trust Centers is encrypted via a secure channel. Through the above process, the mobility node can join network area A without a complex authentication process. Figure 4 shows the authentication mechanism. The authentication process at each step is as follows.

[Fig. 4 message sequence between Joiner, Trust Center A and Trust Center B: Beacon request command; Beacon; Association request command; Association response command; Trust Center communication (authenticated); Joiner initial authentication data request; Joiner initial authentication data response; Secured Transport-key command (Link Key, Master key); Secured Transport-key command (NWK key); Joined (authenticated)]
Fig. 4. The enhanced TCA mechanism
ZigBee authentication algorithm
Process 1. If it is the first time to authenticate.
    Set msg.{TCA(id), uid, upk, count_num} in frame
    Send to Trust Center
    If msg.{TCA(id), uid, upk} is empty
        drop packet
    else if msg.{TCA(id)} ≠ current.TCA(id)
        /* certification already completed; node moved from another subnet */
        Go to Process 2
    else
        call authentication_function(msg, prm1, …, prmn)
        /* If the joiner device did not receive the key, it shall reset and start the joining procedure again */
        If error_code = 1
            drop the packet and exit
    end if
Process 2. If the joiner already has the Network key (joiner device that has completed authentication once).
    Find the Trust Center by msg.{TCA(id)}
    If not found
        call authentication_function(msg, prm1, …, prmn)
    else
        send msg to previous Trust Center
        get auth.{authentication info} from previous Trust Center
        call calc_key_function(auth, prm1, …, prmn)
        send key info to joiner device
    end if
Fig. 5. Authentication algorithm
① When the mobility node, as a new node located in network area B, needs to join network area A, it sends a “beacon request command” and an “association request command” to its nearby routers, including the unique ID of the node, its private key and a count number. The count number is used to provide frame freshness and to prevent replay attacks.
u → v (v ∈ MB) : {TCB(id), uid, upk, count_num}
② If the nearby router admits the node to join, the router sends an “update device command” to the Trust Center.
v (∈ MB) → TCB : CMD_upt.device, {TCB(id), uid, upk, count_num}
③ The Trust Center in network area A discovers that the mobility node is currently available in the subnet by checking the node ID values. If the mobility node is not a child node of its own network area, Trust Center A requests the mobility node's authentication from Trust Center B using the previous Trust Center ID. If the mobility node is a child node of its own network area B, Trust Center B sends the key and initial authentication information of the mobility node to Trust Center A via request-reply communication.
$f_{chkID}(TC_{id}) = \begin{cases} 1 & \text{if } TC_{id} = TC_B \\ 0 & \text{if } TC_{id} \neq TC_B \end{cases}$
④ After Trust Center A allows the joiner device to join, it creates a new Link key using the delivered key information and sends the new Link key to the mobility node.
TCA → u (∈ MA) : Lkey
⑤ Trust Center A sends the Link key and Network key to the joiner device, and then the authentication process is completed. A sequence number is assigned to a Network key by the Trust Center and is used to distinguish Network keys. When an error occurs during the authentication process, all operations are cancelled and the procedure goes back to the initial authentication.
TCA → u (∈ MA) : Nkey, {TCA(id)|Kseq}
Given session time T, the ZigBee authentication algorithm for a mobility node v receiving key information from the Trust Center is shown in Figure 5.
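The basic join of Section 3 together with the Process 1 / Process 2 logic of Fig. 5 and the f_chkID check above, as an added Python example that is not the paper's code. It models two Trust Centers whose secure TC-to-TC channel is assumed and reduced to direct method calls, derives Master and Link keys with an HMAC-based stand-in (the hypothetical prf) for key transport and SKKE, and adds the count_num freshness check that the text says prevents replay. Falling back to full authentication when the previous Trust Center does not vouch for the node is an assumed policy; the paper does not specify that case.

```python
import hmac
import hashlib
from dataclasses import dataclass, field


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Key-derivation stand-in (assumed: HMAC-SHA256 truncated to 128 bits)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]


@dataclass
class TrustCenter:
    tc_id: str
    nkey: bytes                 # Nkey: Network key of this subnet
    kseq: int                   # Kseq: sequence number of the Network key
    tc_secret: bytes            # assumed: per-Trust-Center secret used to mint Master keys
    devices: dict = field(default_factory=dict)   # uid -> {upk, count, mkey, lkey}
    peers: dict = field(default_factory=dict)     # tc_id -> TrustCenter (secure channel assumed)

    def authentication_function(self, msg):
        """Basic TCA steps 3-5: Master key, Link key (SKKE outcome modelled by prf), Network key."""
        uid, upk = msg["uid"], msg["upk"]
        mkey = prf(self.tc_secret, b"MKEY", uid.encode())
        lkey = prf(mkey, b"LKEY", upk, uid.encode(), self.tc_id.encode())
        self.devices[uid] = {"upk": upk, "count": msg["count_num"], "mkey": mkey, "lkey": lkey}
        return {"tc_id": self.tc_id, "mkey": mkey, "lkey": lkey, "nkey": self.nkey, "kseq": self.kseq}

    def auth_info_for(self, uid):
        """Answer a peer's 'joiner initial authentication data request' (Fig. 4)."""
        rec = self.devices.get(uid)
        return None if rec is None else {"upk": rec["upk"], "mkey": rec["mkey"]}

    def calc_key_function(self, msg, auth):
        """Enhanced TCA step 4: derive a fresh Link key from the delivered key information."""
        uid = msg["uid"]
        lkey = prf(auth["mkey"], b"LKEY", auth["upk"], uid.encode(), self.tc_id.encode())
        self.devices[uid] = {"upk": auth["upk"], "count": msg["count_num"],
                             "mkey": auth["mkey"], "lkey": lkey}
        return {"tc_id": self.tc_id, "lkey": lkey, "nkey": self.nkey, "kseq": self.kseq}

    def chk_id(self, tc_id):
        """f_chkID: 1 if the claimed previous Trust Center is a known peer, 0 otherwise."""
        return 1 if tc_id in self.peers else 0

    def handle_join(self, msg):
        """Fig. 5 Process 1 / Process 2, plus the count_num freshness check of step 1."""
        if not msg.get("tc_id") or not msg.get("uid") or not msg.get("upk"):
            return ("drop: empty fields", None)
        rec = self.devices.get(msg["uid"])
        if rec is not None and msg["count_num"] <= rec["count"]:
            return ("drop: stale count_num (replay)", None)
        if msg["tc_id"] != self.tc_id:
            # Process 2: the node completed authentication in another subnet
            if self.chk_id(msg["tc_id"]) == 0:
                return ("authenticated (full)", self.authentication_function(msg))
            auth = self.peers[msg["tc_id"]].auth_info_for(msg["uid"])
            if auth is None or auth["upk"] != msg["upk"]:
                # previous Trust Center does not vouch for the node: treat as first-time join (assumed)
                return ("authenticated (full)", self.authentication_function(msg))
            return ("authenticated (via peer)", self.calc_key_function(msg, auth))
        # Process 1: first-time authentication in this subnet
        return ("authenticated (full)", self.authentication_function(msg))


def demo():
    """Constructed scenario: node u1 joins subnet B, moves to subnet A, then a replay is attempted."""
    tc_a = TrustCenter("TC_A", nkey=b"A" * 16, kseq=1, tc_secret=b"secret-A")
    tc_b = TrustCenter("TC_B", nkey=b"B" * 16, kseq=7, tc_secret=b"secret-B")
    tc_a.peers["TC_B"] = tc_b
    tc_b.peers["TC_A"] = tc_a
    upk = b"demo-node-private-key"                 # constructed value
    first = tc_b.handle_join({"tc_id": "TC_B", "uid": "u1", "upk": upk, "count_num": 1})
    moved = tc_a.handle_join({"tc_id": "TC_B", "uid": "u1", "upk": upk, "count_num": 2})
    replay = tc_a.handle_join({"tc_id": "TC_B", "uid": "u1", "upk": upk, "count_num": 2})
    return first, moved, replay


if __name__ == "__main__":
    for label, (status, keys) in zip(("first join", "moved", "replay"), demo()):
        print(label, status, None if keys is None else keys["tc_id"])
```

The moved node receives a Link key bound to Trust Center A and A's Network key without repeating the full Master-key exchange, while a repeated join frame with the same count_num is dropped at A.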
5 Evaluation of Authentication Schemes
5.1 Evaluation Metrics
In this subsection, we prove that the proposed authentication mechanism is more efficient by measuring its cost and comparing it with the current authentication mechanism [3][4][5]. For convenience, we define 1) ZigBee1 as the authentication mechanism of the current standard and 2) ZigBee2 as the proposed authentication mechanism. First, we assume that the sensor nodes Nk (k = 1…n) are within the communication range R, that there is no packet loss due to attacks from inside or outside the network, and that the network bandwidth is sufficient for all requirements. Sensor nodes have power control, so that they can transmit their data directly to the Trust Center or to any other node in the network. Further, the Trust Center has sufficient power and memory. We also assume that the network topology for the cost analysis is tree based with a hierarchical routing strategy. The basic concept used in hierarchical routing [6] is that of the subtree: a message is first routed to the destination subtree and then down the subtree to its destination node. We define the node name as node function initial + address, where the node function initials r and n denote router and end nodes, respectively. More details on address assignment in ZigBee networks can be found in [1].

Table 3. The system and network parameters
Radius of the region, R : 10m
Distance from Trust Center, d : 10m~500m
Number of cycles, T : 1
Propagation loss exponent, k : 2
Length of each packet : 4000 bits
Amount of energy spent in the transmitter, δ : 50J, 150J
Constant factor in the propagation loss term, µ : 2
The basic constraints of sensor networks are limited power/energy and limited storage and working memory [7]. So, in order to evaluate the performance of the authentication mechanism, we have compared energy and memory efficiency. To evaluate the performance of the proposed scheme, we assume a congestion-free MAC layer and error-free communication as the simulation environment. We then simulated the performance metrics with the system and network parameters listed in Table 3.

5.2 Performance Evaluation
5.2.1 Energy Efficiency
First, we compare the energy required for authentication in ZigBee1 with that in ZigBee2. In Figure 3, when Trust Center TC0 tries to authenticate a general node n3, the costs of authentication in ZigBee1 and ZigBee2 are as follows:

E_ZigBee1 = E_scan + E_trans.Mkey + E_SKKE + E_trans.Lkey + E_trans.Nkey + Δc
E_ZigBee2 = E_scan + E_trans.TC-to-TC + E_trans.Lkey + E_trans.Nkey + Δc   (1)

where Δc is the processing cost. In the process above, we find that ZigBee2 is almost the same as ZigBee1 except that E_trans.TC-to-TC in ZigBee2 replaces E_SKKE in ZigBee1. Therefore, we can compare the energy required for authentication by comparing E_SKKE and E_trans.TC-to-TC. In [8], the communication mode is a choice between single-hop and multi-hop communication. E_SKKE uses multi-hop communication with two round trips. E_trans.TC-to-TC uses single-hop communication with one round trip. In E_SKKE, which uses multi-hop communication, communication between the Trust Center and an end node is carried out through intermediate nodes whose function is to relay information from one to another. The energy of the sensor nodes required for multi-hop communication during a lifetime of at least T periods is as follows.

$E_m = T\left[(2\delta + \mu R^k)\left(\frac{d^2}{R^2} - 1\right) + (\delta + \mu R^k)\right]$   (2)

In E_trans.TC-to-TC, which uses single-hop communication, each node directly transmits its packet to the Trust Center; there is no relaying of packets. The energy of the sensor nodes required for single-hop communication during a lifetime of at least T periods is as follows.

$E_s = T(\delta + \mu d^k)$   (3)

where δ is the amount of energy spent in the transmitter electronics circuitry, µ is the value of the propagation loss exponent, d is the distance between nodes, and R is the communication radius. If a node has not heard any message from the Trust Center for the timeout period T, it carries out an active scan.
When k = 2, we obtain

$E_m = T(\delta + \mu d^2) + 2T\delta\left(\frac{d^2}{R^2} - 1\right)$   (4)

$E_s = T(\delta + \mu d^2)$   (5)
Thus we can see that E_m > E_s, i.e., the required battery energy is lower in single-hop mode than in multi-hop mode when k = 2. Figure 6 shows the energy consumption of each scheme against the distance from the Trust Center when the amount of energy spent in the transmitter is 50J and 150J, respectively. The distance from the Trust Center ranges from 10 to 500. From the result, ZigBee2 needs less energy for authentication than ZigBee1 when a new node joins the network. It is observed that the energy consumption of ZigBee1 is much larger than that of ZigBee2. As the amount of energy spent in the transmitter (the value of δ) grows, the energy consumption of ZigBee1 increases proportionally, but the energy consumption of ZigBee2 stays almost the same. This is mainly due to flooding in multi-hop communication, which involves two or more intermediate nodes. Relaying information from one node to another requires more energy than direct communication. As the network size increases, ZigBee2 reduces energy consumption compared with ZigBee1 even further.

[Fig. 6: two panels (δ=50 and δ=150); y-axis Energy Consumption (KJ); x-axis Distance (m) with ticks 20, 80, 140, 200, 260, 320, 380, 440, 500; series: ESKKE in ZigBee1 and ETC-to-TC in ZigBee2]
Fig. 6. Energy consumption with δ=50, δ=150
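Equations (1) to (5) evaluated over the Table 3 parameters, as an added Python example; it is not the authors' simulation code. Only the term of (1) that differs between the schemes is computed (E_SKKE versus E_trans.TC-to-TC), since the other terms cancel in the comparison, and the text's "two round trips" and "one round trip" are assumed to mean four and two one-way transmissions of the respective mode. The function names are the example's own.

```python
def energy_multi_hop(d, R, delta, mu, k=2, T=1):
    """E_m of (2): T[(2δ + µR^k)(d²/R² − 1) + (δ + µR^k)]."""
    return T * ((2 * delta + mu * R ** k) * (d ** 2 / R ** 2 - 1) + (delta + mu * R ** k))


def energy_single_hop(d, delta, mu, k=2, T=1):
    """E_s of (3): T(δ + µd^k)."""
    return T * (delta + mu * d ** k)


def energy_multi_hop_k2(d, R, delta, mu, T=1):
    """E_m of (4), the k = 2 closed form: T(δ + µd²) + 2Tδ(d²/R² − 1)."""
    return T * (delta + mu * d ** 2) + 2 * T * delta * (d ** 2 / R ** 2 - 1)


def exchange_energy(scheme, d, R, delta, mu, k=2, T=1):
    """The term of (1) that differs: E_SKKE (multi-hop, two round trips) for ZigBee1 versus
    E_trans.TC-to-TC (single-hop, one round trip) for ZigBee2.
    Assumed: one round trip = two one-way transmissions in the given mode."""
    if scheme == "ZigBee1":
        return 2 * 2 * energy_multi_hop(d, R, delta, mu, k, T)
    if scheme == "ZigBee2":
        return 1 * 2 * energy_single_hop(d, delta, mu, k, T)
    raise ValueError(scheme)


def sweep(delta, R=10, mu=2, k=2, T=1, d_from=10, d_to=500, step=10):
    """Table 3 sweep of d: list of (d, ZigBee1 exchange energy, ZigBee2 exchange energy)."""
    return [(d,
             exchange_energy("ZigBee1", d, R, delta, mu, k, T),
             exchange_energy("ZigBee2", d, R, delta, mu, k, T))
            for d in range(d_from, d_to + 1, step)]


def delta_sensitivity(d, R=10, mu=2):
    """Growth of each scheme's exchange term when δ goes from 50J to 150J (Fig. 6's two panels)."""
    z1 = exchange_energy("ZigBee1", d, R, 150, mu) - exchange_energy("ZigBee1", d, R, 50, mu)
    z2 = exchange_energy("ZigBee2", d, R, 150, mu) - exchange_energy("ZigBee2", d, R, 50, mu)
    return z1, z2


if __name__ == "__main__":
    for d, e1, e2 in sweep(50)[:5]:
        print(f"d={d:4d} m  ZigBee1={e1:10.0f}  ZigBee2={e2:10.0f}")
    print("growth of the exchange term for delta 50 -> 150 at d=500:", delta_sensitivity(500))
```

At d = R the two models coincide; for every larger d in the sweep the multi-hop term exceeds the single-hop term, and raising δ from 50 to 150 adds a constant 200 to the ZigBee2 term while the ZigBee1 term grows with d²/R², which is the behaviour the paragraph above attributes to the two panels of Fig. 6.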
5.2.2 Memory Efficiency
ZigBee uses Network, Link, and Master keys for authentication. The keys used for authentication are stored in each node. A Network key is a common key shared among all nodes in a ZigBee network. Link keys are pair-wise keys used between two communicating ZigBee devices. Using only the Network key gives weak resilience but is memory efficient; therefore, we do not consider the Network key in the memory efficiency analysis. On the other hand, Link keys require memory proportional to the number of devices in the network. In the current ZigBee standard, a joiner device establishes a Link key with a Trust Center using the SKKE protocol and the generated keys are delivered by flooding. This is extremely memory inefficient and scales poorly as the network size increases. This problem is serious because of the nature of low-power sensors.
Therefore, we compare the memory required to establish a Link key in ZigBee1 with that in ZigBee2. Table 4 shows the memory cost of establishing a Link key using SKKE when Trust Center TC0 tries to authenticate a joiner device n3. In order to calculate the memory cost, we denote the memory cost of a single-hop transmission by S, of a multi-hop transmission by M, and of a calculation by C or C'.

Table 4. Memory cost for authentication
Columns: SKKE step (see sub-clause 2.2.4); ZigBee1 memory cost at TC0, r1, n3; ZigBee2 memory cost at TC1, TC0, r1, n3.
Rows (SKKE steps): ① u→v; ② u←v; ③ MacData; ④ MacTag; ⑤ MacKey, KeyData; ⑥ MacTag2 u→v; ⑦ v: verify; ⑧ MacTag1 u←v; ⑨ u: verify; followed by the summary, count and total rows.
[Per-step cells (M, S, C, C' entries) are not recoverable from the extraction; the summary rows are:]
summary : ZigBee1 TC0 4M 5C, r1 4M, n3 4M 5C | ZigBee2 TC1 1M 1C', TC0 2S 1M 4C', r1 1M, n3 2S
count : ZigBee1 9, 4, 9 (total 22) | ZigBee2 2, 7, 1, 2 (total 12)
Comparing ZigBee1 and ZigBee2, the memory consumed by TCi is as follows:
M_ZigBee1 : M_ZigBee2 = (4M+5C) : (4S+M+4C')   (6)
When M = 2S, the memory consumed by M and S is 57% and 42%, respectively. If S has more than 15% better memory performance than M, ZigBee2 always uses less memory for authentication. In the case of r1 as an intermediate node, we found that ZigBee1 uses four times the memory of ZigBee2. The depth of the tree used in the experiment is 2, but if the depth grows, this difference may become even greater. In the case of n3 as the joiner device, we found that ZigBee1 uses four times the memory of ZigBee2. Comparing ZigBee1 and ZigBee2, the total memory cost is as follows:
M_ZigBee1 : M_ZigBee2 = (12M+10C) : (4S+3M+5C')   (7)
When M = S = C, ZigBee1 uses about double the memory of ZigBee2. Through simulation experiments, we showed that the proposed scheme is more effective than the current scheme. Our scheme provides optimal and feasible authentication of mobile nodes in ZigBee networks and is suited for large ZigBee networks.
6 Conclusion
The ZigBee standard, which appeared to solve the security problems of wireless LANs, offers effective security functions for the communication of sensor nodes. ZigBee also defines the role of the Trust Center, which is a component of the ZigBee security architecture. In the current ZigBee standard, a joiner device establishes a Link key with a Trust Center using the SKKE protocol and the generated keys are delivered by flooding. This mechanism performs fast in a small network, but transmission delay occurs when the network size increases. In addition, it is inefficient when the network size increases or a node moves to a different subnet. In this paper, we propose an enhanced TCA mechanism which improves the performance of the current standard in ZigBee networks with mobile nodes. In TCA, a node's initial authentication is achieved through the Trust Center. If the node moves to a different subnet, the Trust Center can perform the authentication effectively, without a separate authentication process, by sharing the initial authentication information between Trust Centers. In order to evaluate the performance of the proposed scheme, we have compared energy and memory efficiency. Through simulation experiments, the proposed scheme is more effective than the current scheme. The energy consumption of the current scheme is much larger than that of the proposed scheme. Also, the memory consumption of the current scheme is about double that of the proposed scheme.
References
1. ZigBee Alliance Document, ZigBee Specification Pro/2007 (2007)
2. IEEE Std 802.15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (LR-WPANs) (2003)
3. Perrig, A., et al.: TESLA: Multicast Source Authentication Transform Introduction. IETF working draft, draft-ietf-msec-tesla-intro-01.txt
4. Perrig, C., et al.: SPINS: Security Protocols for Sensor Networks. ACM Wireless Networks 8(5), 521–534 (2002)
5. Zhu, S., Setia, S., Jajodia, S.: LEAP: Efficient Security Mechanism for Large-Scale Distributed Sensor Networks. In: Proc. 10th ACM Conf. Computer and Communications Security (CCS 2003), Washington, DC (October 2003)
6. Bohge, M., Trappe, W.: An Authentication Framework for Hierarchical Ad Hoc Sensor Networks. In: Proc. 2nd ACM Workshop on Wireless Security, San Diego, CA (2003)
7. Zhou, Y., Fang, Y.: Securing Wireless Sensor Networks: A Survey. IEEE Communications 10(3) (October 2008)
8. Mhatre, V., Rosenberg, C.: Design guidelines for wireless sensor networks: communication, clustering and aggregation. Ad Hoc Networks, 45–63 (2004)
9. Sanchez, D.S., Baldus, H.: A Deterministic Pairwise Key Pre-Distribution Scheme for Mobile Sensor Networks. In: Proc. 1st IEEE Int'l Conf. Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005) (2005)
10. Khan, M., Amini, F., Mišić, J.: Key exchange in 802.15.4 networks and its performance implications. In: Cao, J., Stojmenovic, I., Jia, X., Das, S.K. (eds.) MSN 2006. LNCS, vol. 4325, pp. 497–508. Springer, Heidelberg (2006)
11. Ren, K., et al.: On Broadcast Authentication in Wireless Sensor Networks. In: Proc. Conf. Wireless Algorithms, Systems, and Applications, Xi'an, China (August 2006)
Sensor Disposition Problem in Wireless Ad-Hoc Sensor Networks
Takahide Yanaka, Toshihiko Sasama, and Hiroshi Masuyama
Department of Information and Electronics, Graduate School of Engineering, Tottori University
{s042056,sasama,masuyama}@ike.tottori-u.ac.jp
Abstract. In order to monitor for traffic traversal, sensors can be deployed to perform collaborative target detection. Such a sensor network achieves a certain level of detection performance with an associated cost of deployment. This paper addresses two points in this problem where the absolute quantity of sensors is insufficient. The discussion on the best deployment concludes that Zigzag deployment is recommended. The other discussion on measures to evaluate the performances of variant deployments is addressed. The discussion concludes that, in place of the existing “exposure”, a new tool can measure more accurately the detection performance given the circumstance where every deployed sensor operates as a binary model. Keywords: sensor network, binary model, general model, deployment, detectability, exposure.
1 Introduction
Wireless ad-hoc sensor networks have recently been emerging as a topic of conversation. Advancements in micro-sensor and communication technologies have made sensor networks applicable to environmental monitoring (such as stationary watch towers) or battlefield surveillance. The final research aim of these networks is to give them great long-term, economic, and potential benefits. Though we can consider a variety of network scenarios [1], [2], [3], [4], [5], [6], [7], in this work we consider the circumstance where networks hold their long-term life by keeping redundant monitors in stand-by mode at a small sacrifice of detectability. In other words, in order to maintain long-term workdays we aim at a self-management service [8] for wireless sensor networks that, for power saving, automatically controls the network redundancy while holding detectability at an adequately high level when the coverage is not perfect. Coverage represents the quality of service the network can provide and how well a region of interest is monitored by the network. However, the lifetime of the network also represents the quality of service. The coverage approaches 0 as the network nears the end of its life. This means that there is a trade-off relationship between the coverage and the lifetime. In this work, we investigate the detectability in each of several different sensor placements where coverage is not sufficient, and discuss an optimum sensor placement. J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 485–493, 2009. © Springer-Verlag Berlin Heidelberg 2009
T. Yanaka, T. Sasama, and H. Masuyama
In order to find the optimum solution for sensor deployment, we discuss the following items (1) ~ (4):
(1) In the binary sensing model, in order to evaluate the detectability taking the most time and using the most precise measure, we perform simulation experiments.
(2) In order to evaluate environments where many sensors are deployed in a narrow or a vast geographical area, we investigate the detectability in two different areas, 100×100 m2 and 1000×1000 m2, where sensors are deployed.
Several papers use “exposure” as a computational measure [9], [10]. The measure “exposure” presupposes the general sensing model conceptually in terms of the sensing model. It is said that exposure is directly related to coverage, as it is a measure of how well an object can be observed by the sensor network over a period of time. We evaluate “exposure” by comparing it with the other, new computational measure “closer”.
(3) We investigate the detectability with the two measures “exposure” and “new”, defined later, and verify which is closer to the data obtained by the simulation experiments, in other words, closer to the real data. The detectability evaluated by “exposure” watches only the weakest sensing-route, not the average sensing-route in the sensor field. This means it is doubtful that “exposure” can evaluate the detectability of the sensor disposition exactly. Instead of evaluating the weakest sensing-route, we consider a new computational tool to evaluate the average sensing-route.
(4) We directly evaluate “All-Sensor Field Intensity”.
This study, which is a combination of theoretical and simulated evaluations, quantifies the trade-off between power conservation and quality of surveillance while presenting guidelines for efficient deployment of sensors for application to environmental monitoring. This paper is organized as follows: In section 2, we prepare the technical terms which will be used in the later sections. Sections 3 and 4 present detectability using binary sensors and detectability using general sensors, respectively. Section 5 presents evaluation results in the case of “All-Sensor Field Intensity”. This paper concludes in section 6 with a comparison of experimental and computational data.
2 Preliminaries
2.1 Coverage
The sensor field is assumed to be two-dimensional. For enhanced coverage of the sensor field, a large number of sensors are typically deployed so as to leave no uncovered point. Even if the coverage areas of multiple sensors overlap, the precise location of the target can be determined by examining the locations of these sensors. We consider the opposite circumstance, where the absolute quantity of sensors is insufficient because of secular change or other reasons. Since we consider the case of an insufficient number of sensors, we define the coverage N of the sensor field as the ratio of the number of deployed sensors to the necessary and sufficient number of nodes which leave no uncovered point in the grid distribution, as shown in Fig 1.
Fig. 1. Case of N=1
Fig. 2. Case of N=0.3
Fig. 3. Case of N=0.3
2.2 Sensor Deployment
We prepare three kinds of sensor deployment: Straight, Zigzag, and Random. For each deployment, we give formulas to automatically determine the placement of all sensors from the parameters coverage N, sensor field X × Y, and detection range r.
2.2.1 Straight Deployment
We first define the straight deployment of N=1 as shown in Fig 1. This deployment is given by X × Y. The deployment for general N (<1) is given as the deployment whose number of columns is in the ratio of N to the number of columns of N=1. Fig 2 shows a straight deployment in the case of N=0.3.
2.2.2 Zigzag Deployment
The zigzag deployment of N is given as the deployment where every even-order sensor of each column is shifted to the next new column, as shown in Fig 3, which shows a zigzag deployment in the case of N=0.3.
2.2.3 Random Deployment
The location point (xi, yi) of each sensor si is given randomly.
Fig. 4. Binary sensing model
Fig. 5. General sensing model
2.3 Sensing Model
2.3.1 Binary Sensing Model
The binary sensor model assumes that sensor readings have no associated uncertainty. Consider an X by Y sensor field grid and assume that there are k sensors deployed in the random deployment stage. Each sensor has a detection range r. Assume sensor si is deployed at point (xi, yi). For any point p at (x, y), we denote the Euclidean distance between si and p as d(si, p), i.e. d(si, p) = sqrt((xi − x)² + (yi − y)²). The following equation shows the binary sensor model [7], [11] that expresses the coverage cxy(si) of a grid point p by sensor si: cxy(si) = 1 if d(si, p) < r, and 0 otherwise.
2.3.2 General Sensing Model
The general sensing model is a model whose sensing ability depends on the distance from the target, as shown in Fig 5 [9]. All-Sensor Field Intensity is defined as IA(F,p) = ∑ S(si,p) for a point p in the field F, that is, as the effective sensing measure at point p from all sensors in F, where S(si,p) is the general sensing model S at an arbitrary point p for a sensor s, defined as follows: S(s,p) = λ / [d(s,p)]^κ. The positive constants λ and κ are sensor-technology-dependent parameters. In this work, we assume λ and κ are 1 and 2, respectively. The exposure path is defined as a route whose total value on the path is the smallest between source S and destination D. If we assume the value of each sensor as shown in Fig 6, then the exposure path is the red line. Finally, in order to introduce a new measure, we define the new Field Intensity as IA'(F,p) = ∑ S'(si,p), where S'(s,p) = [d(s,p)]².
Fig. 6. An example of exposure path
Fig. 7. New closer path
Sensor Disposition Problem in Wireless Ad-Hoc Sensor Networks

We refer to this quantity as “closer”. A closer path is likewise defined as the route whose total value along the path is the smallest between source S and destination D. Though S(si,p) and S’(si,p) share the same sense, in that their paths are traced so as to take the smallest total value, the new measure “closer” expresses the larger difference in the domain where the target moves away from each sensor; “exposure” does not express the larger difference in such a domain. Fig 7 shows the closer value of each sensor and the path (green line) under this measure. The divisional sizes in Figs 6 and 7 are chosen at will.

2.4 Measure of Detectability

In binary sensing models, the detectability is measured as the ratio of the number of trials in which the target passes through the detection range of a sensor to the total number of trials. On the other hand, in general sensing models the detectability is measured as the exposure of the exposure path between the start and destination nodes [1]. In general sensing models, the detectability is also measured with the new measure “closer” of the closer path between the start and destination nodes.

2.5 Measure of “All-Sensor Field Intensity”

As defined in 2.3, the intensity by “exposure” of the sensor deployment shown in Fig 6 can be calculated as 0.02+0.04+0.11+…+0.04+0.02 by adding from left to right and from top to bottom. The intensity by “closer” of the sensor deployment shown in Fig 7 is 49+26+9+…+25+49.

2.6 Simulation Method

Finally we describe the input parameters and output measures for the evaluation of the detectability in different sensor deployments. For the purpose of our simulation, we consider two square domains, 100×100 and 1000×1000 (m), where the sensors required for a coverage between 90% and 10% are distributed in a variety of sensor deployments. In binary sensing models, the target is given random start and destination positions and moves in a straight line between the two positions at a speed of 1 (m/s), where the average distances are taken as 50, 40, 30, 20, 10 m in the 100×100 domain, and 500, 400, 300, 200, 100 m in the 1000×1000 domain, respectively. The detection range of each sensor is a radius of 5 m.
The detectability of a given sensor deployment is evaluated as the average by generating 100 different pairs of start and destination positions.
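The two field-intensity measures of Sections 2.3.2 to 2.5 and the minimum-value path each of them induces, as an added worked example; the paper gives no code, and this is not the authors' program. It assumes that the field is cut into square cells whose centres are the points p, that the value of a path is the sum of the intensities of the cells it visits, that cells are 4-connected, and a lower bound EPS on d so that a sensor sitting exactly on a cell centre gives a finite exposure. The one-sensor 3×3 field is constructed input; it reproduces the effect the text describes, namely that the exposure path and the closer path of the same deployment differ.

```python
import heapq
import math

LAMBDA, KAPPA = 1.0, 2.0   # sensor-technology parameters, set to 1 and 2 as in the paper
EPS = 1e-6                 # assumption: lower bound on d(s, p) so the exposure stays finite


def exposure_sensing(d):
    """General sensing model S(s, p) = lambda / d^kappa."""
    return LAMBDA / max(d, EPS) ** KAPPA


def closer_sensing(d):
    """New measure S'(s, p) = d^2 (grows as the target moves away from the sensor)."""
    return d ** 2


def field_intensity(sensors, X, Y, cell, sensing):
    """All-Sensor Field Intensity I(F, p) = sum_i S(s_i, p) at the centre of every cell.
    Returns {(cx, cy): intensity} for a field of X by Y metres cut into square cells."""
    cols, rows = int(X / cell), int(Y / cell)
    grid = {}
    for cx in range(cols):
        for cy in range(rows):
            px, py = (cx + 0.5) * cell, (cy + 0.5) * cell
            grid[(cx, cy)] = sum(sensing(math.hypot(sx - px, sy - py)) for sx, sy in sensors)
    return grid


def total_intensity(grid):
    """The Section 2.5 measure: add every cell value of the field."""
    return sum(grid.values())


def min_cost_path(grid, src, dst):
    """Exposure path (or closer path) from cell src to cell dst: Dijkstra over 4-connected
    cells, where the value of a path is the sum of the intensities of all cells visited."""
    dist = {src: grid[src]}
    prev = {}
    heap = [(grid[src], src)]
    while heap:
        c, u = heapq.heappop(heap)
        if u == dst:
            break
        if c > dist[u]:
            continue
        ux, uy = u
        for v in ((ux + 1, uy), (ux - 1, uy), (ux, uy + 1), (ux, uy - 1)):
            if v not in grid:
                continue
            nc = c + grid[v]
            if nc < dist.get(v, math.inf):
                dist[v] = nc
                prev[v] = u
                heapq.heappush(heap, (nc, v))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


if __name__ == "__main__":
    # constructed field: 3 m x 3 m, 1 m cells, one sensor in the bottom-left corner
    sensors = [(0.0, 0.0)]
    for name, fn in (("exposure", exposure_sensing), ("closer", closer_sensing)):
        grid = field_intensity(sensors, 3, 3, 1.0, fn)
        path, value = min_cost_path(grid, (0, 2), (2, 0))
        print(f"{name:8s} total={total_intensity(grid):.3f} path={path} value={value:.3f}")
```

The closer path hugs the sensor (cells of small d²) while the exposure path keeps away from it (cells of small 1/d²), which is exactly the difference between the two measures that Fig 6 and Fig 7 illustrate.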
3 Detectability Using Binary Sensor Model

In this section, we present the results of the simulations in the case of using the binary sensor model. Figs 8–11 in Section 3.1 plot the detectability and the average time interval required to detect, with the parameters coverage N, average traversing distance of the target, and sensor deployment, in the case of the 100×100 m field. Figs 12 and 13 show the results in the case of the 1000×1000 m field.
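The binary-sensor simulation of Sections 2.2, 2.3.1 and 2.6 (three deployments, a target moving in a straight line at 1 m/s, r = 5 m, 100 random start/destination pairs per point), as an added worked example that is not the authors' simulator. Assumptions not stated in the paper: the N=1 straight deployment places one sensor per 2r × 2r tile so that the detection discs tile the field, a coverage N < 1 keeps a fraction N of those columns spread evenly over the width, the zigzag shift is half a column spacing, and the random deployment uses the same sensor count as the straight one. Instead of sampling the path, `first_detection_time` solves the entry time into a detection disc in closed form.

```python
import math
import random


def _grid(N, X, Y, r):
    # Assumption: the N=1 straight deployment has one sensor per 2r x 2r tile; N<1 keeps
    # round(N * columns) of those columns and spreads them evenly over the width X.
    rows = max(1, int(Y // (2 * r)))
    cols = max(1, round(N * max(1, int(X // (2 * r)))))
    return rows, cols, X / cols, Y / rows


def straight_deployment(N, X, Y, r):
    """Straight deployment: sensors on a regular grid of `cols` columns and `rows` rows."""
    rows, cols, dx, dy = _grid(N, X, Y, r)
    return [(dx * (c + 0.5), dy * (k + 0.5)) for c in range(cols) for k in range(rows)]


def zigzag_deployment(N, X, Y, r):
    """Zigzag: every even-numbered sensor of each column is shifted half a column spacing."""
    rows, cols, dx, dy = _grid(N, X, Y, r)
    return [((dx * (c + 0.5) + (dx / 2 if k % 2 else 0.0)) % X, dy * (k + 0.5))
            for c in range(cols) for k in range(rows)]


def random_deployment(N, X, Y, r, rng):
    """Random: the same number of sensors as the straight deployment, placed uniformly."""
    rows, cols, _, _ = _grid(N, X, Y, r)
    return [(rng.uniform(0, X), rng.uniform(0, Y)) for _ in range(rows * cols)]


def covered(sensor, p, r):
    """Binary sensing model: c_xy(s_i) = 1 if d(s_i, p) < r, else 0."""
    return 1 if math.dist(sensor, p) < r else 0


def first_detection_time(sensor, start, dest, r, speed=1.0):
    """Earliest time at which a target moving straight from start to dest at `speed` comes
    within r of the sensor, or None. Solves |start - sensor + t*u|^2 < r^2 for t."""
    L = math.dist(start, dest)
    if L == 0:
        return 0.0 if covered(sensor, start, r) else None
    ux, uy = (dest[0] - start[0]) / L, (dest[1] - start[1]) / L
    wx, wy = start[0] - sensor[0], start[1] - sensor[1]
    b = wx * ux + wy * uy
    disc = b * b - (wx * wx + wy * wy - r * r)
    if disc <= 0:
        return None                                   # path never enters the disc
    t1, t2 = -b - math.sqrt(disc), -b + math.sqrt(disc)  # entry / exit along the path
    if t2 <= 0 or t1 >= L:
        return None                                   # disc lies behind or beyond the path
    return max(t1, 0.0) / speed


def random_trial(X, Y, distance, rng):
    """A random start and a destination `distance` metres away, both inside the field."""
    while True:
        sx, sy = rng.uniform(0, X), rng.uniform(0, Y)
        ang = rng.uniform(0, 2 * math.pi)
        dx, dy = sx + distance * math.cos(ang), sy + distance * math.sin(ang)
        if 0 <= dx <= X and 0 <= dy <= Y:
            return (sx, sy), (dx, dy)


def detectability(sensors, X, Y, distance, r, trials, rng):
    """Fraction of trials in which the target is detected and the mean time to first
    detection over the detected trials (None if nothing was detected)."""
    hits, times = 0, []
    for _ in range(trials):
        s, d = random_trial(X, Y, distance, rng)
        ts = [t for t in (first_detection_time(sn, s, d, r) for sn in sensors) if t is not None]
        if ts:
            hits += 1
            times.append(min(ts))
    return hits / trials, (sum(times) / len(times) if times else None)


def simulate(N, kind, distance, X=100.0, Y=100.0, r=5.0, trials=100, seed=1):
    """Detectability for one deployment kind ('straight', 'zigzag', 'random') at coverage N."""
    rng = random.Random(seed)
    if kind == "random":
        sensors = random_deployment(N, X, Y, r, rng)
    else:
        sensors = {"straight": straight_deployment, "zigzag": zigzag_deployment}[kind](N, X, Y, r)
    return detectability(sensors, X, Y, distance, r, trials, rng)


if __name__ == "__main__":
    for kind in ("straight", "zigzag", "random"):
        for N in (0.9, 0.5, 0.2):
            rate, t = simulate(N, kind, distance=50)
            print(f"{kind:9s} N={N:.1f} detectability={rate:.2f} mean time={t}")
```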
3.1 100×100 m Field

[Figure: detectability vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 8. Detectability (average traversing distance 50m)

[Figure: detectability vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 9. Detectability (average traversing distance 20m)

[Figure: time [s] vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 10. Average time interval required to detect (average traversing distance 40m)

[Figure: time [s] vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 11. Average time interval required to detect (average traversing distance 20m)
3.2 1000×1000 m Field

[Figure: detectability vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 12. Detectability (average traversing distance 100m)

[Figure: time [s] vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 13. Average time interval required to detect (average traversing distance 100m)
4 Detectability Using General Sensor Model

In this section, in the case of using a general sensor as the computational model, the detectability is plotted as “exposure” in 4.1 and as “closer” in 4.2, with the parameters coverage N, average traversing distance of the target, and sensor deployment.

4.1 Exposure

[Figure: exposure vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 14. Comparison in the case of “exposure” in 100×100 m field

[Figure: exposure vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 15. Comparison in the case of “exposure” in 1000×1000 m field
4.2 Closer

[Figure: closer vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 16. Comparison in the case of “closer” in 100×100 m field

[Figure: closer vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 17. Comparison in the case of “closer” in 1000×1000 m field
5 Detected-Ability Using “All-Sensor Field Intensity”

In this section, we present the results in the case of using “All-Sensor Field Intensity”. Figs 18 and 19 show the intensity by “exposure”. Figs 20 and 21 show the intensity by “closer”. The divisional size is 50×50 in every case.
[Figure: total intensity vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 18. Intensity by "exposure" in 100×100m field

[Figure: total intensity vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 19. Intensity by "exposure" in 1000×1000m field

[Figure: total intensity vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 20. Intensity by "closer" in 100×100m field

[Figure: total intensity vs. coverage (0.9 to 0.1) for random, straight and zigzag deployments]
Fig. 21. Intensity by "closer" in 1000×1000m field
6 Conclusion

In this work, we prepared three kinds of sensor deployments, Straight, Zigzag, and Random, and evaluated the detectability of each. The experimental evaluation was performed using several different measures. The results show little discrepancy among them in easily discoverable circumstances (smaller domain, many sensors, and large average traffic traversal distance), but show explicit superiority or inferiority in the opposite circumstances. In circumstances that are not easily discoverable, though the binary sensing model (that is, the simulation results) and the exposure of the general sensing model show nearly the same experimental results, “All-Sensor Field Intensity” by “closer” is closer to the simulation results. Zigzag is indeed the best sensor deployment. The new closer path shows results that differ from the simulation result. These experimental evaluations lead to the following conclusion: judging from the simulation result, the best deployment is Zigzag. In circumstances where every deployed sensor operates as a binary model, the best computational evaluation in place of the simulation experiment is “All-Sensor Field Intensity” by “closer”. The discussion of circumstances where every sensor operates as a general model is left to future work.
References

1. Liu, B., Towsley, D.: A study of the coverage of large-scale sensor networks. In: First IEEE International Conference on Mobile Ad-Hoc and Sensor Systems, pp. 475–483 (2004)
2. Wang, G., Cao, G., LaPorta, T., Zhang, W.: Sensor relocation in mobile sensor networks. IEEE INFOCOM 4, 2302–2312 (2005)
3. Meguerdichian, S., Koushanfar, F., Potkonjak, M., Srivastava, M.B.: Coverage problems in wireless ad-hoc sensor networks. IEEE INFOCOM 3, 1380–1387 (2001)
4. Xing, F., Lu, C., Zhang, Y., Huang, Q., Pless, R.: Minimum power configuration for wireless communication in sensor networks. ACM Trans. on Sensor Networks 3, 200–233 (2003)
5. Balasubramanian, S., Aksoy, D.: Adaptive energy-efficient registration and online scheduling for asymmetric wireless sensor networks. Computer Networks 51, 3427–3447 (2007)
6. Wang, G., Cao, G., Porta, T.L.: Movement-assisted sensor deployment. IEEE INFOCOM 4, 2469–2479 (2004)
7. Chakrabarty, K., Iyengar, S.S., Qi, H., Cho, E.: Grid coverage for surveillance and target location in distributed sensor networks. IEEE Trans. on Computers 51, 1448–1453 (2002)
8. Siqueira, I.G., Ruiz, L.B., Loureiro, A.A.F., Nogueira, J.M.: Coverage area management for wireless sensor networks. Int. J. Network Mgmt 17, 17–31 (2007)
9. Meguerdichian, S., Koushanfar, F., Qu, G., Potkonjak, M.: Exposure in wireless ad-hoc sensor networks. In: MOBICOM, pp. 139–150 (2001)
10. Clouqueur, T., Phipatanasuphorn, V., Ramanathan, P., Saluja, K.K.: Sensor deployment strategy for target detection. In: First ACM International Workshop on Wireless Sensor Networks and Application, pp. 42–48 (2002)
11. Zou, Y., Chakrabarty, K.: Sensor deployment and target localization based on virtual forces. IEEE INFOCOM 2, 1293–1303 (2003)
Performance Evaluation of Cost Effective Routing for Packet Transmissions in Mobile Ad Hoc Networks

Kentaro Kishida, Toshihiko Sasama, and Hiroshi Masuyama
Department of Information and Electronics, Tottori University, 680-8552 Tottori, Japan
{s042024,sasama,masuyama}@ike.tottori-u.ac.jp
Abstract. A mobile ad hoc network is a network of mobile nodes without any notion of centralized administration. In such a network, each mobile node behaves not only as a host which runs applications but also as a router that forwards packets on behalf of others. Clustering is one of the most important approaches to energy-efficient or cost-efficient communication. Clustering is an algorithm in which the network is divided into non-overlapping sub-networks, referred to as clusters, where every node of each sub-network is at most k hops from a distinguished station called the cluster-head (CH). A CH network expresses the connectivity relation among cluster-heads. A one-to-one route can be determined after flooding on the CH network. The methods of constructing the CH network are characterized by the amount of area they compute over: the largest for the 2k+1-hop method, the middle for the 2.5-hop method, and the smallest for the A-NCR method. The A-NCR method is the most cost effective for construction of the CH network because it uses the smallest computing area. Since a path found through the smallest computing area may be a longer routing path in the real network, this subsequently may lead to a higher running cost, which puts data transmission in real circumstances at a disadvantage. This paper evaluates how the running costs vary for the transmission of data on each routing path found by the above three methods. This paper also clarifies that the differences in order-of-time complexity among these three methods are within several times. Keywords: MANET, routing, packet transmission.
1 Introduction

A mobile ad hoc network (MANET) has properties which are fundamentally different from traditional wired networks regarding communication, mobility, and resource constraints. That makes the design of distributed algorithms much more complex than the design of traditional distributed systems. However, resource constraints, for example low bandwidth, limited power supply, or low processing capability, are one of the prominent features of mobile environments [1]. In addition, the mobility of MANET nodes is handled by an ad hoc routing protocol. These MANET nodes can be used in situations where it is costly to create a centralized infrastructure. Recently, the integration of MANET nodes into the Internet has been the focus of many research efforts in order to provide MANET nodes with Internet connectivity [2]. Organizing a network into a hierarchical structure may make management systems such as routing efficient. Clustering is a hierarchical structure, and as such is suitable for a relatively large number of nodes. Clustering is conducted by first selecting cluster-heads. Non-cluster-heads choose clusters to join and then become members. Though there are several kinds of clustering algorithms, we take the lowest ID algorithm [3], which is widely used. In this algorithm, a node that has the lowest ID among neighbors which have not joined any cluster will declare itself the cluster-head. Other nodes will select one of the neighboring cluster-heads to join and become members. This process is repeated until every node has joined a cluster. Fig. 1 shows an example of a network clustered by the lowest ID algorithm. In this paper, we will define, in the next section, three methods for the construction of a CH network in which clusters are connected. In Sec. 3, we will evaluate the cost performance of these CH networks with respect to the amount of packet transmissions.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 494–501, 2009. © Springer-Verlag Berlin Heidelberg 2009
Fig. 1. An example of a network clustered by the lowest ID algorithm (clusters; C1-C6 and C9)
2 Preliminary

Connectivity among cluster-heads is required for most applications such as message broadcasting. On the condition that the power supply is identical for all nodes, cluster-heads do not directly connect with other cluster-heads, which are at least 2 hops away. This means that cluster-heads should include a multi-hop packet relay design, that is, some non-cluster-heads should be selected as gateway nodes to perform message forwarding between cluster-heads. The distance between the cluster-heads of two neighboring clusters is 2 or 3 hops. There are three ways to define a cluster-head v’s neighbor cluster-head set C(v), which are as follows:

2.1 2k+1-Hop Coverage

One way is to select border nodes as gateways for connecting the cluster-heads. A border node is a member with neighbors in other clusters. Finding gateway nodes to connect all the cluster-heads within each other’s 3-hop neighborhood is another widely used method.
2.2 2.5-Hop Coverage

In [4], Wu and Lou developed the “2.5” hops coverage theorem. Each cluster-head covers all cluster-heads within 2 hops and some cluster-heads that are 3 hops away.

2.3 A-NCR

In [5], S. Yang et al. defined the adjacent-based neighbor cluster-head selection rule (A-NCR), which is an extension and generalization of the “2.5” hops covering theorem, used for neighbor cluster-head selection in the first phase. In A-NCR, a small set of neighbor cluster-heads (within 2k+1 hops) can be found by each cluster-head while ensuring the global connectivity of cluster-heads. At most, 2k+1-hop broadcasting is needed. The parameter k is tunable, and is usually 1. This is because in ad hoc networks the network topology changes frequently; therefore a small k may help to construct a combinatorially stable system, where the propagation of all topology updates is fast enough to reflect the topology change. Fig. 2 shows each CH network constructed based on the above 3 kinds of methods.
Fig. 2. Each CH network is constructed based on 3 different methods
Fig. 3. Structure of a route-searching packet
2.4 Routing

One-to-one communication is possible in CH networks. In one-to-one communication, the source node sends a request to the cluster-head of the cluster of which the source node is a member. In the CH network, the cluster-head broadcasts route-searching packets which contain the ID of the destination node. When the cluster-head whose own cluster contains the destination node receives the broadcast, it sends back a route-decision-acknowledgement packet to the source node along the route history. Thus, the source node is able to find the route.
3 Simulation Experiences and Results

In this section, we evaluate the cost performance of these CH networks with respect to the amount of packet transmissions. That is to say, we evaluate the running costs for transmitting data on each routing path as found by the above three methods.

3.1 Simulation Environment

For simulation purposes, we consider a 100×100 m square domain where 50–200 nodes are randomly distributed. We assume that all nodes are identical in broadcasting power, that is, each node has a 25 m transmitting range.

3.2 Packet Specification

We specify the following three kinds of packets: route-searching packet, route-decision-acknowledgement packet, and data packet. Route-searching packets are used by a cluster-head which broadcasts the initial routing for the CH network. This packet is based on UDP/IP [6], [7]; it has a sequence number, source address, destination address, hop-counting number, limited number of hops, route information for the adjacent cluster-head, and route history. Fig. 3 illustrates the structure of a route-searching packet. The sizes of the route information for the adjacent cluster-head and of the route history are decided by simulation results, which say that a size under 4×32 bits is enough. Route-decision-acknowledgement packets are based on TCP/IP [7], [8], and contain a sequence number, source address, destination address, and route information from the source address node to the destination address node. Fig. 4 shows the structure of a route-decision-acknowledgement packet. The size of the route information is decided by simulation results, which say that a size under 6×32 bits is enough. The data packet is based on TCP/IP. That is to say, the size is 1500 bytes, which is the MTU value in Ethernet.

Fig. 4. Structure of a route-decision-acknowledgement packet

3.3 Cost Computation

We evaluate the cost required for the route computation with the following equation:

Route computation cost = (the packet size of a route-searching packet) × (the total number of hops required in the routing decision) + (the packet size of a route-decision-acknowledgement packet) × (the total number of hops in the decided route).

On the other hand, we use the following formula for the evaluation of running costs:

Running cost = (the packet size of a data packet) × (the total number of hops in the decided route).

3.4 Simulation Results

We present the route-computation cost and running costs in Fig. 5 and Fig. 6, respectively. These illustrate how A-NCR requires the largest running costs. Fig. 7 shows the cost correlation. These data show that, for every number of nodes, the running cost decreases as the route-computation cost increases.

Fig. 5. Route-computation cost

Fig. 6. Running cost

Fig. 7. Correlation between route-computation costs and running costs
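The lowest-ID clustering of Section 1, a 2k+1-hop CH network of Section 2.1, the routing of Section 2.4 and the two cost formulas of Section 3.3, as an added worked example; this is not the authors' simulator. Assumptions beyond the paper: cluster-heads within 2k+1 hops of each other are CH-network neighbours with the hop distance as link weight, the route-search flood crosses every CH-network link once, the decided route follows the weighted shortest path over the CH network plus one hop at each end, and the sizes SEARCH_PACKET and ACK_PACKET are constructed (the paper fixes only the 1500-byte data packet and the 25 m range). The six-node chain is constructed input; it shows how a route found through the CH network can be longer than the direct path.

```python
import heapq
import math
from collections import deque

TX_RANGE = 25.0      # transmitting range of every node, as in the paper's simulation setup
DATA_PACKET = 1500   # data packet size in bytes (Ethernet MTU, as in the paper)
SEARCH_PACKET = 60   # assumption: size of a route-searching packet in bytes
ACK_PACKET = 52      # assumption: size of a route-decision-acknowledgement packet in bytes


def build_graph(nodes):
    """Unit-disk graph: two nodes are neighbours if they lie within TX_RANGE of each other."""
    adj = {v: set() for v in nodes}
    ids = list(nodes)
    for i, u in enumerate(ids):
        for v in ids[i + 1:]:
            if math.dist(nodes[u], nodes[v]) <= TX_RANGE:
                adj[u].add(v)
                adj[v].add(u)
    return adj


def lowest_id_clustering(adj):
    """Lowest-ID algorithm: a node with the lowest id among neighbours that have joined no
    cluster declares itself cluster-head and its unassigned neighbours join it. Sweeping the
    ids in increasing order realises exactly that rule. Returns {node: its cluster-head}."""
    head_of = {}
    for v in sorted(adj):
        if v in head_of:
            continue
        head_of[v] = v
        for u in adj[v]:
            head_of.setdefault(u, v)
    return head_of


def hop_distances(adj, src):
    """BFS hop count from src to every reachable node."""
    dist = {src: 0}
    q = deque([src])
    while q:
        u = q.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                q.append(v)
    return dist


def ch_network(adj, head_of, k=1):
    """2k+1-hop coverage (assumption): cluster-heads within 2k+1 hops are CH-network
    neighbours, relayed through gateway nodes; the link weight is their hop distance."""
    heads = sorted(set(head_of.values()))
    edges = {}
    for h in heads:
        d = hop_distances(adj, h)
        for g in heads:
            if g != h and 0 < d.get(g, math.inf) <= 2 * k + 1:
                edges.setdefault(h, {})[g] = d[g]
    return edges


def route_hops(edges, head_of, src, dst):
    """Hops of the decided route: src to its cluster-head, weighted shortest path over the
    CH network, then the destination's cluster-head to dst. None if unreachable."""
    s, t = head_of[src], head_of[dst]
    best = {s: 0}
    pq = [(0, s)]
    while pq:
        c, u = heapq.heappop(pq)
        if c > best[u]:
            continue
        for v, w in edges.get(u, {}).items():
            if c + w < best.get(v, math.inf):
                best[v] = c + w
                heapq.heappush(pq, (c + w, v))
    if t not in best:
        return None
    return best[t] + (src != s) + (dst != t)


def costs(edges, head_of, src, dst):
    """Section 3.3 formulas. Assumption: the search flood crosses every CH-network link once,
    so its hop total is the sum of all link weights."""
    search_hops = sum(w for u in edges for v, w in edges[u].items() if u < v)
    r = route_hops(edges, head_of, src, dst)
    if r is None:
        return None
    return {"route_hops": r,
            "route_computation": SEARCH_PACKET * search_hops + ACK_PACKET * r,
            "running": DATA_PACKET * r}


if __name__ == "__main__":
    # constructed topology: six nodes in a line 20 m apart, so only adjacent nodes hear each other
    line = {i: (20.0 * i, 0.0) for i in range(6)}
    adj = build_graph(line)
    head_of = lowest_id_clustering(adj)
    edges = ch_network(adj, head_of, k=1)
    print("cluster-heads:", sorted(set(head_of.values())), "CH network:", edges)
    print("route 1 -> 5:", costs(edges, head_of, 1, 5))
```

In the chain, node 1 reaches node 5 in four direct hops, but the route through the cluster-heads (1, 0, 1, 2, 3, 4, 5) is six hops, which is the kind of detour that makes the running cost of a cheaper route computation higher.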
4 Conclusions

In this paper, we evaluated the performance of three methods for the construction of a CH network with respect to the amount of packet transmissions. We demonstrated how the 2k+1-hop method, which computes over the largest network and creates the shortest routing path, performs the best after a certain amount of time passes. It was also made clear that the loss for obtaining this shorter routing path is only several times more complexity in terms of computing time. This result means that, under a realistic level of node mobility, the effort to reduce the computing area in order to construct a CH network is not effective for total power saving. We are currently interested in evaluating the performance of these three methods in cases where the propagation of all topology updates is not fast enough to effectively reflect the topology change.
References

1. Wu, W., Cao, J., Yang, J., Raynal, M.: Design and Performance Evaluation of Efficient Consensus Protocols for Mobile Ad Hoc Networks. IEEE Trans. Computers 56(8), 1055–1070 (2007)
2. Ammari, H., El-Rewini, H.: Performance Evaluation of Hybrid Environments with Mobile Gateways, pp. 152–157
3. Lin, C.R., Gerla, M.: Adaptive clustering for mobile wireless networks. IEEE Journal on Selected Areas in Communications 15(7), 1265–1275 (1997)
4. Wu, J., Lou, W.: Forward-node-set based broadcast in clustered mobile ad hoc networks. Wireless Communications and Mobile Computing 3(2), 141–154 (2003)
5. Yang, S., Wu, J., Cao, J.: Connected k-hop clustering in ad hoc networks. In: Proceedings of IEEE ICPP 2005, pp. 373–380 (2005)
6. Postel, J.: User datagram protocol, RFC 768 (1980)
7. Postel, J.: Internet protocol: DARPA internet program protocol specification. RFC 791 (1981)
8. Postel, J.: Transmission control protocol: DARPA internet program protocol specification, RFC 793 (1981)
Appendix Figures

The sizes of the route information for the adjacent cluster-head as well as of the passing history are decided by the following simulation results in Fig. 8, where the size is less than 4×32 bits. The size of the route information is also decided by the following simulation results in Fig. 9, where the size is less than 6×32 bits. Fig. 10 shows the total number of hops in the decided route, which is required for the calculation of route-computation costs and running costs. Fig. 11 shows the total number of hops in the decided route, which is required for the calculation of route-computation costs.
Fig. 8. Size of route in a searching packet
Fig. 9. Size of history in a route-search packet
Fig. 10. Total number of hops in the decided route
Fig. 11. Total number of hops until a route is decided
Energy Lesser Broadcasting Algorithms Using Adjustable Transmission Ranges in Mobile Ad Hoc Networks

Toshihiko Sasama, Yasuhiro Abe, and Hiroshi Masuyama
Course of Information and Electronics, Graduate School of Engineering, Tottori University, Tottori, Japan
{sasama,s022001,masuyama}@ike.tottori-u.ac.jp
Abstract. This paper discusses 2 approaches to communication algorithms, the 2-level clustering mesh approach and the 1-level flat mesh approach, and proposes the one of them for which the total amount of expended energy becomes smaller. Wu and Dai [1] previously proposed 2 approaches, the 2-level clustering approach and the 1-level flat approach. Their study [1] is based on the virtual backbone conception. Our 2 proposed approaches change the clustering performed in [1] into a mesh so that the energy consumption in broadcasting becomes smaller. Total energy is required not only in the broadcasting process but also in the construction process of a broadcasting tree. This is where our approaches become disadvantageous. In [2], we gave the static properties of our approaches. This paper gives the advantageous bound of mobile movement for the 1-level flat mesh approach through our simulation study in realistic situations where a certain percentage of the total mobiles move at random speeds. Keywords: MANET, broadcasting, clustering, mesh, simulation.
1 Introduction

Mobile ad hoc networks (MANET for short) consist of wireless mobile hosts that communicate without the need for any fixed infrastructure. Broadcasting is a process in which the same message is delivered to every node. One overhead in a MANET comes from this broadcasting, or blind flooding, which is the process used to determine a necessary route in ordinary one-to-one routing protocols in a MANET. Broadcasting or flooding may generate excessive redundant message derivation. This redundant message derivation causes not only the broadcast storm problem [3] but also serious redundant energy consumption. Two broadcast processes are explained in [2], one using the concept of a virtual backbone and the other without it. By way of the arrows in each graph, all one-to-one communications necessary to perform a broadcast from source node s are described. [2] shows that the broadcasting process using the concept of a virtual backbone requires fewer arrows, which means less energy consumption. Virtual Multicast Backbone (VMB) structures are commonly used in current multicast protocols. Instead of the conventional Steiner tree model, the optimal shared VMB in ad hoc networks is modeled as a Minimum Steiner Dominating Set in Unit-Disk Graphs [4], which is also NP-hard. Energy-efficient broadcasting has been widely studied. Several protocols have been proposed to manage energy consumption by adjusting transmission ranges. For a comprehensive survey on various aspects of broadcasting in MANET, refer to [5]. In this paper, we use the static and source-independent approach for CDS construction since it is more generic. It is also assumed that no location information is provided, as was similarly mentioned in [1].

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 502–511, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Preliminaries

Instead of a physical backbone infrastructure, a MANET can form a CDS, as mentioned before. Wu and Li [6] proposed the “marking process”, which is a self-pruning process to construct a CDS: each node is marked if it has two unconnected neighbors, otherwise it is unmarked. The marked nodes form a CDS, which can be further reduced by applying pruning rules [7]. Pruning rule k: a marked node can unmark itself if its neighbor set is covered by a set of connected nodes with higher priorities. The clustering approach is commonly used to offer scalability and is efficient in a dense network. Basically, the network is partitioned into a set of clusters, with one cluster-head in each cluster. Cluster-heads form a DS, which is a subset of nodes in the network such that every node is either in the subset or a neighbor of a node in the subset. No two cluster-heads are connected. Each cluster-head connects to all its members (non-cluster-heads) in at most k hops, which originates from the k-level clustering approach. The classical cluster formation works as stated in [1]:
(1) A node v is a cluster-head if it has the highest priority in its 1-hop neighborhood including v.
(2) A cluster-head and its neighbors form a cluster, and these nodes are covered.
(3) Repeat (1) and (2) on all uncovered nodes.
Two new approaches to construct a backbone will be proposed and discussed in this paper. These approaches originate from two approaches, 2-level clustering and 1-level flat. In the lower level of 2-level clustering, the network is covered by the set of cluster-heads under a short transmission range. In the upper level, all cluster-heads are covered by the set of marked cluster-heads under a long transmission range. Conversely, the 1-level flat approach constructs a flat backbone, where the network is directly covered by the set of marked cluster-heads having a long transmission range.
2.1 2-Level Clustering Approach As mentioned above, this approach uses different transmission ranges at different levels to connect not only non-cluster-heads and cluster-heads but also to connect cluster-heads where gateway nodes are required to make selections.
Marking process on cluster-heads and marked cluster-heads:
1. Select a node with the highest priority among nodes which belong to none of the cluster-heads and let it be a cluster-head. Every node in the cluster-head’s range of (1/3)r belongs to the cluster-head. In this case, the node priority can be defined based on node id.
2. Continue process 1 until every node is a cluster-head or belongs to one of the existing cluster-heads.
3. Each cluster-head uses a range of r for CDS construction: each cluster-head is marked if it has two unconnected neighbors, otherwise it is unmarked.
4. Each marked cluster-head uses a range of r for Pruning rule k: a marked cluster-head can unmark itself if its neighbor set is covered by a set of connected cluster-heads with higher priorities. In this case, the node priority can be defined based on node degree. If node degree is equal, node id is compared.
Broadcast process:
1. A source node uploads its own data to the cluster-head.
2. The cluster-head transfers the data to a marked cluster-head located within the range of r.
3. The marked cluster-head transfers the data to every cluster-head and marked cluster-head within the range of r.
4. Receiving marked cluster-heads change into transferors for the data if the data is new. Conversely, receiving cluster-heads transfer the broadcast data within their own range if the data is new.
5. Process 4 terminates when every node receives the data sent by the source.
Refer to [2] for a broadcasting process based on this approach.

2.2 1-Level Flat Approach

Though the two marking processes for cluster-heads and marked cluster-heads are the same as in the above approach, using a uniform transmission range can prevent redundant energy consumption.

Marking process on cluster-heads and marked cluster-heads:
1. Select a node with the highest priority among nodes which belong to no cluster-head and let it be a cluster-head. Every node in the cluster-head’s range of (1/4)r belongs to the cluster-head.
2. Continue process 1 until every node is a cluster-head or belongs to another cluster-head.
3. Each cluster-head uses a range of (3/4)r for CDS construction.
4. Each marked cluster-head uses a range of (3/4)r for Pruning rule k.
Broadcast process:
1. A source node uploads its own data directly to the marked cluster-head.
2. The marked cluster-head broadcasts the data to every node (other marked cluster-heads, cluster-heads, and nodes) located within its range of r.
3. The process terminates when every node receives the data sent by the source.
Refer to [2] for a broadcasting process based on this approach.
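The marking process and pruning rule k of Section 2 together with steps 1 to 4 of the marking processes of Sections 2.1 and 2.2, as an added worked example; it is not Wu and Dai's or the authors' code. Assumptions: a lower node id means higher priority when cluster-heads are selected; pruning rule k is evaluated for every marked node against the initial marked set with priority = (degree, then lower id), so the outcome does not depend on processing order; the radii are passed in as fractions of r so that the same function covers the 2-level clustering approach ((1/3)r, r) and the 1-level flat approach ((1/4)r, (3/4)r). The graphs and the six-node line are constructed inputs.

```python
import math
from collections import deque


def marking_process(adj):
    """Wu and Li marking process: a node is marked iff it has two neighbours that are not
    adjacent to each other. The marked nodes form a connected dominating set."""
    marked = set()
    for v, nb in adj.items():
        nbl = sorted(nb)
        if any(b not in adj[a] for i, a in enumerate(nbl) for b in nbl[i + 1:]):
            marked.add(v)
    return marked


def _components(adj, nodes):
    """Connected components of the subgraph induced by `nodes`."""
    left, comps = set(nodes), []
    while left:
        start = left.pop()
        comp, q = {start}, deque([start])
        while q:
            u = q.popleft()
            for w in adj[u]:
                if w in left:
                    left.remove(w)
                    comp.add(w)
                    q.append(w)
        comps.append(comp)
    return comps


def prune(adj, marked, priority):
    """Pruning rule k: a marked node v unmarks itself if N(v) is covered by a connected set of
    higher-priority marked neighbours. Assumption: every node is checked against the initial
    marked set, so the result is independent of processing order."""
    keep = set()
    for v in marked:
        higher = {u for u in adj[v] if u in marked and priority(u) > priority(v)}
        covered = any(adj[v] <= set().union(*({u} | adj[u] for u in comp))
                      for comp in _components(adj, higher))
        if not covered:
            keep.add(v)
    return keep


def cluster_heads(nodes, radius):
    """Steps 1-2 of the marking process on cluster-heads: repeatedly take the highest-priority
    node that belongs to no cluster-head (assumption: lower id = higher priority), make it a
    cluster-head and attach every unassigned node within `radius` of it."""
    head_of = {}
    for v in sorted(nodes):
        if v in head_of:
            continue
        head_of[v] = v
        for u in nodes:
            if u not in head_of and math.dist(nodes[u], nodes[v]) <= radius:
                head_of[u] = v
    return head_of


def backbone(nodes, r, cluster_frac, cds_frac):
    """Steps 3-4: cluster-heads within cds_frac*r of each other are neighbours; mark them and
    apply pruning rule k with priority = node degree, ties broken by the lower id.
    2-level clustering: (cluster_frac, cds_frac) = (1/3, 1); 1-level flat: (1/4, 3/4)."""
    head_of = cluster_heads(nodes, cluster_frac * r)
    heads = sorted(set(head_of.values()))
    adj = {h: {g for g in heads if g != h and math.dist(nodes[h], nodes[g]) <= cds_frac * r}
           for h in heads}
    marked = marking_process(adj)
    return head_of, marked, prune(adj, marked, lambda v: (len(adj[v]), -v))


if __name__ == "__main__":
    # constructed: three pairs of nodes 5 m apart, pairs 20 m apart, r = 24 m as in the paper
    line = {0: (0.0, 0.0), 1: (5.0, 0.0), 2: (20.0, 0.0), 3: (25.0, 0.0), 4: (40.0, 0.0), 5: (45.0, 0.0)}
    for name, fracs in (("2-level clustering", (1 / 3, 1.0)), ("1-level flat", (1 / 4, 3 / 4))):
        head_of, marked, kept = backbone(line, 24.0, *fracs)
        print(f"{name}: heads={sorted(set(head_of.values()))} marked={marked} after pruning={kept}")
```

Running the flat variant on the same line shows its failure mode: with the CDS range reduced to (3/4)r the cluster-heads are no longer within range of each other, so nothing is marked and no backbone forms, which is why the choice of radii in Sections 2.1 and 2.2 matters.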
3 2-Level Clustering Mesh Approach and 1-Level Flat Mesh Approach

A mesh-clustering protocol is introduced to the above two approaches. A given domain is divided into N×N lattices. In the following marking process, let R=r2 in the 2-level clustering mesh approach and let R=r1 in the 1-level flat mesh approach, where r1 and r2 are shown in Fig.1.
Fig. 1. Two ranges in 2-level clustering and 1-level flat mesh approaches. (△: cluster-head, □: marked cluster-head)
(a) 2-level clustering mesh approach
(b) 2-level clustering approach
Fig. 2. Marked and non-marked cluster-heads nominated based on two approaches. (△: cluster-head, ○: node; shaded part is a duplication of clusters)
Marking process on cluster-heads and marked cluster-heads:
1. Select the most central node in each lattice and let it be the cluster-head of the lattice, and let the randomly distributed nodes in the lattice be subordinate nodes of the cluster-head of the lattice.
2. Each cluster-head uses a range of r2 for CDS construction.
3. Each marked cluster-head uses a range of r2 for Pruning rule k.
Fig.2 (a) shows the marked cluster-heads and cluster-heads nominated by this process; for reference, Fig.2 (b) shows them under the previous 2-level clustering approach. Broadcast process: the 2-level and 1-level mesh approaches adopt the same broadcast processes as the 2-level clustering approach and the 1-level flat approach, respectively. Fig.3 (a) and (b) show a broadcasting process based on these approaches.
(a) 2-level clustering mesh approach; (b) 1-level flat mesh approach
Fig. 3. Examples of broadcast process based on two new approaches in a 3×3 domain. (●: source node, ○: node, △: cluster-head, □: marked cluster-head; circled by broken line: transmission range for upload; broken arrow: data upload; circled by straight line: transmission range for broadcast; straight arrow: data broadcast)
4 Simulation Experiences and Result
We adopt a commonly encountered model of a network where n homogeneous nodes are randomly thrown in a given region S, both uniformly and independently. If more than two neighbors of a node transmit simultaneously, the node is assumed to receive no message. The neighbors of a node are not permanent within a number of slots, because of the unstable network topology.

4.1 Simulation Experience
This section describes the input parameters and output measures for the evaluation of the volume of energy consumption in 4 kinds of clustering. For the purpose of our simulation, we consider a 100×100 square domain where 1000 nodes are randomly distributed. In the mesh approaches, we set the square domain divided into 2×2 (=N×N), 3×3, …, 9×9, and 10×10 lattices. We used the same value of r (=24m) as shown by Wu and Dai [1]. We also performed experimentation in the case where N is fixed as 3 but the total number of nodes is 100, 200, …, and 1000.
1) In [2], while every node is stable and has transmitting range r as 0.001r2 [8], we evaluated two kinds of energy consumption: the broadcasting energy and the total energy consumption including the construction process of the broadcasting tree.
2) We suppose that the advantageous bound for each approach differs with mobile speed, because the reconstruction frequency of each broadcasting tree differs depending on the speed of the mobiles. This reconstruction of each broadcasting tree must be performed when not every node can receive messages from the source node. Then, in this paper, we next evaluate the relationship between the reconstruction frequency of the broadcasting tree and the total energy consumption under the condition that 0%, 10%, …, 70% of the nodes move in S at a random speed between 1.0 and 1.5 m/second. The decision about whether a node will become a mobile node is made each time the time limit (set randomly between 60 and 300 seconds for each stable node) of a stable node expires, if the node is a stable node, or when a mobile node reaches its destination, if the node is a mobile node.

4.2 Results
Figs. 4, 6, 8, and 10 show the reconstruction frequency of the broadcasting tree in different transmission ranges of the marked cluster-head when 10%, 30%, 50%, 70% of the nodes move in S.
Figs. 5, 7, 9, and 11 show the total energy consumed in different transmission ranges of the marked cluster-head when 10%, 30%, 50%, 70% of the nodes move in S. Fig. 12(a), (b), (c), and (d) show the comparison between the 1-level flat and 1-level mesh approaches with respect to the reconstruction frequency of the broadcasting tree in different transmission ranges of the marked cluster-head when 10%, 20%, …, 70% of the nodes move in S. Fig. 13(a), (b), (c), and (d) show the comparison between the 1-level flat and 1-level mesh approaches with respect to total energy.
[Figs. 4 and 5: plots; series: 2-level clustering, 1-level flat, 2-level mesh, 1-level mesh; x-axis: Transmission ranges of marked cluster-head (20 to 120); y-axis: Reconstruction frequency (Fig. 4), Total energy consumption (Fig. 5)]
Fig. 4. Reconstruction frequency of broadcasting tree in different transmission ranges of marked cluster-head when 10% nodes move in S.
Fig. 5. Total energy consumed in different transmission ranges of marked cluster-head when 10% nodes move in S.
[Figs. 6 to 9: plots; series: 2-level clustering, 1-level flat, 2-level mesh, 1-level mesh; x-axis: Transmission ranges of marked cluster-head (20 to 120); y-axis: Reconstruction frequency (Figs. 6 and 8), Total energy consumption (Figs. 7 and 9)]
Fig. 6. Reconstruction frequency of broadcasting tree in different transmission ranges of marked cluster-head when 30% nodes move in S.
Fig. 7. Total energy consumed in different transmission ranges of marked cluster-head when 30% nodes move in S.
Fig. 8. Reconstruction frequency of broadcasting tree in different transmission ranges of marked cluster-head when 50% nodes move in S.
Fig. 9. Total energy consumed in different transmission ranges of marked cluster-head when 50% nodes move in S.
[Figs. 10 and 11: plots; series: 2-level clustering, 1-level flat, 2-level mesh, 1-level mesh; x-axis: Transmission ranges of marked cluster-head (20 to 120); y-axis: Reconstruction frequency (Fig. 10), Total energy consumption (Fig. 11)]
Fig. 10. Reconstruction frequency of broadcasting tree in different transmission ranges of marked cluster-head when 70% nodes move in S.
Fig. 11. Total energy consumed in different transmission ranges of marked cluster-head when 70% nodes move in S.
[Fig. 12: four plots, (a) 10%, (b) 30%, (c) 50%, (d) 70% nodes move in S; series: 1-level flat, 1-level mesh; x-axis: Transmission ranges of marked cluster-head (20 to 120); y-axis: Reconstruction frequency]
Fig. 12. Comparison between 1-level flat and 1-level mesh approaches with respect to reconstruction frequency of broadcasting tree in different transmission ranges of marked cluster-head when 10%, 30%, 50%, 70% nodes move in S.
[Fig. 13: four plots, (a) 10%, (b) 30%, (c) 50%, (d) 70% nodes move in S; series: 1-level flat, 1-level mesh; x-axis: Transmission ranges of marked cluster-head (20 to 120); y-axis: Total energy consumption]
Fig. 13. Comparison between 1-level flat and 1-level mesh approaches with respect to total energy.
5 Conclusion
Our two proposed approaches not only use the concept of a virtual backbone but also adopt a mesh into clustering so that less energy is consumed during the broadcasting process. The highest efficiency of the 1-level flat mesh approach is confirmed through our simulation study. However, the total energy covers not only the broadcasting process but also the construction process of the broadcasting tree. Our previous static simulation study showed that the existing methods are advantageous regarding total energy. A dynamic simulation study has now been performed. The advantageous bound of mobile movement for the 1-level flat mesh approach is confirmed through our simulation study in realistic situations where a certain percentage of the mobiles move at random speeds. For the reader's information, we add the following simulation result: in 1-level flat, a transmission range of 24m is optimal regarding the total process, though around 96m is optimal regarding only the broadcasting process, where the number of marked cluster-heads becomes 1.
References
1. Wu, J., Dai, F.: A distributed formation of a virtual backbone in MANETs using adjustable transmission ranges. In: ICDS 2004, pp. 372–379 (2004)
2. Sasama, T., Abe, Y., Masuyama, H.: A broadcasting algorithm using adjustable transmission ranges in mobile ad hoc networks. In: WEBIST, pp. 123–128 (2008)
3. Tseng, Y.C., Ni, S.Y., Chen, Y.S., Sheu, J.P.: The broadcast storm problem in a mobile ad hoc network. Wireless Networks 8(2–3), 153–167 (2002)
4. Ya-feng, W., Yin-long, X., Guo-liang, C., Kun, W.: On the construction of virtual multicast backbone for wireless ad hoc networks. In: Mobile Ad-hoc and Sensor Systems, pp. 294–303 (2004)
5. Stojmenovic, I., Wu, J.: Broadcasting and activity-scheduling in ad hoc networks. In: Ad Hoc Networking, pp. 205–229 (2004)
6. Wu, J., Li, H.: On calculating connected dominating set for efficient routing in ad hoc wireless networks. In: DialM, pp. 7–14 (1999)
7. Dai, F., Wu, J.: Distributed dominant pruning in ad hoc wireless networks. In: IEEE ICC, vol. 1, pp. 353–357 (2003)
A Multi-Path Routing Supported Scheduling Algorithm for Multi-Channel Single-Transceiver Wireless Mesh Networks
Chen Mei-Jhen and Yu Gwo-Jong
Aletheia University, Dept. Computer Science and Information Engineering, 251 32. Chen-Li. St, Tamsui, Taipei, Taiwan
[email protected]
Abstract. The scheduling of data transmission is a very important research issue in a wireless mesh network. However, the IEEE 802.16 standard does not provide any scheduling mechanism for a wireless mesh network. In this paper, a multi-path routing supported scheduling algorithm for multi-channel single-transceiver IEEE 802.16 mesh networks is proposed. Instead of using a fixed routing tree, the proposed scheduling algorithm gives a subscriber station (SS) the freedom to choose a neighboring SS in an elastic way such that parallel link transmission can be maximized. In order to raise the number of, the Multi-Channel Single-Transceiver model is adopted to maximize the data throughput and resolve the problems caused by secondary interference. To mitigate the traffic bottleneck near the BS, it is assumed that the BS is equipped with a multi-transceiver to avoid problems with the slow transmissions of the nodes neighboring the BS. According to the experimental results, the proposed scheduling algorithm has a higher number of parallel transmission links, lower packet delay, and is more efficient than the fixed routing tree scheduling algorithm.
Keywords: IEEE 802.16, Scheduling, Multi-channel, Mesh networks.
1 Introduction
IEEE 802.16 is a wireless metropolitan area network which operates on microwave and millimeter-wave frequencies. It adopts high-efficiency wireless transmission and processing techniques and has the properties of long-range transmission, high transmission speed, fast deployment, and lower development cost. IEEE 802.16 has two operation modes: Point-to-Multi-Point mode (PMP) and Mesh mode, as in Figure 1. In PMP mode, there is a base station (BS) and several subscriber stations (SS). The BS is responsible for data access of the entire network. To perform data transmission, an SS sends a request to the BS and waits for the BS to grant the request; then a connection is established. In mesh mode, the BS is a gateway node between the backhaul network and the mesh network. Mesh mode operation supports centralized and distributed scheduling [3]. When centralized scheduling is adopted, the BS decides all resource allocation for each connection; the BS manages and controls the bandwidth requests from SSs. On the contrary, in distributed scheduling a competitive mechanism is used to allocate time slots during the connection requests of SSs to the BS. The criteria of a good scheduling algorithm include: (1) increasing the throughput, (2) decreasing the scheduling time, and (3) reducing the packet delay. Although scheduling mechanisms are provided by IEEE 802.16, only the scheduling messages and the process of message exchange are defined; the detailed operations are not given. Many studies have been proposed to deal with the scheduling problem [1][4–6]. Most scheduling algorithms first establish a fixed routing tree and assign traffic to routes according to it, and the channel model is assumed to be single-channel. Even though a fixed routing tree can simplify route choices, it greatly limits the possible route choices and may cause congestion at the root node of the routing tree. Furthermore, in the single-channel model there are fewer simultaneously transmitting links. As a result, efficiency is not maximized. In order to resolve these problems, a centralized scheduling algorithm using multi-path routing is proposed to increase the utilization of network resources, to increase the choice of routing paths, and to decrease the load of the congested nodes in IEEE 802.16 mesh networks. The proposed algorithm uses a multi-channel model to exploit spatial reuse, to shorten the scheduling time, and to increase the total network throughput. The proposed algorithm also considers the quality of service (QoS) classes of SSs so that packet delays can be reduced. The rest of the paper is organized as follows. In Section 2, the scheduling process and the QoS service of IEEE 802.16 are described. Then the network model and assumptions are discussed in detail in Section 3. In Section 4, the scheduling algorithm is described in detail. Section 5 presents the simulation results. The conclusion of this paper is presented in the final section.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 512–521, 2009. © Springer-Verlag Berlin Heidelberg 2009
(a) Point-to-MultiPoint; (b) Mesh mode
Fig. 1. IEEE 802.16 mesh topology
2 IEEE 802.16 Mesh Networks
This section gives some background about centralized scheduling in IEEE 802.16. A brief description of mesh networks is first given, then the QoS classes and the related usage of control messages are discussed.

2.1 Mesh Networks
Essential components of mesh networks include the neighbor node, the neighborhood, and the extended neighborhood. If node x and node y can directly communicate with each other, node y is defined as a neighbor of node x. The set of all neighbors of node x forms the neighborhood of x, and all neighbors of the neighborhood are called the extended neighborhood. The extended neighborhood includes all nodes within two hops of node x. In a mesh network, every node has its own unique 48-bit address. This address is used for network entry and authorization, and also identifies the node. When a node joins the network, it needs authorization from the BS and waits to obtain a 16-bit node ID (node identifier) from the BS. The node ID is used to distinguish nodes. An 8-bit link ID (link identifier) is used by each node to identify its neighbors. Whenever a connection is established between a node and its neighbor, the connection is assigned a specific ID by the node. When other nodes in the neighborhood try to establish a link, a link ID can be used for the new connection. This link ID is used for identifying each node's grants and requests in distributed scheduling. In this paper, the link ID is used to identify nodes with different hop counts.

2.2 IEEE 802.16 QoS Classes
There are five categories of service flows defined in IEEE 802.16 [3]. Each of them has its own QoS requirement. The unsolicited grant service (UGS) is designed to support real-time data streams with fixed-size data packets. The real-time polling service (rtPS) is designed to support real-time data streams with variable-sized data packets. The extended rtPS (ertPS) combines the efficiency of UGS and rtPS; it is designed to support real-time service flows that generate variable-size data packets on a periodic basis. The non-real-time polling service (nrtPS) is designed to support delay-tolerant data streams consisting of variable-sized data packets. The best effort (BE) service is designed to support data streams without any service level requirement.
2.3 The Control Messages of Centralized Scheduling
There are two important control messages in the centralized scheduling mechanism of IEEE 802.16: the MSH-CSCF (Mesh Centralized Scheduling Configuration) message and the MSH-CSCH (Mesh Centralized Scheduling) message. MSH-CSCF is mainly used for broadcasting. The BS broadcasts this message to every SS in the network; it includes the Routing Tree and information about the entire network. MSH-CSCH is created by the BS. The BS broadcasts the message to the SSs in the network, and when SSs have requests, they send MSH-CSCH with their requests back to the BS. The BS gathers the messages from the entire network and then sends an MSH-CSCH message with grants and resource allocation information to the SSs according to the status of the network.
3 Network Architecture
In this section, we propose the structure of the network and the environmental assumptions. Then we describe Next-hop selection and channel allocation.
3.1 The Network Structure and Environmental Assumptions
We consider a BS serving several SSn (n = 1, 2, …, n) in stationary positions. The SSs use the OFDMA/TDD access mode of IEEE 802.16. The BS is in the center of the system; it grants to SSs, receives requests from them, and controls the mesh network. The SSs are spread out uniformly. An SS transmits its own data packets and neighboring SSs' data packets. Two SSs are connected when they are in transmission range of each other. All data packets from all the SSs are sent to the BS and then sent to the backbone network by the BS. Each SS has various service flows with unique QoS requirements. We assume the mesh network topology is G = (V, E). V is the set of nodes in the mesh network topology, n ∈ V. E is the set of links in the mesh network topology. Depending on the data transmission mechanism in wireless networks, data transmissions have two collision circumstances: Primary Interference and Secondary Interference [2]. Primary Interference occurs in one time slot of a scheduling process when a user does more than one thing; that is, a user can only receive or transmit in one time slot. Secondary Interference occurs when user X switches its position from a receiver to a transmitter while user X is still in range of user Y, which is also a transmitter; the transmission of user Y is therefore affected by user X.

3.2 Next-Hop Selection
By using a Multi-path Routing mechanism, we are able to increase the spatial reuse rate and the next-hop choices. We refer to the Multi-path Routing in [6] and make modifications. First, we use a hierarchical method. We use the hop count between the BS and the node as our standard; nodes with the same hop count belong to the same level. By doing so, nodes will not choose a next-hop with the same hop count; therefore, data transmission delay and resource waste are avoided. Let level(BS) = 0. The nodes one hop from the BS have level(n) = 1, the nodes two hops from the BS have level(n) = 2, and so on; the nodes i hops from the BS have level(n) = i. As a result, a node can only choose nodes with level(n) = i − 1 as its Next-hop (np). Node n must be in transmission range of node np and connected to node np:

$\mathrm{level}(n_p) = \mathrm{level}(n) - 1 \;\cap\; (n, n_p) \in E'$   (1)
For example, in figure 2, the BS is level 0, and nodes A, B, C are the first level. Nodes D, E, F are the second level, and nodes G, H, I, J are the third level. The connections between level i and level i − 1 are shown as solid lines, whereas the connections between nodes in the same level are shown as dotted lines. For the scheduling algorithm proposed in this paper, we only consider the solid lines. We suppose the hierarchical network is G′ = (V, E′), where E′ is the set of links in the hierarchical network: l = (vt, vr) ∈ E′.
Fig. 2. The Hierarchical Network
We use the amount of traffic demand (Ln) of all service flows in the node to choose the appropriate next-hop. The one with the lowest Traffic Demand is the next-hop. Consequently, the data that needed to be transmitted and the workload in the node are lower. Furthermore this avoids the concentration of data into one single node. If the nodes have the same value of Ln, we use the ID number of the node to decide the target.
$L_n = \sum_i D_{n,i}$   (2)
In (2), Dn,i is the traffic demand of the i'th service flow of SSn. As a result, the next-hop node is not the same in every time slot t; the next-hop is changed according to the status of every node in the network. By doing so, the workload of each node is lowered and the usage rate of the nodes is increased.

3.3 Channel Allocation
Only one channel can be used by a node in a time slot in a Multi-Channel Single-Transceiver system. If neighboring nodes need to transmit data to each other, they must switch to a common channel. Therefore, Primary Interference is obviously unavoidable. Data transmissions performed by nodes on different channels can avoid Secondary Interference. All data are transmitted to the BS and then to the backbone network; consequently, data flows in the end to the nodes near the BS, resulting in high workloads on those nodes. To solve this problem, we equip the BS with a Multi-Transceiver to reduce the transmission bottleneck, thus reducing the scheduling time. We treat channel allocation as a coloring problem. We define PI(l) as the set of links affected by primary interference of link l, and SI(l) as the set of links affected by secondary interference of link l. In figure 3, as an example, PI(E,B) and SI(E,B) of link(E,B) are {(B,BS), (E,C), (G,E), (H,E), (I,E)} and {(A,BS), (C,BS), (F,C), (D,A), (G,D), (I,F)} respectively. Furthermore, we use the hierarchical network shown in figure 2 as an example of channel allocation. First, we color link(A,BS) with color 1. Then we select one link that has secondary interference with it and give it color 2: these links are link(A,BS) and link(E,B), so we color link(E,B) with color 2. Then link(G,D) is also selected and colored with color 1. This continues until all links in the network are colored, and figure 3 is complete. The colors of the links are shown beside the nodes.
Fig. 3. Channel Allocation
4 The Proposed Scheduling Algorithm
This section introduces the symbols we use for variables and then the process of the scheduling algorithm.

4.1 Symbols for Variables
Below are the symbols:

Table 1. Symbols of Variables and Definition
Symbol     Definition
Ω          The set of QoS classes, Ω = {UGS, ertPS, rtPS, nrtPS, BE}.
Q(x)       The weight of QoS class x, x ∈ Ω.
Sn,i       The QoS class of the i'th service flow of SSn, Sn,i ∈ Ω.
Nn         The number of SSn's service flows.
Wn         The QoS weight of SSn.
(vt, vr)   The sender and receiver pair of a link.
LA         The set of colored links.
NA         The set of nodes in LA.
4.2 The Proposed Scheduling Algorithm
We propose a multi-path routing supported Scheduling Algorithm for Multi-Channel Single-Transceiver IEEE 802.16 mesh networks. The inputs of the algorithm are the mesh network topology G, the hierarchical network G′, the channels, and the bandwidth requests of the nodes in time slot t. The algorithm works according to the interference model, Next-hop selection, and channel allocation. First, Ln of each SS is calculated. This value varies and is updated with the time slot t. The links whose sender has data to send are the available links; they form the set of available links L. The senders of the available links are referred to as available nodes; they form the set of available nodes N. We select a node for priority data transmission, then find the suitable Next-hop node as the active node using the Next-hop Selection Algorithm. The process is repeated to find the available links, and then a channel is allocated to them. For every selected link, the Ln of the link's sender decreases by 1 and the Ln of the link's receiver increases by 1. When all nodes have an Ln of 0, the scheduling is done. S(t) records the set of links and nodes in time slot t. The detailed scheduling algorithm is shown in Figure 4.

Scheduling Algorithm:
Input: Mesh Network G = (V, E); Level Network G′ = (V, E′); Channel Set CHL
Output: Scheduling result S
    Initialize Ln of each node
    t ← 1
    while there exists any Ln > 0 for any SSn
        L ← φ
        N ← φ
        add all (vt, vr) to L if Lt > 0
        add vt to N if Lt > 0
        S(t) ← Next-hop Selection (L, N)
        adjust Ln for each node n in S(t)
        t ← t + 1
    end while
Fig. 4. The Proposed Scheduling Algorithm
The Next-hop Selection Algorithm is mainly for selecting simultaneously available links within the available link set and allocating a channel to them. The algorithm is shown in Figure 5. Assume that c channels can be used, without considering general losses. We use a coloring set CHL = [1, …, c] to indicate the channel numbers. The unselected links are in the set Lu, and the unselected nodes are in the set U. The color of link l is noted as c(l). Each time, a node is selected from set N depending on the Wn of the nodes; then the proper Next-hop is selected from the neighboring nodes for link l. Finally, nodes are selected consecutively by Wn until there are no nodes that can transmit simultaneously. We define Wn as follows:

$W_n = \dfrac{\sum_i \big( Q(S_{n,i}) \times D_{n,i} \big)}{N_n}$   (2)
If a neighboring node of the BS is selected, Primary Interference is not considered, since the BS has Multi-Transceiver equipment. As long as the data are transmitted using different channels, the data can be transmitted simultaneously.
Next-hop Selection (L, N)
Input: Mesh Network G = (V, E); Level Network G′ = (V, E′); available link set L; available node set N; Color set CHL = [1, n]
Output: Active link set LA ⊂ L; Active node set NA ⊂ N; Channel assignment c: LA → CHL
    Lu ← L
    U ← N
    while U ≠ φ
        s ← arg max_{n ∈ U} (Wn)
        add np to NG if level(np) = level(s) − 1 ∩ (n, np) ∈ E′
        p ← arg min_{np ∈ NG − NA} (L_np)
        l ← (s, p)
        S ← φ
        S ← S ∪ {c(vt, vr)} for all (vt, vr) ∈ SI(l) ∩ LA
        if level(p) = 0 and CHL − S ≠ φ and SI(BS) ∩ LA = φ
            LA ← LA ∪ {l}
            c(l) ← arg min_{i ∈ CHL − S} i
        else if PI(l) ∩ LA = φ and CHL − S ≠ φ
            LA ← LA ∪ {l}
            c(l) ← arg min_{i ∈ CHL − S} i
        end if
        U ← U − {s}
        Lu ← Lu − {l}
    end while
Fig. 5. Next-hop Selection Algorithm
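The level-based next-hop choice and interference-aware colouring of Sections 3.2 and 3.3, driven by the slot loop of Fig. 4 and the selection routine of Fig. 5, as an added Python example that is not the paper's code. It assumes the hierarchical links of Fig. 2 as the text lists them plus an assumed link (J, F), assumed same-level links used only by the interference model, a constructed demand table, tie-breaking by node ID, and that a relayed unit is booked as BE traffic at the receiver.

```python
from collections import deque

BS = "BS"
# Hierarchical links (sender, receiver) of the Fig. 2 network as the text lists them; (J, F) is assumed.
HIER_LINKS = [("A", BS), ("B", BS), ("C", BS), ("D", "A"), ("E", "B"), ("E", "C"), ("F", "C"),
              ("G", "D"), ("G", "E"), ("H", "E"), ("I", "E"), ("I", "F"), ("J", "F")]
# Same-level (dotted) links are not listed in the text: assumed here and used only by the interference model.
SAME_LEVEL = [("A", "B"), ("B", "C"), ("D", "E"), ("E", "F"), ("G", "H"), ("H", "I"), ("I", "J")]
# QoS weights Q(x) as used in Sec. 5 of the paper.
Q = {"UGS": 5, "ertPS": 4, "rtPS": 3, "nrtPS": 2, "BE": 1}
# Constructed demand table: SS -> {QoS class: units of traffic demand D_n,i}.
SAMPLE_DEMAND = {"A": {"UGS": 2}, "B": {"rtPS": 1}, "C": {"BE": 3}, "D": {"ertPS": 1},
                 "E": {"nrtPS": 2, "BE": 1}, "F": {"BE": 1}, "G": {"UGS": 1}, "H": {"BE": 2},
                 "I": {"rtPS": 1}, "J": {"BE": 1}}


def node_levels(links):
    """level(BS) = 0 and level(n) = hop count from the BS over the hierarchical links."""
    lvl, queue = {BS: 0}, deque([BS])
    while queue:
        v = queue.popleft()
        for s, r in links:
            if r == v and s not in lvl:
                lvl[s] = lvl[v] + 1
                queue.append(s)
    return lvl


def neighbors(links):
    """Undirected adjacency (who is in whose transmission range) built from a link list."""
    nb = {}
    for a, b in links:
        nb.setdefault(a, set()).add(b)
        nb.setdefault(b, set()).add(a)
    return nb


def primary(l, links):
    """PI(l): links sharing an endpoint with l (a single transceiver does one thing per slot)."""
    return {m for m in links if m != l and set(m) & set(l)}


def secondary(l, links, nb):
    """SI(l): other links whose sender is in range of l's receiver or whose receiver is in range of l's sender."""
    vt, vr = l
    return {(u, v) for (u, v) in links
            if (u, v) != l and not {u, v} & {vt, vr} and (u in nb[vr] or v in nb[vt])}


def next_hop_selection(N, lvl, nb, demand, nflows, channels, hier):
    """Fig. 5: serve nodes in decreasing W_n, route each to its least-loaded parent, colour the link."""
    W = {n: sum(Q[c] * d for c, d in demand[n].items()) / nflows[n] for n in N}   # W_n of Sec. 4.2
    Ln = {n: sum(d.values()) for n, d in demand.items()}                           # L_n of eq. (2)
    LA, NA, colour, U = set(), set(), {}, set(N)
    while U:
        s = max(U, key=lambda n: (W[n], n))          # arg max W_n; ties broken by node ID (assumed)
        U.discard(s)
        # candidate next hops: one level closer to the BS and linked in E' (eq. (1)), not yet active
        parents = [p for p in nb[s] if lvl[p] == lvl[s] - 1 and (s, p) in hier and p not in NA]
        if not parents:
            continue
        p = min(parents, key=lambda n: (Ln[n], n))   # lowest traffic demand L_n, ties by node ID
        l = (s, p)
        S = {colour[m] for m in secondary(l, hier, nb) & LA}   # colours blocked by secondary interference
        free = sorted(set(channels) - S)
        # the BS has a multi-transceiver, so active links that only share the BS as receiver do not conflict
        pi = {m for m in primary(l, hier) & LA if not (p == BS and m[1] == BS)}
        if free and not pi:
            LA.add(l)
            NA.add(p)
            colour[l] = free[0]                      # arg min of CHL - S
    return colour                                    # link -> channel, i.e. S(t)


def schedule(demand, channels, hier=HIER_LINKS, same=SAME_LEVEL):
    """Fig. 4: run slots until every SS has L_n = 0; returns the per-slot channel assignments."""
    lvl, nb = node_levels(hier), neighbors(hier + same)
    demand = {n: dict(d) for n, d in demand.items()}
    demand.setdefault(BS, {})
    nflows = {n: max(1, len(d)) for n, d in demand.items()}   # N_n, fixed from the initial flows
    slots = []
    while True:
        N = [n for n in demand if n != BS and sum(demand[n].values()) > 0]
        if not N:
            return slots
        colour = next_hop_selection(N, lvl, nb, demand, nflows, channels, hier)
        for s, p in colour:
            # forward one unit of the sender's highest-weight flow; at the receiver it is booked as BE (assumption)
            c = max((c for c, d in demand[s].items() if d > 0), key=lambda c: Q[c])
            demand[s][c] -= 1
            if p != BS:
                demand[p]["BE"] = demand[p].get("BE", 0) + 1
        slots.append(colour)


if __name__ == "__main__":
    for t, slot in enumerate(schedule(SAMPLE_DEMAND, [1, 2, 3]), 1):
        print(f"slot {t}: " + ", ".join(f"{s}->{r} ch{ch}" for (s, r), ch in sorted(slot.items())))
```

With three channels the three level-1 nodes can all reach the BS in one slot on distinct channels, which is exactly the multi-transceiver relief at the BS that the text describes.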
5 Performance Evaluation
In the simulation experiment, there are a BS and several SSs in a 1000×1000 square area. The network topology is shown in figure 2. All nodes are assumed to have the same transmission range. When two SSs are within each other's transmission range, a link exists between them. The BS is equipped with a multi-transceiver and the SSs only with a single transceiver. There are five QoS service classes in each SS, and each service class has one service flow. The QoS weights are 5, 4, 3, 2, 1. The proposed algorithm is compared with the algorithm of [4], which only considers multi-channel. The simulation result is shown in figure 6. The proposed algorithm performs better than the multi-channel algorithm.
[Fig. 6: plot; series: the proposed algorithm, multi-channel; x-axis: number of node (10 to 100); y-axis: scheduling time (slot)]
Fig. 6. The scheduling time
6 Conclusion
We proposed a multi-path routing supported scheduling algorithm for Multi-Channel Single-Transceiver IEEE 802.16 mesh networks. The hierarchical network is used for selecting Next-hop nodes, increasing the transmission routes of nodes, and reducing the workload of certain nodes. Multi-Channel is also used to decrease the chance of Secondary Interference and to increase the number of nodes that can transmit simultaneously. Moreover, by setting up a Multi-Transceiver in the BS, the bottleneck problem at the nodes near the BS is avoided. According to the results of the experiments and simulations, our algorithm is more efficient than algorithms using a single channel and those with fixed routing structures. By using the Multi-Channel Single-Transceiver method, system performance is increased, packet delay is decreased, and scheduling time is decreased as well.
Acknowledgement
The authors would like to thank the National Science Council in Taiwan for its financial support under project number NSC-97-2221-E-156-002.
References
1. Han, B., Jia, W., Lin, L.: Performance evaluation of scheduling in IEEE 802.16 based wireless mesh networks. Computer Communications 30(4), 782–792 (2007)
2. Akyildiz, I.F., Wang, X., Wang, W.: Wireless Mesh Networks: a survey. Computer Networks 47(4), 445–487 (2005)
3. IEEE 802.16-2004: IEEE Standard for Local and Metropolitan Area Networks Part 16: Air Interface for Fixed Broadband Wireless Access Systems (2004)
4. Du, P., Jia, W., Huang, L., Lu, W.: Centralized Scheduling and Channel Assignment in Multi-Channel Single-Transceiver WiMax Mesh Network. In: Proc. of IEEE Wireless Communications and Networking Conference, pp. 1734–1739 (2007)
5. Ramanathan, S., Lloyd, E.L.: Scheduling Algorithms for Multihop Radio Networks. IEEE/ACM Transactions on Networking 1(2), 166–177 (1993)
6. Cao, Y., Liu, Z., Yang, Y.: A Centralized Scheduling Algorithm based on Multi-path Routing in WiMAX Mesh Network. In: Proc. of International Conference on Wireless Communications, Networking and Mobile Computing, pp. 1–4 (2006)
Predictive Scheme for Location Service in Mobile Ad-Hoc Networks
Ebtisam Amar¹, Selma Boumerdassi², and Éric Renault³
¹ University of Pierre and Marie Curie, Paris, France, [email protected]
² CNAM — CEDRIC, Paris, France, [email protected]
³ Institut Télécom — Télécom SudParis, Évry, France, [email protected]
Abstract. Position-based routing protocols take advantage of location information to perform stateless and efficient routing. To enable position-based routing, a node must be able to discover the location of a message's destination node. This task is typically accomplished by a location service. Recently, several location service protocols have been developed for ad hoc networks. In this paper we propose a novel location service called PHLS: Predictive Hierarchical Location Service. In PHLS, the entire network is partitioned into a hierarchy of smaller and smaller regions. For each node, one node in each level region of the hierarchy is chosen as its local location server. When the network initializes or when a node joins the network, nodes contact their local location server with their current location information (i.e. position and velocity). Then, they only need to update their location server when they move away from their current region. Finally, nodes query their location servers and get the exact or predicted location of destination nodes.
1 Introduction
A mobile ad-hoc network (MANET) is a self-organizing and self-configuring multi-hop wireless network, where the network structure changes dynamically due to node mobility. In such a network, each node operates not only as a host, but also as a router, forwarding packets for other mobile nodes. One of the biggest challenges in MANETs is the design of scalable routing protocols. As of today, existing routing protocols are either based on topology or on location.

Topology-based routing protocols assume no knowledge of the mobile nodes’ positions. Proactive protocols such as DSDV [1], reactive protocols like DSR [2] and AODV [3], and hybrid protocols such as ZRP [4] are typically based on topology. They rely on discovering and maintaining global state to route packets. As a result, their scalability is limited.

Position-based routing protocols [5, 6] have been proposed to address the scalability problem associated with early ad-hoc routing protocols. They use nodes’ location information, available from positioning systems such as the Global Positioning System (GPS), to forward packets. Since only local information (neighbours’ locations) is used for global routing, position-based routing protocols can potentially scale to a larger number of nodes than topology-based routing protocols. However, with a position-based routing protocol, the source node needs to retrieve the location of the destination node before sending a packet. Therefore, one of the main challenges in position-based routing has been the design of location services that track the location of mobile nodes and reply to location queries efficiently. This paper proposes a novel hierarchical location service whose main enhancement over other solutions is the use of prediction information for mobile nodes.

The rest of the paper is organized as follows. The next section gives a brief description of existing location services. Then, Sec. 3 presents our location service, and a qualitative comparison with two pre-existing location services is provided in Sec. 4. The next section evaluates the performance of our proposal. Finally, Sec. 5 concludes the paper and points out some future research issues.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 522–531, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Related Work
There is a growing body of work that uses location information for routing in MANETs, and numerous protocols for location services [7,8,9,10,11,12,13,14,15,16,17,18,19] have been proposed to solve location tracking. [20] provides a recent survey and presents a qualitative comparison of different location services found in the MANET literature, while [21,22] provide a realistic, quantitative analysis comparing the performance of some location services. Location services can be divided into several categories: hierarchical or flat, depending on whether a hierarchy of recursively defined subareas is used; with or without prediction; etc. The following focuses on the presentation of HLS and PLS, two location services that help to introduce our work in the next section.

2.1 Hierarchical Location Service
Hierarchical Location Service (HLS) [14] partitions the area containing the ad-hoc network into cells and regions, this partition being known by all participating nodes. Cells group nodes at the lowest level, and it is assumed that all nodes in a given cell can directly communicate with all the other nodes in the same cell. Then, cells are grouped into regions, which are grouped into larger regions, thus creating the hierarchy. Regions composed of cells are level-one regions, regions composed of level-one regions are level-two regions, and so on. Regions at the same level do not intersect, i.e. each cell is part of one and only one level-one region and each level-n region is a member of exactly one level-(n + 1) region. For a given node, one specific cell is selected for each level of the hierarchy by means of a hash function. As the node changes its position, it transmits position updates to these responsible cells. If another node wants to find the position of the node, it uses the same hash function to determine the cells that may hold the position information of the node. It then queries the nodes in these cells in hierarchy order until it receives a reply containing the current position of the node.

2.2 Predictive Location Service
Predictive Location Service (PLS) [15] is a flat location service that acts according to the following two design guidelines: i) prediction, i.e. saved information is used to estimate the mobile node’s current location, and ii) adaptability, i.e. several parameters adapt to the mobile node’s speed. In PLS, location information is periodically shared among neighbors, and a mobile node floods the network if the required location information is not found in its location table. A mobile node’s previous state (both location and velocity) is used to predict the mobile node’s current state. Regularly, a mobile node sends a Location Packet (LP) to all of its 1-hop neighbors, i.e. the mobile node transmits a broadcast packet with time-to-live (TTL) set to one. Each LP contains the current location information (both coordinates and velocity of the node) of the source mobile node plus location information about other mobile nodes that is stored in the source mobile node’s location table. Every time a mobile node receives an LP, it updates its location table by comparing its own table to the location information in the LP. Location entries older than a specific amount of time are considered too old and are deleted from the location table. When a location query is received by a mobile node and there is an entry for the searched mobile node in the queried mobile node’s location table, the queried mobile node predicts the location of the searched mobile node using the previously saved location and velocity of the searched mobile node.
3 Predictive-Hierarchical Location Service
As hierarchical location service protocols scale better than flat location service protocols, we expect to enhance the answer to location requests by introducing prediction into hierarchical location services. In this way, we propose a novel algorithm, Predictive Hierarchical Location Service (PHLS), which combines a hierarchy, to achieve scalability, with prediction, to enhance performance. As presented above for HLS, PHLS divides the communication area into cells that are grouped into regions, regions of regions, etc. Moreover, the behaviour of nodes in PHLS when the network initializes or when nodes join the network remains the same. In the following, we assume each node has a unique ID and is aware of its own position through the support of GPS or any other positioning technique.

3.1 Area Division
The PHLS partition must be known to all participating nodes. The shape and size of the regions can be chosen arbitrarily according to the properties of the network. Nodes in a given lowest-level region must be able to send packets to all other nodes in the same region; this can be achieved by choosing an appropriate region size, such that the distance between any two nodes in the smallest region is smaller than the radio range. These regions are grouped hierarchically into regions of different levels, where the top level forms the whole network.

3.2 Location Servers Selection
We assume that the density of location servers is one server in each level-n region of the network. Once the network is initialized and the partition is done, each node needs to designate some nodes, namely its location servers, and update them with its location. A hash function is used to map the node’s ID to the set of locations of its location servers. A node T selects one location server at each level n of the hierarchy according to the simple, modulo-based hash function H(T, n) = ID(T) mod ||S(T, n)||, where S(T, n) is the set of nodes in the level-n region that contains T.
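The area division of Sect. 3.1 and the modulo-based server selection above, written out as an added example; this is not code from the paper, whose authors describe no implementation. It assumes a square grid in which a cell is the level-0 region and each level-(n + 1) region groups 2×2 level-n regions, and it assumes that S(T, n) is ordered by node ID so that every node holding the same membership view resolves H(T, n) to the same server; the cell size, node IDs and positions are constructed. The last function checks whether a previously chosen server has left the region, the situation treated in the next subsection.

```python
"""Added example (not from the paper): hierarchical area division and
modulo-based location-server selection as described for PHLS.

Assumptions (not stated on the page): square grid, cell = level-0 region,
each level-(n+1) region is a 2x2 group of level-n regions, and S(T, n) is
sorted by node ID so that all participants compute the same index.
"""
from dataclasses import dataclass

CELL_SIZE = 100.0  # metres; assumed small enough that any two nodes in a cell are in radio range


@dataclass(frozen=True)
class Node:
    node_id: int
    x: float
    y: float


def region_of(node, level, cell_size=CELL_SIZE):
    """(column, row) index of the level-`level` region containing `node`.
    A level-n region is 2**n cells wide, so coordinates are divided by that width."""
    size = cell_size * (2 ** level)
    return (int(node.x // size), int(node.y // size))


def region_members(target, level, nodes, cell_size=CELL_SIZE):
    """S(T, n): the nodes located in the level-n region that contains T."""
    want = region_of(target, level, cell_size)
    return [n for n in nodes if region_of(n, level, cell_size) == want]


def select_location_server(target, level, nodes, cell_size=CELL_SIZE):
    """H(T, n) = ID(T) mod ||S(T, n)|| picks one member of S(T, n) as T's level-n server.
    Members are sorted by ID (assumption) so the index names the same node everywhere."""
    members = sorted(region_members(target, level, nodes, cell_size), key=lambda n: n.node_id)
    if not members:
        raise ValueError("region is empty; no location server can be chosen")
    return members[target.node_id % len(members)]


def select_all_servers(target, nodes, top_level, cell_size=CELL_SIZE):
    """One server per level, from the cell (level 0) up to the whole network (top_level)."""
    return {lvl: select_location_server(target, lvl, nodes, cell_size) for lvl in range(top_level + 1)}


def server_still_in_region(target, server, level, nodes, cell_size=CELL_SIZE):
    """Sect. 3.3 check: is the previously chosen server still inside T's level-n region?
    Compared by node ID, since the server's stored position may have changed."""
    return any(n.node_id == server.node_id for n in region_members(target, level, nodes, cell_size))


# Constructed sample topology: 400 m x 400 m area, 4x4 cells, level 2 is the whole area.
NODES = [
    Node(1, 20.0, 30.0), Node(2, 80.0, 50.0), Node(3, 150.0, 40.0), Node(4, 250.0, 60.0),
    Node(5, 30.0, 150.0), Node(6, 350.0, 350.0), Node(7, 120.0, 330.0), Node(8, 60.0, 70.0),
]

if __name__ == "__main__":
    t = NODES[4]  # node 5
    for lvl, srv in select_all_servers(t, NODES, top_level=2).items():
        print(f"level {lvl}: region {region_of(t, lvl)} -> server node {srv.node_id}")
```

Because ||S(T, n)|| changes whenever a node enters or leaves the region, the modulo mapping shifts for every node in that region, which is why the paper has to address server mobility separately rather than relying on the hash alone.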
3.3 Mobility of Location Server
Due to the mobility of location servers, the location server L of node T may no longer be its location server once L moves away from its region. This can be solved in two ways: 1) L is responsible for finding a new location server for T in that region according to the selection algorithm above, and moves the location information of T to the new server; 2) L simply discards the location information of T. Each time T updates its location, it may check whether the original location server is still in the region. If it is, T updates this server with its new location information. Otherwise, T chooses a new server using the location server selection algorithm described previously.

3.4 Location Update
When a node leaves its region, it is expected to update its local location server with its most recent location information (location and velocity).

3.5 Location Request
When node S needs to contact node T, the position of T must be known to S, so the request needs to be routed to a location server of T. Node S contacts its local location server and queries the location of T. If the server knows the real location, it replies with it; otherwise it passes the request, together with a predicted location (calculated according to the prediction algorithm described in the next section), to the location server at the next upper level, which broadcasts the request to the location servers at the next lower level. With this mechanism the request is forwarded from location server to location server until the real location of T is found or the highest-level location server has been reached, in which case a predicted location is returned back down the tree. To avoid the problem of expired predicted information, we attach a timestamp to each calculated predicted location, and the most recent one is chosen.

3.6 Prediction Method
To study the performance of PHLS we use two prediction methods.

Predictive velocity-based prediction, used in PHLS1. This method is based on the formula

\text{predicted location} = \text{location}_{record} + v \times (t_{now} - t_{record})

where location_record is the previously stored location of the mobile node, v is the velocity of the node, t_now is the current time, and t_record is the time when the previous location information was stored.

Moving-average velocity prediction, used in PHLS2. This second method is based on the following formula [23,24]:

v_{av}(n) = \alpha\, v_{av}(n-1) + (1 - \alpha)\, v_{rec}(n)

where v_av is the average velocity, v_rec is the most recent velocity, and α is the filter gain constant that weights the node’s previous updates, with 0 ≤ α ≤ 1. The lower the value of α, the higher the contribution of the current velocity to the average velocity. At α = 0, the average velocity is given by the last updated velocity only (as in the predictive velocity-based model). The location server uses the calculated predicted velocity to predict the node’s current location.
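The two prediction methods above, the timestamp rule of Sect. 3.5 and the location-error metric used later in the evaluation, as an added example in Python; this is not the authors’ code. It assumes 2-D positions in metres and velocities in m/s, a location record that stores position, velocity and the time it was stored, and that the moving-average filter is seeded with the oldest stored velocity; the movement history of the sample node is constructed.

```python
"""Added example (not from the paper): the PHLS1 and PHLS2 prediction
formulas, the 'most recent prediction wins' rule, and the location error.

Assumptions: 2-D positions (m) and velocities (m/s); a record holds the
position, velocity and storage time; the PHLS2 filter is seeded with the
oldest stored velocity.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LocationRecord:
    x: float
    y: float
    vx: float
    vy: float
    t_record: float  # seconds; time when this record was stored at the server


def predict_velocity_based(rec, t_now):
    """PHLS1: predicted_location = location_record + v * (t_now - t_record)."""
    dt = t_now - rec.t_record
    return (rec.x + rec.vx * dt, rec.y + rec.vy * dt)


def moving_average_velocity(v_prev_avg, v_recent, alpha):
    """PHLS2 filter step: v_av(n) = alpha * v_av(n-1) + (1 - alpha) * v_rec(n), 0 <= alpha <= 1.
    With alpha = 0 the result is the latest velocity, i.e. the PHLS1 model."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must be in [0, 1]")
    return tuple(alpha * a + (1.0 - alpha) * r for a, r in zip(v_prev_avg, v_recent))


def predict_moving_average(records, alpha, t_now):
    """PHLS2: run the filter over the stored velocity history (oldest first), then
    extrapolate from the most recent record using the averaged velocity."""
    if not records:
        raise ValueError("no location records")
    v_av = (records[0].vx, records[0].vy)  # seed (assumption): oldest velocity
    for rec in records[1:]:
        v_av = moving_average_velocity(v_av, (rec.vx, rec.vy), alpha)
    last = records[-1]
    dt = t_now - last.t_record
    return (last.x + v_av[0] * dt, last.y + v_av[1] * dt)


def freshest(predictions):
    """Sect. 3.5: predictions returned by several servers are each tagged with the time
    of the record they were computed from; the most recent wins. Input: [(t_record, (x, y))]."""
    return max(predictions, key=lambda p: p[0])[1]


def location_error(actual, predicted):
    """Location error in metres: Euclidean distance between the actual position and the
    one reported by the location service (averaged over queries in the evaluation)."""
    return math.hypot(actual[0] - predicted[0], actual[1] - predicted[1])


# Constructed history of node T: moving east at 10 m/s, then slowing to 4 m/s.
HISTORY = [
    LocationRecord(0.0, 0.0, 10.0, 0.0, t_record=0.0),
    LocationRecord(100.0, 0.0, 10.0, 0.0, t_record=10.0),
    LocationRecord(160.0, 0.0, 4.0, 0.0, t_record=20.0),
]

if __name__ == "__main__":
    actual_at_30 = (200.0, 0.0)  # constructed ground truth: T kept moving at 4 m/s
    p1 = predict_velocity_based(HISTORY[-1], 30.0)
    p2 = predict_moving_average(HISTORY, alpha=0.5, t_now=30.0)
    print("PHLS1:", p1, "error", location_error(actual_at_30, p1))
    print("PHLS2:", p2, "error", location_error(actual_at_30, p2))
```

In this constructed history the node decelerated, so the averaged velocity lags the true one and PHLS2 overshoots while PHLS1 is exact; the filter pays off when the latest velocity sample is the noisy one, which is the trade-off α controls.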
4 Comparison
Table 1 summarizes the location services discussed above. Type indicates whether the network area is recursively divided into a hierarchy of smaller and smaller grids. Some location services provide Localized Information (LI) by maintaining a higher density or better quality of position information near the position of the node; this may be important if communication in the ad hoc network is mainly local. The Robustness of a location service is considered low, medium or high depending on whether the failure of a single node, the failure of a small subset of all nodes, or the failure of all nodes is required to render the position of a given node inaccessible. The Implementation Complexity (IC) describes how well the location service is understood and how complex it is to implement and test. Location Server Identification (LSI): if the location service uses location servers, these servers can be identified either by their node id (id-based LSI) or by their actual position (position-based LSI). Most location services using Area Division also use a hierarchical structure, where the hierarchies are based on dividing the area into different regions and using sets of these regions to form regions of a higher level. The Update and Request Strategy describes the method used by a location service to find location servers; the strategies can be flooding, geocast, unicast or treewalk (with treewalk, the update and request packets are forwarded according to the tree-like structure of the hierarchy, following e.g. a branch from a leaf to the root).

Table 1. Comparison of studied location services

Criterion        | PLS      | HLS            | PHLS1,2
Type             | Flat     | Hierarchical   | Hierarchical
LI               | No       | Yes            | Yes
Robustness       | High     | Medium         | High
IC               | Low      | Medium         | Medium
LSI              |          | Position-based | Position-based
Area Division    | No       | Yes            | Yes
Update Strategy  | Flooding | Geocast        | Unicast
Request Strategy | Flooding | Treewalk       | Treewalk
5 Evaluation
We have implemented PHLS1 and PHLS2 and compared them to the HLS protocol. All of our simulations were conducted without any data traffic on the network, so that queries are sent out instead of data. Greedy forwarding was used as the routing protocol. The simulated area is 1000 m × 1000 m. The transmission range is set to 250 m. The modified random direction mobility model [25] was used, where a node arbitrarily chooses a speed, a time and a direction and moves in that direction until the chosen time period has expired. The node then pauses for a time, after which new values for these parameters are selected. If the node hits the border of the simulation area, it bounces back according to the physical law of reflection. The pause time is set to 10 seconds.

5.1 Impact of Mobility
In this scenario we study the impact of mobility on the evaluated protocols in terms of the query success rate and the accuracy of location prediction, as well as the bandwidth consumed by each location service. We fix the number of nodes to 300 while changing the maximum node speed to 10, 30 and 50 m/s. The nodes select their moving speed from the intervals [0,10], [0,30] and [0,50] m/s and pause for a maximum of 10 s between changing directions.
Fig. 1. Query success rate
Query Success Rate: the percentage of queries that are successfully resolved by the location servers. As shown in Fig. 1, the success rate decreases as speed increases. We observe that PHLS2 provides the highest percentage of location requests answered, and PHLS1 outperforms HLS. For HLS, the decrease in the success rate at higher speed can be attributed to query failures when a node moves far away from its previous location, rendering the location stored in the location servers invalid. For PHLS1 and PHLS2, the decrease in success rate can be related to the fact that the nodes change direction in smaller intervals of time and our implemented velocity prediction schemes do not consider the direction of node movement.

Prediction accuracy (Average Location Error): the absolute difference between the actual and reported (as stored in HLS or predicted in PHLS) location of the node, measured in meters. As Fig. 2 shows, PHLS2 predicts a more accurate location than PHLS1, and outperforms HLS. Location errors in HLS can occur due to stale locations stored in location servers, especially in a high-mobility environment.
Fig. 2. The average location error
5.2 Impact of Node Density
We now study the impact of varying the node density on the performance of the HLS and PHLS protocols. We are interested in how many nodes have to participate in HLS and PHLS for them to succeed. We fixed the speed at 10 m/s while varying the number of nodes between 100 and 400. Fig. 3 shows the query success rate for the evaluated protocols. The success rate increases with node density; the query failures in the low-density scenario could be due to route failures with the simple greedy forwarding routing used. HLS achieves a lower success rate than PHLS due to empty cells, which cause lost updates and render the location information in the location servers invalid.
Fig. 3. The impact of node density on the query success rate
6 Conclusion and Future Works
In this paper, we presented the Predictive Hierarchical Location Service (PHLS). PHLS uses a hierarchy of regions to achieve scalability, and predicts the requested location when the exact location is unknown by utilizing previous location information (location and velocity). By combining the hierarchical structure with prediction, flooding is avoided (unlike in PLS) and performance is improved. Two prediction schemes have been discussed and evaluated by comparing and analyzing the performance of PHLS with HLS. Neither of the presented prediction schemes takes direction changes into account. As future work, we intend to enhance the predictive schemes by taking into account the direction of node movement. Our on-going work also consists in studying PHLS with deeper simulation analysis under different mobility models.
References
1. Perkins, C.E., Bhagwat, P.: Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers. In: Proceedings of ACM SIGCOMM (August 1994)
2. Johnson, D.B., Maltz, D.A.: Dynamic source routing in ad hoc wireless networks. In: Mobile Computing. Kluwer Academic, Dordrecht (1996)
3. Perkins, C.E., Royer, E.M.: Ad hoc on-demand distance vector routing. In: Proceedings of IEEE WMCSA (February 1999)
4. Haas, Z.J., Pearlman, M.R.: The performance of query control schemes for the zone routing protocol. In: Proceedings of ACM SIGCOMM (August 1998)
5. Stojmenovic, I.: Position based routing in ad hoc networks. IEEE Communications Magazine 40(7), 128–134 (2002)
6. Mauve, M., Widmer, J., Hartenstein, H.: A Survey on Position-Based Routing in Mobile Ad-Hoc Networks. IEEE Network Magazine 15(6), 30–39 (2001)
7. Basagni, S., Chlamtac, I., Syrotiuk, V.R., Woodward, B.A.: A Distance Routing Effect Algorithm for Mobility (DREAM). In: Proceedings of the Fourth Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom 1998), Dallas, Texas, October 1998, pp. 76–84 (1998)
8. Camp, T., Boleng, J., Wilcox, L.: Location information services in mobile ad hoc networks. In: Proceedings of the IEEE International Conference on Communications (ICC), pp. 3318–3324 (2001)
9. Haas, Z.J., Liang, B.: Ad hoc mobility management with uniform quorum systems. IEEE/ACM Trans. on Networking 7(2), 228–240 (1999)
10. Li, J., Jannotti, J., DeCouto, D.S.J., Karger, D.R., Morris, R.: A Scalable Location Service for Geographic Ad Hoc Routing. In: Proceedings of the Sixth Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom 2000), Boston, Massachusetts, August 2000, pp. 120–130 (2000)
11. Giordano, S., Hamdi, M.: Mobility Management: The Virtual Home Region. Technical Report SSC/1999/037, EPFL-ICA (October 1999)
12. Stojmenovic, I.: Home agent based location update and destination search schemes in ad hoc wireless networks. Technical Report TR-99-10, Computer Science, SITE, University of Ottawa (September 1999)
13. Hsiao, P.: Geographical Region Summary Service for Geographical Routing. Mobile Computing and Communications Review (4), 25–39 (2001)
14. Kiess, W., Füßler, H., Widmer, J., Mauve, M.: Hierarchical Location Service for Mobile Ad-Hoc Networks. ACM SIGMOBILE Mobile Computing and Communications Review (MC2R) 8(4), 47–58 (2004)
15. Luo, X., Camp, T., Navidi, W.: Predictive Methods for Location Services in Mobile Ad hoc Networks. In: Proceedings of the 5th IEEE International Workshop on Algorithms for Wireless, Mobile, Ad Hoc and Sensor Networks (WMAN), pp. 246–252 (2005)
16. Käsemann, M., Füßler, H., Hartenstein, H., Mauve, M.: A Reactive Location Service for Mobile Ad Hoc Networks. Technical Report TR-02-014, Department of Computer Science, University of Mannheim (November 2002)
17. Philip, S.J., Qiao, C.: Hierarchical Grid Location Management for Large Wireless Ad hoc Networks. In: MobiHoc 2003, Maryland, USA, June 1–3 (2003)
18. Xue, Y., Li, B., Nahrstedt, K.: A Scalable Location Management Scheme in Mobile Ad-hoc Networks. In: Proceedings of the 26th Annual IEEE Conference on Local Computer Networks (LCN 2001) (2001)
19. Liu, J., Guo, W., Xiao, B., Huang, F.: A Scalable Location Service for Geographic Ad Hoc Networks. In: IEEE International Conference on Mechatronics and Automation, July-1 August, vol. 2(29), pp. 831–836 (2005)
20. Amar, E., Boumerdassi, S., Yahya, B.: A Survey on Location Services for Position-Based Routing in Mobile Ad Hoc Networks. In: The 2007 International Conference on Wireless Networks (ICWN 2007), Las Vegas (June 2007)
21. Amar, E., Boumerdassi, S., Yahya, B.: Performance Comparison of Scalable Location Services for Position-Based Ad-Hoc Routing. In: Proceedings of the International Conference on the Latest Advances in Networks (ICLAN 2006), Paris (December 2006)
22. Das, S.M., Pucha, H., Hu, Y.C.: Performance comparison of scalable location services for geographic ad hoc routing. In: Proceedings of IEEE INFOCOM, Miami, FL, March 2005, pp. 1228–1239 (2005)
23. Liang, B., Haas, Z.J.: Predictive distance-based mobility management for PCS networks. In: Proceedings of IEEE INFOCOM, pp. 1377–1384 (1999)
24. Luo, X.: Predictive Methods for Location Services in Mobile Ad Hoc Networks. M.Sc. Thesis, Colorado School of Mines (2004)
25. Royer, E.M., Melliar-Smith, P.M., Moser, L.E.: An Analysis of the Optimum Node Density for Ad hoc Mobile Networks. In: Proceedings of the IEEE International Conference on Communications, Helsinki, Finland (June 2001)
An Efficient Hybrid Routing Approach for Hybrid Wireless Mesh Networks
Anh-Ngoc Le, Dong-Won Kum, and You-Ze Cho
School of Electrical Engineering and Computer Science, Kyungpook National University, Korea
{anhngoc,80kumsy,yzcho}@ee.knu.ac.kr
Abstract. A hybrid mesh network is the most generic type of Wireless Mesh Network (WMN) and is a combination of static mesh routers and mobile mesh clients. Static mesh routers are typically much less resource-constrained than mobile mesh clients, and are also often equipped with multiple radio interfaces. Furthermore, most of the traffic is directed to/from a gateway, as the mesh clients generally access services on the Internet or other networks. Thus, routing protocols need to distinguish the types of mesh node and take account of the traffic pattern in hybrid mesh networks. This paper proposes a Hybrid Distance Vector (HDV) routing protocol for hybrid mesh networks, which combines the tree-based routing strategy with the reactive routing strategy. Simulation results demonstrate that the proposed HDV routing protocol can outperform the AODV and AODV-ST routing protocols in terms of routing overhead, network throughput, and end-to-end delay in a hybrid mesh network.
1 Introduction
Wireless Mesh Networks (WMNs) are emerging as a new, attractive communication paradigm owing to their low cost and rapid deployment. The application scenarios for WMNs include wireless broadband Internet access, intelligent transportation systems, transient networks in convention centers and disaster recovery. WMNs can be categorised into three main types: infrastructure mesh networks, client mesh networks, and hybrid mesh networks [1]. In infrastructure mesh networks, the mesh routers provide a wireless backbone infrastructure. The key difference with a traditional WLAN is that the wired backbone is replaced with a wireless multi-hop network. The mesh clients simply access the network directly via a mesh router; however, they play a passive role in this architecture and do not contribute to the mesh network infrastructure. Meanwhile, client mesh networks are only made up of mobile mesh clients, and no dedicated network infrastructure is involved. Thus, the mesh clients need to perform network functions, such as routing and packet forwarding, making client mesh networks essentially the same as a traditional pure ad-hoc network. Hybrid mesh networks are the most generic type of WMN; they combine the concepts of infrastructure mesh networks and client mesh networks, as shown in Figure 1.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 532–542, 2009. © Springer-Verlag Berlin Heidelberg 2009
Fig. 1. Hybrid mesh networks (figure: the Internet at the top; level 1, gateways (IGW); level 2, backbone of mesh routers; level 3, mesh clients, including mesh clients connected in multi-hop)
A hybrid mesh network consists of static mesh routers that form the backbone of the network (level 2). Some mesh routers can include gateway functionality and provide connectivity to other networks, such as the Internet (level 1). In addition, mobile clients can act as a dynamic extension of the static infrastructure part of the network by implementing routing and packet-forwarding functionalities (level 3). The hybrid mesh architecture is the most applicable because mesh clients can not only directly communicate with other mesh clients, but also access Internet services through mesh routers. In this paper, we focus on this architecture, especially on mesh clients accessing Internet services through gateway nodes.

Although hybrid mesh networks are a particular type of mobile ad hoc network (MANET) [2,3], there are also significant differences between hybrid mesh networks and general MANETs. In hybrid mesh networks, the mesh routers are relatively powerful and static nodes, which have access to mains power or are equipped with high-capacity batteries. Furthermore, the mesh routers are typically equipped with multiple radio interfaces assigned to non-overlapping channels, thereby significantly increasing the transmission capacity of wireless mesh networks [4]. In contrast to the mesh routers, the mesh clients are relatively constrained mobile client devices, such as a laptop or PDA, with just a single radio, high mobility, and limited battery power. Furthermore, in hybrid mesh networks, most of the traffic is directed to/from a gateway, as the mesh clients generally access services on the Internet or other networks. Consequently, an efficient routing strategy for hybrid mesh networks needs to take into account the differences between mesh nodes and the traffic patterns.

Ad hoc routing protocols are promising candidates for hybrid mesh networks, due to their capability to deal with dynamic environments. However, the direct application of routing techniques for ad hoc networks to hybrid mesh networks results in inferior performance, as the characteristics of mesh networks are not utilized. In hybrid mesh networks, most of the traffic is directed towards a gateway, and thus all the source nodes require a route to a gateway node for data delivery beyond the mesh. Reactive routing protocols [5,6] generate multiple requests towards a gateway, which increases the traffic and overhead near the gateway. Moreover, in the case of a large network, the time required to acquire a route towards a gateway becomes significant, thereby increasing the overall delay. Conversely, in the case of proactive routing protocols [7], each node periodically sends updates of its routing table to maintain correct route information to all destinations, which results in a large overhead. In particular, the high mobility of the mesh clients degrades the performance of proactive routing, as the routing table quickly becomes outdated and requires an enormous overhead to keep it up to date. In addition, since ad hoc routing protocols were originally designed for homogeneous ad hoc networks consisting of resource-constrained mobile devices, their performance is not optimal in hybrid mesh networks, as they are unable to take full advantage of the mesh routers.

Accordingly, this paper proposes a Hybrid Distance Vector (HDV) routing protocol for hybrid mesh networks. Tree-based routing, which periodically maintains routes between a gateway and the mesh routers, is used in the backbone of mesh routers. These routes are stable owing to the stationary nature and high capacity of the mesh routers. Meanwhile, reactive routing is used by the mesh clients to discover a route to the gateway node, which is maintained in the routing tables of the mesh routers, thereby reducing the latency and routing overhead related to route discovery to the gateway nodes. Simulation results show that the HDV protocol provides better performance than the AODV and AODV-ST routing protocols in a hybrid mesh network.

The remainder of the paper is organized as follows: Section 2 discusses relevant related work. The proposed HDV protocol is described in Section 3. Section 4 provides details of the simulation environment and simulation results. Some final conclusions are given in Section 5.
2 Related Work
Many routing protocols have already been proposed for ad hoc networks and can generally be categorized as proactive [7] or reactive [5,6] based on the time of the route availability to the source node when a node has a data packet to send. In proactive routing protocols, the source node has knowledge of the route before it has any data packets to send. Routes to the destination nodes are semipermanently maintained in a routing table based on the periodic exchange of routing tables between neighboring nodes. Destination Sequence Distance Vector (DSDV) [7] is commonly used as a proactive routing protocol. In reactive routing protocols, the routes are established on-demand. Thus, when the source node has data to send, it initiates a route discovery procedure, and once the node acquires the desired routing information from the route discovery procedure, it forwards the data using the acquired route. Dynamic Source Routing (DSR) [5] and Ad-hoc On-demand Distance Vector (AODV) [6] are
An Efficient Hybrid Routing Approach for Hybrid Wireless Mesh Networks
535
examples of reactive routing protocols. In AODV [6], when a source node intends to communicate with a destination node whose route is unknown, it broadcasts a Route Request (RREQ) packet. Each RREQ contains an ID, source and destination node addresses, and sequence numbers together with a hop count and control flags. If the RREQ recipients have not seen the source address and RREQ ID pair or do not have a fresher (with a higher sequence number) route to the destination, they rebroadcast the same packet after incrementing the hop-count. Intermediate nodes also create and preserve a Reverse Route to the source node for a certain interval of time. When the RREQ reaches the destination node or any node that has a fresh route to the destination, a Route Reply (RREP) packet is generated and unicast back to the source of the RREQ. Each RREP contains the destination sequence number, source and destination node addresses, route lifetime, and hop count and control flags. Each intermediary node that receives the RREP then increments the hop-count, establishes a Forward Route to the source of the packet, and transmits the packet via the Reverse Route. To preserve the connectivity information, each node executing the AODV can use link layer feedback or periodic HELLO packets to detect link breakages with nodes that it considers as its immediate neighbors. When a link break is detected for a next hop of an active route, a Route Error (RERR) packet is sent to the active neighbors using that particular route. When using AODV in a network with multi-radio nodes, each RREQ is broadcasted on all interfaces. Intermediate nodes with one or more interfaces operating on a shared channel, receive the RREQ on received interface (Rx NIC) and create a Reverse Route using that interface towards the source node [8]. The proactive and reactive approaches have already been merged in hybrid routing protocols that aim to combine the advantages of both approaches. 
For example, the Zone Routing Protocol (ZRP) [9] is a hybrid routing protocol based on the notion of a zone: a proactive protocol is used among the nodes of a zone, while a reactive protocol is used to reach nodes outside it. However, ZRP was designed for homogeneous ad hoc networks and cannot differentiate between the node types found in hybrid mesh networks. AODV Spanning Tree (AODV-ST) [10] is a hybrid routing protocol developed specifically for infrastructure mesh networks, to provide Internet access to mesh clients through one or more gateways. AODV-ST uses a proactive strategy to discover routes between the mesh routers and the gateways, and a reactive strategy to find routes between mesh routers. In the proactive part, the gateways periodically broadcast special route request packets to initiate the creation of spanning trees; any subsequent route request carrying a better routing metric is used to update the existing reverse route to the gateway. When AODV-ST is applied to a hybrid mesh network, the routes periodically maintained between the mesh nodes (mesh routers and mesh clients) and the gateway do not take the type of mesh node into account, which results in inferior performance in hybrid mesh networks.
A.-N. Le, D.-W. Kum, and Y.-Z. Cho

3 Hybrid Distance Vector Routing Protocol for Hybrid Mesh Networks
This section presents the proposed Hybrid Distance Vector (HDV) routing protocol for hybrid mesh networks. HDV extends the AODV routing protocol to a multi-radio environment by integrating a proactive component into AODV's reactive routing. The proactive component builds a tree topology in the backbone of mesh routers, linking every mesh router to the gateway node. Meanwhile, mesh clients discover routes to the gateway reactively, using the routes already stored in the routing tables of the mesh routers (see Figure 2).

To construct the tree topology in the backbone of mesh routers, each gateway periodically broadcasts a Route Request (RREQ) message throughout the hybrid mesh network. Since a gateway node may have multiple radio interfaces, the RREQ message is broadcast on all of them. This RREQ message takes the place of the Hello message of the original AODV protocol, which only announces the presence of a node to its neighbors; in addition, it spreads information about the existing Internet gateway throughout the hybrid mesh network. Figure 3(a) shows a flowchart for processing an RREQ message from the gateway. When a mesh node receives the RREQ message from the gateway, it updates its neighbor information and gateway information. A mesh client then simply discards the message, which avoids the creation of unstable routes that include mobile mesh clients and also reduces the routing overhead caused by RREQ flooding.

Upon receiving an RREQ message from a gateway, each mesh router determines the receiving interface (Rx NIC) through which the next node of the reverse route can be reached, and creates an entry in its routing table for the gateway using interface Rx NIC. If the mesh router already has an entry for the gateway in its routing table, it compares the new route with the existing one. The entry is updated if the new route carries newer information, as indicated by a higher sequence number, or if the sequence number is the same as that of the existing entry but the new route is better according to the routing metric. In this paper the hop count is used as the metric of interest, but other routing metrics are also applicable. If a route towards a gateway is created or updated, the mesh router unicasts a Route Reply (RREP) message to the gateway node to establish the forward route, and then rebroadcasts the RREQ message on all of its interfaces. Otherwise, the received RREQ message is discarded. Consequently, once an RREQ message from a gateway has been successfully flooded through the hybrid mesh network, every mesh router holds a route to the gateway (see Figure 2(a)). These routes are semi-permanently maintained in the routing table of each mesh router and updated as necessary when another RREQ message from the gateway arrives; the periodic nature of the RREQ messages keeps the route to the gateway current.

Whenever a mesh client needs to communicate with a node whose route is not in its routing table, route discovery works as in the AODV routing protocol. Figure 3(b) shows a flowchart for processing an RREQ message from a mesh client (source node). If a mesh client wants to discover a route towards a gateway node, it broadcasts an RREQ message. Since a route to the gateway is always present in the routing table of each mesh router, the mesh router simply unicasts an RREP message back to the mesh client (see Figure 2(b)). Consequently, the route discovery delay for mesh clients is significantly reduced.

Fig. 2. Route discovery in the HDV routing protocol: (a) route discovery process of the gateway (the gateway sends the RREQ, mesh routers answer with RREPs, mesh clients discard the RREQ); (b) route discovery process of the mesh clients.

Fig. 3. Flowchart for processing RREQ at mesh nodes: (a) processing an RREQ from the gateway (the node updates its neighbor table; a mesh client discards the RREQ; a mesh router determines the Rx NIC, creates the reverse route on the Rx NIC for the first RREQ or updates it for a duplicate RREQ with a better route, unicasts an RREP to the gateway and rebroadcasts the RREQ on all interfaces, and otherwise discards it); (b) processing an RREQ from a mesh client (a mesh client discards it; a mesh router determines the Rx NIC, creates or updates the reverse route as in (a), unicasts an RREP to the source node if it is the destination or has a fresh enough route, and otherwise rebroadcasts the RREQ on all interfaces).
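The gateway-RREQ processing of Fig. 3(a), the client-RREQ processing of Fig. 3(b) and the AODV RREQ/RREP mechanics of Section 2 that HDV builds on, as an added example that is not the authors' code: a small Python model of the routing state machine run on a constructed six-node topology (one gateway, three static mesh routers, two single-radio clients; the node names, interface numbers, link change and the node type carried in the packet are assumptions). The rule that a mesh client discards every RREQ it overhears, including one from another client, is read from the decision box in Fig. 3(b); RREPs are modelled as carrying the sequence number of the RREQ that triggered them, a simplification.

```python
"""HDV route processing (Fig. 3) on a small constructed hybrid mesh. Added example."""
from collections import deque, namedtuple
from typing import Dict, Optional

GATEWAY, ROUTER, CLIENT = "gateway", "router", "client"
Route = namedtuple("Route", "next_hop iface hops seq")   # iface: Rx NIC the packet arrived on
RREQ = namedtuple("RREQ", "src src_kind dst seq hops")   # src: a gateway (tree build) or a client
Node = namedtuple("Node", "name kind routes nbrs")       # nbrs: neighbour -> own interface to it


def better(seq: int, hops: int, old: Optional[Route]) -> bool:
    # Section 3 rule: a newer sequence number wins; same sequence number, fewer hops wins
    return old is None or seq > old.seq or (seq == old.seq and hops < old.hops)


class Mesh:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.stats = {"rreq_tx": 0, "rrep_tx": 0}   # routing-overhead counters

    def add(self, name: str, kind: str) -> None:
        self.nodes[name] = Node(name, kind, {}, {})

    def link(self, a: str, b: str, a_if: int, b_if: int) -> None:
        self.nodes[a].nbrs[b], self.nodes[b].nbrs[a] = a_if, b_if

    def unlink(self, a: str, b: str) -> None:
        del self.nodes[a].nbrs[b], self.nodes[b].nbrs[a]

    def handle_rreq(self, node: Node, r: RREQ, prev: str) -> str:
        """Fig. 3: what one node does with one received copy of an RREQ sent by prev."""
        if node.name == r.src or node.kind == CLIENT:
            return "discard"   # own flood echoed back, or a mesh client (clients never relay)
        if not better(r.seq, r.hops, node.routes.get(r.src)):
            return "discard"   # duplicate RREQ without a better route
        node.routes[r.src] = Route(prev, node.nbrs[prev], r.hops, r.seq)  # reverse route on Rx NIC
        if r.src_kind == GATEWAY:
            return "tree"      # Fig. 3(a): unicast RREP to the gateway, then rebroadcast
        if node.name == r.dst or r.dst in node.routes:
            return "reply"     # Fig. 3(b): destination, or a fresh enough route to it
        return "forward"       # Fig. 3(b): plain AODV rebroadcast

    def send_rrep(self, replier: Node, src: str, dst: str, seq: Optional[int] = None) -> None:
        """Unicast an RREP hop by hop along the reverse route to src; each hop installs
        (or improves) a forward route to dst via the node the RREP came from."""
        own = replier.name == dst
        hops = 0 if own else replier.routes[dst].hops
        seq = (0 if own else replier.routes[dst].seq) if seq is None else seq
        cur = replier
        while cur.name != src:
            nxt = self.nodes[cur.routes[src].next_hop]
            hops += 1
            self.stats["rrep_tx"] += 1
            if better(seq, hops, nxt.routes.get(dst)):
                nxt.routes[dst] = Route(cur.name, nxt.nbrs[cur.name], hops, seq)
            cur = nxt

    def flood(self, origin: str, dst: str, seq: int) -> None:
        # Broadcast an RREQ on all interfaces of origin and process it network-wide;
        # FIFO order approximates arrival order, so shorter paths are usually seen first.
        self.stats["rreq_tx"] += 1
        first = RREQ(origin, self.nodes[origin].kind, dst, seq, 0)
        queue = deque((nb, first, origin) for nb in self.nodes[origin].nbrs)
        while queue:
            name, r, prev = queue.popleft()
            r = r._replace(hops=r.hops + 1)   # the receiver increments the hop count
            action = self.handle_rreq(self.nodes[name], r, prev)
            if action == "reply":
                self.send_rrep(self.nodes[name], r.src, r.dst)   # carries the replier's dst seq/hops
            elif action != "discard":
                if action == "tree":   # the router's RREP gives the gateway a forward route to it
                    self.send_rrep(self.nodes[name], r.src, name, r.seq)
                self.stats["rreq_tx"] += 1   # rebroadcast on all interfaces
                queue.extend((nb, r, name) for nb in self.nodes[name].nbrs)


def build_demo() -> Mesh:
    """Constructed topology (not from the paper): a gateway, three static routers, two clients."""
    m = Mesh()
    for name, kind in (("GW", GATEWAY), ("R1", ROUTER), ("R2", ROUTER), ("R3", ROUTER),
                       ("C1", CLIENT), ("C2", CLIENT)):
        m.add(name, kind)
    for a, b, a_if, b_if in (("GW", "R1", 1, 1), ("R1", "R2", 1, 1), ("R2", "R3", 1, 1),   # backbone, iface 1
                             ("C1", "R2", 0, 0), ("C2", "C1", 0, 0), ("C2", "R3", 0, 0)):  # common channel, iface 0
        m.link(a, b, a_if, b_if)
    return m


def demo_after_tree_build() -> Mesh:
    m = build_demo()
    m.flood("GW", "*", seq=1)   # one periodic gateway RREQ builds the backbone tree
    return m


def run_demo() -> Mesh:
    m = demo_after_tree_build()
    m.flood("C1", "GW", seq=1)  # R2 answers from its table; the RREQ never has to reach GW
    m.flood("C2", "GW", seq=1)  # C1 hears it too but, being a client, discards it
    m.unlink("R1", "R2")        # a backbone link fails ...
    m.link("GW", "R3", 1, 1)    # ... and a new one appears
    m.flood("GW", "*", seq=2)   # the next periodic RREQ (higher seq) refreshes the tree
    return m
```

After `demo_after_tree_build()` every router holds a gateway route and the gateway holds the reverse tree, while C1 has no route at all; `run_demo()` then shows C1 obtaining its gateway route from R2's table (three hops, via interface 0) without the RREQ reaching the gateway, C2's RREQ being discarded by C1 and answered by R3, and the second periodic RREQ (seq 2) replacing every router's gateway route after the backbone change while the clients' seq-1 routes are left for their next discovery. The model trusts the node type and sequence number carried in the packet exactly as AODV-style protocols do, so a node that can inject a gateway-typed RREQ with a higher sequence number would redirect every router's gateway route; that is the flip side of the freshness rule, not something the protocol description addresses.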
4 Performance Evaluation

This section describes the simulation environment, the performance metrics, and the results. The efficiency of the proposed HDV routing protocol is compared with that of the AODV and AODV-ST routing protocols in a multi-radio, multi-channel environment.

4.1 Simulation Environment

To evaluate the performance of the proposed routing protocol, simulations were performed using the NS-2 network simulator [11]. A hybrid mesh network covering an area of 1500 m x 1500 m was set up with uniformly distributed static mesh routers and randomly distributed mobile mesh clients. One mesh router, located at the upper right corner of the network, was selected as the single gateway (see Figure 4). The random waypoint mobility model was used for the mesh clients: a mesh client first waits for a pause interval of 10 seconds, then moves to a randomly chosen position at a velocity chosen randomly between 0.1 m/s and the maximum speed, waits there for 10 seconds, and then moves on to the next random position. The Distributed Coordination Function (DCF) of IEEE 802.11 for wireless LANs is used as the medium access control (MAC) layer. The radio model uses characteristics similar to those of a commercial radio interface, Lucent's WaveLAN, modeled as a shared-medium radio with a 2 Mbps nominal bit rate and a 250 m nominal radio range.

In the simulation we assumed a common channel assignment approach to simplify channel assignment for the mesh routers. In this approach, each mesh router is equipped with multiple IEEE 802.11a wireless interfaces tuned to non-overlapping channels. The number of interfaces was the same for all mesh routers, which also used the same channel allocation scheme (similar to [4]); for example, if two interfaces are used at each node, the two interfaces are assigned to the same two channels at every node. The benefit of this approach is that the connectivity of the network is the same as that of a single-channel approach. The mesh clients were equipped with only a single radio interface, and all mesh routers and mesh clients had one radio interface tuned to a common channel. Constant Bit-Rate (CBR) traffic flows over UDP were used. Since most of the traffic in a mesh network is directed towards the gateway, we assume that all traffic flows from the mesh clients are destined for the Internet through the gateway. The hop count was used as the routing metric for all routing protocols. The internal parameters of AODV were set as suggested in [6]. For HDV and AODV-ST, the interval at which the gateway periodically broadcasts route requests was set to 1 second. The common parameters for all simulations are listed in Table 1.

Fig. 4. Hybrid Mesh Network Topology: 49 mesh routers (numbered 0 to 48, one of them the gateway at the upper right corner), the mesh clients, the channel assignment (CH1 as the common channel; CH36, CH48, CH52 and CH60 on the backbone interfaces), and an example AODV route and HDV route.

Table 1. Simulation description and parameter values

Simulation time: 250 seconds
Simulation area: 1500 m x 1500 m
Propagation model: Two-ray ground reflection
Mobility model for mesh clients: Random waypoint
Maximum speed of mesh clients: 5, 10, 15, 20 m/s
Transmission range: 250 m
Traffic type: CBR (UDP)
Number of flows: 50
Packet size: 512 bytes
Number of mesh routers: 49
Number of mesh router interfaces: 5
Number of mesh clients: 51
Number of mesh client interfaces: 1

4.2 Simulation Results
In this section, simulation results are examined for two scenarios that compare the performance of HDV with that of the AODV and AODV-ST routing protocols in terms of routing overhead, network throughput, and end-to-end delay in a hybrid mesh network.

Scenario 1: Varying Number of Radios on Mesh Routers. The first scenario varied the number of radios on each mesh router. Traffic flows with a packet rate of 12 packets/second were started at random times from the mesh clients to the gateway node. We considered a network with low mobility, where mesh clients had a maximum speed of 5 m/s. As shown in Figure 5, the performance of all routing protocols improved rapidly as the number of radios on a mesh router was increased. With two radios, the total throughput of HDV was comparable to that of AODV and AODV-ST. Nonetheless, HDV provided stable routes from the mesh routers to the gateway in advance, which reduced the end-to-end delay compared to AODV in the hybrid mesh network. AODV-ST, on the other hand, created routing paths from the gateway to all mesh nodes by flooding, without considering the node type, and therefore incurred a much larger routing overhead than HDV. When the mesh routers were equipped with more physical-layer interfaces, they were able to support multiple flows distributed over distinct radio interfaces, which helped to sustain multiple concurrent flows and resulted in higher network performance. Figure 4 shows an example of the routes selected by HDV and by the other routing protocols. HDV created more stable routes with less contention by preferentially involving static, high-capacity mesh routers. As a result, the number of route discoveries in the network was reduced, which lowered the routing overhead and shortened the delay.
In contrast to HDV, AODV and AODV-ST are unable to distinguish the node type, so both mesh routers and mesh clients are selected indiscriminately when a route is established. Note that routes consisting mostly of single-radio, highly mobile mesh clients suffer higher packet loss due to contention for the wireless medium, which can lead to saturated interface queues and dropped packets.
Fig. 5. Simulation results for scenario 1 (varying the number of radio interfaces, 2 to 5) for HDV, AODV-ST and AODV: (a) average end-to-end delay (seconds); (b) total throughput (bps); (c) routing overhead (packets).
Fig. 6. Simulation results for scenario 2 (varying the traffic load, per-flow rates of 8 to 20 packets/second) for HDV, AODV-ST and AODV: (a) average end-to-end delay (seconds); (b) total throughput (bps); (c) routing overhead (packets).
Consequently, HDV achieved a shorter end-to-end delay than AODV (about 26% shorter with 5 radios) and than AODV-ST (about 15% shorter with 5 radios). In addition, HDV improved the total throughput by 20% compared with AODV and by 15% compared with AODV-ST in the five-radio case.

Scenario 2: Varying Traffic Load. The second scenario varied the traffic load from low to high, corresponding to per-flow packet rates of 8 to 20 packets/second in the hybrid mesh network. Again we considered a network with low mobility, where mesh clients had a maximum speed of 5 m/s. Figure 6 compares the metrics for HDV and the other routing protocols in the case of five-radio mesh routers. Although the latency of the network increased with the traffic load, due to increased contention for the wireless medium among nodes operating on interfering channels, HDV still maintained a significant improvement over AODV and AODV-ST. As the load increased, the packet loss incurred by AODV and AODV-ST grew significantly, since they do not distinguish between high-capacity mesh routers and mobile mesh clients in the routing path, which decreased the throughput of the network. Meanwhile, since the routes created by HDV consisted of static mesh routers with ample resources, an improvement in performance was observed as the traffic load increased. The routing overhead of AODV-ST remained constant as the load increased, whereas that of AODV and HDV grew; HDV nevertheless had lower routing overhead than AODV because it provided stable routes from the mesh routers to the gateway in advance, reducing the number of route discoveries in the network.

As shown in Figure 6, at packet rates below 12 packets/second HDV improved the end-to-end delay compared with AODV (by about 26%) and AODV-ST (by about 15%). Meanwhile, HDV achieved higher total throughput than AODV (by about 20%) and AODV-ST (by about 15%).
5 Conclusion
This paper proposed a Hybrid Distance Vector (HDV) routing protocol for hybrid mesh networks. In HDV, a gateway node periodically broadcasts a route request message that allows only mesh routers to establish a route toward the gateway node. These routes are therefore more stable, because mesh routers are stationary and have high capacity. In addition, the latency and routing overhead of discovering a route towards a gateway node are reduced for the mesh clients. The low implementation complexity of HDV also makes it applicable to large hybrid mesh networks. Simulation results demonstrate that HDV is a promising candidate for hybrid mesh networks.
Acknowledgement This work was supported by the Korea Science and Engineering Foundation (KOSEF) (No. R01-2006-000-10753-0).
References
1. Akyildiz, I.F., Wang, X., Wang, W.: Wireless mesh networks: a survey. Computer Networks Journal 47, 445–487 (2005)
2. Bruno, R., Conti, M., Gregori, E.: Mesh networks: commodity multihop ad hoc networks. Communications Magazine 43, 123–131 (2005)
3. Ammari, H.M.: A survey of current architectures for connecting wireless mobile ad hoc networks to the Internet. International Journal of Communication Systems 20, 943–968 (2007)
4. Draves, R., Padhye, J., Zill, B.: Routing in multi-radio, multi-hop wireless mesh networks. In: Proc. ACM MobiCom, Philadelphia, PA, U.S.A. (2004)
5. Johnson, D., Maltz, D.: Dynamic source routing in ad hoc wireless networks. In: Mobile Computing, vol. 353. Kluwer Academic Publishers, Dordrecht (1996)
6. Perkins, C., Belding-Royer, E., Das, S.: Ad hoc on-demand distance vector (AODV) routing. IETF RFC 3561 (July 2003)
7. Perkins, C., Bhagwat, P.: Highly dynamic destination-sequenced distance vector (DSDV) routing for mobile computers. In: Proc. ACM SIGCOMM, London, U.K. (August 1994)
8. Pirzada, A., Portmann, M., Indulska, J.: Performance analysis of multi-radio AODV in hybrid wireless mesh networks. Computer Communications 31, 885–895 (2008)
9. Haas, Z., Pearlman, M., Samar, P.: The zone routing protocol (ZRP) for ad hoc networks. IETF MANET Internet Draft (July 2002)
10. Ramachandran, K., Buddhikot, M., Chandranmenon, G., Miller, S., Belding-Royer, E., Almeroth, K.: On the design and implementation of infrastructure mesh networks. In: Proc. WiMesh, Santa Clara, California, U.S.A. (2005)
11. Fall, K., Varadhan, K.: The ns Manual. UC Berkeley, LBL, USC/ISI, and Xerox PARC (April 2005), http://www.isi.edu/nsnam/ns/ns-documentation.html
Relationship between Motivation and Satisfaction of Online Computer Games: Evidence from Adolescent Players Using Wireless Service in Taiwan

Lily Shui-Lien Chen, Michael Chih-Hung Wang, and Yung-Hsin Lee*

Associate Professor, Business Administration Dept., Hsing Wu College; Business Administration Dept., National Central University; Graduate Institute of Finance, National Taiwan University of Science and Technology
Abstract. This study provides insight into the relationship between leisure motivation and leisure satisfaction with wireless service among teenage online gamers. A systematic sampling produced 134 usable questionnaires for the final data analysis. Findings revealed that teenagers playing online games with wireless service for intellectual motivations report educational leisure satisfaction. With wireless service, online game players with social motivations report educational, social and relaxation leisure satisfaction. Players with stimulus-avoidance motivation report greater psychological, educational, relaxation, physiological and aesthetic leisure satisfaction. Finally, this work discusses implications for leisure practice and further research. Keywords: Leisure motivation, leisure satisfaction, adolescent, online computer game.
1 Introduction

Online computer gaming in Taiwan accounts for 40% of all Internet use and involves more than three million people, according to the Institute for Information Industry. Over 450,000 users play online computer games in Taiwan during peak hours, making online gaming the most popular pastime, and it is growing at a rapid pace (Wang et al., 2008). For adolescents, who use the Internet primarily for entertainment (Bayraktar & Gun, 2007), online gaming is a popular activity, their primary means of entertainment (Steinkuehler, 2004), and a leisure activity that merits study (Chou & Tsai, 2007). Research reports of the Fubon Cultural and Educational Foundation (2004) showed that of the 34.26 hours of leisure time that senior and junior high school students in Taiwan have each week, 12.27 hours are spent on "online activities" or "playing video games and using the computer."

* Corresponding author.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 543–552, 2009. © Springer-Verlag Berlin Heidelberg 2009
L.S.-L. Chen, M.C.-H. Wang, and Y.-H. Lee
Motivation and satisfaction are two important factors in understanding people's choice of leisure activities (Beard & Ragheb, 1980, 1983). Leisure motivation helps to explain the consequences of leisure engagement (Manfredo & Driver, 1996, p. 188), and leisure satisfaction can be a direct indicator of leisure effects (Lu & Hu, 2005, p. 329). The behavior of young computer gamers has received considerable attention in recent years (Griffiths et al., 2003; Shieh & Cheng, 2007), and researchers have argued that adolescents and adults interact with games in entirely different ways (Griffiths et al., 2004; Yee, 2006). Players of online computer games have different leisure motivations and obtain different leisure satisfactions. The purpose of this study is to fill this gap by gaining further insight into teenage online gamers in Taiwan: what motivates them and how they achieve satisfaction.
2 Literature Review and Conceptual Framework

Online computer games are of two kinds, multiplayer online games (MOGs) and massively multiplayer online games (MMOGs), distinguished by the maximum number of simultaneous players (Ye & Cheng, 2006). The most popular type is the massively multiplayer online role-playing game (MMORPG) genre, characterized by large, sophisticated, detailed, and evolving worlds based in different narrative environments (Griffiths et al., 2004). This study focuses on MMORPGs. People engage in leisure activities for intellectual, social, competence-mastery and stimulus-avoidance reasons; these leisure motivations explain why people engage in leisure activities: to learn, to meet their social needs, to achieve, master, challenge and compete, and to escape (Beard & Ragheb, 1983). The components of leisure satisfaction are psychological, educational, social, relaxational, physiological and aesthetic (Beard & Ragheb, 1980). People engage in leisure activities to obtain satisfaction.

2.1 Leisure Motivation and Psychological Satisfaction

Psychological satisfaction refers to a sense of accomplishment (Beard & Ragheb, 1980). Adolescent online game players are represented by a character that explores the virtual world, which produces feelings of achievement (Choi et al., 2007). Adolescent players with social motivation chat with other players (Yee, 2006) and share their experiences to find an efficient way to "level up" their character's abilities or skills by training or by mastering certain situations (Choi et al., 2007). During these "level-up" processes, adolescent players with competence-mastery motivation may control their online personae to compete with other players and optimize their own character's performance (Yee, 2006). If adolescent players need less time to "level up" their characters than other players, they may feel a sense of achievement. Gradually, they attract other players' attention, which gives them a sense of accomplishment.

H1: For adolescent players of online computer games using wireless service, (a) intellectual motivation, (b) social motivation, (c) competence-mastery motivation and (d) stimulus-avoidance motivation are positively related to psychological satisfaction.
2.2 Leisure Motivation and Educational Satisfaction

Educational satisfaction refers to intellectual stimulation and the opportunity to learn new things (Beard & Ragheb, 1980). Different online computer games have tasks that different characters with different skills must complete (Dickey, 2007). Learning how to clear the different stages in this competitive process may give players the satisfaction of learning new things. During game play, adolescent players have the opportunity to cooperate with other group members; via on-screen text messages with other players, they can provide instructions, advice and encouragement (Dickey, 2007). As quests are completed, adolescent players come to understand teamwork (Helena & Griffiths, 2007) and derive satisfaction from being part of a group effort (Yee, 2006).

H2: For adolescent players of online computer games using wireless service, (a) intellectual motivation, (b) social motivation, (c) competence-mastery motivation and (d) stimulus-avoidance motivation are positively related to educational satisfaction.

2.3 Leisure Motivation and Social Satisfaction

Social satisfaction means that by participating in leisure activities, people can form relationships with others (Beard & Ragheb, 1980). Most online computer games are structured so that the "quests" are deliberately too difficult for a single character, so players need the help of other players (Ducheneaut & Moore, 2004). Adolescent players with intellectual motivation want to interact with them and form interpersonal relationships with them. Online computer gamers form two types of group: the party, which comes together only long enough to complete a particular task (Choi et al., 2007), and the guild, a longer-standing community with other objectives, such as assisting lower-level members (Humphreys, 2003). After a specific adventure or battle, adolescent players with social motivation who belong to a party cooperate with and form close relationships with the other members.
Adolescent players with competence-mastery motivation who belong to a guild may foster interdependency among members. This interdependency rewards participation in collaborative activities (Choi et al., 2007) and results in significant friendships (Krotoski, 2004) in the virtual world.

H3: For adolescent players of online computer games using wireless service, (a) intellectual motivation, (b) social motivation, (c) competence-mastery motivation and (d) stimulus-avoidance motivation are positively related to social satisfaction.

2.4 Leisure Motivation and Relaxational Satisfaction

Relaxational satisfaction refers to the rest and relief from the stress of life or work that an individual obtains through leisure activity (Beard & Ragheb, 1980). Online games can be seen as a type of contemporary adolescent pop culture (Steinkuehler, 2004). Adolescent players with intellectual motivation who join online games come to understand the up-to-date game terminology and game-related information, such as strategies for accumulating wealth in the form of money and weapons (Humphreys, 2003). This information lets them enjoy the virtual world and relieve the stress of school. During game play, the interactions lead adolescent players to seek pleasure (Wu & Liu, 2007) and enjoy themselves. As they enjoy the game, adolescent players with competence-mastery mot<br>ivation want to play more (Huang & Cappel, 2005), and the more time they play the less stress they feel. Additionally, this behavior makes adolescent players feel safer and happier in the virtual world than they feel in the real world (Kelly2, 2004).

H4: For adolescent players of online computer games using wireless service, (a) intellectual motivation, (b) social motivation, (c) competence-mastery motivation and (d) stimulus-avoidance motivation are positively related to relaxational satisfaction.

2.5 Leisure Motivation and Physiological Satisfaction

Physiological satisfaction is the development of physical fitness and the promotion of well-being (Beard & Ragheb, 1980), where well-being is a subjective, overall and comprehensive evaluation of how one feels about one's current life situation (Shichman & Cooper, 1984). There are many kinds of online games. Adolescent players may try to understand the differences among these games and may learn the characters' actions. Moreover, if adolescent players try to attract the attention of other adolescents, they may need to practice more. As they become more familiar with the actions of the characters, they may become more physically fit. Besides, adolescent players whose physical disabilities limit their activity (Burns & Graefe, 2007) or who are recuperating from serious illnesses can run, jump, and race in online computer games (Kelly2, 2004). In this way, playing can give them happiness and physiological satisfaction.
H5: For adolescent players of online computer games using wireless service, (a) intellectual motivation, (b) social motivation, (c) competence-mastery motivation and (d) stimulus-avoidance motivation are positively related to physiological satisfaction.

2.6 Leisure Motivation and Aesthetic Satisfaction

Aesthetic satisfaction refers to the leisure activity being pleasing, interesting, beautiful, and well designed (Beard & Ragheb, 1980). Most of the activities offered by online computer games take place in large, sophisticated, detailed and evolving worlds based in different narrative environments (Griffiths et al., 2003). Online computer games use 2D/3D graphics for both draft and photo-realistic representation of images (Kerbs, 2005), which leads adolescent players with intellectual motivation to appreciate beautiful scenes and feel pleased during game play. Because each online computer game features a unique combination of landscapes, challenges, players and emotional climates (Kelly2, 2004), adolescent players with social motivation can share their preferred scenes or visual aesthetics in online or offline discussion (Humphreys, 2003). Discussing their favorite scenes may also prompt adolescent players with competence-mastery motivation to imitate them and improve their sense of aesthetics.
H6: For adolescent players of online computer games using wireless service, (a) intellectual motivation, (b) social motivation, (c) competence-mastery motivation and (d) stimulus-avoidance motivation are positively related to aesthetic satisfaction.
3 Methods 3.1 Data Collection This study used a street survey interview, gathering research samples in the public in Taipei, Taiwan. We had two reasons for conducting the survey in Taipei. First, Taipei is a densely populated city of 2,600,000 people, many of whom come from other parts of Taiwan. Second, Taipei is the first wireless city in the world. This study adopted adolescent players enter into the entrances of the railway and MRT were chosen for participation. Adolescent players were asked their willingness to participate in the survey. Interviewers were then stood by for answering any question when the participants suffered. Participants were required to read the questionnaire instructions carefully before completing them and were confirmed they had the experience using the wireless service to play the online game. A total of 134 useful questionnaires were collected for final data analysis. 3.2 Research Instruments Leisure Motivation Scale (LMS). This study adopted the Leisure Motivation Scale designed by Beard and Ragheb (1983). Leisure motivation consists of four dimensions: intellectual (e.g., increase knowledge, discover new places and things, and use imagination), social (e.g., interaction with others, good time with friends, building and developing close friendships, and gain a feeling of belonging), competence-mastery (e.g., use physical abilities, increase abilities, and avoid the hustle and bustle of life), and stimulus-avoidance (e.g., relax mentally and physically, calm atmosphere). Leisure Satisfaction Scale (LSS). Leisure Satisfaction Scale (LSS) was adopted by Beard and Ragheb (1980). Leisure motivation consists of six dimensions: psychological, educational, social, relaxational, physiological, and aesthetic. 
These dimensions are measured with 24 items: four items each for psychological, educational, social, relaxational, physiological and aesthetic satisfaction.

3.3 Data Analysis
Cronbach's α (internal consistency coefficient) was used to determine the reliability of the leisure motivation and leisure satisfaction scales. Exploratory factor analysis (EFA) was used to determine the validity of the dimensions. Finally, regression analysis was used to determine the significance and relative size of the coefficients of the leisure motivation dimensions in predicting each leisure satisfaction dimension. In each regression model the independent variables are the four dimensions of leisure motivation and the dependent variable is one of the six dimensions of leisure satisfaction.
L.S.-L. Chen, M.C.-H. Wang, and Y.-H. Lee
4 Results
The reliability and validity of the leisure motivation scale and the leisure satisfaction scale were tested before the final regression analysis. Cronbach's α and corrected item-to-total correlations were used to measure scale reliability. Originally there were 14 items in the leisure motivation scale and 24 items in the leisure satisfaction scale. Item-to-total correlation was used to delete non-correlating items: all leisure motivation items were kept, but one item was omitted from the physiological dimension of leisure satisfaction, leaving 23 leisure satisfaction items for the final analysis. The final Cronbach's α values for the dimensions of leisure motivation are intellectual (α=0.842), social (α=0.817), competence-mastery (α=0.832) and stimulus-avoidance (α=0.846); for the dimensions of leisure satisfaction they are psychological (α=0.880), educational (α=0.874), social (α=0.807), relaxational (α=0.878), physiological (α=0.852) and aesthetic (α=0.888). All dimensions exceed the 0.8 threshold, reflecting strong internal consistency of the measurements (see Table 1). Scale internal consistency and homogeneity are therefore very good in this study.

Table 1. The reliability of the measurement

Construct                 Measurement items       Cronbach α
                          Initial     Final
Leisure Motivation
  Intellectual              3           3          0.842
  Social                    5           5          0.817
  Competence-mastery        2           2          0.832
  Stimulus-avoidance        4           4          0.846
Leisure Satisfaction
  Psychological             4           4          0.880
  Educational               4           4          0.874
  Social                    4           4          0.807
  Relaxational              4           4          0.878
  Physiological             4           3          0.852
  Aesthetic                 4           4          0.888
Although the authors made a theoretical assumption of a four-dimensional and a six-dimensional structure, exploratory factor analysis was performed on the initial scales to check item loadings and to let the data drive the number of dimensions in the initial exploratory phase. Since the data appeared to possess construct validity, a principal component analysis with varimax rotation was undertaken, assuming uncorrelated factors. All factors extracted had eigenvalues greater than 1, except aesthetic satisfaction; the cumulative variance explained by the six factors is 75.246%. Five factors emerged with construct loadings equal to or exceeding 0.5, suggesting discriminant and convergent validity. The items formed the expected factors.
Relationship between Motivation and Satisfaction of Online Computer Games
The results of the OLS regression estimates are presented in Table 2. Each of the six columns contains the estimation results obtained using one dimension of leisure satisfaction as the dependent variable and the leisure motivation dimensions as independent variables. All six regression models exhibited reasonable fit, with Adj-R² ranging from 0.212 to 0.389, except for Model 5 (leisure motivation and physiological satisfaction), whose Adj-R² is 0.136.

Model 1 indicated that two leisure motivation dimensions (competence-mastery and stimulus-avoidance) made a significant contribution to psychological satisfaction. As expected, adolescent players with competence-mastery and stimulus-avoidance motivation report higher psychological satisfaction. The coefficients are statistically significant for competence-mastery motivation (β=0.213, p<0.05) and stimulus-avoidance motivation (β=0.277, p<0.01); therefore H1 (c) and H1 (d) are supported. Intellectual and social motivation are not statistically significant, so the results do not support H1 (a) and H1 (b).

In Model 2, all leisure motivation dimensions are, as expected, positive and statistically significant predictors of educational satisfaction: intellectual motivation (β=0.161, p<0.05), social motivation (β=0.248, p<0.05), competence-mastery motivation (β=0.263, p<0.01) and stimulus-avoidance motivation (β=0.175, p<0.05). Adolescent gamers with these motivations report higher educational satisfaction, so all parts of H2 are supported.

In Model 3, one leisure motivation dimension (social) has a positive and significant influence on social satisfaction. As expected, adolescent players with social motivation report higher social satisfaction; the coefficient is statistically significant (β=0.608, p<0.001), supporting H3 (b). The other dimensions, intellectual, competence-mastery and stimulus-avoidance, are not statistically significant, so H3 (a), H3 (c) and H3 (d) are not supported.

Model 4 showed that two leisure motivation dimensions (social and stimulus-avoidance) make a significant contribution to relaxational satisfaction: social motivation (β=0.268, p<0.05) and stimulus-avoidance motivation (β=0.418, p<0.001); therefore H4 (b) and H4 (d) are supported. Intellectual and competence-mastery motivation are not statistically significant, so H4 (a) and H4 (c) are not supported.

Model 5 showed that one leisure motivation dimension (stimulus-avoidance) has a positive and significant influence on physiological satisfaction. As expected, adolescent players with stimulus-avoidance motivation report higher physiological satisfaction; the coefficient (β=0.347, p<0.01) supports H5 (d). The other dimensions, intellectual, social and competence-mastery, are not statistically significant, so H5 (a), H5 (b) and H5 (c) are not supported.

Similarly, Model 6 showed that stimulus-avoidance alone has a positive and significant influence on aesthetic satisfaction. As expected, adolescent players with stimulus-avoidance motivation report higher aesthetic satisfaction (β=0.396, p<0.001), supporting H6 (d). Intellectual, social and competence-mastery motivation are not statistically significant, so H6 (a), H6 (b) and H6 (c) are not supported.
Table 2. Regression analysis of leisure motivation on leisure satisfaction

                      Psychological  Educational  Social     Relaxational  Physiological  Aesthetic
                      (Model 1)      (Model 2)    (Model 3)  (Model 4)     (Model 5)      (Model 6)
                      β              β            β          β             β              β
(Constant)            0.988*         0.642        1.355**    1.045*        1.162*         1.499**
Intellectual          0.087          0.161*       -0.032     -0.010        0.043          -0.100
Social                0.179          0.248*       0.608***   0.268*        0.127          0.160
Competence-mastery    0.213*         0.263**      -0.056     0.059         0.029          0.130
Stimulus-avoidance    0.277**        0.175*       0.138      0.418***      0.347**        0.396***
R²                    0.320          0.407        0.345      0.326         0.162          0.236
Adj-R²                0.299          0.389        0.325      0.305         0.136          0.212
*p<0.05; **p<0.01; ***p<0.001.
5 Conclusions

5.1 Discussion
The objective of the present study was to test the relationship between leisure motivation and leisure satisfaction in the context of online computer gaming through a wireless service. The regression results revealed that leisure motivation can be a predictor of leisure satisfaction among adolescents. The results also contribute to existing leisure research and to our understanding of the influence of leisure motivation (Beard & Ragheb, 1983) on leisure satisfaction (Beard & Ragheb, 1980) in the online computer gaming context. Although the results suggest that adolescent players with various leisure motivations are more likely to attain leisure satisfaction, not all leisure motivations influence leisure satisfaction.

Adolescent online gamers with intellectual motivation report educational satisfaction, but not psychological, social, relaxational, physiological or aesthetic satisfaction. According to Beard and Ragheb (1983), intellectual motivation assesses the extent to which people are motivated to engage in leisure activities that involve substantial mental activity such as learning, exploring, discovering, creating or imagining. Perhaps, because online computer games contain many types of content, adolescent players with intellectual motivation like to learn while playing and therefore achieve only educational satisfaction.

Adolescent gamers with social motivation report educational, social and relaxational satisfaction, but this motivation does not influence psychological, physiological or aesthetic satisfaction. Previous researchers have argued that playing online computer games fosters collaboration (Choi et al., 2007) and eventually results in significant friendships (Krotoski, 2004). Perhaps these adolescents like to make friends with others, rather than seeking achievement in the game, keeping physically fit, or judging whether the game is well designed.

Additionally, adolescent online gamers with competence-mastery motivation view online gaming as a leisure activity that brings psychological and educational satisfaction. This is because during gameplay adolescent players can accumulate experience after completing a task (Dickey, 2007) and compete with other online players in order to optimize their own character's performance (Yee, 2006).

The results showed that stimulus-avoidance motivation for online computer gaming has a positive effect on all dimensions of leisure satisfaction except the social dimension. In the virtual world adolescents can escape their failures in the real world and find fulfillment or satisfaction through playing online computer games.

Managers of online computer games could use the results of this study to design games that cater to adolescents' leisure motivations. Facing parents' strong suspicion of negative effects, managers have to win parents' approval. The key points managers can emphasize are not only the psychological and physiological attractions of the activity, but also its educational advantages.

5.2 Limitations and Future Research Directions
This study was limited to a sample of Taipei adolescents and may not be representative of all adolescent online gamers in Taiwan, although Taipei is a well-known wireless city. In addition, the scales used in this study may not have been suitable for adolescents, because the Leisure Motivation Scale (LMS) of Beard and Ragheb (1983) and the Leisure Satisfaction Scale (LSS) of Beard and Ragheb (1980) originally measured adults' motivation and satisfaction. Although the results confirmed the relationship between leisure motivation and leisure satisfaction in a survey of adolescent online computer game players, several issues should be investigated further. First, more variables should be incorporated into future models in order to predict adolescents' leisure satisfaction in online computer gaming. Another issue is the best way to measure adolescents' motivation and satisfaction in leisure activities. Since online computer gaming is popular among adolescents, measurements should factor the characteristics of online computer gaming into the scale.
References
1. Bayraktar, F., Gun, Z.: Incidence and correlates of Internet usage among adolescents in North Cyprus. CyberPsychology & Behavior 10, 191–197 (2007)
2. Beard, J.G., Ragheb, M.G.: Measuring leisure satisfaction. Journal of Leisure Research 12, 20–33 (1980)
3. Beard, J.G., Ragheb, M.G.: Measuring leisure motivation. Journal of Leisure Research 15, 219–228 (1983)
4. Burns, R.C., Graefe, A.R.: Constraints to outdoor recreation: exploring the effects of disabilities on perceptions and participation. Journal of Leisure Research 39, 156–181 (2007)
5. Choi, B., Lee, I., Choi, D., Kim, J.: Collaborate and share: an experimental study of the effects of task and reward interdependencies in online games. CyberPsychology & Behavior 10, 591–595 (2007)
6. Chou, C., Tsai, M.J.: Gender differences in Taiwan high school students' computer game playing. Computers in Human Behavior 23(1), 812–824 (2007)
7. Dickey, M.D.: Game design and learning: a conjectural analysis of how massively multiplayer online role-playing games (MMORPGs) foster intrinsic motivation. Educational Technology, Research and Development 55, 253–273 (2007)
8. Ducheneaut, N., Moore, R.J.: The social side of gaming: a study of interaction patterns in a massively multiplayer online game. In: Proceedings of the ACM Conference on Computer Supported Cooperative Work, vol. 6, pp. 360–369 (2004)
9. Fubon Cultural & Educational Foundation: Online activities of Taiwan teenagers (2004), http://www.eshare.org.tw/eshare_response_Text.asp?Txt_ID=634 (retrieved March 8, 2007)
10. Griffiths, M.D., Davies, M.N.O., Chappell, D.: Breaking the stereotype: the case of online gaming. CyberPsychology & Behavior 6, 81–91 (2003)
11. Griffiths, M.D., Davies, M.N.O., Chappell, D.: Online computer gaming: a comparison of adolescent and adult gamers. Journal of Adolescence 27, 87–96 (2004)
12. Cole, H., Griffiths, M.D.: Social interactions in massively multiplayer online role-playing gamers. CyberPsychology & Behavior 10, 575–583 (2007)
13. Huang, Z., Cappel, J.J.: Assessment of a web-based learning game in an information systems course. Journal of Computer Information Systems 45, 42–50 (2005)
14. Humphreys, S.: Online multiuser games: playing for real. Australian Journal of Communication 30, 79–91 (2003)
15. Kelly, R.V.: Massively multiplayer online role-playing games: the people, the addiction and the playing experience. McFarland & Co, Jefferson, N.C. (2004)
16. Kerbs, R.W.: Social and ethical considerations in virtual worlds. The Electronic Library 23, 539–546 (2005)
17. Krotoski, A.: Chicks and joysticks: an exploration of women and gaming. Entertainment and Leisure Software Publishers Association, London (2004)
18. Lu, L., Hu, C.H.: Personality, leisure experiences and happiness. Journal of Happiness Studies 6, 325–342 (2005)
19. Manfredo, M.J., Driver, B.L., Tarrant, M.A.: Measuring leisure motivation: a meta-analysis of the recreation experience preference scales. Journal of Leisure Research 28, 188–213 (1996)
20. Shieh, K.F., Cheng, M.S.: An empirical study of experiential value and lifestyles and their effects on satisfaction in adolescents: an example using online gaming. Adolescence 42, 199–215 (2007)
21. Shichman, S., Cooper, E.: Life satisfaction and sex role concept. Sex Roles 11, 227–240 (1984)
22. Steinkuehler, C.A.: Learning in massively multiplayer online games. In: Proceedings of the 6th International Conference on Learning Sciences, Santa Monica, California, pp. 521–528 (2004)
23. Wang, E.S.T., Chen, L.S.L., Lin, J.Y.C., Wang, M.C.H.: The relationship between leisure satisfaction and life satisfaction of adolescents concerning online games. Adolescence 13, 177–184 (2008)
24. Wu, J., Liu, D.: The effects of trust and enjoyment on intention to play online games. Journal of Electronic Commerce Research 8, 128–140 (2007)
25. Yee, N.: Motivations for play in online games. CyberPsychology & Behavior 9, 772–775 (2006)
26. Ye, M., Cheng, L.: System-performance modeling for massively multiplayer online role-playing games. IBM Systems Journal 45, 45–58 (2006)
DISHES: A Distributed Shell System for Ubiquitous Computing Chih-Chung Lai and Ren-Song Ko National Chung Cheng University, Chia-Yi, Taiwan 621 {laicc,korenson}@cs.ccu.edu.tw
Abstract. This paper proposes the design of a distributed shell system, DISHES, for the ubiquitous computing environment, as the interface middleware between a mobile user and the ambient computers. With DISHES, a mobile user can issue a command containing programs and the location of data; the mobile device retrieves the data from the specified location and automatically looks for the required programs in the computing environment to process the data. Moreover, a complicated task may be performed by gluing several primitive programs together. Thus the hardware and software functions of mobile devices may be kept as simple as possible, and development costs may be reduced.
1 Introduction
With the advance of technology, various types of intelligent devices have pervaded our daily life. We have smart appliances, and many public infrastructures, such as intelligent power, communication and transportation systems, have computers embedded in them. In the future as we envisage it, networking these intelligent devices will enable them to cooperate in support of better human living. Consequently, people are situated in an environment with many devices capable of computation and communication and exposed to computer networks, a computing environment that Weiser[1] called ubiquitous computing. However, the hardware constraints of these devices often limit their usage. It is almost impossible to store huge amounts of data and software in these devices as on a PC. Furthermore, because of limited battery power, computation quality often degrades. For example, the AI and user interfaces of games on mobile devices are usually simpler than those on a PC. One solution to this problem is to store data and software on other networked computers instead of having users carry them. When needed, a mobile device user can download the data on demand via the network. Taking this idea one step further, the computation resources needed to process the data can also be obtained from networked computers. That is, we download the necessary programs or software on demand to process the data, or have other computers process the data and retrieve the results. Such an on-site computing approach relieves a mobile user of the need to carry the required software
This work is supported in part by the National Science Council under grants no. NSC 97-2218-E-194-003.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 553–562, 2009. © Springer-Verlag Berlin Heidelberg 2009
C.-C. Lai and R.-S. Ko
and data for computing on the road and, hence, boosts people's mobility. By specifying the location of the software and data, the mobile device will retrieve the data from the specified location and automatically look for the required program in the computing environment.
Based on the above idea, we propose a system, DISHES, to mitigate the limitations caused by the hardware constraints of mobile devices. A user can issue a command containing the data location and the program to process the data. When a mobile device receives the command, it looks for a nearby computer that has the required program and sends the data location to that computer. The computer then downloads the data, executes the program to process the data, and sends the result back to the mobile device. Of course, the result obtained by one program can be further processed by another program, so a complicated task can be achieved by the sequential cooperation of several small programs.
The shell on UNIX systems provides a good analogy of the above idea on a single computer. In UNIX, execution of a program is launched by issuing a command containing the program and the data to the shell. The shell finds the program among the default search paths and executes it once found. Multiple programs can be combined to accomplish a complicated task via the pipe mechanism, and the result can even be redirected to a specific file via the I/O redirection mechanism.
DISHES (DIstributed SHEll System) extends the single-computer shell to the ubiquitous computing environment. That is, a user issues a command on a mobile device, one of the ambient computers having the required program is found "automatically", and that computer downloads and processes the data from the specified data location. DISHES also provides a distributed pipe mechanism to enable the sequential cooperation of programs on different computers through the network.
After the computation is completed, the result can be sent back to the user's mobile device or stored at a location specified by the user via the distributed I/O redirection mechanism. The following scenario illustrates the idea more explicitly. A salesperson travels to Chicago to visit his clients in the city and wants to visit them in the order of their free time. To find out the visit schedule, he may issue the following command to his PDA:
    grep Chicago http://mycompany.com/clients list | sort -k 2,2 > visit schedule
According to the command, the salesperson's PDA finds the computers providing the required programs (grep and sort). Suppose computer A provides grep and computer B provides sort, as depicted in Fig. 1. Then A retrieves the client information from the specified data location, http://mycompany.com/clients list, executes grep Chicago to pick out the clients residing in Chicago, and sends the result to B. After receiving the result from A, B executes sort -k 2,2 to sort the Chicago clients by their free time. Finally, the sorted result is sent back to the PDA and stored in the file visit schedule.
Fig. 1. The salesperson inputs the command to his PDA to get visiting schedule. According to the command, the PDA will find the computers providing the software, and the computer executing the command will get the data by the specified URL.
In the above example, the salesperson provides only the location of the data and the names of the programs. The computing environment retrieves the data from the specified location and automatically looks for the required programs to process it. Moreover, a complicated task is performed by gluing together several primitive programs (grep and sort). These primitive programs do not have to be loaded into and executed on the salesperson's PDA; they may be executed on the more powerful computers nearby (A and B), and the results glued together and returned to the user. With this approach, the hardware and software functions of mobile devices may be kept as simple as possible, which reduces their volume, weight and cost and thus boosts people's mobility. Besides, because a complicated task is performed by gluing several primitive programs, software development costs may be reduced.
2 Related Work
The shell on many systems, including UNIX, provides a command line interface that allows a user to issue a command; the shell interprets the command and tells the system to execute the corresponding computing tasks. In recent years network technology has brought distributed computing and also pushed shell programs into new paradigms. Secure Shell[2] provides a secure remote login mechanism by which a user can securely issue commands to control a remote computer. MOSIX[3] provides transparent execution of commands via a shell on a computer cluster consisting of workstations or PCs loosely coupled by a network. M. Truong and A. Harwood[4] proposed a shell that provides distributed computing over a peer-to-peer network, which is characterized by good scalability. In the ubiquitous computing environment, DISHES aims to provide automatic program discovery, to utilize various types of ambient devices and help the mobile device finish its computing task, and remote file access, to store data and computation results in a distributed manner.
DISHES is inspired by the concept of the ad hoc system[5]. An ad hoc system consists of multiple network-connected computers or smart devices. A program executed on the ad hoc system is componentized into multiple components, each of which is dispatched to the most suitable device for execution. Thus a mobile device can unite ambient computers or devices into an ad hoc system to run a big program. A related topic is the composition of web services. The World Wide Web Consortium (W3C) defines the Web Services Description Language (WSDL)[6] to describe characteristics such as the input and output of a web service. With WSDL a programmer knows how to access a web service, and thus web services can be composed to provide a complicated service. However, WSDL does not support semantic description, so composition must always involve the programmer. To let web services perform dynamic composition by themselves, David Martin et al. propose the OWL-S approach[7]. With OWL-S, the client program and the web service reach a common understanding of the semantics of the terms in WSDL through an ontology held by a third party, and thus one web service can automatically interact with another according to previously set up semantic rules. Based on the OWL-S method, Mokhtar et al. propose a conversation-based service composition method, COCOA[8], that aims to dynamically compose services to complete a user task. With COCOA, each service as well as the user task is transformed into an automaton, and an algorithm is proposed to combine the automata of the services into the one of the user task.
3 Architecture of DISHES
DISHES contains five subsystems: Service Discovery (SD), Admin (AD), User Interface (UI), Command Dealer (CD), and Pipe-I/O-Exec (PIE). Fig. 2 depicts an overview of the system architecture of DISHES. The following five subsections briefly describe each subsystem.

Fig. 2. An overview of the system architecture of DISHES. An arrow represents an interaction between two components.

3.1 Service Discovery (SD) Subsystem
The main task of SD is to provide automatic program discovery. SD works like a broker: it provides registration and lookup of programs via two types of request from other subsystems, the registration request and the lookup request. When a host device has a specific program and wants to offer the service of executing it, it uses the registration request to state its intention. The registration request contains attributes such as the program name and the network address of the device. On receiving a registration request, SD stores the program name and the corresponding device network address in its database and replies with a success or failure message. When a device wants to know which devices provide a specific program, it queries SD with a lookup request containing the program name. On receiving a lookup request, SD searches for the program name in its database and replies with the information of the host devices that have registered the program.

3.2 Admin (AD) Subsystem
AD receives configuration information from the system administrator and sends registration requests to SD to register the programs it provides, together with the corresponding host device information.

3.3 User Interface (UI) Subsystem
A user issues a command or a script of commands to UI, which parses and interprets it. When a program specified by the user is absent from the local device, UI sends a lookup request to SD to obtain the information of the host device that has registered the program. After obtaining the information of all host devices having the required programs, UI marshals the command into a standardized format in which each program name is concatenated with the network address of its host device and each file path is concatenated with the network address of the file's storage. The purpose of marshalling is to provide sufficient information about where each program or file is located for the subsequent processing of the command. UI then sends the marshalled command to CD. UI usually resides on a mobile device and SD on a centralized server; when a mobile device moves to a new environment, its UI finds an SD by broadcasting on the local network.

3.4 Pipe-I/O-Exec (PIE) Subsystem
Execution of a marshalled command is basically a sequence of interactions between CD and PIE: CD parses the marshalled command and asks PIE to perform the corresponding work. This subsection describes the services provided by PIE, and the next section describes how CD requests PIE to handle a marshalled command. As the name indicates, PIE is responsible for three types of service: remote pipe, remote I/O redirection, and remote execution.
Fig. 3. Constructing (a) the remote pipe and (b) the remote I/O redirection.

The remote pipe request constructs a virtual pipe from the standard output of a process to the standard input of a remote process through the network. It is realized with the assistance of two extra processes. Fig. 3(a) depicts how a remote pipe is constructed. Suppose we want to construct a remote pipe from process PA on device A to process PB on device B. First, we create two assistant processes, APA on A and APB on B. Second, we create a regular UNIX pipe from PA to APA and another from APB to PB. Next, we establish a socket connection between APA and APB. Finally, we redirect the standard output of APA into the socket and the data arriving from the socket into the standard input of APB. In this way we have created a remote pipe from PA to PB, in which the data actually flows from PA to APA via one regular UNIX pipe, from APA to APB via the socket connection, and finally from APB to PB via the other regular UNIX pipe.
The remote I/O redirection request redirects the standard output of a process to a remote file through the network. Fig. 3(b) depicts how it is constructed. As for the remote pipe, two assistant processes are required, APA on the source device and APB on the destination device. The output of PA is transferred to APA and then to APB via a socket connection; finally the output is saved to the file FB via the regular I/O redirection mechanism.
The remote execution request executes a program on a remote host device. If the program is given a URL indicating the location of its input data, PIE retrieves the file by the URL and stores it as the input data on the executing device.
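The remote pipe and the remote I/O redirection described above, as an added working example in Python; this is not code from the DISHES paper or its authors. It models devices A and B and the PDA inside one process: the assistant processes APA and APB are threads, the regular UNIX pipes are os.pipe() pairs, the network socket is a loopback TCP connection, and grep and sort are replaced by two small Python scripts run as real child processes (PA and PB) so that the demo is portable. The clients list is a constructed sample embedded in place of the fetch from the URL (the file name clients_list, with an underscore, is an assumption). The paper describes no authentication or encryption on the socket between the assistants, and none is added here; a deployment would have to put both on that connection, since whatever arrives on it is fed straight into PB's standard input or the target file.

```python
import os
import socket
import subprocess
import sys
import tempfile
import threading

# Constructed stand-in for the clients list that the scenario fetches from
# http://mycompany.com/clients_list (assumed file name); embedded so the demo
# runs offline. Fields: name, free time, city.
CLIENTS_LIST = b"""Alice 14:00 Chicago
Bob 09:30 Boston
Carol 09:00 Chicago
Dave 11:15 Chicago
"""

# The programs offered by the ambient computers. Real DISHES would run grep and
# sort; here PA and PB are tiny Python scripts so the demo is portable.
GREP_CHICAGO = "import sys; sys.stdout.writelines(l for l in sys.stdin if 'Chicago' in l)"
SORT_K2 = ("import sys; ls = sys.stdin.readlines(); ls.sort(key=lambda l: l.split()[1]); "
           "sys.stdout.writelines(ls)")


def write_all(fd, data):
    """os.write may be partial on a pipe; keep writing until everything is out."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def remote_link(src_fd, dst_fd):
    """Build the relay of Fig. 3: an assistant on the source device reads src_fd
    (the regular pipe from PA) and sends the bytes over a TCP connection; an
    assistant on the destination device receives them and writes dst_fd (the
    regular pipe into PB, or the target file for an I/O redirection).
    The two assistants are threads here instead of separate processes."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # loopback stands in for the real network
    listener.listen(1)
    port = listener.getsockname()[1]

    def assistant_src():                 # APA: stdin <- pipe, stdout -> socket
        with socket.create_connection(("127.0.0.1", port)) as s:
            while chunk := os.read(src_fd, 65536):
                s.sendall(chunk)
        os.close(src_fd)                 # closing the socket signals EOF to APB

    def assistant_dst():                 # APB: stdin <- socket, stdout -> pipe/file
        conn, _ = listener.accept()
        listener.close()
        with conn:
            while chunk := conn.recv(65536):
                write_all(dst_fd, chunk)
        os.close(dst_fd)                 # EOF for PB, or the file is complete

    threads = [threading.Thread(target=assistant_dst), threading.Thread(target=assistant_src)]
    for t in threads:
        t.start()
    return threads


def run_scenario(clients_list, outfile):
    """grep Chicago <data> | sort -k 2,2 > outfile, with grep on 'device A',
    sort on 'device B' and the file on the PDA, joined by two remote links."""
    # Device A: PA = grep; its stdout is a regular UNIX pipe read by APA.
    a_r, a_w = os.pipe()
    pa = subprocess.Popen([sys.executable, "-c", GREP_CHICAGO],
                          stdin=subprocess.PIPE, stdout=a_w)
    os.close(a_w)
    # Device B: PB = sort; stdin from a regular pipe written by APB, stdout into
    # another regular pipe that feeds the I/O-redirection relay.
    b_r, b_w = os.pipe()
    c_r, c_w = os.pipe()
    pb = subprocess.Popen([sys.executable, "-c", SORT_K2], stdin=b_r, stdout=c_w)
    os.close(b_r)
    os.close(c_w)
    # PDA: the file that receives the redirected output.
    f_fd = os.open(outfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)

    # Every consumer (PB, both relays, the file) is running before PA produces
    # anything, which is why CD executes the programs in reverse order.
    links = remote_link(a_r, b_w) + remote_link(c_r, f_fd)
    pa.stdin.write(clients_list)         # stands in for PIE fetching the URL on A
    pa.stdin.close()
    pa.wait()
    pb.wait()
    for t in links:
        t.join()
    with open(outfile) as f:
        return f.read().splitlines()


def demo():
    """Run the salesperson's command end to end; returns the sorted schedule lines."""
    with tempfile.TemporaryDirectory() as d:
        return run_scenario(CLIENTS_LIST, os.path.join(d, "visit_schedule"))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the block prints the three Chicago clients ordered by free time. Note the closing discipline: the parent closes its copies of each pipe's write end right after handing them to the child, otherwise the reading assistant never sees EOF and the whole pipeline hangs, which is the same reason the paper stresses that the consumer end of a remote pipe must already be executing before the producer writes.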
3.5 Command Dealer (CD) Subsystem
CD processes a marshalled command in three phases, namely the pipe phase, the I/O redirection phase, and the execution phase.

The pipe phase creates the necessary remote pipes. When a pipe token, “|”, is parsed, CD sends a remote pipe request with the addresses of the start device and the end device to PIE, which constructs the remote pipe. If a device has already created an assistant process for a previous pipe, that process can be reused. The two processes connected by the remote pipe are used in the subsequent phases.

The I/O redirection phase creates the necessary remote I/O redirections. When an I/O redirection token, “>”, is found, CD sends a remote I/O redirection request with the addresses of the source device and the destination device and the file name to PIE, which constructs the remote I/O redirection. If a device has already created an assistant process during the pipe phase, that process can be reused; otherwise, a new assistant process is created.

The execution phase performs the remote executions. When a program name is parsed, CD sends a remote execution request with the address of the host device and the parameters of the program to PIE, which executes the program on the remote host device. If the remote host device has already created a process for executing the program, that process is used; otherwise, a new process is created. Programs are executed remotely in the reverse of the order in which they appear in the marshalled command. The reason is that the end process of a remote pipe must be executing the specified program before the start process writes its result to the remote pipe, or the result may be lost.

Fig. 4 is an example that depicts how CD processes the marshalled command

progA@addressA | progB@addressB > FC@addressC

In the pipe phase, CD sends a remote pipe request with addressA and addressB to PIE, and then processes PA and PB are created and connected by a remote pipe. In the I/O redirection phase, since the device at addressB has already created PB in the previous phase, PB is used as the source process whose output is remotely redirected to the file FC on the device at addressC. Note that the assistant processes, regular pipes, regular I/O redirection, and the sockets required for the remote pipe and I/O redirection are omitted here to simplify the figure. In the execution phase, progB is first executed remotely on the device at addressB, and then progA is executed remotely on the device at addressA. After the computation is finished, the data is stored in FC on the device at addressC.
3.6 An Example of the Operation Procedures
Fig. 5(a) illustrates the operation procedures of DISHES for the scenario mentioned in Section 1. The operations occur in the following sequence.
1. The Admin on computer B sends a registration request with sort to the SD on a nearby server.
C.-C. Lai and R.-S. Ko
Fig. 4. The three phases in which CD processes the marshalled command “progA@addressA | progB@addressB > FC@addressC”. Note that in the execution phase, progB is executed before progA.
2. The Admin on computer A sends a registration request with grep to the SD on a nearby server.
3. The UI on the PDA receives the command issued by the salesperson: grep Chicago http://mycompany.com/clients list | sort -k 2,2 > visit schedule
4. The UI on the PDA finds that there is neither grep nor sort on the PDA, and sends lookup requests with grep and sort to the SD on the nearby server.
5. The SD on the nearby server replies with the information of A and B to the UI on the PDA.
6. The UI on the PDA marshals the user command by attaching the addresses of A and B to grep and sort. Suppose the address of A is adr(A), the address of B is adr(B), and the address of the PDA is adr(PDA). The input command is marshalled as grep@adr(A) Chicago http://mycompany.com/clients list | sort@adr(B) -k 2,2 > visit schedule@adr(PDA) Then the marshalled command is sent to the CD on the PDA.
7. In the pipe phase, the CD on the PDA sends a remote pipe request to the PIE on the PDA, which notifies the PIE on A to construct a remote pipe to B.
8. In the I/O redirection phase, the CD on the PDA sends a remote I/O redirection request to the PIE on the PDA, which notifies the PIE on B to construct a remote I/O redirection to the file, visit schedule, on the PDA.
9. In the execution phase, the CD sends a remote execution request with “sort@adr(B) -k 2,2” to the PIE on the PDA, which notifies the PIE on B to execute “sort -k 2,2”. Then the PIE on B starts to execute “sort -k 2,2”.
10. Right after the above operation, the CD sends a remote execution request with “grep@adr(A) Chicago http://mycompany.com/clients list” to the PIE on the PDA, which notifies the PIE on A to execute “grep Chicago http://mycompany.com/clients list”.
DISHES: A Distributed Shell System for Ubiquitous Computing
11. The PIE on A finds that a remote file is specified by “http://mycompany.com/clients list”, sends out an HTTP request to retrieve the file, and stores the file, client list, on A. Then the PIE on A starts to execute “grep Chicago client list”.
After the above operations, A runs “grep Chicago client list” and sends the result to B through the remote pipe constructed in operation 7. Meanwhile, B runs “sort -k 2,2”, which takes the result from A as input. Finally, B sends the sorted information to the file, visit schedule, on the PDA through the remote I/O redirection constructed in operation 8. Fig. 5(b) depicts the relationship between the executed programs, the remote pipe and the remote I/O redirection.
(a) The operation process.
(b) The data flows through remote pipes and remote I/O redirection.
Fig. 5. An operational example of DISHES
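As an added example (not code from the DISHES project), the following Python shows the two parsing steps the text above describes: the marshalling of step 6, where every program and the redirection target get an "@address" suffix, and the Command Dealer's three-phase split of the marshalled command into remote pipe, remote I/O redirection and remote execution requests, the last in reverse program order. The service-discovery replies are a constructed dict standing in for the SD, and the file names are written with underscores (clients_list, visit_schedule) as an assumption; the address strings adr(A), adr(B), adr(PDA) are the paper's.

```python
# Added example, not part of DISHES: marshalling a user command and splitting the
# marshalled command into the three CD phases (pipe, I/O redirection, execution).
import re

OPERATOR_RE = re.compile(r"\s*(\||>)\s*")   # pipe and I/O redirection tokens


def split_segments(command):
    """Split on '|' and '>' while keeping the operator tokens themselves."""
    return [p for p in OPERATOR_RE.split(command.strip()) if p]


def marshal(command, local_programs, sd_table, local_addr):
    """Step 6: attach '@address' to each program (the local device if the program is
    present locally, otherwise the address returned by service discovery) and to the
    redirection target, which is a file on the local device."""
    segs = split_segments(command)
    out = []
    for idx, seg in enumerate(segs):
        if seg in ("|", ">"):
            out.append(seg)
        elif idx > 0 and segs[idx - 1] == ">":
            out.append(f"{seg}@{local_addr}")          # output file stays on the local device
        else:
            prog, *params = seg.split()
            if prog in local_programs:
                addr = local_addr
            elif prog in sd_table:                     # constructed stand-in for the SD reply
                addr = sd_table[prog]
            else:
                raise LookupError(f"no provider found for {prog}")
            out.append(" ".join([f"{prog}@{addr}", *params]))
    return " ".join(out)


def cd_phases(marshalled):
    """The three CD phases for a marshalled command. Returns the remote pipe requests
    (start device, end device), the remote I/O redirection requests (source device,
    destination device, file name) and the execution requests, the last in reverse
    command order because the end of a pipe must be running before its start writes."""
    segs = split_segments(marshalled)
    stages, pipes, redirects = [], [], []
    for idx, seg in enumerate(segs):
        if seg in ("|", ">"):
            continue
        if idx > 0 and segs[idx - 1] == ">":
            fname, _, dest = seg.rpartition("@")
            if not fname or not dest or not stages:
                raise ValueError(f"bad redirection target: {seg!r}")
            redirects.append((stages[-1][1], dest, fname))
            continue
        token, *params = seg.split()
        name, _, addr = token.partition("@")
        if not addr:
            raise ValueError(f"program without address: {token!r}")
        stages.append((name, addr, params))
        if idx > 0 and segs[idx - 1] == "|":
            pipes.append((stages[-2][1], stages[-1][1]))
    return {"pipe": pipes, "redirect": redirects, "exec": list(reversed(stages))}


if __name__ == "__main__":
    # Constructed input: the salesperson's command from the paper's scenario.
    user_cmd = "grep Chicago http://mycompany.com/clients_list | sort -k 2,2 > visit_schedule"
    m = marshal(user_cmd, set(), {"grep": "adr(A)", "sort": "adr(B)"}, "adr(PDA)")
    print(m)
    for phase, reqs in cd_phases(m).items():
        print(phase, reqs)
```

Running the block prints the marshalled command from step 6 and then one pipe request (adr(A) to adr(B)), one redirection request (adr(B) to the file on adr(PDA)) and the execution requests with sort listed before grep, matching the order in Fig. 4 and steps 7 to 10.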
4 Conclusion and Future Work
The ubiquitous computing environment brings mobile users new computing experiences. Mobile users can be served by various types of ambient devices, while mobile devices play the role of bridges between mobile users and pervasive computers. Thus, new middleware for mobile devices to connect mobile users with the pervasive computers is necessary. To meet this need, this paper proposes the design of a distributed shell system, DISHES. DISHES provides remote pipes, remote I/O redirection, remote execution, remote file retrieval and automatic program service discovery. With these functionalities and the pervasiveness of computers, a mobile device can easily find and use the programs provided by nearby devices to process data on the network, and the computation results can be retrieved or stored at a specified location. With this approach, the hardware and software functions of mobile devices may be kept as simple as possible, which reduces volume, weight, and cost and thus boosts people's mobility. Besides, a complicated task can be performed by gluing together several primitive programs, so software development costs may be reduced. However, service discovery in the current design is simple. It does not consider issues such as semantic matching, load balancing, or performance optimization. In the future, we will investigate and study more sophisticated service discovery designs. DISHES is an open-source software project [9]. The development process follows the lightweight CMMI. At the time of writing this paper, the project is at the design stage. The implementation is expected to be completed in October 2009 and to be released under the GNU General Public License 2.0 (GPLv2).
Acknowledgement. Thanks to all other members of the DISHES project, Chia-Kuan Yen, Po-Liang Lin, Kai-Wen Shih, and Shan Kuan, for contributing their ideas and effort. Special thanks also to the National Science Council and Academia Sinica for supporting this project.
References
1. Weiser, M.: The Computer for the Twenty-First Century. Scientific American, 94–104 (September 1991)
2. OpenSSH information, http://www.openssh.com/
3. Barak, A., Wheeler, R.: MOSIX: An integrated multiprocessor UNIX. In: USENIX Technical Conference Proceedings (1989)
4. Truong, M., Harwood, A.: Distributed shell over peer-to-peer networks. In: Proceedings of the International Conference on Parallel and Distributed Processing Techniques and Applications, Las Vegas, NV, pp. 269–275 (2003)
5. Ko, R.S., Lai, C.C., Yen, C.K., Mutka, M.W.: Component-based ad hoc systems for ubiquitous computing. International Journal of Pervasive Computing and Communications 4(4) (2008)
6. Web Services Description Language (WSDL) 1.1 (2001), http://www.w3.org/TR/wsdl
7. Martin, D., Paolucci, M., Mcilraith, S., Burstein, M., Mcdermott, D., Mcguinness, D., Parsia, B., Payne, T., Sabou, M., Solanki, M., Srinivasan, N., Sycara, K.: Bringing Semantics to Web Services: The OWL-S Approach, pp. 26–42. Springer, Heidelberg (2004)
8. Mokhtar, S., Georgantas, N., Issarny, V.: COCOA: Conversation-Based Service Composition for Pervasive Computing Environments. In: International Conference on Pervasive Services, pp. 29–38 (2006)
9. OpenFoundry project, DISHES, http://of.openfoundry.org/projects/1052
Error Control Scheme of Hybrid ARQ Based on Majority Voting Bit by Bit

Hsin-Kun Lai, Chia-Chin Ma, and Erl-Huei Lu

Chin Min Institute of Technology, Chang Gung University, Chang Gung University
No. 110, Syuefu Rd., Toufen Township, Miaoli County, Taiwan 351, R.O.C.
259 Wen-Hwa 1st Road, Kwei-Shan, Tao-Yuan, Taiwan 333, R.O.C.
[email protected], [email protected], [email protected]
Abstract. A hybrid ARQ scheme based on the concept of majority voting for binary linear block codes over the AWGN channel is presented. At each transmission, the received word is kept in a memory buffer. After a number of receptions, the decoding process first determines each bit as 1 or 0 based on the majority of the corresponding bits in the received words. The word resulting from voting is then decoded by an algebraic decoder to give the output code word. Simulation results show that the proposed hybrid ARQ scheme outperforms the ARQ scheme in both error-correcting performance and throughput efficiency, particularly under low SNR. Additionally, a criterion that measures throughput and coding gain together is proposed for the overall evaluation of hybrid ARQ schemes against the ARQ scheme.

Keywords: hybrid ARQ, throughput, majority voting.
1 Introduction

In principle, error control schemes are classified into automatic repeat request (ARQ) and forward error correction (FEC) [1]. Each has its own advantages and disadvantages. Therefore, combining the ARQ scheme with the FEC scheme results in the so-called hybrid ARQ scheme. Compared to the ARQ scheme, a hybrid ARQ scheme gives up a little error-correcting performance to bring throughput efficiency as close to that of the FEC scheme as possible. Basically, there are two major principles for improving throughput efficiency. The best way is to find a threshold that discriminates with very high probability whether the received word is in error, and so determines whether retransmission is required. However, such a threshold is hard to find: a stringent threshold always results in an inefficient system, while a loose threshold reduces the error-correcting performance. The other way of improving throughput is to collect useful information at each transmission so that retransmission can be stopped early. Thus, many proposed hybrid ARQ algorithms utilize the accumulation of SNR [2,3,4] or incremental parity bits at each retransmission [5]. Some algorithms are based on adaptive code rates [6,7], on a time-out technique with a threshold on path metrics [8], and on cascaded encoding [9] to improve throughput efficiency. Other algorithms are based on criteria such as decoding failure interpreted as a retransmission [10], lack of orthogonal check sums [11], or bits with low reliabilities that fail to converge during the iterations [12]. More algorithms exploit the unique structures of particular codes such as low-density parity-check (LDPC) codes [13], generalized burst-trapping codes [14], zigzag codes [15], and KM codes [16]. This paper proposes another hybrid ARQ scheme, different from those described above, which is presented in more detail in the subsequent sections.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 563–569, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 The Proposed Hybrid ARQ Scheme

For convenience, the acronym MVHARQ is used for the proposed majority voting hybrid ARQ scheme. Suppose that a code C(n, k, dmin) is used for error correction, where n denotes the code word length, k the message length, and dmin the minimum distance between code words. Consider a code word X = [x1 x2 … xn] transmitted with BPSK modulation over an additive white Gaussian noise (AWGN) channel, and let Y = X + AWGN = [y1 y2 … yn] denote the received signal. By the hard decision (1), the received word is R = [r1 r2 … rn].

$$ r_i = HD(y_i) = \begin{cases} 0, & y_i \le 0 \\ 1, & y_i > 0 \end{cases} \qquad (1) $$
The MVHARQ scheme operates as follows.

Step 1. Check whether any error occurred by computing R mod G over GF(2), where G is the generator polynomial.
Step 2. If the syndrome is zero, R is the output code word. If not, ask for retransmission, with a threshold η set as an upper bound on the number of transmissions.
Step 3. Keep the received word of each transmission in a memory buffer. When the number of transmissions reaches the threshold η, retransmission stops.
Step 4. Decode by majority. Assume that the following words were received, where rij denotes the jth bit of the ith received word and RM denotes the word resulting from majority voting.
R1 = [r11 r12 … r1n]
R2 = [r21 r22 … r2n]
...
Rη = [rη1 rη2 … rηn]
RM = [rM1 rM2 … rMn], where rMj = maj(r1j, r2j, …, rηj)
Step 5. Decode RM by hard decision decoding (HDD): CM = HDD(RM).

Example: For simplicity, suppose that BCH(15,7,5) is used, the retransmission threshold η is 7, and the following words are received.
R1 = [1 1 0 1 1 1 0 1 0 1 1 0 0 1 0]
R2 = [1 1 0 1 0 1 0 1 0 1 1 0 0 0 0]
R3 = [1 1 0 0 1 0 0 1 0 1 0 1 1 1 1]
R4 = [0 1 0 1 1 1 0 1 0 1 1 1 1 0 1]
R5 = [1 0 1 1 1 0 0 1 1 1 0 1 0 1 0]
R6 = [1 1 0 0 1 1 1 0 0 1 1 1 1 0 1]
R7 = [1 0 1 1 0 1 0 1 0 0 1 0 1 1 0]
Then the word resulting from majority voting is
RM = [1 1 0 1 1 1 0 1 0 1 1 1 1 1 0]
RM is then decoded by a hard decision algebraic decoder, and the decoded code word CM is as follows.
CM = HDD(RM) = [0 1 1 0 0 0 1 1 0 1 1 1 1 1 0]
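The following Python is an added example, not the authors' simulation code, that runs Steps 1 to 5 of MVHARQ on BCH(15,7,5) with the seven received words of the example above, and also evaluates the throughput of equation (2) in Section 3 from the number of transmissions used. It assumes the standard narrow-sense BCH(15,7,5) generator polynomial g(x) = x^8 + x^7 + x^6 + x^4 + 1 and the bit-order convention that bit i of a word is the coefficient of x^i. The hard-decision decoder of Step 5 is implemented as an exhaustive nearest-codeword search over the 128 codewords, a stand-in for the algebraic decoder the paper uses (it corrects any pattern of up to two errors, as the algebraic decoder does); the tie rule for an even η is an assumption, since the paper only uses odd η.

```python
# Added example, not from the paper: MVHARQ steps 1-5 on BCH(15,7,5) with the seven
# received words of the paper's example. Bit i of a word is the coefficient of x^i.
from itertools import product

N, K = 15, 7
# Generator polynomial of the narrow-sense BCH(15,7,5) code, g(x) = x^8 + x^7 + x^6 + x^4 + 1,
# stored as coefficients indexed by degree (assumed standard choice).
G = [1, 0, 0, 0, 1, 0, 1, 1, 1]

# The seven received words R1..R7 from the paper's example (eta = 7).
PAGE_WORDS = [
    [1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0],
    [1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0],
    [1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1],
    [0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0],
    [1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0],
]


def hard_decision(y):
    """Eq. (1): r_i = 0 if y_i <= 0, else 1."""
    return [0 if yi <= 0 else 1 for yi in y]


def poly_mod(bits, g):
    """Remainder of bits(x) divided by g(x) over GF(2) (long division from the top degree)."""
    r = list(bits)
    dg = len(g) - 1
    for i in range(len(r) - 1, dg - 1, -1):
        if r[i]:
            for j in range(dg + 1):
                r[i - dg + j] ^= g[j]
    return r[:dg]


def syndrome_is_zero(word):
    """Step 1: R mod G over GF(2); a zero remainder means no error was detected."""
    return not any(poly_mod(word, G))


def encode(message):
    """c(x) = m(x) g(x); used here only to enumerate the 2^k codewords."""
    c = [0] * N
    for i, m in enumerate(message):
        if m:
            for j, gj in enumerate(G):
                c[i + j] ^= gj
    return c


CODEBOOK = [encode(m) for m in product([0, 1], repeat=K)]


def majority_vote(words):
    """Step 4: r_Mj = maj(r_1j, ..., r_eta_j); for an even eta a tie is resolved to 0 (assumption)."""
    eta = len(words)
    return [1 if 2 * sum(w[j] for w in words) > eta else 0 for j in range(N)]


def hdd(word):
    """Step 5: hard-decision decoding, done as an exhaustive nearest-codeword search over the
    128 codewords (a stand-in for the paper's algebraic decoder; exact for up to 2 errors)."""
    return min(CODEBOOK, key=lambda c: sum(a != b for a, b in zip(c, word)))


def mvharq_receive(received_words, eta):
    """Steps 1-5 over successive receptions. Returns (transmissions used, output codeword)."""
    buffer = []
    for r in received_words[:eta]:
        buffer.append(list(r))                 # step 3: keep every received word
        if syndrome_is_zero(r):                # step 2: the first error-free word is the output
            return len(buffer), list(r)
    return len(buffer), hdd(majority_vote(buffer))   # steps 4-5 once the threshold is reached


def throughput(transmissions):
    """Eq. (2): 1 / (1 + number of retransmissions)."""
    return 1.0 / (1 + (transmissions - 1))


if __name__ == "__main__":
    used, cm = mvharq_receive(PAGE_WORDS, 7)
    print("RM =", majority_vote(PAGE_WORDS))
    print("transmissions =", used, "CM =", cm, "throughput =", round(throughput(used), 3))
```

None of the seven example words has a zero syndrome, so the loop runs to the threshold and the majority word RM is the one the paper lists; whichever codeword the nearest-codeword search then returns has a zero syndrome, which is the check a receiver would apply to its own decoder output.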
3 Simulation Results

The notation HARQxx in the simulation results represents the performance of conventional hybrid ARQ schemes, where the first digit after HARQ denotes the number of errors the scheme can detect and the second the number of errors it can correct. For instance, based on Golay(23,12,7), the conventional ARQ scheme is equivalent to HARQ60, which detects 6 errors and corrects none. In addition, the number between V and H in the notation MVxHARQ denotes the number of votes, in other words the maximum number of transmissions. Referring to Figure 1, the proposed MVHARQ schemes outperform the HARQ60 scheme in error-correcting performance by around 0.5 dB of coding gain at block error rate (BER) 10^-5 based on the perfect code Golay(23,12,7). For a non-perfect code such as BCH(15,7,5), the proposed MVHARQ schemes still work effectively; as shown in Figure 2, the coding gain is improved by around 0.3 dB at BER 10^-3. Furthermore, the throughput efficiency of the proposed MVHARQ is defined as (2), the inverse of 1 plus the number of retransmissions.

[Figure 1: Block Error Rate (10^0 down to 10^-7) versus Eb/No (dB) from -2 to 4; curves HARQ42, HARQ51, HARQ60, MV7HARQ, MV9HARQ.]

Fig. 1. Simulation of error-correcting performance based on selective repeat ARQ using the Golay(23,12,7) code, where HARQxx in red are conventional schemes and MVxHARQ in blue are the proposed schemes with threshold x
[Figure 2: Block Error Rate (10^0 down to 10^-5) versus Eb/No (dB) from -2 to 4; curves HARQ31, HARQ40, MV7HARQ, MV9HARQ.]

Fig. 2. Simulation of error-correcting performance based on selective repeat ARQ using the BCH(15,7,5) code, where HARQs in red are conventional schemes and MVxHARQ in blue are the proposed schemes with threshold x
$$ \text{Throughput (\%)} = \frac{1}{1 + \#\,\text{retransmissions}} \qquad (2) $$

In the case of the FEC scheme, there is no retransmission and the throughput becomes

$$ \text{Throughput (\%)} = \frac{1}{1 + 0} = 100\% \qquad (3) $$
As illustrated in Figure 3 and Figure 4, the throughput efficiency of the proposed MVHARQ is improved with respect to that of the HARQ60 and HARQ40 schemes, based on Golay(23,12,7) and on BCH(15,7,5) respectively.
[Figure 3: Throughput Efficiency (0 to 0.8) versus Eb/No (dB) from -2 to 4; curves HARQ42, HARQ51, HARQ60, MV7HARQ, MV9HARQ.]

Fig. 3. Simulation of throughput efficiency based on selective repeat ARQ using the Golay(23,12,7) code, where all curves are normalized to that of the FEC scheme and correspond to the associated curves in Fig. 1
[Figure 4: Throughput Efficiency (0 to 0.7) versus Eb/No (dB) from -2 to 4; curves HARQ31, HARQ40, MV7HARQ, MV9HARQ.]

Fig. 4. Simulation of throughput efficiency based on selective repeat ARQ using the BCH(15,7,5) code, where all curves are normalized to that of the FEC scheme and correspond to the associated curves in Fig. 2
4 Overall Evaluation for Hybrid ARQ

Normally, a hybrid ARQ scheme with higher throughput efficiency has lower error-correcting performance, whereas demanding error-correcting performance degrades the throughput. Therefore, some hybrid ARQ schemes outperform others in error-correcting performance while others exceed them in throughput efficiency, and there is no standard for judging which scheme is better as a whole. Taking both error correction and throughput efficiency into account, we define equation (4) to evaluate the overall performance of a hybrid ARQ scheme, and term it the hybrid coding gain (HCG) relative to the ARQ scheme.

$$ HCG = \frac{CG_{vsARQ}}{1 - Throughput_{vsARQ}} \qquad (4) $$
In (4), CGvsARQ is defined as the coding gain (CG) with respect to that of the ARQ scheme at a specific BER, and ThroughputvsARQ is the throughput improvement with respect to that of ARQ at the Eb/No where the curve of MVxHARQ intersects the line of the specific BER. Put another way, Figure 5 defines the HCG pictorially. Taking the proposed MV7HARQ using Golay(23,12,7) as shown in Figure 1 as an example, CGvsARQ at BER = 10^-5 is about 3.5 dB − 3 dB = 0.5 dB. Referring to Figure 2, ThroughputvsARQ of MV7HARQ is around 22% − 9% = 13%. Hence, the HCG of MV7HARQ is

$$ \frac{0.5\ \text{dB}}{1 - 13\%} \approx 0.57\ \text{dB}. $$

Likewise, the HCG using the BCH code is around

$$ \frac{0\ \text{dB}}{1 - 1\%} \approx 0\ \text{dB} $$

at BER = 10^-5. Measured by HCG, it follows that using Golay(23,12,7) yields more benefit than using BCH(15,7,5) in the proposed hybrid ARQ scheme. Decoding complexity aside, HCG is a useful benchmark for evaluating a system's performance as a whole.
[Figure 5: two panels, BER versus Eb/No with the ARQ and HARQ curves and the horizontal offset CGvsARQ marked, and Throughput Efficiency versus Eb/No with the vertical offset ThroughputvsARQ marked.]

Fig. 5. Definition of CGvsARQ & ThroughputvsARQ
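As an added example (not the authors' code), the Python below reads the two quantities of Fig. 5 off BER and throughput curves and evaluates equation (4): the Eb/No at which each BER curve crosses the target BER is found by interpolating linearly in log10(BER), the coding gain is the difference of those two Eb/No values, and the throughput improvement is read at the Eb/No where the MVxHARQ curve reaches the target. The curve points are constructed, not the paper's simulation data; they are shaped so that the crossings fall at 3.5 dB and 3.0 dB and the throughputs at 3.0 dB are 9% and 22%, which reproduces the worked MV7HARQ numbers above.

```python
# Added example, not from the paper: computing the hybrid coding gain (HCG) of eq. (4)
# from BER and throughput curves, as Fig. 5 defines it.
import math

# Constructed (Eb/No in dB, value) curves, not the paper's simulation results.
BER_ARQ = [(3.0, 1e-4), (3.5, 1e-5), (4.0, 1e-6)]
BER_MV7 = [(2.5, 1e-4), (3.0, 1e-5), (3.5, 1e-6)]
THR_ARQ = [(2.5, 0.05), (3.0, 0.09), (3.5, 0.14)]
THR_MV7 = [(2.5, 0.15), (3.0, 0.22), (3.5, 0.30)]


def ebno_at_ber(curve, target):
    """Eb/No where a monotonically falling BER curve crosses `target`,
    interpolating linearly in log10(BER) between the sampled points."""
    lt = math.log10(target)
    for (x0, y0), (x1, y1) in zip(curve, curve[1:]):
        l0, l1 = math.log10(y0), math.log10(y1)
        if l1 <= lt <= l0:
            return x0 + (lt - l0) * (x1 - x0) / (l1 - l0)
    raise ValueError("target BER is not reached on this curve")


def value_at(curve, x):
    """Linear interpolation of an (Eb/No, value) curve at Eb/No = x."""
    for (x0, y0), (x1, y1) in zip(curve, curve[1:]):
        if x0 <= x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    raise ValueError("Eb/No outside the sampled range")


def hybrid_coding_gain(ber_arq, ber_harq, thr_arq, thr_harq, target_ber):
    """Eq. (4): HCG = CG_vsARQ / (1 - Throughput_vsARQ). CG_vsARQ is the Eb/No difference
    between the ARQ and HARQ curves at target_ber; Throughput_vsARQ is the throughput
    difference at the Eb/No where the HARQ curve reaches target_ber.
    Returns (CG_vsARQ in dB, Throughput_vsARQ as a fraction, HCG in dB)."""
    x_arq = ebno_at_ber(ber_arq, target_ber)
    x_harq = ebno_at_ber(ber_harq, target_ber)
    cg = x_arq - x_harq
    dthr = value_at(thr_harq, x_harq) - value_at(thr_arq, x_harq)
    return cg, dthr, cg / (1.0 - dthr)


if __name__ == "__main__":
    cg, dthr, hcg = hybrid_coding_gain(BER_ARQ, BER_MV7, THR_ARQ, THR_MV7, 1e-5)
    print(f"CG_vsARQ = {cg:.2f} dB, Throughput_vsARQ = {dthr:.0%}, HCG = {hcg:.2f} dB")
```

With the constructed curves the block reports CG_vsARQ = 0.50 dB, Throughput_vsARQ = 13% and HCG ≈ 0.57 dB, the same figures as the worked example; swapping in real simulation output only requires replacing the four curve lists.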
5 Conclusion

As demonstrated in the simulation results, the proposed MVHARQ schemes exceed the ARQ scheme in both error-correcting performance and throughput efficiency, particularly at negative Eb/No. These gains come at a cost. In terms of space complexity, the proposed MVHARQ scheme requires memory buffers to keep the received word of each transmission, unlike the ARQ scheme. Additionally, a hardware unit is necessary to find the majority of the received words bit by bit, so time complexity increases in finding the majority bits. Finally, an HDD is also inevitable to determine the output code word. Setting aside decoding complexity, the proposed MVHARQ scheme outperforms the conventional ARQ scheme by the HCG standard. The HCG can also be used to evaluate hybrid ARQ schemes of different kinds and to determine which kind of system is desirable, regardless of decoding complexity.
References
1. Lin, S., Costello Jr., D.J.: Error Control Coding. Prentice Hall, New Jersey (2004)
2. Holland, I.D., Zepernick, H.-J., Caldera, M.: Soft Combining for Hybrid ARQ. Elec. Lett. 41 (2005)
3. Zepernick, H.-J., Rohani, B., Caldera, M.: Soft-Combining Technique for LUEP Codes. Elec. Lett. 38 (2002)
4. Lai, H.-K., Lu, E.-H.: Hybrid ARQ Based on Accumulated Reliabilities and Error Hamming Weights. In: ICICIC 2008 (2008)
5. Mandelbaum, D.M.: An Adaptive-Feedback Coding Scheme Using Incremental Redundancy. IEEE Trans. Inf. Theory (1974)
6. Deng, R.H., Lin, M.L.: A type I hybrid ARQ System with Adaptive Code Rates. IEEE Trans. Comm. 43, 733–737 (1995)
7. Pursely, M.B., Standberg, S.D.: Variable-Rate Hybrid ARQ for Meteor-Burst Communications. IEEE Trans. Comm. 40, 60–73 (1992)
8. Druukrev, A., Costello Jr., D.J.: Hybrid ARQ Error Control Using Sequential Decoding. IEEE Trans. Inf. Theory IT-29, 521–535 (1983)
9. Kousa, M.A., Rahman, M.: An Adaptive Error Control System Using Hybrid ARQ Schemes. IEEE Trans. Comm. 39, 1049–1057 (1991)
10. Rice, M.: Application of Generalized Minimum Distance Decoding to Hybrid-ARQ Error Control. IEEE Trans. Comm. 42, 640–647 (1994)
11. Rice, M.D., Wicker, S.B.: Majority Logic Decoding in Type-I Hybrid-ARQ Protocols. IEEE, Los Alamitos (1990)
12. Shea, J.M.: Reliability-Based Hybrid ARQ. Elec. Lett. 38, 644–645 (2002)
13. Inaba, Y., Saito, T., Ohtsuki, T.: Reliability-Based Hybrid ARQ (RB-HARQ) Schemes Using Low-Density Parity-Check (LDPC) Codes. IEICE Trans. Comm. E89-B, 1170–1177 (2006)
14. Sastry, A.R.K., Kanal, L.N.: Hybrid Error Control Using Retransmission and Generalized Burst-Trapping Codes. IEEE Trans. Comm. COM-24, 385–393 (1976)
15. Chan, K.S., Ping, L., Chan, S.: Adaptive Type II Hybrid ARQ Scheme Using Zigzag Code. Elec. Lett. 35, 2102–2104 (1999)
16. Krishna, H., Morgera, S.D.: A new error control scheme for hybrid ARQ systems. IEEE Trans. Comm. 35, 981–990 (1987)
Secure Error-Correction Network Coding in a Randomized Setting

Yejun Zhou, Hui Li, and Jianfeng Ma

Key Lab of CNIS, Ministry of Education, Xidian University
Xi’an, Shaanxi 710071, China
{yjzhou,lihui,jfma}@mail.xidian.edu.cn
Abstract. Using a metric on the space of all subspaces of a fixed vector space, a secure error-correcting network coding scheme is proposed. Firstly, we show that errors of limited dimension can be corrected using the minimum distance decoder for this metric. Secondly, when the number of channels the adversary can eavesdrop on is limited (two types of adversaries are considered), he can’t get any information about the source. Finally, when the source and the destination share a low-rate secret channel and a pseudo-random number generator, we present a coding scheme that prevents eavesdropping adversaries who can eavesdrop on all the channels of a network.
1 Introduction

The concept of network coding was first introduced by Ahlswede et al. [1]. They showed that multicast rates could be increased by allowing network coding instead of just routing. Shortly afterwards, Li, Yeung and Cai [12] showed that it is sufficient for the encoding functions at the interior nodes to be linear. Ho et al. [6] proposed a random coding scheme. It has been shown that random network coding does almost as well with high probability [8]. In reality, network transmission may suffer from two kinds of adversaries: contamination and eavesdropping. Here contamination refers to distortion of the transmission, such as random errors, link failures, traffic congestion and malicious modifications. Network coding has been studied to conquer these two kinds of adversaries. Cai and Yeung [3] considered the problem of using network coding to achieve perfect information security against an eavesdropper who can eavesdrop on a limited number of network links, and presented the construction of a secure linear network code for this purpose. Bhattad and Narayanan [2] first defined a model for security that is more suitable for practical applications. A more general threat posed by intermediate nodes was considered in [11]. Ho et al. [7] considered the problem of network coding in the presence of a Byzantine attacker. Jaggi et al. [9] also considered the related problem. The concept of network error correction coding, a generalization of classical error correction coding, was first introduced by Cai and Yeung [4], [14], [5]. Zhang [16] introduced the minimum rank for linear network codes, which plays a role similar to that of the minimum distance in decoding classical error-correcting codes. Sun et al. [15] also considered the related problem. Ngai and Yang [13] studied a similar problem and constructed deterministic secure error-correcting network codes. In contrast, Koetter and Kschischang [10] take a more combinatorial approach to the problem. In their context, an appropriate encoding of information is the choice by the transmitter of a suitable vector space, rather than a vector as in classical coding theory. They defined an appropriate metric on subspaces. As the vector space is closed under linear combinations, correct reception is possible. Their approach works for any given field and imposes virtually no constraints on packet size. Our coding scheme is partly motivated by the work of Koetter and Kschischang.

In this paper, we consider these two kinds of adversaries at the same time, that is, the adversary can contaminate the transmission on a subset of channels and at the same time eavesdrop on another subset of channels. We assume that the adversary contaminates the same subset of channels for a long period of time (the inaction assumption) and that the min-cut of the network is large enough to support the transmission, i.e. “rank deficiency” is not considered in this paper. The main contribution of this paper is to propose a network code, called a secure error-correcting network code, under this inaction assumption. The proposed scheme can transmit information to all sink nodes with complete reliability and completely free from the eavesdropping adversary. Based on this algorithm, we further present a coding scheme that prevents an eavesdropping adversary who can eavesdrop on all the channels of a network.

The remainder of this paper is organized as follows. In Section 2, we provide a brief description of the rank metric and the coding scheme under the metric. In Section 3, we provide a formulation of the problem of error control and security against the eavesdropping adversary. A secure network code against the stronger eavesdropper is presented in Section 4. Finally, this paper is concluded in Section 5.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 570–577, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Model and Definitions

In this section, we present the network model considered in this paper and briefly review the coding scheme defined by Koetter and Kschischang [10].

2.1 Network Model

We formulate our problem for the case of a single unicast, i.e., there is a source, Alice, and a destination, Bob, who communicate over a wired or wireless network. There is also an attacker, Calvin, hidden somewhere in the network. He aims to eavesdrop on the transfer of information from Alice to Bob and to inject his own. Generalizations to multicasts and sets of disjoint unicasts in a network are relatively straightforward, so we will not comment further on these. We assume that Alice sends information u of the following form:

$$ u = \begin{pmatrix} u_{01} & u_{02} & \cdots & u_{0n} \\ u_{11} & u_{12} & \cdots & u_{1n} \\ \vdots & \vdots & \ddots & \vdots \\ u_{k-1,1} & u_{k-1,2} & \cdots & u_{k-1,n} \end{pmatrix} = \begin{pmatrix} u_0 \\ u_1 \\ \vdots \\ u_{k-1} \end{pmatrix} \qquad (1) $$

We call $u_i$, i = 0, 1, ..., k − 1, a packet.
2.2 Encoding

Given u, the vector space V is generated as follows. Let $F_q$ be a finite field and $F = F_{q^n}$ be a (finite) extension field of $F_q$. We regard F as a vector space of dimension n over $F_q$. Let $A = \{\alpha_1, \alpha_2, \ldots, \alpha_l\}$ be a set of linearly independent elements in this vector space. These elements span an l-dimensional vector space $A \subseteq F$ over $F_q$. Clearly $l \le n$, and the vector space $W = A \oplus F = \{(\alpha, \beta) : \alpha \in A, \beta \in F\}$ is of dimension l + n over $F_q$. All transmitted and received packets will be vectors of W. Let P(W) denote the set of all subspaces of W. The dimension of an element V ∈ P(W) is denoted dim(V). Denote by P(W, l) the set of all subspaces of W of dimension l. The transmission model is in terms of subspaces of W spanned by the message packets u, as follows. Let $F_k[x]$ denote the set of linearized polynomials over F of associate degree at most k − 1, and let $f(x) \in F_k[x]$, defined as $f(x) = \sum_{i=0}^{k-1} u_i x^{[i]}$, be the linearized polynomial with coefficients corresponding to u. Here $x^{[i]}$ denotes $x^{q^i}$, and the associate degree of $x^{q^i}$ is i. Finally, let $\beta_i = f(\alpha_i)$. Each pair $(\alpha_i, \beta_i)$, i = 1, ..., l, may be regarded as a vector in W. The set $\{(\alpha_1, \beta_1), \ldots, (\alpha_l, \beta_l)\}$ spans an l-dimensional subspace V of W. We denote the map that takes the message polynomial $f(x) \in F_k[x]$ to the linear space V ∈ P(W, l) as $ev_A$. It has been proved in [10] that if $l = |A| \ge k$, the map $ev_A$ is injective and the image of $F_k[x]$ under $ev_A$ is a code with $D(C) \ge 2(l - k + 1)$, where C ⊆ P(W, l) is the set of all vector spaces that may be transmitted in the network and D(C) is defined as follows. The metric on C is defined as

$$ d(A, B) := \dim(A + B) - \dim(A \cap B) \qquad (2) $$

The size of a code C is denoted by |C|. The minimum distance of C is denoted by

$$ D(C) := \min_{X, Y \in C : X \ne Y} d(X, Y) \qquad (3) $$
2.3 Decoding

The network input V and output U are related as U = V ⊕ E, where E ∈ P(W) is an arbitrary error space and ⊕ denotes the direct sum. The dimension of E is called the error norm t(E) of E. The direct sum V ⊕ E is by definition the set {v + e : v ∈ V, e ∈ E}, where we may always assume that E intersects V trivially. Suppose that an (r = l + t)-dimensional subspace U of W is received, where r is the max-flow of the network and dim(U ∩ V) = l. In this situation, we have an error norm of t, and d(U, V) = t.

Lemma 1. Assume we use a code C for transmission. Let V ∈ C be transmitted, and U = V ⊕ E be received, where dim(E) = t. If 2t < D(C), then a minimum distance decoder for C will produce the transmitted space V from the received space U. (Lemma 1 is a particular case of Theorem 2 in [10].)

Proof. For the space V, we have d(V, U) ≤ t. If T ≠ V is any other codeword in C, then D(C) ≤ d(V, T) ≤ d(V, U) + d(U, T), from which it follows that d(U, T) ≥ D(C) − d(V, U) ≥ D(C) − t. Provided that the inequality 2t < D(C) holds, d(U, T) > d(U, V), and hence a minimum distance decoder must produce V.
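As an added example (not the authors' code), the Python below works the subspace metric d(A, B) of equation (2), the code minimum distance D(C) of equation (3) and the minimum distance decoder of Lemma 1 over a toy field. It assumes GF(2) as the base field and GF(2)^6 as the ambient space W, with a vector written as a 6-bit integer and a subspace given by a spanning list; dim(A ∩ B) is obtained as dim A + dim B − dim(A + B), and ranks are computed by elimination on leading bits. The three-subspace code is constructed so that D(C) = 4, which by Lemma 1 lets one injected error vector (t = 1, 2t < 4) be decoded away.

```python
# Added example, not from the paper: the subspace metric of eq. (2), D(C) of eq. (3)
# and the minimum distance decoder of Lemma 1, worked over GF(2)^6 (assumed toy setting).
# A vector of GF(2)^6 is a Python int used as a bitmask; a subspace is a spanning list.

def rank_gf2(vectors):
    """Dimension of the span of `vectors` over GF(2), by elimination on leading bits."""
    pivots = {}                      # leading-bit position -> basis vector with that leading bit
    for v in vectors:
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = v
                break
            v ^= pivots[hb]          # clear the leading bit and keep reducing
    return len(pivots)


def subspace_distance(a, b):
    """d(A, B) = dim(A + B) - dim(A ∩ B), with dim(A ∩ B) = dim A + dim B - dim(A + B)."""
    dim_sum = rank_gf2(list(a) + list(b))
    dim_int = rank_gf2(a) + rank_gf2(b) - dim_sum
    return dim_sum - dim_int


def code_min_distance(code):
    """D(C) = min d(X, Y) over distinct codewords X, Y (eq. (3))."""
    return min(subspace_distance(x, y) for i, x in enumerate(code) for y in code[i + 1:])


def min_distance_decode(code, received):
    """Lemma 1: the codeword nearest to the received space in the metric d."""
    return min(code, key=lambda v: subspace_distance(v, received))


def transmit_with_error(v, error_space):
    """U = V ⊕ E: the receiver collects vectors spanning V plus the injected error vectors."""
    return list(v) + list(error_space)


# Constructed code of three 2-dimensional subspaces of GF(2)^6; e1..e6 are bits 5..0.
E1, E2, E3, E4, E5 = 0b100000, 0b010000, 0b001000, 0b000100, 0b000010
CODE = [
    [E1, E2],             # V1
    [E3, E4],             # V2
    [E1 ^ E3, E2 ^ E4],   # V3
]

if __name__ == "__main__":
    received = transmit_with_error(CODE[0], [E5])   # one injected error vector, t = 1
    print("D(C) =", code_min_distance(CODE))
    print("dim(U) =", rank_gf2(received), " d(U, V1) =", subspace_distance(received, CODE[0]))
    print("decoded to V1:", min_distance_decode(CODE, received) is CODE[0])
```

For the constructed code D(C) = 4, the received space U = V1 ⊕ ⟨e5⟩ has d(U, V1) = 1 while d(U, V2) = d(U, V3) = 5, so the decoder returns V1 exactly as Lemma 1 predicts; raising the number of injected vectors to 2 would violate 2t < D(C) and the guarantee no longer holds.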
Lemma 2. Given the vector space V, the message u can be decoded.

Proof. Let $\{(a'_1, \beta'_1), \ldots, (a'_l, \beta'_l)\}$ be a basis of the vector space V. We have $\beta'_i = f(a'_i)$, i = 1, 2, ..., k, since f(x) is a linearized polynomial. These equations can be rewritten as

$$ (u_0, \ldots, u_{k-1}) \begin{pmatrix} a'_1 & a'_2 & \cdots & a'_k \\ {a'_1}^{q} & {a'_2}^{q} & \cdots & {a'_k}^{q} \\ \vdots & \vdots & \ddots & \vdots \\ {a'_1}^{q^{k-1}} & {a'_2}^{q^{k-1}} & \cdots & {a'_k}^{q^{k-1}} \end{pmatrix} = (\beta'_1, \ldots, \beta'_k) \qquad (4) $$

Bob can decode the message u as follows

$$ u = (u_0, \ldots, u_{k-1}) = (\beta'_1, \ldots, \beta'_k) \begin{pmatrix} a'_1 & a'_2 & \cdots & a'_k \\ {a'_1}^{q} & {a'_2}^{q} & \cdots & {a'_k}^{q} \\ \vdots & \vdots & \ddots & \vdots \\ {a'_1}^{q^{k-1}} & {a'_2}^{q^{k-1}} & \cdots & {a'_k}^{q^{k-1}} \end{pmatrix}^{-1} \qquad (5) $$
3 Network Error Correction and Secure Network Codes

In this section, we show that, using the error correction coding scheme of Section 2, the adversary can’t get any information about the message u when the number of channels he can eavesdrop on is limited. In particular we have Theorem 1 and Theorem 2. Firstly, when the vectors the adversary can eavesdrop on are also corrupted, we have Theorem 1.

Theorem 1. When the number of channels the adversary can eavesdrop on is less than r (the max-flow of the network), he can’t get any information about the source.

Proof. We assume that the eavesdropper gets a space U', and the dimension of U' is r' < r. Because the adversary contaminates the same subset of channels for a long period of time, we have U' = V ⊕ E, where dim(E) = t. In this case, dim(U' ∩ V) < l, so clearly the eavesdropper can’t get the space V from U'. We now prove that the eavesdropper can’t get any information from the space U' he received. As in Section 2.3, the equations $\beta'_i = f(a'_i)$, i = 1, 2, ..., k, can be rewritten as follows

$$ (u_0, \ldots, u_{k-1}) \begin{pmatrix} a'_1 & a'_2 & \cdots & a'_k \\ {a'_1}^{q} & {a'_2}^{q} & \cdots & {a'_k}^{q} \\ \vdots & \vdots & \ddots & \vdots \\ {a'_1}^{q^{k-1}} & {a'_2}^{q^{k-1}} & \cdots & {a'_k}^{q^{k-1}} \end{pmatrix} = (\beta'_1, \ldots, \beta'_k) \qquad (6) $$

As proved above, Calvin can’t get the vector space V, i.e. he can’t get $\{(a'_1, \beta'_1), \ldots, (a'_l, \beta'_l)\}$, so he can’t get any information about u.
Theorem 1 considers the case where the vectors the adversary eavesdrops on are themselves corrupted. Second, if the adversary can eavesdrop on vectors that are not corrupted, we have Theorem 2.

Theorem 2. The adversary cannot get any information about the source when the number of channels he can eavesdrop on is less than k.

Proof. Since the vectors the adversary eavesdrops on are not corrupted, if he can get k linearly independent vectors {(a_1, β_1), ..., (a_k, β_k)}, he can get the message u from the following equation:

\[
u = (u_0, \dots, u_{k-1}) = (\beta_1, \dots, \beta_k)
\begin{pmatrix}
a_1 & a_2 & \cdots & a_k \\
a_1^{q} & a_2^{q} & \cdots & a_k^{q} \\
\vdots & \vdots & \ddots & \vdots \\
a_1^{q^{k-1}} & a_2^{q^{k-1}} & \cdots & a_k^{q^{k-1}}
\end{pmatrix}^{-1} \qquad (7)
\]

On the other hand, if the number of linearly independent vectors he can eavesdrop on is less than k, we may assume without loss of generality that he gets k − 1 linearly independent vectors {(a_1, β_1), ..., (a_{k−1}, β_{k−1})}. He can only construct the following equation:

\[
u = (u_0, \dots, u_{k-1}) = (\beta_1, \dots, \beta_{k-1}, x)
\begin{pmatrix}
a_1 & \cdots & a_{k-1} & y \\
a_1^{q} & \cdots & a_{k-1}^{q} & y^{q} \\
\vdots & \ddots & \vdots & \vdots \\
a_1^{q^{k-1}} & \cdots & a_{k-1}^{q^{k-1}} & y^{q^{k-1}}
\end{pmatrix}^{-1} \qquad (8)
\]

where x and y are unknown parameters. He cannot get any information about u without the parameters x and y.
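The two situations in the proof, eq (7) with k independent pairs and eq (8) with only k − 1, can be checked numerically. The following is an added example, not code from the paper, working over the small field GF(2^4) with q = 2 and m = 4 (the field, the message and the evaluation points are constructed for illustration): it evaluates the linearized polynomial, inverts the Moore matrix of eq (6) by Gaussian elimination, and counts by brute force how many messages remain consistent with k − 1 pairs.

```python
# Added example (not from the paper): linearized-polynomial encoding of
# Theorem 2 over GF(2^4), i.e. q = 2, m = 4. Field, message values and
# evaluation points are constructed for illustration.
import itertools

M_DEG = 4                 # GF(2^4)
MODULUS = 0b10011         # x^4 + x + 1, irreducible over GF(2)
Q = 2
FIELD_SIZE = 1 << M_DEG

def gf_mul(a, b):
    """Multiply two GF(2^4) elements held as 4-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD_SIZE:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    """a^(2^m - 2) = a^-1 for a != 0."""
    return gf_pow(a, FIELD_SIZE - 2)

def lin_poly_eval(u, x):
    """f(x) = sum_i u_i x^{[i]} with x^{[i]} = x^{q^i}; beta_j = f(a_j)."""
    acc = 0
    for i, ui in enumerate(u):
        acc ^= gf_mul(ui, gf_pow(x, Q ** i))
    return acc

def moore_matrix(points, k):
    """Row i, column j holds a_j^{q^i}: the k x k matrix of eq (6)."""
    return [[gf_pow(a, Q ** i) for a in points] for i in range(k)]

def gf_solve(A, b):
    """Gauss-Jordan over GF(2^4) for A x = b; None when A is singular."""
    n = len(A)
    aug = [A[i][:] + [b[i]] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = gf_inv(aug[col][col])
        aug[col] = [gf_mul(inv, v) for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [v ^ gf_mul(f, w) for v, w in zip(aug[r], aug[col])]
    return [row[n] for row in aug]

def recover_message(samples, k):
    """Eq (7): from k pairs (a_j, beta_j) solve u * Moore = beta.
    Returns None when the a_j are F_q-dependent (Moore matrix singular)."""
    if len(samples) < k:
        return None
    pts = [a for a, _ in samples[:k]]
    betas = [b for _, b in samples[:k]]
    moore = moore_matrix(pts, k)
    # u * Moore = beta  <=>  Moore^T * u^T = beta^T
    moore_t = [[moore[i][j] for i in range(k)] for j in range(k)]
    return gf_solve(moore_t, betas)

def consistent_messages(samples, k):
    """Eq (8) situation: every u in GF(2^4)^k agreeing with the observed pairs.
    With k-1 independent pairs the unknown x = f(y) leaves 2^m candidates."""
    return [list(u) for u in itertools.product(range(FIELD_SIZE), repeat=k)
            if all(lin_poly_eval(u, a) == b for a, b in samples)]

def samples_for(u, points):
    """What an eavesdropper on uncorrupted channels sees: (a_j, f(a_j))."""
    return [(a, lin_poly_eval(u, a)) for a in points]
```

With k = 3 and the F_2-independent points 1, 2, 4 the message is recovered uniquely; with only the first two points exactly 2^m = 16 messages fit, one per possible value of the missing x; with the dependent points 1, 2, 3 (3 = 1 + 2) the Moore matrix is singular and eq (7) cannot be applied at all.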
4 Secure Network Code against the Stronger Eavesdropper

In this section, we propose a coding scheme which can prevent an eavesdropping adversary who can eavesdrop on all the channels of a network. In this model, we assume that Alice and Bob share a pseudo-random number generator and a low-rate secret channel. As in Section 2, let u = (u_0, ..., u_{k−1}) ∈ F^k denote a block of message symbols, and let

\[ f(x) = \sum_{i=0}^{k-1} u_i x^{[i]} \in \mathbb{F}[x] \]

be the linearized polynomial with coefficients corresponding to u. The set {(a_1, β_1), ..., (a_l, β_l)} spans an l-dimensional subspace V of W.

4.1 Alice's Encoder

Alice encodes the basis {(a_1, β_1), ..., (a_l, β_l)} of V as follows:

1. She chooses r = l + t random numbers m_1, ..., m_r over the finite field F_q and transmits these numbers to Bob via the secret channel.
Secure Error-Correction Network Coding in a Randomized Setting
575
2. She generates r vectors l_1, ..., l_r with the pseudo-random number generator, using the random numbers m_1, ..., m_r. Each vector is of dimension r. Let L = [l_1, ..., l_r]^T; the matrix L should be nonsingular, and if it is not, she returns to step 1.

3. She selects t vectors {(g_1, h_1), ..., (g_t, h_t)} in the space V. Clearly, {(g_1, h_1), ..., (g_t, h_t)} are linear combinations of {(a_1, β_1), ..., (a_l, β_l)}. Let

\[
M = \begin{pmatrix}
a_1 & \beta_1 \\
\vdots & \vdots \\
a_l & \beta_l \\
g_1 & h_1 \\
\vdots & \vdots \\
g_t & h_t
\end{pmatrix} = (A, B) \qquad (9)
\]

where A consists of the left r = l + t columns of M and B of the remaining columns. Note that M spans the same vector space as {(a_1, β_1), ..., (a_l, β_l)}.

4. She multiplies A by the associated matrix L and gets M′ as follows:

\[ M' = (AL, B) \qquad (10) \]

5. She transmits the vector space V′ = ⟨M′⟩.

4.2 Bob's Decoder

1. He first generates l_1, ..., l_r with the pseudo-random number generator, using the random numbers m_1, ..., m_r received over the secret channel.

2. Let (x_i, y_i), i = 1, ..., r, be a basis for the space U″ = ⟨M″⟩ that Bob received:

\[
M'' = \begin{pmatrix}
x_1 & y_1 \\
\vdots & \vdots \\
x_r & y_r
\end{pmatrix}_{r \times 2m} \qquad (11)
\]

3. He rewrites M″ as M″ = (F, H), where F consists of the left r columns of M″ and H of the remaining columns.

4. He gets M̂ = (FL^{−1}, H).

5. He finds the vector space V from M̂ and then decodes the message u.

Theorem 3. Using the coding scheme designed above, assume V′ = ⟨M′⟩ ∈ C is transmitted and U″ = ⟨M″⟩ = V′ ⊕ E is received, where dim(E) = t. If

\[ 2t < D(C) \qquad (12) \]

then a minimum distance decoder for C will produce the transmitted space V from the received space U″ (V is the vector space generated by the original source message u).
Proof. Alice transmits the vector space V′ = ⟨M′⟩. Assume that the variable T refers to the linear transform from Alice to Bob, while T_{Z→Y} refers to the linear transform from Calvin to Bob. We have

\[
M'' = \begin{pmatrix}
x_1 & y_1 \\
\vdots & \vdots \\
x_r & y_r
\end{pmatrix}
= T(AL, B) \oplus T_{Z \to Y} E
= T(AL, B) \oplus T_{Z \to Y}(E') = \hat{T}(A'L, B') = (F, H) \qquad (13)
\]

Here E is assumed to be constructed as $E = \begin{pmatrix} E_1 \\ E' \end{pmatrix}_{r \times 2m}$, where E_1 consists of l vectors in the error vector space E. Hence $\hat{M} = (FL^{-1}, H) = \hat{T}(A', B') = T(A, B) \oplus E''$, where $E'' = T_{Z \to Y}(E')L^{-1}$ is a transformation of E and dim(E″) = t. Let Û = ⟨M̂⟩; for the space V we have d(V, Û) ≤ t and Û = V ⊕ E″. It follows from our proof of Lemma 1 that a minimum distance decoder must produce V.

Theorem 4. The coding scheme designed above can prevent an eavesdropping adversary who can eavesdrop on all the channels of a network.

Proof. When the eavesdropper wants to decode the message u, as in Section 2, he should first find the vector space V. Unfortunately, the vector space he eavesdropped on is not the space generated by u. He cannot recover the vector space V generated by u, since he does not know the random numbers m_1, ..., m_r. Obviously, he cannot get the message u without the vector space V.
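The encoder of Section 4.1 and the decoder of Section 4.2 can be exercised end to end over F_2. The code below is an added example and not the authors' implementation; it assumes r = 3 (l = 2, t = 1), row vectors of length 2m = 8 over F_2, Python's random module as the shared pseudo-random number generator seeded by the secret numbers m_i, a constructed nonsingular network transfer matrix T_NET, and no error injection (the E and T_{Z→Y} terms of Theorem 3 are omitted). It checks that Bob's M̂ = (FL^{−1}, H) spans V while the space visible on the channel, ⟨M′⟩, does not.

```python
# Added example (not the paper's code): Alice's encoder and Bob's decoder of
# Section 4 over F_2, rows held as Python ints with bit j = column j.
import random

R = 3        # r = l + t rows of M; here l = 2 basis vectors, t = 1 combination
N = 8        # row length 2m over F_2 (m = 4); left R columns are A, the rest B
A_MASK = (1 << R) - 1

def reduce_gf2(v, basis):
    """Reduce v against a pivot-indexed GF(2) basis (dict pivot_bit -> vector)."""
    while v:
        p = v.bit_length() - 1
        if p not in basis:
            return v
        v ^= basis[p]
    return 0

def rank_gf2(rows):
    basis = {}
    for v in rows:
        v = reduce_gf2(v, basis)
        if v:
            basis[v.bit_length() - 1] = v
    return len(basis)

def same_space(rows1, rows2):
    """Row spaces coincide iff pooling the two sets adds no rank."""
    return rank_gf2(rows1) == rank_gf2(rows2) == rank_gf2(rows1 + rows2)

def vec_times_mat(v, mat):
    """Row vector v times a matrix given as row ints: XOR of the selected rows."""
    out = 0
    for j, row in enumerate(mat):
        if v >> j & 1:
            out ^= row
    return out

def mat_times_mat(X, Y):
    return [vec_times_mat(row, Y) for row in X]

def inverse_gf2(mat, n):
    """Gauss-Jordan on [mat | I]; rows of mat^-1, or None if singular."""
    aug = [mat[i] | (1 << (n + i)) for i in range(n)]
    for col in range(n):
        piv = next((i for i in range(col, n) if aug[i] >> col & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(n):
            if i != col and aug[i] >> col & 1:
                aug[i] ^= aug[col]
    return [a >> n for a in aug]

def expand_seeds(m):
    """Step 2: row l_i of L comes from the shared PRNG seeded with m_i (assumed PRNG)."""
    return [random.Random(mi).getrandbits(R) for mi in m]

def alice_keygen(master_seed):
    """Steps 1-2: draw r secret numbers until the expanded L is nonsingular."""
    rng = random.Random(master_seed)
    while True:
        m = [rng.getrandbits(32) for _ in range(R)]
        if inverse_gf2(expand_seeds(m), R) is not None:
            return m

def alice_encode(M, L):
    """Step 4, eq (10): M' = (A L, B), applied row by row."""
    return [vec_times_mat(row & A_MASK, L) | ((row >> R) << R) for row in M]

def bob_decode(received, L):
    """Decoder steps 3-4: M_hat = (F L^-1, H), which spans the same space as M."""
    L_inv = inverse_gf2(L, R)
    return [vec_times_mat(row & A_MASK, L_inv) | ((row >> R) << R) for row in received]

# Constructed V (not from the paper): basis rows (a_1, beta_1), (a_2, beta_2),
# plus their sum as the t = 1 extra row (g_1, h_1) of M, eq (9).
V_BASIS = [0b10110_001, 0b01011_010]
M = V_BASIS + [V_BASIS[0] ^ V_BASIS[1]]
# Constructed network transfer matrix T (unknown to Bob), lower triangular so nonsingular.
T_NET = [0b001, 0b011, 0b111]

def run(master_seed):
    """Return (bob_recovers_V, eavesdropper_sees_V) for one choice of secret numbers."""
    m = alice_keygen(master_seed)
    L = expand_seeds(m)                        # both parties derive L from the m_i
    M_prime = alice_encode(M, L)               # what enters the network
    received = mat_times_mat(T_NET, M_prime)   # Bob receives T * M' (errors omitted)
    M_hat = bob_decode(received, L)
    bob_ok = same_space(M_hat, V_BASIS)
    eve_ok = same_space(received, V_BASIS)     # without L the channel shows only <M'>
    return bob_ok, eve_ok
```

For a fixed, hand-checkable L the same functions show the two sides directly: bob_decode(alice_encode(M, L), L) spans V, while alice_encode(M, L) on its own does not, because its A part has been mixed by L.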
5 Conclusions

In this paper, under the inaction assumption, where the adversary contaminates the same subset of channels for a long period of time, a secure error-correcting network coding scheme is proposed. First, we show that the proposed coding scheme can correct errors up to dimension $\frac{D(C)-1}{2}$, where D(C) is the minimum distance of the vector space C. Using our coding scheme, adversaries who can eavesdrop on a limited number of channels of a network cannot get any information about the source. Second, by using the secret channel, we present an error correction coding scheme which can prevent an eavesdropping adversary who can eavesdrop on all the channels of a network.
Acknowledgment

The work was supported by National Natural Science Foundation of China (No. 60772136, No. 60633020 and No. 60832001), 863 Hi-Tech Research and Development Program of China (No. 2007AA01Z435 and No. 2007AA01Z429), Foundation of Guangxi Key Laboratory of Information and Communication and National 111 program (B08038).
Bayesian Approach Based Comment Spam Defending Tool

Beatrice Cynthia Dhinakaran1, Dhinaharan Nagamalai2, and Jae-Kwang Lee1

1 Department of Computer Engineering, Hannam University, Daejeon, South Korea
2 Wireilla Net Solutions, Chennai, India
Abstract. Spam messes up the user's inbox, consumes network resources and spreads worms and viruses. Spam is the flooding of unsolicited, unwanted e-mail. Spam in blogs is called blog spam or comment spam. It is done by posting comments or flooding spam to services such as blogs, forums, news sites, email archives and guestbooks. Blog spam generally appears on guestbooks or comment pages where spammers fill a comment box with spam words. In addition to wasting users' time with unwanted comments, spam also consumes a lot of bandwidth. In this paper, we propose a software tool to prevent such blog spam using a Bayesian algorithm based technique. It is derived from Bayes' theorem. It gives as output the probability that a comment is spam, given that it has certain words in it. Using our past entries and the comment entry, this value is obtained and compared with a threshold value to find whether it exceeds the threshold or not. Using this concept, we developed a software tool to block comment spam. The experimental results show that the Bayesian based tool works well. This paper presents the major findings and their significance for the blog spam filter.

Keywords: Bayesian Algorithm, spam, comment spam, blog spam.
1 Introduction

The growth of the Internet from a mere local area network to a world-wide network plays an important role in the day-to-day activities of humanity. Especially in the fields of e-business, e-science and e-publications, the third generation of life online is predicted to feature intuitive Artificial Intelligence applications that work swiftly across broadband Internet connections. A Web 3.0 target is to develop AI agents that mine mountains of information on the Internet to provide materials that suit the interests of the people they serve. Internet search has become the first choice for gathering information, which leads to a competition to achieve the top ranks in popular search engines. This trend is widespread on the Internet, from the adult industry to the scientific research community. The web has become a base for billions of dollars worth of business. Apart from the information available in web pages, blogs, forums and email archives have become a source for search engines. These technological innovations in the field of the Internet impact millions of people worldwide.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 578–587, 2009. © Springer-Verlag Berlin Heidelberg 2009
Bayesian Approach Based Comment Spam Defending Tool
579
Email and its by-products have become a common and cheaper mode for business houses and others to reach millions of end users. At the same time, criminals use spam to mount DDoS and man-in-the-middle attacks to cripple network servers and other resources which handle online business. Phishing is a kind of social engineering based attack luring thousands of end users into losing their money and peace. Phishing attacks target online businesses such as banking, the financial sector and others.

Comment spam refers to unsolicited messages, trackbacks or pingbacks posted on a web page, blog, forum or mail archive. These are often irrelevant to the main body of the post. Spammers insert their target URL to attract more traffic to their website or blog. Spammers use comment spam as an agent to list their intended website in search engine result lists. There are a lot of semi- and fully automated tools to handle this spam, but completely eradicating the comment spam attack is cumbersome.

Even though email and comment spam are similar in many ways, there are a lot of differences between the attacks and the defense mechanisms. Comment spam reaches a limited audience based on the traffic of the particular website, blog or forum. The traffic of a particular website or blog post depends on its popularity. An attacker can send millions of spam mails at a time using automated tools such as Phasma Email Spoofer, Bulk Mailer, Aneima, Avalanche, Euthanasia etc. These tools are highly sophisticated and are capable of bypassing the defense methods of anti-spam software. Even though email service providers use a lot of technologies to stop spamming, the spammers are always doing a better job than the anti-spammers. Since comment spam posting is not private like email spam, the content of comment spam reaches end users through search engines. The success of comment spam is visible, since the attacker can see the results immediately.

If the comment spam attack is not successful, the attacker can change the method of attack. This is not possible in email spamming. There are many tools freely available in the market to send email spam. These tools can send spam to many users without manual intervention. Most comment spammers, however, need more manual effort to post comment spam; comment spamming tools are not as sophisticated as email spamming tools. Mail administrators have a lot of tools to identify spam, such as content filters, DNSBL, SURBL, rDNS etc. These kinds of facilities are not available to defend against comment spamming.

The rest of the paper is organized as follows. Section 2 is dedicated to related work, mostly previously proposed methods for blog spam tools based on the Bayesian algorithm. The algorithm of the proposed mechanism and the working principle of the tool are explained in Section 3. In Section 4, the experimental topology and results are explained. The conclusion of this paper is presented in the final section.
2 Related Work

[1] The authors extensively studied the characteristics of spam and the technology used by spammers. In order to counter anti-spam technology, spammers change their mode of operation. These evaluations help us to enhance the existing anti-spam technology and thereby help us to combat spam effectively. They observed that spammers use software tools to send spam with attachments. The main features of this software are hiding the sender's identity, randomly selecting text messages, identifying open relay
580
B.C. Dhinakaran, D. Nagamalai, and J.-K. Lee
machines, mass mailing capability and defining the duration of spamming. Spammers do not use spam software to send spam without attachments. Another important revelation of their study is that relatively old, heavy users' email accounts attract more spam than old, light users' mail accounts. Relatively new email accounts do not attract spam, except for attacks caused by viruses, worms and malware. We believe that this analysis could be useful to develop more efficient anti-spam techniques for spam including blog comment spam.

[2] The authors presented an approach to classify blog link comment spam by comparing the language models used in blogs and in their comment posts. According to their approach, they identified three language models: the language model used in the original blog post and two language models used in the comment post. The comment post's two language models are the language model used in the comment area and the language model used in the page linked by the comment. To compare these language models, the authors used interpolated aggregate smoothing and probabilities calculated using maximum likelihood models and Jelinek-Mercer smoothing. This approach is applied to both the contents of the comment and the linked blog contents. The authors exploited the weakness of spammers trying to create a link between two sites that have no semantic relation. Since spammers enhance their methods quickly, this approach will become less effective.

[3] Blog spam: A Review. The author presented an in-depth analysis of spam in blogs, in particular as seen at the major blog service TypePad. The author used two open source statistical email anti-spam solutions to classify blog comment spam, and the experimental results show that they are effective. Their study reveals that comment spam traffic volume goes down during the weekends.

[4] The authors proposed a filter based on the text of the junk mail and domain-specific features of the problem. In order to design filters, the authors used Bayesian network theory applied to a classification task. By using Bayes' theorem, they were able to make use of probabilistic learning methods in conjunction with a notion of differential misclassification cost. According to the authors, their methodology is well suited for spam filters. Even though their study is very old and not suitable for current trends, they proved that the Bayesian approach is useful for designing spam filters. In olden days, the domain of the email sender provided an additional facility to identify the characteristics of the email, such as there being no spam from .edu domains. This concept is not acceptable these days: the attacker can use any domain by brute force methods to spam end users. The authors used approximately 35 phrases to identify spam emails, such as "FREE!", "only $" etc.
3 Operational Methodology of Comment Spam

In most cases, to post a comment the users are asked to write their name and email address. The blog itself identifies the location of the comment writer by recording the user's IP address. The comment posted by the end users will be displayed immediately in dynamic blogs, forums and discussion boards. In these dynamic blogs, forums and web pages, spammers take the freedom to attack the service by spamming. In contrast, some blogs, forums and news archives ask users to get a login and password by submitting identity proof or some private details. Such a registration process increases the burden on end users. These kinds of static blogs do not
attract much traffic to their comment area due to the reluctance of end users to divulge their identity and other details.

Topix is one of the world's largest community news sites supporting dynamic comment postings from users. Topix gives end users the freedom to kill problematic postings. Topix handles approximately 120,000 comments per day [monitored from 20th to 30th September 2008]. The advantage of Topix is that the postings are displayed immediately without joining the community. Blogherald is similar to Topix in handling dynamic postings and is supported by the WordPress plugin Akismet. Livebooking Network is another dynamic comment post supporting service provider, powered with deletion of comment duplication. WordPress is an anti comment spam service provider, which also works with other blogging systems, giving more bloggers much-needed spam protection. The WordPress plugin Akismet has received more than 7 billion blog spam comments and says that 88% of all comments are spam. Akismet handles approximately 1,902,000 spam comments per day on average [monitored from 20th to 30th September 2008]. LiveJournal is an online journal with an emphasis on user interaction. MySpace is similar to LiveJournal and both are free service providers. Weblog and Vox allow comments from registered users; comments are moderated and will not appear until the administrator has approved them. Google Blogger needs a user name, password and word verification test to post comments. TypePad also requires a login and password to post comments in the comment areas. Twitter, Jaiku, Qik and Facebook are other major spam-vulnerable blog service providers. There are more than a hundred such service providers and millions of end users publishing their stories on blogs.

3.1 Mechanism of the Proposed Comment Spam Tool

To prevent spam on sites which allow commenting, a blog spam filter can be used. This provides reliable protection to blog, forum, mail archive and guestbook owners. It works by detecting spam words in a comment and finding the probability of whether the comment is spam or not. To find the probability of spam, the Bayesian algorithm is used. The incoming comment and earlier comments stored in the database are used to evaluate this formula. To bypass spam filters, spammers use punctuation, capital letters in between small letters and special characters to change the meaning seen by the filters. To avoid this, the words sent by users are counted, and unnecessary words like punctuation and special characters are eliminated. After this elimination process, the entire user comment is stored in the database in lowercase format.

Bayesian spam filtering has become a popular mechanism to distinguish spam from legitimate email. We use the Bayesian algorithm to identify comment spam and designed a software tool to defend against comment spam attacks. Bayes' theorem, in the context of spam, says that the probability that an email is spam, given that it has certain words in it, is equal to the probability of finding those certain words in spam email, times the probability that any email is spam, divided by the probability of finding those words in any email:

Pr(spam | words) = Pr(words | spam) Pr(spam) / Pr(words)    (1)
Here we are going to use (1) for comment spam. Since we use this formula for comments, we have changed it according to our requirements. The probability that a comment is spam, given that it has certain words in it, is equal to the probability of finding those certain words in comment spam, times the probability that any comment is spam, divided by the probability of finding those words in any comment:

Pr(comment spam | words) = Pr(words | comment spam) Pr(comment spam) / Pr(words)

Algorithm of the Software Tool

The following algorithm shows the structure of our blog comment spam blocker methodology.

Step 1: The system asks the user to enter their name and email address. The entered names and email addresses are verified for validity before connecting to the database and web page.
Step 2: The user's IP address should be noted and stored in the database.
Step 3: Unwanted characters like punctuation and special characters should be removed.
Step 4: All words should be converted to lowercase letters.
Step 5: Unnecessary words should be removed and the total number of words counted.
Step 6: Identify the probability of the incoming comment based on the Bayesian algorithm with the help of the data in the database and the user input.
Step 7: The probability of the comment being spam is compared with the threshold value. If the probability value is equal to or greater than the threshold value, the incoming comment is rejected and stored in the database for future use. Otherwise the comment is posted on the web immediately.
Step 8: If the user input is spam, the IP address of the sender is stored in the database.
Step 9: Go to step 1.
Step 10: If there is comment spam from the same IP address a particular number of times, the IP address is blocked for a particular period of time.
Step 11: To avoid flooding of data, the user is barred from sending comments without an interval.

Fig. 1. The Proposed Algorithm
3.2 Working Methodology

We selected the Bayesian algorithm to derive a formula to detect whether a given comment is spam or not. We derived this formula carefully to avoid false positive and false negative comments. A legitimate comment may contain a couple of bad words, but this does not mean that the comment is spam. Also, a spam comment may contain some good words, and this does not mean that the comment is legitimate. Therefore, a probability mechanism is designed to distinguish incoming comments. We derived this formula based on the Bayesian algorithm to block incoming comments from end users. To implement this algorithm, the administrator should store sample spam words in the database. The incoming comment is used along with the existing data in the database.

The first 5 steps mentioned in this algorithm are basic programming techniques, so we are not going to explain them in detail here; we deal directly with the mechanism to identify the spam comment. Our first step is to establish a connection between the database and our comment page. In step 1, the system asks users to enter their name and email address. The entered names and email addresses are verified for validity before connecting to the database and web page. Without a proper name and mail address, users are not allowed to enter a comment. To support dynamic user participation, users are encouraged to post their comment without registering on the local host. After submitting, the page is directly connected to the database. In step 2, the user's IP address is noted and stored in the database. In the next step, unwanted characters like punctuation and special characters are removed. Spammers mix lowercase and uppercase characters and punctuation to bypass the filters. To prevent this, all incoming user comments are freed from punctuation and all words are converted to lowercase. In step 4, comments are stripped of unnecessary words. Those words are not counted as spam or non-spam; however, they are counted by the spam filter. To increase the performance of the spam filter, unnecessary words should be ignored. These words must be defined by the programmer, and their selection depends on the programmer. In step 5 of the algorithm, unnecessary words are removed and the total number of words counted. The unnecessary words include pronouns and function words like 'am', 'is', 'are', 'he', 'she', 'it', 'you', 'we', 'they', 'i', 'have', 'has', 'had', 'and', 'us', 'do', 'does', 'did', 'was', 'were', 'a', 'an', 'in', 'on', 'the', 'to', 'but', 'of', 'from', 'them', 'also', 'their', which are removed. The administrator can define any such words himself.

Step 6: Identify the probability of the incoming comment based on the Bayesian algorithm with the help of the data in the database and the user input. In step 6, defining the spam words is the most important part. Like unnecessary words, spam words should be defined by the programmers. Programmers can add spam words to the database, so that the program can find the spam words to block easily. The following section shows an example of a spam word definition. Spam word repetition is also an important factor in calculating the probability: each repeated spam word is counted as a new spam word in the calculation. To identify the probability of a comment being spam, the stored spam word database is used as a reference factor in the Bayesian algorithm:

Pr(spam | words) = Pr(words | spam) * Pr(spam) / Pr(words)    (2)
The modified structure of the Bayesian algorithm is shown below:

Pr(comment spam | words) = Pr(words | comment spam) * Pr(comment spam) / Pr(words)    (3)

In detail, Pr(words | comment spam) can be calculated as follows:

Pr(words | comment spam) = number of spam words in user input / total number of words in user input    (4)

Pr(comment spam) can be calculated as follows from the database:

Pr(comment spam) = total number of comment spam / total number of comments    (5)

Pr(words) can be calculated as follows:

Pr(words) = total number of spam words detected in legitimate comments as well as spam comments / total number of comments    (6)

These formulas can be explained in words as follows. Pr(words | spam) is equal to the spam words in the current comment divided by the total number of words in this comment; the total number of words does not include the unnecessary words mentioned before. Pr(spam) is equal to the total comment spam stored in the database divided by the total number of comments entered by users; this value depends on the past entries stored in the database of the web host. Pr(words) is equal to the total number of spam words detected in any comment divided by the total number of comments; this includes spam words detected in legitimate comments as well as in comment spam. The numerator is the number of spam words encountered in any comment. If the probability of being a spam comment is greater than the threshold value, the comment is classified as spam, or else it is posted online. The decision is:

If probability of being spam >= user defined threshold value
    Reject the incoming comment as spam
Else
    Post it online
End if

To block spam, a threshold value should be defined. This value totally depends on the programmers and their needs; a lower threshold value gives more protection from spam comments. This part of the program is the core of the comment spam filter tool. As it appears from the program, any probability value which is greater than or equal to the threshold value is blocked. The user is warned that the comment is spam, and it is stored in the database but not displayed. The admin can check the database and decide whether to display it, if necessary. If the probability of the comment text is lower than the threshold value, the comment is displayed immediately. If the probability of being a spam comment is very high compared to the threshold value, the entire comment statement can be added to the spam word database.
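Steps 3 to 10 of Fig. 1 together with eqs (3) to (6) can be written as a small filter. The following is an added example, not the paper's PHP tool; the stop-word list and the spam words are the ones named in the paper, while the past-comment counts seeded into the history (40 comments, 30 spam, 31 spam words seen), the IP addresses and the two sample comments are constructed, so the scores differ from the figures reported in Section 4.

```python
# Added example (not the paper's tool): the comment filter of Fig. 1 and
# eqs (3)-(6) over an in-memory stand-in for the database. Sample history
# counts, IP addresses and comments are constructed for illustration.
import re
from dataclasses import dataclass, field

# Unnecessary words listed in Section 3.2 of the paper (step 5).
STOP_WORDS = {
    "am", "is", "are", "he", "she", "it", "you", "we", "they", "i", "have",
    "has", "had", "and", "us", "do", "does", "did", "was", "were", "a", "an",
    "in", "on", "the", "to", "but", "of", "from", "them", "also", "their",
}
# Spam words named in the paper's worked examples (administrator-defined).
SPAM_WORDS = {"bad", "disgusting", "stupid", "awful", "fool", "rubbish", "terrible"}

def normalise(comment):
    """Steps 3-5: drop punctuation/special characters, lowercase, remove stop words."""
    tokens = re.findall(r"[a-z0-9]+", comment.lower())
    return [t for t in tokens if t not in STOP_WORDS]

def count_spam_words(tokens, spam_words=SPAM_WORDS):
    """A repeated spam word counts again each time it appears."""
    return sum(1 for t in tokens if t in spam_words)

@dataclass
class History:
    """What the database contributes to eqs (5) and (6)."""
    total_comments: int = 0
    spam_comments: int = 0
    spam_words_seen: int = 0     # spam words found in all past comments, spam or not

@dataclass
class CommentFilter:
    threshold: float
    history: History = field(default_factory=History)
    strikes: dict = field(default_factory=dict)     # ip -> spam comments posted (step 8)
    max_strikes: int = 3                            # constructed limit for step 10
    blocked_ips: set = field(default_factory=set)

    def score(self, comment):
        """Eq (3) with the estimates of eqs (4)-(6); 0.0 when the history is empty."""
        tokens = normalise(comment)
        h = self.history
        if not tokens or h.total_comments == 0 or h.spam_words_seen == 0:
            return 0.0
        p_words_given_spam = count_spam_words(tokens) / len(tokens)    # eq (4)
        p_spam = h.spam_comments / h.total_comments                     # eq (5)
        p_words = h.spam_words_seen / h.total_comments                  # eq (6)
        return p_words_given_spam * p_spam / p_words                    # eq (3)

    def submit(self, ip, comment):
        """Steps 6-10: classify, record the outcome, block repeat offenders.
        Returns (posted, score); score is None for a blocked address."""
        if ip in self.blocked_ips:
            return False, None
        s = self.score(comment)
        is_spam = s >= self.threshold                                   # step 7
        h = self.history                                                # stored either way
        h.total_comments += 1
        h.spam_words_seen += count_spam_words(normalise(comment))
        if is_spam:
            h.spam_comments += 1
            self.strikes[ip] = self.strikes.get(ip, 0) + 1              # step 8
            if self.strikes[ip] >= self.max_strikes:                    # step 10
                self.blocked_ips.add(ip)
        return (not is_spam), s
```

Because eq (6) is an average number of spam words per past comment rather than a probability, the quotient in eq (3) is a score that can exceed 1; it is only meaningful relative to the threshold, which is why the paper tunes the threshold empirically. The history must be seeded from the database before the first comment, otherwise Pr(comment spam) is 0 and nothing is ever rejected.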
4 Experimental Topology and Results

To do the experiments, we set up a web page with database connectivity. We used the WAMP paradigm to set up this web page with database connectivity; WAMP stands for the Windows, Apache, MySQL, PHP stack that can be used as a platform for web applications [5]. We used MySQL for the backend and PHP as the frontend, and Apache2Triad for inputting users' data into the SQL database. Before starting to filter spam, we need a database and a web page that are connected to each other. For the database part MySQL is selected, and PHP is used for coding the spam filter. For the graphical MySQL database interface, we used phpMyAdmin. Apache2Triad is selected to send users' information with their comments and their relation to the database. We deployed our web software on a Windows server using Apache2Triad to execute the PHP code. WAMP is a package of independently created programs installed on computers based on PC operating systems. The interaction of these programs enables dynamic web pages to be served over a computer network, such as the Internet or an intranet.

Another part of this project is to identify a proper threshold value to provide a good solution to the problem. Before the threshold value is obtained, some questions should be answered. For what purpose should this spam filter be used? What kind of security level is needed? After those questions are answered, the threshold value can be obtained for reliable service.

4.1 Experimental Results

We tested our spam filtering tool with the help of students. We asked a group of our students to send comment spam to the particular web page loaded with our comment spam blocking tool. We changed the threshold value from 0.1 to 0.99 and monitored the output. For all experiments, we asked our 50 students to enter comments on a particular page. For the first session we set the threshold value to 0.1. If the probability of the comment being spam is equal to or greater than 0.1, the incoming comment is classified as spam and blocked from being displayed on the web page. In this case, our software identified all comment spam (100%) entered by the users, but it also classified legitimate comments as spam. The approximate number of false positives is 20%. Here some of the comments had one or two spam words, which also got blocked as spam comments. At the same time the number of false negatives is 0%. We conducted the same kind of experiments with threshold values up to 0.99, as shown in the table. From the experiments we identified that if we use a low threshold value, the tool blocks all spam comments but the rate of false positives is high. If we use a high threshold value, the false negatives increase and the spam identification is also not working well. The performance of the software is similar to the major spam killer tools available. But for the mid-range threshold value from 3.5 to 5.5, the comment spam blocking tool performs well. In that range the tool identified all spam comments, and the number of false positives or false negatives is almost 0 or negligible. The test results are given below.
Table 1. Experimental results
Selecting the threshold value is key to identifying comment spam. The administrator can block all incoming comment spam by fine-tuning the spam filtering tool. An empirical study of spam and spammer characteristics plays an important role in selecting and adding spam words to the database table. The length of a comment on our blog or web page is not limited, unlike most of the major blog, forum and message archive services on the Internet. The size of the spam word database is not limited either, to give room for more accurate performance of the tool. Our software tool is much smaller, so it can be loaded on any level of server or web page handling comments. Since the number of lines of code is very small, it will not increase the access time of the web page. The sample output is shown below. The web page accepts comment, name, surname, age and e-mail fields. After entering the fields, the user clicks the submit button. Now we will see the results after submitting. As can be seen in Fig. 2, the comment has been displayed. We fixed the threshold value at 0.35; the comment is displayed because its probability of being spam is 0.320819112628, which is below the threshold. This comment contains 3 spam words defined by the administrator (bad, disgusting, stupid). The spam word "bad" appears twice, so the probability of this comment is calculated using 4/12 together with the other data: the number of words after eliminating unnecessary words is 12.
Fig. 2. Output after submitting
Therefore, any comment whose probability value is lower than the threshold value can easily pass the filter and is posted on the web page immediately. In the second example, the comment contains 7 spam words (awful, fool, bad, rubbish, terrible, disgusting). Its probability of being spam is 0.484797297297. Since this value is greater than the threshold value, the user's comment is blocked by the tool.
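An added example of the threshold experiment described above, written in Python rather than the authors' PHP (this is not the paper's tool): it strips stop words, scores a comment, applies the "equal or greater than the threshold" rule and sweeps the threshold over a constructed, labelled comment set to report false-positive and false-negative rates. The page does not give the tool's Bayesian formula, so the score is an assumption, the fraction of retained tokens that are administrator-defined spam words as in the 4/12 figure; the stop-word list and the sample comments are constructed as well.

```python
"""Threshold-driven comment spam filter (added example, not the paper's PHP code).

The score below is an assumption standing in for the paper's Bayesian probability:
spam-word occurrences divided by the tokens left after stop-word removal, which is
the "4/12" computation the text describes for its sample comment.
"""
import re

# Stand-in for the paper's "unnecessary words" removed before scoring (constructed).
STOP_WORDS = {"the", "a", "an", "and", "is", "this", "it", "to", "of", "in",
              "i", "my", "your", "on", "for", "very", "so", "be", "was", "that",
              "with", "but", "we", "you"}

# Administrator-defined spam words: the ones named in the paper's two examples.
SPAM_WORDS = {"bad", "disgusting", "stupid", "awful", "fool", "rubbish", "terrible"}


def tokenize(comment):
    """Lower-case the comment, split it into words and drop stop words."""
    words = re.findall(r"[a-z']+", comment.lower())
    return [w for w in words if w not in STOP_WORDS]


def spam_probability(comment, spam_words=SPAM_WORDS):
    """Score in [0, 1]: spam-word occurrences / retained tokens (assumed formula)."""
    tokens = tokenize(comment)
    if not tokens:
        return 0.0
    hits = sum(1 for t in tokens if t in spam_words)
    return hits / len(tokens)


def is_blocked(comment, threshold):
    """The tool's rule: a score equal to or above the threshold is spam and is blocked."""
    return spam_probability(comment) >= threshold


def evaluate(samples, threshold):
    """Return (false_positive_rate, false_negative_rate) over (comment, is_spam) pairs."""
    legit = [c for c, label in samples if not label]
    spam = [c for c, label in samples if label]
    fp = sum(1 for c in legit if is_blocked(c, threshold))
    fn = sum(1 for c in spam if not is_blocked(c, threshold))
    return fp / len(legit), fn / len(spam)


def sweep(samples, thresholds):
    """Repeat the paper's experiment: FP/FN rates as the threshold is raised."""
    return {t: evaluate(samples, t) for t in thresholds}


# Constructed test set. Two legitimate comments contain a single spam word,
# which is what produces false positives at low thresholds.
SAMPLES = [
    ("Great article, thanks for sharing the details", False),
    ("Not bad, but the second section was a little confusing", False),
    ("The writer is terrible at explaining things", False),
    ("This is a bad, bad, disgusting and stupid review of your product", True),
    ("Awful fool, bad rubbish, terrible and disgusting, disgusting post", True),
    ("Stupid rubbish, nobody should read this", True),
]

if __name__ == "__main__":
    for t, (fp, fn) in sweep(SAMPLES, (0.1, 0.2, 0.35, 0.5, 0.9)).items():
        print(f"threshold={t:.2f}  false positives={fp:.0%}  false negatives={fn:.0%}")
```

On this set a threshold of 0.1 blocks every spam comment but also two of the three legitimate ones, 0.35 separates the two classes cleanly, and 0.5 or higher starts letting spam through, the same low/mid/high pattern the experiments above report.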
5 Conclusion

Spam is a simple methodology to spread commercials through email, blogs, forums, email archives and instant messengers. Virus, worm and trojan deployment through spam is forcing business houses to spend millions of dollars each year to protect their resources from these attackers. Comment spam is a type of spam that annoys end users and wastes bandwidth. Many methods were proposed in the past to stop it, but none worked properly against the spammers' technology. In this paper we proposed an approach based on a Bayesian algorithm. The total number of lines of code for this software is very small, so it can be deployed on any level of server or web page. The experimental results show that our software tool works well to protect users from comment spammers. Our test results show that fine-tuning of the threshold value and continuous updating of the spam words can play an important role in completely eliminating comment spam. The main problem with this approach is that it requires constant updating, since spammers constantly find new ways to bypass any filter.
References
1. Nagamalai, D., Dhinakaran, B.C., Lee, J.K.: An In-depth analysis of spam and spammers. IJSA 2(2), 9–22 (2008)
2. Mishne, G., Carmel, D., Lempel, R.: Blocking blog spam with language model disagreement. In: AIRWEB 2005 (2005)
3. Thimason, A.: Blog spam - A Review. In: CEAS 2007 (2007)
4. Sahami, M., Dumais, S., Heckerman, D., Horvitz, E.: A Bayesian Approach to Filtering Junk E-mail. AAAI Technical Report WS-98-05 (1998)
5. Androutsopoulos, I., et al.: An experimental comparison of naive Bayesian and keyword-based anti-spam filtering with personal e-mail messages. ACM SIGIR CRDIR, 160–167 (2000)
6. Apache2triad, http://apache2triad.net/
7. WAMP, http://oss.segetech.com/wamp.html
An Improved Secure Identity-Based On-Line/Off-Line Signature Scheme
Jianhong Zhang 1,2, Yixian Yang 2, Xinxin Niu 2, Shengnan Gao 1, Hua Chen 1, and Qin Geng 1
1 College of Sciences, North China University of Technology, Beijing 100144, China, [email protected]
2 Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Abstract. On-line/off-line signature is an important cryptographic tool that is widely applied in resource-constrained environments. Recently, an ID-based online/offline signature scheme was proposed for authentication in the AODV protocol. Unfortunately, we show in this paper that the scheme is insecure: it is universally forgeable and malleable. We give a stronger attack which allows anyone to produce a forged signature on an arbitrary message without the private key of the signer and without a valid signature on any message. To overcome the attack, an improved scheme is proposed, and we show that the improved scheme is provably secure against adaptive chosen message attack in the random oracle model.

Keywords: On-line/off-line signature, Forgeability, Attack, Security Analysis.
1 Introduction
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 588–597, 2009. © Springer-Verlag Berlin Heidelberg 2009

The notion of online/offline signature was first introduced by Even, Goldreich and Micali [1]. It can improve the security and the real-time efficiency of a signature scheme. The idea is to perform the signature generation procedure in two phases. The first phase is performed off-line (before the message to be signed is given) and the second phase is performed on-line (after the message to be signed is given). On-line/off-line signature schemes are useful, since in many applications the signer has a very limited response time or limited computation capability once the message is presented, but can carry out costly computations between consecutive signing requests. For instance, consider a stock broker's server that has bursty requests that need to be signed, where there are periods of low activity and infrequent bursts of rapid transaction requests (e.g., immediately after financial updates or news releases). On-line/off-line signature schemes are particularly useful in smart card applications: the off-line phase is implemented either during the card manufacturing process or as a background computation whenever the card is connected
to power, and the on-line phase uses the stored result of the off-line phase to sign actual messages. The on-line phase is typically very fast, and hence can be executed efficiently even on a weak processor. In 2001, Shamir and Tauman proposed a generic method [2] to construct online/offline signature schemes. In [11], Galindo, Herranz and Kiltz proposed a generic construction of ID-based online/offline signatures. Subsequently, several efficient on-line/off-line signature schemes [3,4,5,6] and variants [12,14] were proposed. In ACISP 2006, Xu, Mu and Susilo [4] proposed an ID-based online/offline signature scheme for authentication in the AODV protocol [7]. Recently, Li et al. [8] showed that the Xu-Mu-Susilo scheme was insecure: given a signature on message m, anyone can forge a signature on a new message m′. In this paper, we give a stronger attack on the Xu-Mu-Susilo scheme; the attack allows anyone to forge a signature on an arbitrary message m̄ without the signer's private key and without a valid signature on a message m. Obviously, our attack is much stronger than the one in [8]. We also show that the scheme is malleable: for a given signature on message m, anyone can forge another signature on message m. Finally, to overcome our attack, we give an improved ID-based online/offline signature scheme and show that the improved scheme is secure against adaptive chosen message attack in the random oracle model.

The rest of the paper is organized as follows. In Section 2, some preliminaries and the security model of online/offline signatures are recalled; in Section 3, we present a brief description of the Xu-Mu-Susilo scheme, and a stronger attack method is given in Section 4. In Section 5, we propose an improved scheme; the security proof of the improved scheme is given in Section 5; finally, the conclusions of the work are given in Section 6.
2 Preliminaries and Security Model of Online/Offline Signature Scheme
In this section, we first briefly describe bilinear pairings [15] and some related mathematical problems, which form the basis of security for our scheme, and then the security model of online/offline signature schemes [8]. Let G_1 be a cyclic multiplicative group generated by the generator P, whose order is a prime q, and G_2 be a cyclic multiplicative group of the same prime order q. We assume that the discrete logarithm problem (DLP) in both G_1 and G_2 is hard. An admissible pairing e : G_1 × G_1 → G_2 satisfies the following three properties:
– Bilinearity: If U, V ∈ G_1 and a, b ∈ Z_q^*, then e(aU, bV) = e(U, V)^{ab};
– Non-degeneracy: There exist P, Q ∈ G_1 such that e(P, Q) ≠ 1;
– Computability: If U, V ∈ G_1, one can compute e(U, V) ∈ G_2 in polynomial time.
We note that the modified Weil and Tate pairings associated with supersingular elliptic curves are examples of such admissible pairings. The security of the scheme discussed in this paper is based on the following security assumption.
Definition 1. [Computational Diffie-Hellman (CDH) Assumption]. Let $\mathcal{G}$ be a CDH parameter generator. We say an algorithm A has advantage ε(k) in solving the CDH problem for $\mathcal{G}$ if, for a sufficiently large k,
$$\mathrm{Adv}_{\mathcal{G},A}(t) = \Pr\big[A(q, G_1, xP, yP) = xyP \;\big|\; (q, G_1) \leftarrow \mathcal{G}(k),\ P \leftarrow G_1,\ x, y \leftarrow \mathbb{Z}_q\big].$$
We say that $\mathcal{G}$ satisfies the CDH assumption if for any randomized polynomial-time (in t) algorithm A, $\mathrm{Adv}_{\mathcal{G},A}(t)$ is a negligible function.

An ID-based online/offline signature scheme consists of the following five algorithms.
1. Setup: a probabilistic algorithm run by a PKG that takes as input a security parameter k and outputs system parameters params and a master key s that is kept secret.
2. Extract: a key generation algorithm run by the PKG that takes as input the system parameters params, the master key s and an identity ID, and returns the corresponding private key D_ID.
3. OffSign: a probabilistic algorithm that takes as input the system parameters params and a signing key D_ID, and outputs an offline signature S.
4. OnSign: a probabilistic algorithm that takes as input a message m and an offline signature S, and returns an online signature δ.
5. Verify: a deterministic algorithm that takes as input (ID, m, S, δ) and returns either accept or reject.

The security of online/offline signatures can be defined as follows:

Definition 2. An identity-based online/offline signature is said to be existentially unforgeable under chosen-message attacks if no probabilistic polynomial-time adversary has a non-negligible advantage in this game:
1. The challenger A runs the setup algorithm to generate the system parameters and sends them to the adversary F.
2. The adversary F performs the following queries:
– Key Extraction Query: F produces an identity ID and receives the corresponding secret key D_ID.
– Offline Signing Query: F produces an identity ID and receives an offline signature generated by the offline signing oracle using the secret key corresponding to ID.
– Online Signing Query: F produces a message m and receives an online signature generated by the online signing oracle; the online signature corresponds to the offline signature.
3. After a polynomial number of queries, F produces a tuple (ID*, m*, S*, δ*) for an identity ID* whose secret key was never asked in a key extraction query. Besides, the pair (ID*, m*) was never asked in the online/offline signing queries.
The success probability of winning the above game is denoted $\mathrm{Succ}^{EF\text{-}IOS\text{-}CMA}_{A}(l)$. An online/offline signature scheme is secure if the success probability of the above attack is negligible:
$$\mathrm{Succ}^{EF\text{-}IOS\text{-}CMA}_{A}(l) \le \varepsilon,$$
where ε is negligible.
3 Review of Xu-Mu-Susilo Scheme
Xu et al. claimed that the Xu-Mu-Susilo scheme is secure. The scheme consists of five algorithms:
1. Setup: Given a security parameter k, the PKG chooses groups G_1 and G_2 of prime order q. Let P be a generator of group G_1 and e : G_1 × G_1 → G_2 be a bilinear map. H_0 : {0,1}* → G_1 and H_1 : {0,1}* → Z_q^* are two hash functions. The PKG chooses a master key s ∈ Z_q^* randomly and computes P_pub = sP. The PKG publishes the system parameters {G_1, G_2, q, e, P, P_pub, H_0, H_1} and keeps the master key s secret.
2. Extract: Given an identity ID, the PKG computes Q_ID = H_0(ID) and the private key D_ID = sQ_ID. Then the PKG sends the private key to its owner in a secure way.
3. OffSign: The signer chooses r, x ∈ Z_q randomly and computes the offline signature pair (S, R), where S = D_ID − xP_pub and R = rP.
4. OnSign: In order to sign a message m, the signer computes the online signature δ = H_1(m)r + x mod q. The resulting signature is (S, δ, R).
5. Verify: Given an online/offline signature (S, δ, R) on a message m for identity ID, it is accepted if and only if the following equation holds:
$$e(S + \delta P_{pub}, P) = e(Q_{ID} + H_1(m)R, P_{pub}).$$
4 Our Attack on Xu-Mu-Susilo Scheme
Though Xu et al. claimed that their scheme was secure, in this section we show that the scheme is insecure and universally forgeable. Namely, anyone is able to produce a forged signature on an arbitrary message m̄ without a given signature on a message m. In [8], Li et al. also showed that the Xu-Mu-Susilo scheme was insecure, but only when an adversary is given a valid message-signature pair can it produce a forged signature on a message. Obviously, our attack is much stronger than the one in [8].

4.1 Attack 1

Here, we show how an adversary produces a forged signature without the secret key of the signer and without a valid signature of the signer. The steps are performed as follows:
1. For a forged message m′, the adversary randomly chooses k_1 ∈ Z_q and computes R′ = (H_1(m′))^{-1}(−Q_ID + k_1 P).
2. Randomly choose k_2 ∈ Z_q and set S′ = k_2 P_pub.
3. Set δ′ = k_1 − k_2.
4. The forged signature on message m′ is (S′, δ′, R′).

In the following, we show that the forged signature (S′, δ′, R′) on message m′ is valid. Since
$$e(S' + \delta' P_{pub}, P) = e(k_2 P_{pub} + (k_1 - k_2) P_{pub}, P) = e(k_1 P_{pub}, P)$$
and
$$e(Q_{ID} + H_1(m') R', P_{pub}) = e\big(Q_{ID} + H_1(m')\,H_1(m')^{-1}(-Q_{ID} + k_1 P), P_{pub}\big) = e(Q_{ID} + (-Q_{ID} + k_1 P), P_{pub}) = e(k_1 P_{pub}, P),$$
we obtain the relation
$$e(Q_{ID} + H_1(m') R', P_{pub}) = e(S' + \delta' P_{pub}, P).$$
It means that the forged signature passes the verification equation of the online/offline signature scheme. That is to say, the scheme is universally forgeable.

4.2 Attack 2

Here, we show that the scheme is also malleable. Given a valid signature on message m, anyone can produce another signature on message m. The details are as follows:
1. Given a signature (R, S, δ) on message m, the adversary randomly chooses a ∈ Z_q and computes S′ = S − aP_pub.
2. Then compute δ′ = δ + a mod q.
3. The resultant signature on message m is (S′, δ′, R).
Obviously, the forged signature (S′, δ′, R) is also a valid signature. It means that the scheme is malleable.
5 The Improved Online/Offline Signature Scheme
To overcome the above forgery attack, we give an improved scheme. The details are as follows:
1. Setup: Given a security parameter k, the PKG chooses groups G_1 and G_2 of prime order q. Let P be a generator of group G_1 and e : G_1 × G_1 → G_2 be a bilinear map. H_0 : {0,1}* → G_1 and H_1 : G_1^2 → Z_q^* are two hash functions, and f : {0,1}* → Z_q^* is a one-way function. The PKG chooses a master key s ∈ Z_q^* randomly and computes P_pub = sP. The PKG publishes the system parameters {G_1, G_2, q, f, e, P, P_pub, H_0, H_1} and keeps the master key s secret.
2. Extract: Given an identity ID, the PKG computes Q_ID = H_0(ID) and the private key D_ID = sQ_ID. Then the PKG sends the private key to its owner in a secure way.
3. OffSign: The signer chooses r, x ∈ Z_q randomly and computes (S, R, V), where S = D_ID − xP_pub, R = rP and V = H_1(S, R)r, and sets the offline signature pair as (S, R).
4. OnSign: In order to sign a message m, the signer computes the online signature δ = f(m)V + x mod q. The resulting signature is (S, δ, R).
5. Verify: Given an online/offline signature (S, δ, R) on a message m for identity ID, it is accepted if and only if the following equation holds:
$$e(S + \delta P_{pub}, P) = e(Q_{ID} + f(m) H_1(S, R) R, P_{pub}).$$

In our improved scheme, the signing algorithms satisfy the requirement of online/offline signatures, as the actual message signing takes only one multiplication and one addition. The size of our signature is 2 log_2 ρ + log_2 q, where ρ stands for the safe length of GDH in group G_1. From the above verification equation, we also see that our improved scheme easily supports batch verification of signatures: the computational cost of verifying needs only two pairing operations. Given two signatures (S_1, δ_1, R_1, m_1) and (S_2, δ_2, R_2, m_2), the verification is as follows:
$$e(S_1 + S_2 + (\delta_1 + \delta_2) P_{pub}, P) = e\big(Q_{ID} + (f(m_1) H_1(S_1, R_1) R_1 + f(m_2) H_1(S_2, R_2) R_2), P_{pub}\big).$$
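An added example (not the paper's code) that runs the improved scheme's Setup, Extract, OffSign, OnSign, Verify and batch verification in Python over a toy bilinear map: G_1 is taken as Z_q under addition with P = 1 and e(U, V) = g^{UV} in Z_p^*, which is bilinear but has trivial discrete logarithms, so it checks correctness of the equations, not security. The hash functions are SHA-256 reductions into Z_q^* (an assumption); because every signature's own verification equation carries Q_ID, the batched right-hand side adds Q_ID once per signature, which generalises the two-signature equation above; the last function applies the (S − aP_pub, δ + a) rewrite of Section 4.2 to show that the improved Verify rejects it, since H_1 binds S.

```python
"""Toy model of the improved ID-based online/offline signature scheme (Section 5).
Added example, not the paper's code. G1 = Z_q under addition with generator P = 1
(so aP is a mod q), G2 = the order-q subgroup of Z_p^* with p = 2q + 1, and
e(U, V) = g^(U*V mod q) is bilinear. Discrete logs are trivial in this model, so it
checks the scheme's equations, not its security."""
import hashlib
import secrets


def is_probable_prime(n, rounds=25):
    """Miller-Rabin test, sufficient for the toy parameter search."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in small
    if any(n % p == 0 for p in small):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class ToyPairing:
    """e: Z_q x Z_q -> <g> in Z_p^*, e(U, V) = g^(U*V mod q); P = 1 generates Z_q."""
    def __init__(self, bits=64, rng=None):
        rng = rng or secrets.SystemRandom()
        while True:  # search for a safe prime p = 2q + 1
            q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(q) and is_probable_prime(2 * q + 1):
                break
        self.q, self.p, self.P = q, 2 * q + 1, 1
        self.g = 4  # 2^2 is a quadratic residue != 1 mod p, hence of order q

    def e(self, u, v):
        return pow(self.g, (u * v) % self.q, self.p)


class ImprovedIBOOS:
    """Setup / Extract / OffSign / OnSign / Verify of Section 5 over ToyPairing."""
    def __init__(self, pairing, rng=None):
        self.pr, self.rng = pairing, rng or secrets.SystemRandom()
        self.s = self.rng.randrange(1, pairing.q)      # master key s
        self.Ppub = (self.s * pairing.P) % pairing.q   # Ppub = sP

    def _hash(self, tag, *parts):
        """Domain-separated SHA-256 reduced into Z_q^* (assumed construction)."""
        h = hashlib.sha256(tag.encode())
        for part in parts:
            h.update(repr(part).encode() + b"|")
        return int.from_bytes(h.digest(), "big") % (self.pr.q - 1) + 1

    def H0(self, ID):
        return self._hash("H0", ID)      # H0: {0,1}* -> G1

    def H1(self, S, R):
        return self._hash("H1", S, R)    # H1: G1^2 -> Z_q^*, binds S and R

    def f(self, m):
        return self._hash("f", m)        # f: {0,1}* -> Z_q^*

    def extract(self, ID):
        return (self.s * self.H0(ID)) % self.pr.q   # Extract: D_ID = s Q_ID

    def off_sign(self, D_ID):
        """OffSign: S = D_ID - x Ppub, R = rP, V = H1(S, R) r; x is kept for OnSign."""
        q = self.pr.q
        r, x = self.rng.randrange(1, q), self.rng.randrange(1, q)
        S, R = (D_ID - x * self.Ppub) % q, (r * self.pr.P) % q
        return {"S": S, "R": R, "V": (self.H1(S, R) * r) % q, "x": x}

    def on_sign(self, token, m):
        """OnSign: delta = f(m) V + x mod q, one multiplication and one addition."""
        delta = (self.f(m) * token["V"] + token["x"]) % self.pr.q
        return token["S"], delta, token["R"]

    def batch_verify(self, ID, pairs):
        """Summed per-signature equations; each signature contributes its own Q_ID."""
        q, Q_ID = self.pr.q, self.H0(ID)
        lhs = sum(S + d * self.Ppub for _, (S, d, _) in pairs) % q
        rhs = sum(Q_ID + self.f(m) * self.H1(S, R) * R for m, (S, _, R) in pairs) % q
        return self.pr.e(lhs, self.pr.P) == self.pr.e(rhs, self.Ppub)

    def verify(self, ID, m, sig):
        return self.batch_verify(ID, [(m, sig)])


def rewrite_s_delta(scheme, sig, a):
    """Section 4.2 rewrite (S - a Ppub, delta + a): left side unchanged, H1(S', R) differs."""
    S, delta, R = sig
    return (S - a * scheme.Ppub) % scheme.pr.q, (delta + a) % scheme.pr.q, R
```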
6 Security Analysis
In this section, we show that our improved scheme is existentially unforgeable under adaptive chosen-message attack.

Theorem 1. In the random oracle model, if a probabilistic polynomial-time forger F has an advantage ε in forging an online/offline signature with running time t, asking the H_0 and H_1 oracles, the key extraction oracle and the online/offline signing oracle q_{H_0}, q_{H_1}, q_e and q_s times respectively, then the CDH problem can be solved with an advantage
$$\varepsilon' > \frac{\varepsilon - (q_s(q_{H_1} + q_s) + 1)/2^k}{e(q_e + 1)\, q_{H_1}}$$
within a time
$$t' < t + \big((q_{H_1} + q_{H_0} + q_e) + 2q_s + 2\big) t_m + (q_s + 1) t_{mm},$$
where e denotes the base of the natural logarithm, t_m is the time to compute a scalar multiplication in G_1 and t_{mm} is the time to perform a multi-exponentiation in G_1.

Proof. Suppose that an adversary F can break the improved scheme. Then we will construct an algorithm B that makes use of F to solve the CDH problem.
Let (X = xP, Y = yP) ∈ G_1 × G_1 be a random instance of the CDH problem taken as input by B. To solve it, algorithm B performs the following simulation by interacting with the forger F.

Setup: Algorithm B sets the system-wide public key P_pub = X = xP and sends it to the adversary F. At any time, algorithm A can query the random oracles H_1, H_0, the key extraction oracle, the OffSign oracle and the OnSign oracle (without loss of generality, we assume that, for any key extraction query or OffSign query involving an identity, an H_0 oracle query was previously issued for the same identity). To answer these queries, B executes the following responses.

H_0-Oracle: when an identity ID is submitted to the H_0 oracle, B flips a coin T ∈ {0, 1} that yields 0 with probability θ and 1 with probability 1 − θ. B then picks u ∈ Z_q. If T = 0 then the hash value is H_0(ID) = uP. If T = 1, then B sets H_0(ID) = uY. Finally, B adds a tuple (ID, u, T) to a list L_0 which is initially empty.

Key Extraction Oracle: when F requests the private key associated with an identity ID, B recovers the corresponding (ID, u, T) from the L_0-list. If T = 1, then B outputs "failure" and halts. Otherwise, H_0(ID) was previously defined to be uP, and uP_pub is returned to F as the private key associated with identity ID.

H_1-Oracle: when a tuple (S, R) is submitted to the H_1 oracle, B first looks up a list L_1 to check whether H_1 was already defined for that input. If it was, the defined value is returned. Otherwise, B picks a random v ∈ Z_q and returns it to F. Finally, B adds a tuple (v, S, R) to the list L_1, which is initially empty.

OffSign Oracle: when F queries an offline signature for an identity ID, F first recovers the previously defined value Q_ID = H_0(ID) from the L_0-list. Then randomly choose α, β, γ ∈ Z_q and set S = αP_pub, δ = β and R = γ^{-1}(−Q_ID + (α + β)P). Finally, B adds a tuple (S, R, δ, ID) to the S-list and returns (S, R) to F as an offline signature.

OnSign Oracle: when F queries an online signature for an identity ID and a message m, F first recovers the previously defined value Q_ID = H_0(ID) and (R, S, δ) from the L_0-list and the S-list, respectively. If ID does not exist in the S-list, then B makes a query to the OffSign oracle on ID. Then B defines the hash value $H_1(R, S) = \gamma / f(m)$ and checks whether H_1(R, S) is already defined in the L_1-list; if it has already been defined, then B halts and outputs "failure". Otherwise, B returns δ as an online signature on message m.

Output: Eventually, F outputs an online/offline signature (ID*, m*, S*, R*, δ*). According to the forking lemma [10], B rewinds F to the point where it just queried H_1(R*, S*) and returns a different value for the same hash query input. A obtains another online/offline signature (ID*, m*, R′*, S′*, δ′*), where R′* = R* and S′* = S*.
Then B recovers the triple (ID*, u*, T*) from the L_1-list. If T* = 0, then B outputs "failure" and aborts. Otherwise, B obtains the following relations:
$$e(S^* + \delta^* P_{pub}, P) = e\big(Q_{ID^*} + f(m^*) H_1(S^*, R^*) R^*, P_{pub}\big)$$
$$e(S^* + \delta'^* P_{pub}, P) = e\big(Q_{ID^*} + f(m^*) H_1'(S^*, R^*) R^*, P_{pub}\big)$$
Then it has
$$e\big((\delta^* - \delta'^*) P_{pub}, P\big) = e\big(f(m^*)(h_1 - h_1') R^*, P_{pub}\big),$$
where h_1 = H_1(S*, R*) and h_1' = H_1'(S*, R*). It means
$$R^* = \frac{\delta^* - \delta'^*}{f(m^*)(h_1 - h_1')}\, P = r^* P \qquad\text{and}\qquad r^* = \frac{\delta^* - \delta'^*}{f(m^*)(h_1 - h_1')}.$$
Thus we can obtain
$$D_{ID^*} = S^* + \big(\delta^* - f(m^*) H_1(R^*, S^*)\, r^*\big) P_{pub}$$
by S* = D_{ID*} − x* P_pub and δ* = f(m*) H_1(S*, R*) r* + x*. Finally, B obtains the solution of the CDH problem
$$xyP = u^{-1}\Big(S^* + \Big(\delta^* - \frac{H_1(R^*, S^*)(\delta^* - \delta'^*)}{h_1 - h_1'}\Big) P_{pub}\Big).$$
When assessing B's probability of failure, one readily checks that its probability of failing to handle an online signature query because of a conflict on H_1 is at most $(q_{H_1} + q_s)/2^k$, while the probability that F outputs a valid forgery (R*, S*, δ*) on message m* without asking the corresponding H_1(R*, S*) query is at most $1/2^k$. In the key extraction queries, the probability that B does not fail is at most $\theta^{q_e}(1 - \theta)$. B guesses the point of rewind correctly with probability at least $1/q_{H_1}$. Finally, the probability that F outputs its forgery on a "bad" identity ID is greater than $1 - 1/(e(q_e + 1))$ when the optimal probability $\theta = q_e/(q_e + 1)$ is used when handling key extraction queries. Thus, B's advantage is at most
$$\frac{\varepsilon - (q_s(q_{H_1} + q_s) + 1)/2^k}{e(q_e + 1)\, q_{H_1}}.$$
7 Conclusion
Online/offline signature is an important cryptographic primitive; it is particularly useful in resource-constrained environments. In this paper, we show that the Xu-Mu-Susilo scheme is insecure in their security model: it is universally forgeable. Then we give a stronger attack which allows an adversary to produce a forged online/offline signature on an arbitrary message without the private key of the signer and without a valid signature of the signer, whereas in [8] an adversary can produce a forged signature only when it has a valid online/offline signature. Finally, to overcome our attack, we give an improved ID-based online/offline signature scheme and show that the improved scheme is secure against adaptive chosen message attack in the random oracle model.
Acknowledgement. This work is supported by the Natural Science Foundation of China (No. 60703044, 90718001), the New Star Plan Project of Beijing Science and Technology (No. 2007B001), the PHR, the Program for New Century Excellent Talents in University (NCET-06-188), the Beijing Natural Science Foundation Program and Scientific Research Key Program of Beijing Municipal Commission of Education (No. KZ200810009005), the National Basic Research Program of China (973 Program) (No. 2007CB310704) and the 111 Project (No. B08004).
References
1. Even, S., Goldreich, O., Micali, S.: On-line/Off-line digital signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 263–275. Springer, Heidelberg (1990)
2. Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001)
3. Yu, P., Tate, S.R.: Online/offline signature schemes for devices with limited computing capabilities. In: Malkin, T.G. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 301–317. Springer, Heidelberg (2008)
4. Xu, S., Mu, Y., Susilo, W.: Online/offline signatures and multisignatures for AODV and DSR routing security. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 99–110. Springer, Heidelberg (2006)
5. Kurosawa, K., Schmidt-Samoa, K.: New online/offline signature schemes without random oracles. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 330–346. Springer, Heidelberg (2006)
6. Catalano, D., Di Raimondo, M., Fiore, D., Gennaro, R.: Off-line/on-line signatures: theoretical aspects and experimental results. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 101–120. Springer, Heidelberg (2008)
7. Perkins, C.E., Royer, E.M., Das, S.R.: Ad hoc on-demand distance vector (AODV) routing. IETF Internet Draft, MANET working group, draft-ietf-manet-aodv-13.txt
8. Xu, S., Mu, Y., Susilo, W.: On the Security of Online/Offline Signatures and Multisignatures from ACISP 2006. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 99–110. Springer, Heidelberg (2006); Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 64–79. Springer, Heidelberg (2008)
9. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)
10. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)
11. Galindo, D., Herranz, J., Kiltz, E.: On the generic construction of identity-based signatures with additional properties. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 178–193. Springer, Heidelberg (2006)
12. Deng, H., Agrawal, D.P.: TIDS: threshold and identity-based security scheme for wireless ad hoc networks. Ad Hoc Networks 2(3), 291–307 (2004)
13. Catalano, D., Di Raimondo, M., Fiore, D., Gennaro, R.: Off-line/on-line signatures: theoretical aspects and experimental results. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 101–120. Springer, Heidelberg (2008)
14. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)
15. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: Proceedings of the Symposium on Cryptography and Information Security, SCIS 2000, pp. 459–466 (2000)
16. Chen, L., Pedersen, T.P.: New group signature schemes. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 171–181. Springer, Heidelberg (1995)
Honeybee-Based Model to Detect Intrusion
Ghassan Ahmed Ali, Aman Jantan, and Abdulghani Ali
School of Computer Sciences, Universiti Sains Malaysia, 11800 Pulau Pinang, Malaysia
[email protected], [email protected], [email protected]
Abstract. This paper proposes a novel approach based on the honeybee model to improve the intrusion detection system. The power of the bees' defence against intruders entering the hive, the effectiveness of information exchange between the bees, and the success of other existing AI approaches to which the honeybee can be efficiently compared, have led us to analyze a new area of honeybee behaviour concerning security. Most existing systems only detect general and known attacks; therefore many malicious attacks intrude without any detection. We demonstrate the methods that use HoneybeeGuard in filtration and classification, "undesirable–absent" and "desirable–present", to identify a malicious packet and detect known and unknown intruders.

Keywords: intrusion detection, natural computing, honeybee, network security.
1 Introduction

Computer security has remained an obsession for many years of improvement and research work. However, it still needs a lot of hard work to settle the critical security problems. The survey carried out by the Computer Security Institute in December 2008 reported that the average annual loss reported by US companies in 2008 was close to $500,000. One of the significant causes of the loss, as the report mentioned, was system penetration by outsiders. Referring to [1], there are 25 billion intrusion attempts per day, and they are increasing every day. Defense systems are still not strong enough to prevent every attack [2]. Most existing systems only detect general and known attacks; thus, many malicious attacks intrude without any detection. Taking this into consideration, it would be highly valuable to introduce a novel analytical method of detecting known and unknown intruders and malicious attacks. Many research works such as [3] have taken steps towards supporting computer security by understanding and trying to apply the methods underlying the behavior of social insects, which face the same problems. The ability to recognize and detect intrusion is critical to maintaining the integrity of social insect colonies [4]; however, many proposed methods can only be applied in specific cases where the attack is known. In our case, we lean on the natural honeybee, which faces analogous security problems. Honeybees survive in difficult environments with different levels of threats to security. These threats motivate the bees to detect and respond quickly to any aggressive acts that may attack the colony [5].

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 598–607, 2009. © Springer-Verlag Berlin Heidelberg 2009
This paper focuses on how the bees solve the detection problem, to cross over directly to IDS. Many studies are being carried out attempting to understand and extract the key mechanisms by which natural bee guarding achieves its detection and protection capabilities [6],[7]. The problem faced by the honeybee guard is the same as the one faced by an IDS: distinguishing between intruder and nest-mate. The honeybee colony has a small entrance which is patrolled by workers called guards [8], who admit nestmates and deter intruders. The entrance guards intercept and examine incomers at the nest entrance [8] and differentiate between nestmates and non-nestmates. In computer security, the role of intrusion detection is basically to identify the ongoing threat to the system [9]. The main task of an intrusion detection system is to classify an incoming entry and assign it to a selected group based on its characteristics. Therefore, it would be highly valuable to introduce a novel analytical method of detecting intruders and malicious attacks. This paper demonstrates the effectiveness of the Marmelada¹ approach, which is inspired by the behavior of the natural honeybee and is introduced to solve the intrusion detection classification problem. The paper also intends to:
1. Formalize an approach based on the honeybee's intrusion detection, which is originally initiated here.
2. Analyze the honeybee prevention method that would be integrated into the detection model.
3. Investigate a new classification method to improve intrusion detection using artificial intelligence and network security techniques.
In the remaining sections of this paper, we outline the relationship between computer security aspects and the artificial honeybee model, including the security aspects emphasized in the honeybee colony. The methods that the honeybee uses to detect the intruder without affecting the routers' job are illustrated. The pre-final section sketches the extraction model that will be applied to the IDS, and the final section concludes this paper.
2 Computer Security and Intelligent Honeybee

Computer security is supposed to address five aspects of any computer-related system: confidentiality, integrity, availability [10], accountability, and correctness [11],[12].
- Confidentiality: ensures that information and computer-related assets are accessible only to those authorized.
- Integrity: data is protected against unauthorized changes that are not detectable by authorized users, and must be protected from corruption; in this context, protecting data against unauthorized writing, updating, deleting, and creating.
- Availability: information and information processing should be accessible to the authorized party when needed, within an acceptable time.

¹ A common Brazilian type of stingless bee known as Marmelada [14], which is emulated in our approach.
G.A. Ali, A. Jantan, and A. Ali
- Accountability: the computer security system should keep the records needed to trace actions and identify wrongdoers.
- Correctness: an alarm should be reliable and convey the correct message, so that the appropriate action is taken rather than users being disturbed. What is more dangerous to users is that false alarms may hide real attacks. False alarms should be minimized for the system to be usable.
Figure 1 shows the computer security aspects and the relationships that make a system secure.
[Figure: the five aspects Confidentiality, Integrity, Availability, Accountability and Correctness arranged around the label SECURE]
Fig. 1. Computer security aspects
The similarities between a computer security problem and the one encountered by honey bees can be seen by interpreting honeybee colony behaviour as computer security conduct. The security aspects are all present in colony behaviour. Confidentiality and integrity have high priority in the colony: special guard bees scrutinize every entering individual and elicit a colony defence when non-nest members try to intrude [13]. Guards protect their nest and its contents from various robbers, including bees from other colonies. Availability means enabling any nest member to access the nest at any time and to use its resources with recognized rights. Accountability means examining other bees not only at the nest entrance but also inside the nest [8]; the early-warning system the honeybee uses to detect threats and identify the intruder keeps the nest safe. Correctness means participating in nest defence: many bees from the comb rush to join the group defending the colony from intruders [7]. The multilayer protection in a honeybee colony and the diversity of its defences can be viewed as a typical framework for a detection system. Detection, or recognition, is essential to maintaining integrity in the honeybee colony as well as in an IDS. Indeed, the similarity of the problem continues to hold at deeper levels of computer security.
3 Marmelada Approach Using Undesirable-Absent and Desirable-Present

In this section, we show how the entrance guard of Marmelada is able to discriminate between normal incomers and intruders [14]. We demonstrate the two methods HoneybeeGuard uses to filter incomers: "undesirable-absent" and "desirable-present". The system accepts incomers because they have the desirable characteristics (D-present). These characteristics are seen on most entries, and they are the easiest to imitate and spoof. On the other hand, a HoneybeeGuard also accepts incomers because they do not carry the undesirable characteristics (U-absent); these undesirable characteristics are seen on almost all intruders but on very few valid incomers.

[Figure: flowchart with the nodes Incoming Packet, Route the Packet, Check the Packet Status, Detect Undesirable Absent (YES/NO), Detect Desirable Present (YES/NO), Filtering Decision (YES/NO), Allow Passing, Alarm and Packet Drop]
Fig. 2. Marmelada approach
If the system only used the D-present detection method, intruders would be accepted. With U-absent, all incomers are rejected if intrusion characteristics are found, even if they also hold desirable characteristics. Figure 2 illustrates the algorithm of the Marmelada approach. In the U-absent method it is easier to reject a suspected incomer than to accept it. There will be more rejection errors and fewer acceptance errors, which is safer for the system. If a system uses D-present only, it will make a large number of acceptance errors and fewer rejection errors. The HoneybeeGuard would be stricter in admitting intruders but may also be more likely to reject valid incomers [14]. In the Marmelada approach, the detection system starts with the U-absent method. Accepted packets are stamped with a U-absent_stamp (queen odor) to indicate that they are free from undesirable characteristics, and are then forwarded to D-present. At D-present, every received packet is first verified to carry a U-absent_stamp, which ensures that it has been examined by and passed U-absent, to preclude spoofing. In addition, every packet is checked for the desirable characteristics. If they are not found, the packet still has a last chance of acceptance: it is forwarded to Filtering_decision (FD), which calculates an acceptance percentage. This depends on the relative costs of the two types of errors (acceptance of an intrusion packet, rejection of a valid packet).
4 Where and How to Filter

There are three main methods in the Marmelada approach, integrated to detect intrusions effectively. They work at different levels to avoid centralization; each has detailed procedures and emulates the HoneybeeGuard model, using the principles of detecting behaviour as its basis (see Table 1).

Table 1. Marmelada approach emulating the HoneybeeGuard nature

HoneybeeGuard nature model | Marmelada AI approach
- Guards and the bees they examine (examinees) differ considerably in their behaviour according to their particular role in the nestmate recognition process. | UA and DP classify each incoming packet based on the characteristics the packet possesses.
- The defensive response is usually initiated by guard bees, which patrol the nest entrance and are the first line of colony detection; guards also examine other bees not only at the nest entrance but inside the nest. | UA examines packets at the main gate; DP examines packets inside the network.
- Bee pheromone odour is responsible for detecting the invasion of aliens into the nest and has a highly significant effect on decision making. | UA stamps each packet that has been verified, to prevent spoofing.
- Honeybees are able to develop templates by referring to groups of properties. | UA examines each incoming packet at the main gate and classifies it as valid or intruder by verifying the characteristics present on the packet.
These methods and their functions are presented below:
1- Undesirable-Absent (UA): this is the main method in the Marmelada approach, where every received packet is verified and examined based on behaviour classification. Its place is at the main gate, as the nest door is in a honeybee colony [14], for two reasons: 1) to reduce the load at the main gate, where only UA is working and it demands a fixed set of requirements from each incoming packet; 2) to accept or reject the received packet immediately at the main door, so that there is no burden or resource exhaustion. Figure 3 summarizes the UA function and formula (1) shows how UA calculates the ratio for each received packet:

$$UA = \mathrm{MEAN}(ua_1 + ua_2 + ua_3 + \cdots + ua_i) \qquad (1)$$
[Figure: UA block receiving incoming packets, with rejected packets leaving the block]
Fig. 3. Undesirable-Absent method
2- Desirable-Present (DP): the packet forwarded from UA is checked here for two reasons: 1) we assume that malicious packets may be roaming inside the network without having passed through UA; these are easily caught by checking for the U-absent_stamp; 2) this hierarchical structure supports trace-back, which helps to detect spoofing efficiently. DP compares the characteristics of the forwarded packet with its "template", which contains the desirable characteristics of an accepted packet. If they are found, the packet is routed directly to its destination; otherwise it may be judged suspicious and forwarded to the filtering decision method, which determines the packet status decisively. Figure 4 shows the DP function. For each packet, DP calculates the desirable-characteristics rate as follows:

$$DP = \mathrm{MEAN}(dp_1 + dp_2 + dp_3 + \cdots + dp_i) \qquad (2)$$
3- Filtering Decision (FD): the packets forwarded from DP are verified here for a final decision to either accept or reject, by calculating the average of UA and DP. If the result is above a certain level the packet is accepted, otherwise it is rejected. The FD formula and Figure 5 are shown below.
[Figure: DP block receiving packets from UA; packets carrying the desirable characteristics leave as passed packets, the rest are forwarded to Filtering Decision as detected packets]
Fig. 4. Desirable-Present method
[Figure: FD block taking packets forwarded from DP and splitting them into passed packets and rejected packets]
Fig. 5. Filtering decision method
$$FD = \mathrm{AVERAGE}(UA + DP) \qquad (3)$$
5 Ideal Detection Threshold

In an ideal detection system, a guard would accept all nestmates and reject all intruders [15]. A guard can learn the characteristics of intruders and nestmates and use this learning as a reference [16]. When the guard encounters an incomer at the main gate, it compares the reference with the entering incomer and, based on the comparison, decides whether to allow or reject the entry. Distinguishing between a nestmate and a non-nestmate is very difficult, especially when characteristics overlap [17]. If there is only a small similarity between a template and a received packet, discrimination is also difficult, because a guard cannot simply reject a valid packet. However, permitting too much dissimilarity between the template and the characteristics of the received packet results in accepting more intruders [5]. In the Marmelada approach, an acceptance threshold is determined at UA by calculating the average amount of undesirable characteristics found in a received packet and comparing it with the internal characteristics template.
If there is a match between the UA template and a received packet above a certain level, the packet is classified as an intrusion; otherwise it is classified as accepted. This mechanism supports UA by reducing identification errors (rejecting a valid packet or accepting an intruder). The complete pseudo code of the proposed Marmelada approach is shown in Fig. 6.

1. Set initial values for UA(ua1, ua2, ua3, ..., uai)
   {ua: undesirable characteristics that must not be found in the entering bee}
   Route each arriving bee (b) to UA
   For every bee (b) do
       Compare b with the UA values
       Compute b(UA = MEAN(ua1 + ua2 + ua3 + ... + uai))
       IF (b > UA_average) THEN
           stamp b with UA_stamping {queen_odor}
           forward to DP
       ELSE
           record b as malicious and reject
2. Set initial values for DP(dp1, dp2, dp3, ..., dpi)
   {dp: desirable characteristics that should be found in the entering bee}
   Route each forwarded bee (b) to DP
   For every bee (b) do
       IF found(UA_stamping) THEN
           Compute b(DP = MEAN(dp1 + dp2 + dp3 + ... + dpi))
           Compare b with the DP values
           IF (b > DP_average) THEN
               allow passing
           ELSE
               forward to FD
       ELSE
           record b as malicious and reject
3. Receive bee (b) from DP
   For every bee (b) do
       Compute FD = AVERAGE(UA + DP)
       Compare b with the FD value
       IF (b > FD) THEN
           allow passing
       ELSE
           record b as suspicious and alert

Fig. 6. The pseudo code of Marmelada approach
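The three-stage pipeline of Sections 3 and 4 and the pseudo code of Fig. 6, as an added worked example in Python; this is not code from the paper. The undesirable and desirable characteristic lists, the three thresholds and the HMAC realisation of the UA_stamp (queen odor) are assumptions chosen for illustration, since the paper does not define them. The UA and DP scores follow formulas (1) and (2) as the mean of per-characteristic indicators, and FD follows formula (3) as the average of the two stage scores, with UA entered as an absence score (1 - UA) so that a higher value is always better.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed characteristic lists: the paper does not publish its ua/dp sets, so these
# names are illustrative placeholders for per-packet features a sensor could extract.
UNDESIRABLE = ("spoofed_source", "bad_checksum", "syn_and_fin", "known_bad_payload")
DESIRABLE = ("established_flow", "known_service", "valid_hop_limit", "expected_size")
QUEEN_ODOR_KEY = b"colony-secret"  # assumed secret shared by UA and DP, never seen by senders


@dataclass
class Packet:
    pid: int
    characteristics: frozenset
    stamp: Optional[bytes] = None  # UA_stamp ("queen odor"); only UA sets it


def ua_score(pkt):
    """Formula (1): mean of the undesirable-characteristic indicators ua_j in {0, 1}."""
    return sum(c in pkt.characteristics for c in UNDESIRABLE) / len(UNDESIRABLE)


def dp_score(pkt):
    """Formula (2): mean of the desirable-characteristic indicators dp_j in {0, 1}."""
    return sum(c in pkt.characteristics for c in DESIRABLE) / len(DESIRABLE)


def fd_score(pkt):
    """Formula (3): average of the stage scores; UA enters as absence (1 - UA)."""
    return ((1.0 - ua_score(pkt)) + dp_score(pkt)) / 2.0


def make_stamp(pkt):
    """Assumed realisation of the stamp: HMAC over the packet id and its characteristics,
    so a stamp cannot be forged or moved onto a packet with different features."""
    msg = ("%d:%s" % (pkt.pid, ",".join(sorted(pkt.characteristics)))).encode()
    return hmac.new(QUEEN_ODOR_KEY, msg, hashlib.sha256).digest()


def undesirable_absent(pkt, threshold=0.25):
    """Main gate: reject immediately when too many undesirable characteristics are present,
    otherwise stamp the packet and forward it inside the network."""
    if ua_score(pkt) > threshold:
        return "reject", "malicious"
    pkt.stamp = make_stamp(pkt)
    return "forward", "stamped"


def desirable_present(pkt, threshold=0.75):
    """Inside the network: verify the UA stamp first (precludes spoofing and catches packets
    that never passed UA), then compare against the desirable template."""
    if pkt.stamp is None or not hmac.compare_digest(pkt.stamp, make_stamp(pkt)):
        return "reject", "unstamped_or_spoofed"
    if dp_score(pkt) >= threshold:
        return "accept", "passed"
    return "forward", "suspicious"


def filtering_decision(pkt, threshold=0.6):
    """Last chance: accept on the combined score, otherwise raise an alert."""
    if fd_score(pkt) >= threshold:
        return "accept", "passed"
    return "alert", "suspicious"


def marmelada(pkt, ua_t=0.25, dp_t=0.75, fd_t=0.6):
    """Run one packet through UA -> DP -> FD; return (stage, action, reason)."""
    action, reason = undesirable_absent(pkt, ua_t)
    if action != "forward":
        return "UA", action, reason
    action, reason = desirable_present(pkt, dp_t)
    if action != "forward":
        return "DP", action, reason
    action, reason = filtering_decision(pkt, fd_t)
    return "FD", action, reason


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet(1, frozenset(DESIRABLE)),                                           # clean
    Packet(2, frozenset({"spoofed_source", "syn_and_fin", "known_service"})),  # rejected at UA
    Packet(3, frozenset({"known_service", "expected_size", "bad_checksum"})),  # accepted at FD
    Packet(4, frozenset({"known_service", "bad_checksum"})),                   # alert at FD
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.pid, marmelada(p))
    # A packet injected inside the network never passed UA and carries no stamp.
    print("bypass", desirable_present(Packet(5, frozenset(DESIRABLE))))
```

The stamp check in desirable_present is what Section 3 describes as precluding spoofing: a packet injected inside the network, or one whose characteristics were altered after UA, fails hmac.compare_digest and is rejected before its desirable characteristics are even examined.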
Figure 7.a illustrates the optimal threshold, where the system accepts all valid packets and rejects all intruders, whereas Figures 7.b and 7.c show the consequences of a restrictive and a permissive threshold for acceptance and rejection.
[Figure: three panels plotting Accept and Reject regions for valid packets and intruders against a Threshold line]
Fig. 7. (a) An optimal threshold (b) Restrictive threshold (c) Permissive threshold
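The acceptance-threshold trade-off of Section 5 and Fig. 7, as an added example in Python that is not part of the paper. The two score lists are constructed: each value stands for a packet's match with the UA template, and a match above the threshold is classified as intrusion. The cost-weighted selection mirrors the remark in Section 3 that the filtering decision depends on the relative costs of rejecting a valid packet and accepting an intruder; the cost values are assumptions.

```python
# Constructed UA-template match scores (0 = no undesirable characteristics, 1 = all of them)
# for valid packets and intruders. The two populations overlap on purpose (Section 5).
VALID_SCORES = (0.05, 0.10, 0.12, 0.15, 0.20, 0.22, 0.30, 0.35, 0.40, 0.55)
INTRUDER_SCORES = (0.30, 0.45, 0.50, 0.60, 0.65, 0.70, 0.80, 0.85, 0.90, 0.95)


def classify(score, threshold):
    """Section 5 rule: a match with the UA template above the threshold is an intrusion."""
    return "intrusion" if score > threshold else "accepted"


def errors_at(threshold, valid=VALID_SCORES, intruders=INTRUDER_SCORES):
    """Return (rejected_valid, accepted_intruders): the two error types FD trades off."""
    rejected_valid = sum(classify(s, threshold) == "intrusion" for s in valid)
    accepted_intruders = sum(classify(s, threshold) == "accepted" for s in intruders)
    return rejected_valid, accepted_intruders


def sweep(valid=VALID_SCORES, intruders=INTRUDER_SCORES):
    """Error counts at every threshold that can change a decision (each observed score)."""
    return [(t,) + errors_at(t, valid, intruders) for t in sorted(set(valid) | set(intruders))]


def ideal_thresholds(valid=VALID_SCORES, intruders=INTRUDER_SCORES):
    """Thresholds realising Fig. 7(a): no valid packet rejected and no intruder accepted.
    Empty whenever the two populations overlap."""
    return [t for t, fr, fa in sweep(valid, intruders) if fr == 0 and fa == 0]


def optimal_threshold(cost_reject=1.0, cost_accept=1.0,
                      valid=VALID_SCORES, intruders=INTRUDER_SCORES):
    """Threshold minimising cost-weighted error. A high cost_accept pushes the threshold
    down (restrictive, Fig. 7b); a high cost_reject pushes it up (permissive, Fig. 7c)."""
    rows = sweep(valid, intruders)
    return min(rows, key=lambda row: cost_reject * row[1] + cost_accept * row[2])[0]


if __name__ == "__main__":
    for t, fr, fa in sweep():
        print("threshold %.2f: rejected valid=%d accepted intruders=%d" % (t, fr, fa))
    print("ideal thresholds:", ideal_thresholds())
    print("restrictive:", optimal_threshold(cost_reject=1.0, cost_accept=5.0))
    print("balanced:   ", optimal_threshold())
    print("permissive: ", optimal_threshold(cost_reject=5.0, cost_accept=1.0))
```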
6 Conclusion

In this paper we introduce an approach based on the honeybee, emulating the first layer of the honeybee defence system, "detection", and its benefits, to propose a novel model for improving IDS. We investigate a new side of the honeybee colony, focusing on security and how it can be used to improve computer security. The security aspects emphasized in honeybee behaviour are proposed as a way to address computer security issues. In the Marmelada approach, packet acceptance is determined by the chosen threshold. It is difficult to set a threshold value; however, the threshold is more restrictive when undesirable characteristics are found, to ensure high levels of intrusion rejection. Besides that, once a packet has passed UA its probability of being accepted increases gradually [9], because the likelihood of intrusion is receding. Future work will compare the expected results, which are to be reported soon, with data obtained through experiments.
References
1. Vinod, Y., Paul, B., Johannes, U.: Internet intrusions: global characteristics and prevalence. In: International Conference on Measurement and Modeling of Computer Systems, USA (2003)
2. Liu, P.: Architectures for intrusion tolerant database systems. In: Annual Computer Security Applications Conference (2002)
3. Gu Hsin, L., Chia-Mei, C., Bing-Chiang, J., Willams, C.: Ant-based IP traceback. vol. 34, pp. 3071–3080. Pergamon Press, Inc., Oxford (2008), http://dx.doi.org/3010.1016/j.eswa.2007.3006.3034
4. Mukkamala, S., Janowski, G., Sung, A.: Intrusion detection using neural networks and support vector machines. In: Neural Networks, vol. 2 (2002)
5. Couvillon, M.J., Robinson, E.J.H., Atkinson, B., Child, L., Dent, K.R., Ratnieks, F.L.W.: En garde: rapid shifts in honeybee, Apis mellifera, guarding behaviour are triggered by onslaught of conspecific intruders. Animal Behaviour 76, 1653–1658 (2008)
6. Horridge, G.A.: Pattern discrimination by the honeybee (Apis mellifera): training on two pairs of patterns alternately. Journal of Insect Physiology 45, 349–355 (1999)
7. Breed, D., Guzmán-Novoa, E., Hunt, G.J.: Defensive behavior of honey bees: organization, genetics, and comparisons with other bees. Annual Review of Entomology 49, 271–298 (2004)
8. Butler, C.G., Free, J.: The behaviour of worker honeybees at the hive entrance. Behaviour 4, 263–291 (1952)
9. Vincent, J., Mintram, R., Phalp, K., Anyakoha, C., Bauerdick, H., Gottfried, B., Muthuraman, S.: AI Solutions for MDS: Artificial Intelligence Techniques for Misuse Detection and Localisation in Telecommunications Environments (July 2006), http://www.comarch.com/en/MDS
10. Charles, P.P., Shari Lawrence, P.: Security in Computing. Prentice Hall Professional Technical Reference (2002)
11. Simson, G., Gene, S.: Practical Unix and Internet Security, 2nd edn. O'Reilly & Associates, Inc., Sebastopol (1996)
12. Hofmeyr, S.A.: An Immunological Model of Distributed Detection and its Application to Computer Security. PhD thesis, University of New Mexico (1999)
13. Kitching, I.J.: Phylogeny of the death's head hawkmoths, Acherontia [Laspeyres], and related genera (Lepidoptera: Sphingidae: Sphinginae: Acherontiini). Systematic Entomology (2003)
14. Ratnieks, M.J.C.F.L.W.: Odour transfer in stingless bee marmelada (Frieseomelitta varia) demonstrates that entrance guards use an "undesirable–absent" recognition system. Behav. Ecol. Sociobiol. 62, 1099–1105 (2008)
15. Sherman, P.W., Reeve, H., Pfennig, D.: Recognition systems. In: Krebs, J.R., Davies, N.B. (eds.) Behavioural Ecology, pp. 69–96. Blackwell Science, Oxford (1997)
16. Lacy, R.C., Sherman, P.: Kin recognition by phenotype matching. Am. Nat. 116, 489–512 (1983)
17. Ratnieks, F.L.W., Downs, S.G.: Adaptive shifts in honey bee (Apis mellifera) guarding behavior support predictions of the acceptance threshold model. Behavioral Ecology 11 (2000)
A Data Mining Framework for Building Intrusion Detection Models Based on IPv6*

Zenghui Liu1 and Yingxu Lai2
1 Science and Technology Engineering Faculty, Beijing Vocational College of Electronic Science, Beijing 100029, China, [email protected]
2 College of Computer Science, Beijing University of Technology, Beijing 100124, China, [email protected]
Abstract. In Intrusion Detection Systems (IDS), many intelligent information processing methods, data mining techniques and so on have been applied to improve detection accuracy for IPv4 networks. IPv6 will inevitably replace IPv4 as the next generation of the Internet Protocol. Considering the urgent need for IDS in IPv6 networks, we present a novel intrusion detection model and apply it to an experimental IPv6 network in our lab. Experiments indicate that the model works well for intrusion detection in IPv6 networks.
1 Introduction

Intrusion detection (ID) is a type of security management for computers and networks. An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate an attack by someone attempting to break into or compromise a system. Several researchers have adopted association rules to design anomaly-based network intrusion detection systems. However, they all emphasize the effectiveness of association rules on IPv4 networks and ignore that IPv6 will inevitably replace IPv4 as the next generation of the Internet Protocol. The IPv6 protocol brings new demands for typical network protection mechanisms. An IDS built for IPv4 networks may also be applied to an IPv6 network, but it is difficult for it to process new IPv6 functions and security functions such as neighbor discovery or autoconfiguration [1-3]. In this paper we therefore also present a comprehensive study of intrusion detection for IPv6 networks. The rest of this paper is organized as follows: Section 2 briefly discusses related work. Section 3 describes the data set. Section 4 presents the details of our method. Section 5 shows the experimental results. Lastly, we state our conclusions in Section 6.
* Supported by the Scientific Research Common Program of Beijing Municipal Commission of Education (No. KM200810005030).
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 608–618, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Related Work

2.1 Typical Attacks under IPv6
Some of the changes in the IPv6 protocol specification may potentially result in security problems. In this subsection we concentrate on typical attacks against the IPv6 protocol.
(1) Reconnaissance attacks. Reconnaissance techniques are the same for IPv4 and IPv6, but the subnet size in an IPv6 network is much larger than in IPv4 (the default size is 64 bits). Scanning a whole subnet would require $2^{64}$ probes, which makes it infeasible. Unfortunately, some types of multicast addresses used in IPv6 networks can help an intruder identify and attack resources in the targeted network. RFC 2375 [4] defines node-, link- and site-specific uses of multicast addresses (e.g. all routers have the site-specific address FF05::2).
(2) Misuse of routing headers. According to [5], all IPv6 nodes have to be capable of processing routing headers. This behaviour produces security problems. An intruder can send a packet to a publicly accessible address with a routing header containing a "forbidden" address (an address on the victim network). The publicly accessible host then forwards the packet to the destination address stated in the routing header (the "forbidden" address) even though that destination is filtered.
(3) Fragmentation-related attacks. The IPv6 protocol specification [6] does not allow packet fragmentation by intermediate devices. The minimum MTU for IPv6 is 1280 octets. It is recommended security practice to drop all fragments of less than 1280 octets unless the packet is the last in the flow. Using fragmentation, an intruder can arrange that the port numbers are not in the first fragment and in that way bypass security monitoring devices (which do not reassemble fragments) that expect to find transport-layer protocol data in the first fragment. By sending a large number of small fragments, an attacker can overload the reassembly buffers on the target system, potentially crashing it (a type of denial-of-service attack).
(4) Misuse of ICMPv6 and multicast. Some important mechanisms in IPv6 networks, such as neighbor discovery and path MTU discovery, depend on certain ICMPv6 messages [6]. The ICMPv6 specification also allows an error notification to be sent in response to a packet addressed to a multicast address. An attacker can misuse this: by sending a suitable packet to a multicast address, the attacker causes multiple responses targeted at the victim (the spoofed source of the multicast packet).
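A minimal extension-header inspector for attacks (2) and (3) above, added here as an example in Python; it is not code from the paper. It walks the IPv6 extension-header chain and flags a type 0 routing header that still has segments left, a first fragment that carries no transport header, and a non-last fragment shorter than 1280 octets. The packets are constructed inline with the helper builders; the addresses, ports and fragment identification are illustrative.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
IPV6_MIN_MTU = 1280                 # minimum IPv6 link MTU
EXT_HOPOPT, EXT_ROUTING, EXT_FRAGMENT, EXT_DSTOPTS = 0, 43, 44, 60
EXTENSION_HEADERS = {EXT_HOPOPT, EXT_ROUTING, EXT_FRAGMENT, EXT_DSTOPTS}
PROTO_TCP, PROTO_UDP = 6, 17
MIN_TRANSPORT_BYTES = 8             # a UDP header, or TCP ports plus sequence number


def build_ipv6(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Construct an IPv6 packet (hop limit 64) around an already-built payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def fragment_header(next_header, offset, more, ident):
    """Fragment extension header: offset in 8-octet units, M flag in the low bit."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | (1 if more else 0), ident)


def rh0_header(next_header, hops):
    """Type 0 routing header (deprecated by RFC 5095) listing the given hop addresses."""
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    return struct.pack("!BBBBI", next_header, 2 * len(hops), 0, len(hops), 0) + addrs


def walk_extension_headers(pkt):
    """Follow the extension-header chain; return (upper_proto, upper_offset, ext_headers)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, ext = pkt[6], IPV6_HDR_LEN, []
    while nxt in EXTENSION_HEADERS:
        if len(pkt) < off + 8:
            raise ValueError("truncated extension header at offset %d" % off)
        entry = {"type": nxt}
        if nxt == EXT_FRAGMENT:
            nh, _res, frag, ident = struct.unpack_from("!BBHI", pkt, off)
            entry.update(offset=frag >> 3, more=frag & 1, ident=ident)
            hlen = 8
        else:
            nh, ext_len = struct.unpack_from("!BB", pkt, off)
            hlen = (ext_len + 1) * 8          # length field excludes the first 8 octets
            if nxt == EXT_ROUTING:
                entry.update(routing_type=pkt[off + 2], segments_left=pkt[off + 3])
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        ext.append(entry)
        off, nxt = off + hlen, nh
    return nxt, off, ext


def inspect_ipv6(pkt):
    """Return findings for routing-header misuse (2) and fragmentation abuse (3)."""
    findings = []
    upper, upper_off, ext = walk_extension_headers(pkt)
    for h in ext:
        if h["type"] == EXT_ROUTING and h["routing_type"] == 0 and h["segments_left"] > 0:
            findings.append("type 0 routing header, segments_left=%d" % h["segments_left"])
        if h["type"] == EXT_FRAGMENT:
            # The first fragment must carry enough of the upper-layer header to see the ports.
            if h["offset"] == 0 and (upper not in (PROTO_TCP, PROTO_UDP)
                                     or len(pkt) - upper_off < MIN_TRANSPORT_BYTES):
                findings.append("first fragment does not carry a transport header")
            # Every fragment except the last should be as large as the minimum MTU allows.
            if h["more"] and len(pkt) < IPV6_MIN_MTU:
                findings.append("non-last fragment of %d octets (< %d)" % (len(pkt), IPV6_MIN_MTU))
    return findings


# Constructed packets (addresses and ports are illustrative).
SAMPLE_PACKETS = {
    "tcp_syn": build_ipv6(PROTO_TCP, struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)),
    "tiny_first_fragment": build_ipv6(EXT_FRAGMENT, fragment_header(PROTO_TCP, 0, True, 0x1234) + b"\x9c\x40"),
    "rh0_bounce": build_ipv6(EXT_ROUTING, rh0_header(PROTO_UDP, ["2001:db8::ffff"]) + struct.pack("!HHHH", 53, 53, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, inspect_ipv6(pkt) or "clean")
```

The checks deliberately run on single packets without reassembly, which is exactly the position of the monitoring devices the text says fragmentation is used to bypass; a reassembling sensor would instead apply the port check to the reassembled datagram.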
2.2 Intrusion Detection

There are two main categories of intrusion detection technology: misuse detection and anomaly detection. Misuse detection, the most common approach, detects previously seen, known attacks by looking for an invariant signature left by these attacks. Its main shortcoming is that it cannot predict future attacks and has a high false-alarm rate; in fact, these systems must be updated manually and frequently to detect new attacks as they are discovered. Anomaly detection is based on the assumption that misuse or intrusive behaviour deviates from normal system use [7]. One advantage of anomaly detection is that it can detect attacks regardless of whether they have been seen before. Intrusion detection systems have some defects, such as signatures being generated manually, signatures being difficult to update, and helplessness in the face of very large data sets. Intelligent computing techniques, such as state transition analysis, statistical approaches, expert systems, model-based approaches, pattern matching, artificial neural networks, support vector machines, neuro-fuzzy systems, multivariate adaptive regression splines, linear genetic programming, hybrids of the above and data mining, are widely used by IDS researchers according to their capabilities. These techniques help to detect known and unknown intrusions and cope well with very large data sets that have no previously described patterns. A review of the many alternative approaches to intrusion detection is available in [8]. In the next subsection we concentrate on association rule mining.

2.3 Association Rule Mining
Association rule discovery, the most actively studied area [9-11], is a technique for investigating the possibility of simultaneous occurrence of data items. Let $I = \{i_1, i_2, \ldots, i_m\}$ be a set of literals, called items. Let $D$ be a set of transactions, where each transaction $T$ is a set of items such that $T \subseteq I$. An association rule is an implication of the form $X \to Y$, where $X \subseteq I$, $Y \subseteq I$ and $X \cap Y = \emptyset$. Support and confidence describe the "interestingness" or "goodness" of a rule as follows:

$$\mathrm{support}(X \to Y) = P(X \cup Y), \qquad \mathrm{confidence}(X \to Y) = P(Y \mid X) = \frac{\mathrm{support}(X \to Y)}{P(X)}.$$

The support of the rule $X \to Y$ is the proportion of transactions in $D$ that contain $X \cup Y$. The confidence of the rule $X \to Y$ is the proportion of transactions that include both $X$ and $Y$ among all transactions that include $X$. Existing association rule discovery techniques find only the associations among data that satisfy the minimum support and minimum confidence set by the user: all itemsets whose support is greater than or equal to the user-specified minimum support are generated.
3 Intrusion Data Set

The KDD Cup 1999 intrusion detection contest data [12] is widely used in IDS experiments for IPv4 networks. The raw data was processed into 24 attack types, which fall into four main categories: probing, denial of service, user-to-root attacks and remote-to-user attacks. In this paper we focus on the typical DoS/DDoS attacks and routing-header misuse attacks under IPv6, including DoS attacks on the IPv6 Neighbor Discovery protocol and DDoS attacks of four representative kinds: TCP flood, UDP flood, ICMP flood and smurf. We ran these attacks on an IPv6 network and captured the IPv6 attack packets. Table 1 shows an example of a reconnaissance attack and a normal visit. Packets are captured with WinPcap (or libpcap). In this example we recognize an attack (or a normal visit) as a sequence of connection attempts to different ports on the targeted host within a very short period. Since the amount of audit data is huge (some days have several million connection records), we did not aggregate all the connection records into a single training data set. Analyzing and summarizing raw audit data is an essential task for an IDS. Our data mining programs use pre-processed audit data in which each record corresponds to a high-level event, e.g. a network connection or host session: we join a sequence of connections to the same destination into one transaction. Table 2 shows the joined transaction from Table 1. Each record normally includes an extensive set of features describing the event, for example the duration of a connection and the number of bytes transferred between source and destination host. We formally define a record as a seven-tuple summarizing a connection: {IP, Port, Flag, Protocol, Service, State, Class}.
Six features plus one class label were extracted, in three groups: 2 basic features, 2 content features and 2 host-based features. The basic features are the service requested and the protocol used between source and destination machine. The content features are the flag and the TCP connection state. The host-based features are the host IP address and port. Table 3 shows the summarized training data set. The data set is divided into a training set and a testing set. The system constructs a model from the training set to obtain maximum generalization accuracy; the test data is then passed through the constructed model to detect intrusions in the testing phase. The training and testing sets in this paper contain 5000 records each.
4 Implement of IDS for IPv6 Network In this section, we describe our data mining algorithm, and illustrate how to apply this algorithm to generate detection models from training data.
4.1 Basic Algorithm

The association rule mining problem is solved in two steps: 1) find all frequent itemsets in the transactional database $D$; 2) compute the required association rules from the frequent itemsets. The first step is the most difficult part of the mining process; once all frequent itemsets are known, computing the rules is easy. Many mining algorithms address the first step, and Apriori [13] is the most effective among them. The algorithm generates all frequent itemsets as follows:
Step 0. Scan the database $D$ to find $L_1$.
Step 1. $C_k$, $k > 1$, is generated by joining the itemsets in $L_{k-1}$. Itemsets in $C_k$ that have some $(k-1)$-subset not in $L_{k-1}$ are deleted.
Step 2. The support of the itemsets in $C_k$ is calculated by a database scan to decide $L_k$.
Step 3. Go to Step 1 until $L_k = \emptyset$.
The algorithm extracts frequent itemsets by scanning the transactional database repeatedly. The cost of these scans dominates the algorithm's running time on large databases. Therefore we take interestingness into account and improve on the basic algorithm.

4.2 Improved Algorithm
We call the essential attributes axis attributes when they are used as an item constraint in the association rule algorithm. In practice, we need not designate all
Table 1. Reconnaissance attack pattern captured by WinPcap
A Data Mining Framework for Building Intrusion Detection Models Based on IPv6
613
attributes as the axis attributes. For example, many source hosts will connect destination server to visit some services on some ports. So the source host IP address and source host port are not as axis attributes. The candidate frequent sets include source IP address or port (such as {3eff:124e:0000:0001, 80}) are not useful. We formally define seven essential attributes as the axis attributes, i.e., {DIP, DPort, Flag, Protocol, Service, State, Class}. During candidate generation, an item set must contain values of the axis attributes. Table 2. Reconnaissance attack pattern captured by Winpcap
Table 3. Data set

IP                     PORT  FLAG     PROTOCOL  SERVICE  STATE  CLASS
3eff:124e:0000:0001    80    Passive  tcp       http     sf     normal
3eff:124e:0000:0002    23    Active   udp       telnet   S1     abnormal
3eff:124e:0000:0003    100   Active   icmpv6    ftp      S0     abnormal
…                      300   …        …         …        S2     …
Plain Apriori may extract 2-itemsets such as {3eff:124e:0000:0001, 3eff:124e:0000:0002}, from which it is useless to generate 3-itemsets. We improve the algorithm to extract frequent itemsets efficiently, as shown in Algorithm 1.
Algorithm 1: Apriori
begin
1) L1 = find_frequent_1-itemsets(D);
2) for (k = 2; Lk-1 ≠ ∅; k++)
3)   Lk = apriori_gen(Lk-1, min-sup);
4) return L = ∪k Lk;
end

Procedure apriori_gen(Lk-1, min-sup)
  for each itemset l1 ∈ Lk-1
    for each itemset l2 ∈ Lk-1
      if (l1[1] = l2[1]) ∧ (l1[2] = l2[2]) ∧ … ∧ (l1[k-2] = l2[k-2]) ∧ (l1[k-1] < l2[k-1]) then {
        c = l1 ⋈ l2;                        // join step
        if has_infrequent_subset(c, Lk-1) then
          delete c;                          // prune step
        else
          add c to Ck;
      }
  for each transaction t ∈ D {
    Ct = {c ∈ Ck | c ⊆ t};                   // candidates contained in t
    for each candidate c ∈ Ct
      c.count++;
  }
  Lk = {c ∈ Ck | support(c) ≥ min-sup};
  return Lk;

Procedure has_infrequent_subset(c, Lk-1)
  for each (k-1)-subset s of c
    if s ∉ Lk-1 then return TRUE;
  return FALSE;
Our goal is to find association rules in the data sets. We argue that the “relevant” association rules should describe patterns related to the axis attribute “Class”; patterns that involve only the other attributes are normally “irrelevant”. For example, the basic association rule algorithm may generate rules such as

host, port -> flag = passive

This rule is not useful and is to some degree misleading: the association between a host and a port says nothing about intrusion.
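The constrained mining of Section 4.2 together with the relevance criterion above, as an added Python example (not the authors' implementation). Items are (attribute, value) pairs drawn only from the seven axis attributes, so a source host or port never enters a candidate, and only rules whose consequent is a Class value are reported, which is what keeps a rule like host, port -> flag = passive out. The records below are constructed to mirror the layout of Table 4 and are not the paper's data set; the support and confidence thresholds are chosen for the example.

```python
"""Constrained Apriori over connection records (Section 4.2). Added example, not the paper's code.

Items are (attribute, value) pairs. Only the axis attributes become items, and only
rules with the Class attribute as consequent are reported (Section 4's relevance rule).
"""
from collections import Counter
from itertools import combinations

# Constructed sample in the column layout of Table 4 ("*" = not applicable); not the authors' data.
RECORDS = [
    {"DIP": "3eff:124e:0000:0004", "DPort": "80", "Flag": "passive", "Protocol": "tcp",    "Service": "pop3", "State": "SF", "Class": "normal"},
    {"DIP": "3eff:124e:0000:0001", "DPort": "80", "Flag": "passive", "Protocol": "tcp",    "Service": "pop3", "State": "SF", "Class": "normal"},
    {"DIP": "3eff:124e:0000:0004", "DPort": "*",  "Flag": "passive", "Protocol": "icmpv6", "Service": "*",    "State": "*",  "Class": "abnormal"},
    {"DIP": "3eff:124e:0000:0001", "DPort": "*",  "Flag": "passive", "Protocol": "icmpv6", "Service": "*",    "State": "*",  "Class": "abnormal"},
    {"DIP": "3eff:124e:0000:0002", "DPort": "*",  "Flag": "passive", "Protocol": "icmpv6", "Service": "*",    "State": "*",  "Class": "abnormal"},
    {"DIP": "3eff:124e:0000:0003", "DPort": "39", "Flag": "passive", "Protocol": "tcp",    "Service": "ftp",  "State": "SF", "Class": "normal"},
    {"DIP": "3eff:124e:0000:0004", "DPort": "39", "Flag": "passive", "Protocol": "tcp",    "Service": "ftp",  "State": "SF", "Class": "normal"},
    {"DIP": "3eff:124e:0000:0001", "DPort": "39", "Flag": "passive", "Protocol": "tcp",    "Service": "ftp",  "State": "SF", "Class": "normal"},
    {"DIP": "3eff:124e:0000:0003", "DPort": "39", "Flag": "passive", "Protocol": "tcp",    "Service": "ftp",  "State": "SF", "Class": "normal"},
]

# The seven axis attributes of Section 4.2; source host and source port are deliberately absent.
AXIS = ("DIP", "DPort", "Flag", "Protocol", "Service", "State", "Class")


def transactions(records, axis=AXIS):
    """One frozenset of (attribute, value) items per record, axis attributes only."""
    return [frozenset((a, r[a]) for a in axis) for r in records]


def support_counts(candidates, txns):
    """Database scan: count the transactions containing each candidate itemset."""
    counts = Counter()
    for t in txns:
        for c in candidates:
            if c <= t:
                counts[c] += 1
    return counts


def apriori(txns, min_sup):
    """Return {frequent itemset: support} for every size k, following Algorithm 1.

    Candidates of size k are joins of two frequent (k-1)-itemsets that differ in one
    item; a candidate with any infrequent (k-1)-subset is pruned before the scan.
    """
    n = len(txns)
    c1 = {frozenset([item]) for t in txns for item in t}
    counts = support_counts(c1, txns)
    level = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_sup}
    frequent = dict(level)
    k = 2
    while level:
        prev = set(level)
        cands = set()
        for a, b in combinations(sorted(prev, key=sorted), 2):
            c = a | b
            if len(c) == k and all(frozenset(s) in prev for s in combinations(c, k - 1)):
                cands.add(c)  # join gave a k-itemset and every (k-1)-subset is frequent
        counts = support_counts(cands, txns)
        level = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_sup}
        frequent.update(level)
        k += 1
    return frequent


def class_rules(frequent, min_conf):
    """Rules whose consequent is a Class value: {(antecedent, consequent): (support, confidence)}."""
    rules = {}
    for itemset, sup in frequent.items():
        cls = [it for it in itemset if it[0] == "Class"]
        if len(cls) != 1 or len(itemset) < 2:
            continue
        antecedent = itemset - {cls[0]}
        conf = sup / frequent[antecedent]  # antecedent is frequent by the Apriori property
        if conf >= min_conf:
            rules[(antecedent, cls[0])] = (sup, conf)
    return rules


def mine(records=RECORDS, min_sup=0.3, min_conf=0.9):
    """Mine class-consequent rules from records; thresholds are example values."""
    return class_rules(apriori(transactions(records), min_sup), min_conf)


if __name__ == "__main__":
    for (ante, cons), (sup, conf) in sorted(mine().items(), key=lambda kv: -kv[1][0]):
        print(", ".join(f"{a}={v}" for a, v in sorted(ante)), "->", f"{cons[1]}, {sup:.3f}, {conf:.2f}")
```

With these records the rule Protocol=icmpv6 -> abnormal comes out with support 3/9 and confidence 1.0, and no rule with a non-Class consequent is produced, because such itemsets are never turned into rules even when they are frequent.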
5 Experimental Results
5.1 Experimental Design
For the experiments, a small IPv6 network was set up at the College of Computer Science, Beijing University of Technology. The network consists of four desktop PCs (Intel Celeron and Intel P4 CPUs). All computers are dual-boot, running MS Windows XP (with SP2) and Mandrake Linux 10, and all are configured as dual-stack devices supporting both IPv4 and IPv6. Several IPv6 intrusion detection tests were run on this network, including different types of DoS attacks. By continuously monitoring the network traffic for 24 hours we collected the intrusion behaviour together with normal connections, and a large amount of real traffic was also run through the model. The experimental results and the prospects for successful detection are analysed in the next subsection.
5.2 Experimental Results
5.2.1 Data Set and Rules
We select intrusion data for pattern mining and feature construction, and label each connection record “normal” or “abnormal” to create training data for building classification models. Table 4 shows some intrusion behaviour and normal connection packets. The association rules obtained with our model are shown in Table 5. For example, the rule {3eff:124e:0000:0001, 80, passive, tcp, http, sf → normal, 0.95, 1} means that the server with IP 3eff:124e:0000:0001 offers an HTTP service on port 80 and the connection was closed cleanly, so the connection is normal, with support 0.95 and confidence 1.0.
5.2.2 Testing Result
The tests in Table 6 are run on the testing data set. To find the relationship between detection accuracy and the attributes used at a given minimum support, experiments were run with different attribute sets. The classification results are shown in Table 6. With the minimum support set to 0.1, the best detection rate on normal connection data is 72.2%.
5.2.3 Improved Algorithm
Time consumption is fundamental when evaluating an algorithm. The time consumption of the two algorithms, basic Apriori and the improved algorithm, is compared in Fig. 1.
Table 4. Training data (part)

IP                     Port  Flag     Protocol  Service  State  Class
3eff:124e:0000:0004    80    Passive  tcp       pop3     SF     normal
3eff:124e:0000:0001    80    Passive  tcp       pop3     SF     normal
3eff:124e:0000:0004    *     Passive  icmpv6    *        *      abnormal
3eff:124e:0000:0001    *     Passive  icmpv6    *        *      abnormal
3eff:124e:0000:0002    *     Passive  icmpv6    *        *      abnormal
3eff:124e:0000:0003    39    Passive  tcp       ftp      SF     normal
3eff:124e:0000:0004    39    Passive  tcp       ftp      SF     normal
3eff:124e:0000:0001    39    Passive  tcp       ftp      SF     normal
3eff:124e:0000:0003    39    Passive  tcp       ftp      SF     normal

Table 5. Association rules (part)

No  Rule
1   208, passive, udp → abnormal, 0.256, 1.0
2   passive, tcp, SF → normal, 0.215, 1.0
3   passive, tcp, S1 → abnormal, 0.12, 1.0
4   tcp, ftp, SF → normal, 0.122, 1.0
5   3eff:124e:0000:0003, passive → abnormal, 0.1, 1.0
6   passive, icmpv6 → abnormal, 0.24, 1.0
7   passive → abnormal, 0.706, 0.7
8   3eff:124e:0000:0001, 80, passive, tcp, http, sf → normal, 0.95, 1.0
Table 6. The detection accuracy of experiments

Support   True  False  Accuracy
0.1       361   139    72.2%
0.2       236   264    47.2%
0.3–0.7   353   147    70.6%
>0.7      0     500    0%
Fig. 1. Time cost of two algorithms
The figure shows that our solution outperforms the basic Apriori algorithm in time cost.
6 Conclusion
An improved association rule discovery system for IPv6 networks has been studied in this paper. The contributions are as follows. It is the first time that association rule data mining has been applied to IPv6 simulation data sets, which is meaningful for the study of IPv6 security mechanisms. It improves the basic Apriori algorithm, making association rule mining applicable to IPv6 networks.
References
1. Jung, B.H., Lim, J.D., Kim, Y.H., Kim, K.Y.: An Analysis of Security Threats and Network Attacks in IPv6. Electronics and Telecommunications Trends 22(1), 37–50 (2007)
2. Kaeo, M., Green, D.: IPv6 Security Technology Paper. North American IPv6 Task Force (NAv6TF) Technology Report, Ver. 1.0, July 22 (2006)
3. Lim, J., Kim, Y., Jung, B., Kim, K., Kim, J., Lee, C.: Implementation of Multi-thread based Intrusion Prevention System for IPv6. In: International Conference on Control, Automation and Systems 2007, COEX, Seoul, Korea, October, pp. 404–407 (2007)
4. RFC 2375: IPv6 Multicast Address Assignments
5. RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
6. RFC 2463: Internet Control Message Protocol (ICMPv6) for the IPv6 Specification
7. Bishop, M., Cheung, S., Wee, C., Frank, J., Hoagland, J., Samorodin, S.: The Threat from the Net. IEEE Spectrum 34(8), 56–63 (1997)
8. Frank, J.: Artificial Intelligence and Intrusion Detection: Current and Future Directions. In: 17th National Computer Security Conference, pp. 22–33 (October 1994)
9. Agrawal, R., Shafer, J.C.: Parallel mining of association rules. IEEE Transactions on Knowledge and Data Engineering 8(6), 962–969 (1996)
10. Agrawal, R., Srikant, R.: Fast Algorithms for Mining Association Rules in Large Databases. In: Proceedings of the 20th International Conference on Very Large Data Bases, pp. 478–499 (September 1994)
11. Srikant, R., Agrawal, R.: Mining Generalized Association Rules. In: Proceedings of the 21st International Conference on Very Large Data Bases, pp. 407–419 (September 1995)
12. Lee, W., Stolfo, S.J., Mok, K.: Data mining in work flow environments: Experiences in intrusion detection. In: Proceedings of the 1999 Conference on Knowledge Discovery and Data Mining (KDD 1999) (1999)
13. Agrawal, R., Mannila, H., Srikant, R., Toivonen, H., Verkamo, A.: Fast Discovery of Association Rules. In: Advances in Knowledge Discovery and Data Mining. MIT Press, Cambridge (1996)
FPGA Implementation of Elliptic Curve Point Multiplication over GF(2^191)
Sameh M. Shohdy, Ashraf B. El-Sisi, and Nabil Ismail
Computer Science Department, Faculty of Computers and Information, Menoufiya University, Shebin Elkom 32511, Egypt
[email protected], [email protected], [email protected]
Abstract. Hardware acceleration of cryptographic algorithms is beneficial because considerable performance improvements can be attained compared to software implementations, so hardware implementations can be used in critical applications requiring high encryption or decryption speeds. A parallel architecture with an efficient hardware implementation of the Galois field arithmetic operations is used to achieve a fast scalar multiplication, the main operation of an Elliptic Curve Cryptography (ECC) system. This work proposes a modification of the Karatsuba-Ofman algorithm, one of the best algorithms for multiplication over a Galois field: the Karatsuba-Ofman recursion is truncated at a low level and the classic polynomial multiplication algorithm is used below it. In addition, this work proposes an architecture for implementing ECC in hardware using the Montgomery algorithm in projective coordinates. The results show that the proposed architecture computes a GF(2^191) elliptic curve scalar multiplication in 72.939 µs on a Xilinx Virtex-II XC2V6000 FPGA and in 100.68 µs on a Xilinx VirtexE 2600. The architecture can also be adapted to any Galois field size with little modification.
Keywords: Galois field, elliptic curve cryptography, Karatsuba-Ofman multiplier, field programmable gate arrays, polynomial multiplication, polynomial inversion.
1 Introduction
In the Internet age, information is transferred through many different media in many ways. The value of the transferred information makes eavesdroppers eager to break the privacy of the data, and eavesdropping makes information security essential to guarantee that privacy. Cryptography is the main method of guaranteeing secure data transfer over any medium. The sender encrypts the message from plain text to cipher text; even if someone eavesdrops on the medium, the encrypted message cannot be understood. The receiver is the only party who can decrypt the message from cipher text back to plain text and read it.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 619–634, 2009. © Springer-Verlag Berlin Heidelberg 2009

S.m. Shohdy, A.b. El-sisi, and N. Ismail

Cryptosystems differ in several respects. One is how encryption and decryption are performed. Symmetric cryptosystems depend on a single secret key used for both encryption and decryption, so the key must remain private between sender and receiver; if the key has to be transferred between the two parties, the system must guarantee a secure channel for that transfer. Asymmetric cryptosystems depend on two keys: a public key, used to encrypt the message and available to any party, and a private key, held by the receiver only, which decrypts the message and so guarantees that only the receiver can read it. Cryptosystems also differ in the mathematical problem that makes it hard to compute the private key from the public key although the two are related: for example, Discrete Logarithm (DL) systems (e.g. Diffie-Hellman, DSA), Integer Factorization (IF) systems (e.g. RSA) and Elliptic Curve Discrete Logarithm (EC) systems. Each algorithm can be implemented in software or in hardware. Software implementations are easy to produce but slow and offer less protection; hardware implementations are harder to produce but faster and better protected. Fig. 1 illustrates the ECC operations that an Arithmetic/Logic Unit (ALU) for an ECC processor can include.
Fig. 1. ALU for ECC Processor
This work implements one of the modern cryptosystems, elliptic curve cryptography, on FPGA hardware. ECC is preferred over classical cryptosystems such as RSA because of its higher speed and lower power: ECC offers the same security level as RSA with a shorter key size [1]. Elliptic curves are used in many applications (e.g. digital signatures, authentication protocols).
FPGA Implementation of Elliptic Curve Point Multiplication
This paper is organized as follows. Section 2 describes the mathematical background of Galois fields and elliptic curve cryptography. Section 3 describes the architecture and design of the Galois field arithmetic and the ECC operations. Section 4 presents results and a comparison for the implementation of ECC scalar multiplication in GF(2^191). Finally, Section 5 draws some conclusions and outlines future work.
2 Mathematical Background
2.1 Galois Field Arithmetic
A Galois field, or finite field, GF(p^m) is a field with a finite number of elements. Galois field arithmetic plays a critical role in elliptic curve cryptography implementations because it is the core of the ECC scalar multiplication operation, so a more efficient implementation of the underlying field operations makes the overall algorithm more efficient. The Galois fields suitable for ECC fall into two categories: prime fields, where m = 1, and binary fields, where p = 2 and m ≥ 1. The binary field is the more suitable one for hardware, because field elements can be represented directly as bit vectors (polynomial basis representation) and there is no carry propagation. Arithmetic in the binary field is the core of the elliptic curve scalar multiplication. The Montgomery algorithm applied to a Weierstrass elliptic curve depends on four field operations: multiplication, addition, squaring and inversion. The algorithms for these operations depend on how field elements are represented. This section presents the finite field arithmetic operations in GF(2^m).
2.1.1 Addition Operation
Addition requires only one m-bit XOR operation (bitwise addition modulo 2). The sum of two elements $A, B \in GF(2^m)$ is given by equation (1):
$$C(x) = A(x) + B(x) = \sum_{i=0}^{m-1} (a_i \oplus b_i)\, x^i \qquad (1)$$
2.1.2 Square Operation
The binary representation of an element's square is obtained by inserting a 0 bit between consecutive bits of the element's binary representation, followed by reduction. The square of $A \in GF(2^m)$ is given by equation (2):
$$A^2(x) = \sum_{i=0}^{m-1} a_i\, x^{2i} \qquad (2)$$
2.1.3 Multiplication Operation
Assume two elements $A(x), B(x)$ of the binary field $GF(2^m)$ with irreducible polynomial $p(x)$. Field multiplication is done in two steps:
1. Polynomial multiplication of $A(x)$ and $B(x)$: $C'(x) = A(x) \cdot B(x)$
2. Reduction using the irreducible polynomial $p(x)$: $C(x) = C'(x) \bmod p(x)$
Many multipliers address polynomial multiplication; those suited to hardware include the polynomial basis LFSR multiplier [2], the Massey-Omura multiplier [3], the Berlekamp multiplier [4] and the Karatsuba multiplier [5]. The work in [6] suggests a modified version of the Karatsuba-Ofman multiplier, the Binary Karatsuba-Ofman multiplier, which multiplies two elements of a finite field $GF(2^m)$ for arbitrary m.
2.1.4 Reduction Operation
Multiplication and squaring need, as mentioned above, a reduction step that brings the degree of the result, which may be as high as 2m − 2, back below m: $C(x) = C'(x) \bmod p(x)$.
2.1.5 Inversion Operation
Inversion is the most time-consuming operation when computing the scalar multiplication in elliptic curve cryptography with the Montgomery method discussed later. Inversion in the binary field is the process of finding $a^{-1}$ for a nonzero element $a \in GF(2^m)$ such that
$$a \cdot a^{-1} \equiv 1 \pmod{p(x)}.$$
Several algorithms exist for computing the inverse: the standard division algorithm [8], the extended Euclidean algorithm (EEA), the Modified Almost Inverse Algorithm (MAIA) [9], the binary inversion algorithm and the Itoh-Tsujii multiplicative inverse algorithm. Each takes an element $a$ and the irreducible polynomial $f(x)$ as input and outputs the inverse $a^{-1}$. The extended Euclidean algorithm (EEA) is based on the classical Euclidean algorithm (EA) for computing the greatest common divisor (gcd) of two polynomials A and B. The EA is defined as follows: let A, B be nonzero binary polynomials with deg(B) ≤ deg(A); the greatest common divisor of A and B is the binary polynomial D of highest degree that divides both A and B without remainder. The EEA is a modification of the EA, and computing the inverse of an element of a binary finite field is one of its applications: for an element A of the field and the irreducible polynomial $p(x)$, A has an inverse B with $A \cdot B = 1 \bmod p(x)$ if and only if $\gcd(A, p(x)) = 1$. When this holds there exist polynomials $r$ and $s$ such that
$$r \cdot A + s \cdot p(x) = 1,$$
so
$$r \cdot A \equiv 1 \pmod{p(x)}, \qquad r = A^{-1} \bmod p(x).$$
Algorithm 1 defines the EEA, which computes $A^{-1}$ efficiently. The algorithm terminates when u = 1, at which point $g_1$ is the inverse of $a$.
Algorithm 1. Extended Euclidean Algorithm for inversion in GF(2^m) [10]
Input: a ∈ GF(2^m), a ≠ 0, and the irreducible polynomial f(x) of degree m.
Output: a^-1 mod f(x).
1. u ← a, v ← f.
2. g1 ← 1, g2 ← 0.
3. While u ≠ 1 do:
   3.1 j ← deg(u) − deg(v).
   3.2 If j < 0 then: u ↔ v, g1 ↔ g2, j ← −j.
   3.3 u ← u + x^j v.
   3.4 g1 ← g1 + x^j g2.
4. Return (g1).
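The field arithmetic of Section 2.1 and the inversion of Algorithm 1, as an added Python example (not the paper's VHDL). The multiplier is the Binary Karatsuba-Ofman recursion truncated to a classic multiplier below a threshold, as the abstract and Section 3.1.3 describe, with a count of the classic products it performs; the threshold of 8 bits and the operand size 191 follow the paper. Field elements are integers whose bit i is the coefficient of x^i. The middle exponent of the trinomial, x^191 + x^9 + 1, is an assumption of this example: the paper fixes m = 191 and a trinomial but the page does not give the exponent.

```python
"""GF(2^m) arithmetic (Section 2.1) with truncated Karatsuba multiplication
(Section 3.1.3) and EEA inversion (Algorithm 1). Added example, not the paper's code.

Field elements are ints: bit i of the int is the coefficient of x^i.
"""
M = 191
K = 9                           # ASSUMPTION: middle exponent of the trinomial (not given on the page)
P = (1 << M) | (1 << K) | 1     # p(x) = x^191 + x^9 + 1
THRESHOLD = 8                   # operand size at which Karatsuba is truncated (Section 3.1.3)


def deg(a):
    """Degree of polynomial a; -1 for the zero polynomial."""
    return a.bit_length() - 1


def add(a, b):
    """Section 2.1.1: bitwise XOR, no carry chain."""
    return a ^ b


def classic_mul(a, b):
    """Schoolbook carry-less product; used at the truncated leaves of Karatsuba."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def karatsuba(a, b, n, threshold=THRESHOLD, stats=None):
    """Carry-less product of two n-bit polynomials by Binary Karatsuba-Ofman.

    n is split as h = n // 2 and n - h, so odd sizes like 191 need no padding.
    At or below `threshold` bits the classic multiplier is used; if `stats` is a
    dict, the number of such leaf products is accumulated in stats["leaves"].
    """
    if n <= threshold:
        if stats is not None:
            stats["leaves"] = stats.get("leaves", 0) + 1
        return classic_mul(a, b)
    h = n // 2
    mask = (1 << h) - 1
    a_lo, a_hi, b_lo, b_hi = a & mask, a >> h, b & mask, b >> h
    lo = karatsuba(a_lo, b_lo, h, threshold, stats)
    hi = karatsuba(a_hi, b_hi, n - h, threshold, stats)
    mid = karatsuba(a_lo ^ a_hi, b_lo ^ b_hi, n - h, threshold, stats)
    # (aH x^h + aL)(bH x^h + bL) = hi x^2h + (mid + lo + hi) x^h + lo   over GF(2)
    return (hi << (2 * h)) ^ ((mid ^ lo ^ hi) << h) ^ lo


def leaf_count(n, threshold=THRESHOLD):
    """Number of classic products one full recursion performs for n-bit operands."""
    if n <= threshold:
        return 1
    h = n // 2
    return leaf_count(h, threshold) + 2 * leaf_count(n - h, threshold)


def reduce_mod(c, p=P, m=M):
    """Section 2.1.4: fold a product of degree up to 2m-2 below degree m.

    Each step XORs a shifted copy of p(x) to cancel the current leading term,
    which is why the hardware needs XOR gates only.
    """
    while deg(c) >= m:
        c ^= p << (deg(c) - m)
    return c


def mul(a, b, p=P, m=M):
    """Section 2.1.3: polynomial multiplication, then reduction."""
    return reduce_mod(karatsuba(a, b, m), p, m)


def square(a, p=P, m=M):
    """Section 2.1.2 / 3.1.2: a zero bit between consecutive bits, then reduce."""
    s = 0
    for i in range(a.bit_length()):
        if (a >> i) & 1:
            s |= 1 << (2 * i)
    return reduce_mod(s, p, m)


def inverse(a, p=P, m=M):
    """Algorithm 1: g1*a == u and g2*a == v (mod p) hold throughout; stop at u == 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    u, v, g1, g2 = a, p, 1, 0
    while u != 1:
        j = deg(u) - deg(v)
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return reduce_mod(g1, p, m)


if __name__ == "__main__":
    a = (1 << 190) | (1 << 77) | (1 << 13) | 1
    print(mul(a, inverse(a)) == 1, square(a) == mul(a, a), leaf_count(M))
```

For 191-bit operands truncated at 8 bits the recursion bottoms out in 243 classic products; lowering the threshold increases that count, which is the trade-off the paper balances against the area of the classic multiplier.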
2.2 Elliptic Curve Arithmetic
Elliptic curves are defined over a chosen finite field. This paper uses a non-supersingular Weierstrass elliptic curve defined over GF(2^m) with m = 191. A non-supersingular Weierstrass elliptic curve E(GF(2^m)) is defined as the set of points $(x, y) \in GF(2^m) \times GF(2^m)$ that satisfy equation (3), together with the point at infinity:
$$y^2 + xy = x^3 + a x^2 + b, \qquad a, b \in GF(2^m),\; b \neq 0 \qquad (3)$$
The main operation in ECC is scalar multiplication, Q = k·P, where k is an integer, P is a point on the selected curve and Q is the resulting point. There is no multiplication operation in the elliptic curve group; the scalar product kP is obtained by adding k copies of the same point P. The security of elliptic curve systems rests on the difficulty of the elliptic curve discrete logarithm problem (ECDLP): given an elliptic curve E over a Galois field GF(2^m) and two points P and Q on the curve, find the integer k such that Q = kP. Pollard's rho is one of the best known algorithms for solving the ECDLP; the largest ECDLP instance solved with Pollard's rho is for an elliptic curve over a 109-bit prime field, as reported in [10]. Several methods compute the scalar multiplication for elliptic curve cryptosystems. Ref. [13] presents one of the most efficient, Montgomery's method, and Ref. [14] presents an efficient implementation of it for scalar multiplication over non-supersingular curves. This work uses the Montgomery algorithm to compute k·P in GF(2^191).
2.2.1 Montgomery Group Law Corresponding to Affine Coordinates
The Montgomery algorithm needs an implicit computation of point addition and point doubling in affine or projective coordinates. Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be points of E(GF(2^m)) with $P \neq \pm Q$. Then $P + Q = (x_3, y_3)$ with
$$x_3 = \left(\frac{y_1 + y_2}{x_1 + x_2}\right)^2 + \frac{y_1 + y_2}{x_1 + x_2} + x_1 + x_2 + a \qquad (4)$$
$$y_3 = \frac{y_1 + y_2}{x_1 + x_2}\,(x_1 + x_3) + x_3 + y_1 \qquad (5)$$
Equations (4) and (5) show that point addition in affine coordinates costs one field inversion and two field multiplications, neglecting the cost of field additions and squarings.
2.2.2 Montgomery Group Law Corresponding to Projective Coordinates
Point doubling operation
Using projective coordinates to compute the elliptic curve scalar multiplication avoids the inversion in the underlying field, which is the most time-consuming operation. In projective coordinates, carrying only the X and Z coordinates (the Montgomery method does not need Y), the doubling 2P = (X3, ·, Z3) of P = (X1, ·, Z1) is computed as
$$X_3 = X_1^4 + b \cdot Z_1^4 \qquad (6)$$
$$Z_3 = X_1^2 \cdot Z_1^2 \qquad (7)$$
As equations (6) and (7) show, the cost of point doubling is one general multiplication, one multiplication by a constant, five squarings and one addition. Algorithm 2 computes point doubling with the Montgomery method.
Algorithm 2. Montgomery point doubling [14]
Input: P = (X1, ·, Z1) ∈ E(GF(2^m)) in projective coordinates, curve constant b.
Output: 2P = (X3, ·, Z3).
M_double(X1, Z1):
  T ← Z1^2
  Z3 ← X1^2 · T
  X3 ← X1^4 + b · T^2
  Return (X3, Z3)
Point addition operation
Also in projective coordinates, the point addition P + Q = (X3, ·, Z3) of P = (X1, ·, Z1) and Q = (X2, ·, Z2), where the difference Q − P = (x, y) is the base point, is computed as
$$Z_3 = (X_1 \cdot Z_2 + X_2 \cdot Z_1)^2 \qquad (8)$$
$$X_3 = x \cdot Z_3 + (X_1 \cdot Z_2) \cdot (X_2 \cdot Z_1) \qquad (9)$$
Algorithm 3 computes point addition with the Montgomery method.
Algorithm 3. Montgomery point addition algorithm [14]
Input: P = (X1, ·, Z1), Q = (X2, ·, Z2) ∈ E(GF(2^m)) in projective coordinates, with Q − P = (x, y).
Output: P + Q = (X3, ·, Z3).
M_add(X1, Z1, X2, Z2, x):
  T1 ← X1 · Z2
  T2 ← X2 · Z1
  Z3 ← (T1 + T2)^2
  X3 ← x · Z3 + T1 · T2
  Return (X3, Z3)
As equations (8), (9) and Algorithm 3 show, the cost of point addition is three general multiplications, one multiplication by the constant x, one squaring and two additions in GF(2^m).
Converting projective coordinates to affine coordinates
The Montgomery algorithm, discussed in the next section, represents points in projective coordinates. Projective coordinates avoid repeated inversions over GF(2^m), but one inversion is still needed to convert the result back to affine coordinates, as in equations (10) and (11):
$$x_3 = X_1 / Z_1 \qquad (10)$$
$$y_3 = \frac{(x + X_1/Z_1)\,\big[(X_1 + x Z_1)(X_2 + x Z_2) + (x^2 + y)(Z_1 Z_2)\big]}{x\, Z_1 Z_2} + y \qquad (11)$$
The coordinate conversion uses 10 multiplications and only 1 inversion, ignoring additions and squarings.
Montgomery Algorithm
The Montgomery scalar multiplication method is defined using three operations: point addition, point doubling and the conversion from projective to affine coordinates. The Montgomery algorithm computes Q = kP, where k is an integer and P, Q are points on the curve. Algorithm 4 shows the Montgomery algorithm, which depends on the addition and doubling operations of the elliptic curve; both operations are executed in each iteration.
Algorithm 4. Montgomery Algorithm [15]
Input: k = (k_{l-1}, …, k_1, k_0)_2 with k_{l-1} = 1, and P = (x, y) ∈ E(GF(2^m)).
Output: Q = kP.
1. X1 ← x, Z1 ← 1 (the point P); X2 ← x^4 + b, Z2 ← x^2 (the point 2P).
2. For i from l − 2 down to 0 do:
   If k_i = 1 then
     (X1, Z1) ← M_add(X1, Z1, X2, Z2, x), (X2, Z2) ← M_double(X2, Z2)
   Else
     (X2, Z2) ← M_add(X2, Z2, X1, Z1, x), (X1, Z1) ← M_double(X1, Z1)
3. Return Q = Mxy(X1, Z1, X2, Z2).
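The ladder of Algorithm 4 with the doubling and addition of Algorithms 2 and 3 and the conversion of equations (10) and (11), as an added Python example (not the authors' hardware design). It runs over the small field GF(2^8) with the polynomial x^8 + x^4 + x^3 + x + 1 and a constructed curve (a = 1, b = 5); both are assumptions of this example, chosen so that every result can be cross-checked against the affine group law of Section 2.2.1 by exhaustive search, whereas the paper's field is GF(2^191). Field inversion here is the exponentiation a^(2^m − 2) rather than the EEA, to keep the helper short.

```python
"""Montgomery point multiplication (Algorithms 2-4) with the projective-to-affine
conversion of equations (10), (11), cross-checked against the affine group law of
Section 2.2.1. Added example, not the authors' hardware design.

Field: GF(2^8) with x^8 + x^4 + x^3 + x + 1 (ASSUMPTION, small enough to search the
curve exhaustively; the paper uses GF(2^191)). Curve: y^2 + xy = x^3 + A x^2 + B with
A = 1, B = 5 (constructed; any B != 0 gives a non-supersingular curve).
"""
M = 8
P = 0b1_0001_1011
A, B = 1, 0x5


def mul(a, b):
    """Shift-and-add product with reduction by P interleaved; results stay below 2^M."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= P
    return r


def sqr(a):
    return mul(a, a)


def inv(a):
    """a^(2^M - 2) = a^-1 for a != 0 (Fermat); the paper's hardware uses the EEA instead."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = mul(r, a)
        a = sqr(a)
        e >>= 1
    return r


def m_double(x1, z1):
    """Algorithm 2, equations (6), (7): X3 = X1^4 + B Z1^4, Z3 = X1^2 Z1^2."""
    t = sqr(z1)
    return sqr(sqr(x1)) ^ mul(B, sqr(t)), mul(sqr(x1), t)


def m_add(x1, z1, x2, z2, x):
    """Algorithm 3, equations (8), (9); valid when the two points differ by P = (x, y)."""
    t1, t2 = mul(x1, z2), mul(x2, z1)
    z3 = sqr(t1 ^ t2)
    return mul(x, z3) ^ mul(t1, t2), z3


def m_xy(x1, z1, x2, z2, x, y):
    """Equations (10), (11). None is the point at infinity; Z2 = 0 means kP = -P."""
    if z1 == 0:
        return None
    if z2 == 0:
        return x, x ^ y
    xa, xb = mul(x1, inv(z1)), mul(x2, inv(z2))      # X1/Z1 and X2/Z2
    t = mul(xa ^ x, xb ^ x) ^ sqr(x) ^ y
    return xa, mul(mul(xa ^ x, t), inv(x)) ^ y


def montgomery_mul(k, x, y):
    """Algorithm 4: Q = kP for k >= 1 and P = (x, y) with x != 0."""
    x1, z1 = x, 1                                   # P
    x2, z2 = sqr(sqr(x)) ^ B, sqr(x)                # 2P by (6), (7) with Z1 = 1
    for i in range(k.bit_length() - 2, -1, -1):
        if (k >> i) & 1:
            x1, z1 = m_add(x1, z1, x2, z2, x)
            x2, z2 = m_double(x2, z2)
        else:
            x2, z2 = m_add(x2, z2, x1, z1, x)
            x1, z1 = m_double(x1, z1)
    return m_xy(x1, z1, x2, z2, x, y)


def affine_add(p1, p2):
    """Reference group law in affine coordinates: equations (4), (5) plus doubling."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if y1 != y2 or x1 == 0:                     # P + (-P), or doubling a point of order 2
            return None
        lam = x1 ^ mul(y1, inv(x1))
        x3 = sqr(lam) ^ lam ^ A
        return x3, sqr(x1) ^ mul(lam ^ 1, x3)
    lam = mul(y1 ^ y2, inv(x1 ^ x2))
    x3 = sqr(lam) ^ lam ^ x1 ^ x2 ^ A
    return x3, mul(lam, x1 ^ x3) ^ x3 ^ y1


def affine_mul(k, p):
    """Plain double-and-add in affine coordinates, one inversion per step."""
    q = None
    for i in range(k.bit_length() - 1, -1, -1):
        q = affine_add(q, q)
        if (k >> i) & 1:
            q = affine_add(q, p)
    return q


def on_curve(pt):
    x, y = pt
    return sqr(y) ^ mul(x, y) == mul(sqr(x), x) ^ mul(A, sqr(x)) ^ B


def find_point():
    """First curve point with x != 0 (exhaustive search is cheap in GF(2^8))."""
    return next((x, y) for x in range(1, 1 << M) for y in range(1 << M) if on_curve((x, y)))


def ladder_matches_affine(k_max=300):
    """True when the ladder and the affine reference agree for k = 1..k_max."""
    p = find_point()
    return all(montgomery_mul(k, *p) == affine_mul(k, p) for k in range(1, k_max + 1))
```

Running k past the order of the point exercises the two special cases of the conversion: Z1 = 0 when kP is the point at infinity and Z2 = 0 when kP = −P, both of which the affine reference must reproduce.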
3 Architectural Description
3.1 Galois Field Hardware Architectures
3.1.1 Addition Operation
In hardware, addition has no carry propagation; it is done with XOR gates only.
Fig. 2. Addition operation in GF(2^m)
3.1.2 Square Operation
Polynomial squaring over GF(2^m) is free in hardware: it takes no logic to implement and is done by routing input bits to specific output bits. Squaring still needs a reduction step, illustrated later, to complete its function. Figure 3 shows the hardware architecture for squaring in GF(2^m).
Fig. 3. Square operation in GF(2^m)
3.1.3 Multiplication Operation
A good observation is that truncating the Binary Karatsuba-Ofman multiplier at a low level and using the classic multiplier there reduces both the hardware resources and the time needed to complete the multiplication. Ref. [7] illustrates the architecture of the Binary Karatsuba multiplier for GF(2^191), which is easily modified for any size m. The polynomial multiplier for the binary field GF(2^191) implemented on a Xilinx xcv2600efg1156-8 FPGA occupies 6,265 slices with a time delay of 45.889 ns; the same architecture, with the Binary Karatsuba multiplier truncated at 8 bits, was also tested on a Xilinx Virtex-II XC2V6000 FPGA, giving 6,265 slices with a time delay of 33.245 ns (Table 1).
3.1.4 Reduction Operation
Once the irreducible polynomial P(x) has been selected, the reduction step can be completed using XOR gates only:
$$C'(x) = \sum_{i=0}^{2m-2} c'_i\, x^i, \qquad C(x) = \sum_{i=0}^{m-1} c_i\, x^i = C'(x) \bmod P(x) \qquad (12)$$
We select an irreducible trinomial of the form $x^{191} + x^k + 1$ for this work. Figure 4 illustrates the reduction step in GF(2^191).
3.1.5 Inversion Operation
The extended Euclidean algorithm (EEA) is used to implement inversion in GF(2^191). As mentioned in Section 2.1.5, inversion is the most time-consuming operation in the ECC scalar multiplication. The goal here is to minimize the number of inversions needed to complete the overall process.
Fig. 4. Reduction step in GF(2^191)
The Montgomery algorithm reduces the number of inversions to one. The suggested EEA architecture takes about 1,346 slices. An exact latency for the inverter cannot be given because it depends on the number of ones in the given element, but a randomly chosen element of GF(2^191) requires 1420 clock cycles to complete the inversion. The inversion architecture for the binary field GF(2^191) implemented on a Xilinx xcv2600efg1156-8 FPGA at a clock frequency of 21.79 MHz occupies 1,346 slices with a time delay of 1420 clock cycles × 45.889 ns = 65.162 µs. On a Xilinx Virtex-II XC2V6000 FPGA at a clock frequency of 30.08 MHz it occupies 1,346 slices with a time delay of 1420 clock cycles × 33.245 ns = 47.207 µs.
3.2 Montgomery Algorithm Hardware Architecture
Several methods compute the scalar multiplication for elliptic curve cryptosystems. The work in [15] illustrates one of the most efficient, Montgomery's method, which computes scalar multiplication over non-supersingular elliptic curves. This work uses the Montgomery algorithm to compute kP in GF(2^191). The Montgomery algorithm expresses scalar multiplication through two other operations, point addition and point doubling; the next subsections illustrate the algorithm and the sub-algorithms it needs.
3.2.1 Point Addition Operation
Point addition is defined as follows: suppose P1, P2, P3, P ∈ E(GF(2^m)) are represented in projective coordinates; the task is to compute P3 = P1 + P2 where P2 = P1 + P. Point addition is computed with the M_add algorithm of Section 2.2.2. The algorithm shows that point addition consists of four multiplications, two additions and only one squaring. Fig. 5 illustrates these operations step by step; Fig. 5 (a), (b), (c) and (d) are the four multiplications. As the figure shows, operation (c) depends on the results of (a) and (b), so point addition cannot be implemented with four concurrent Karatsuba multipliers in GF(2^m). This work suggests two hardware architectures for point addition. Fig. 6 illustrates the architecture using one Karatsuba multiplier to perform the four multiplications in four computation cycles, which minimizes the area needed for point addition but increases the total time delay.
Fig. 5. Sequence of operations needed for the point addition algorithm, as in the M_add algorithm
Fig. 6. Point addition operation (P+Q) architecture using one Karatsuba multiplier
3.2.2 Point Doubling Operation
Point doubling is the second operation needed to compute the scalar multiplication kP, and it is simpler than point addition. Point doubling is defined as follows: suppose P1, P ∈ E(GF(2^m)) are represented in projective coordinates; the task is to compute P1 = 2P. The point doubling computation consists of two multiplications, two additions and only one squaring. Fig. 7 illustrates these operations step by step; Fig. 7 (c) and (d) are the two multiplications needed. Fig. 8 illustrates the hardware architecture using one Karatsuba multiplier, which performs the two multiplications in two computation cycles and so minimizes the area needed for point doubling.
Fig. 7. Sequence of operations needed for the point doubling operation, as in the M_double algorithm
Fig. 8. Point doubling (2P) operation with one Karatsuba multiplier in GF(2^191)
3.2.3 Montgomery Point Multiplication
The Montgomery algorithm computes Q = kP, where k is an integer and P, Q are points on the curve, as shown in Algorithm 4; it depends on the addition and doubling operations of the elliptic curve. The point multiplication is performed in projective coordinates, so the point P = (x, y) must be mapped from affine to projective coordinates. This mapping is done for P and for the doubled point 2P. Because the point multiplication uses the Montgomery method, the y-coordinate is not needed during the point multiplication, and the mapping is done only for the x-coordinates of P(x1, y1) and 2P(x2, y2). After the Montgomery point multiplication in projective coordinates, the affine coordinates of the result point Q(x, y) are calculated as described in the previous section. For a parallel implementation, Fig. 9 illustrates an architecture that executes point addition and point doubling in parallel, so two Karatsuba multipliers run in parallel, one for point addition and one for point doubling; in each step of the algorithm one point addition and one point doubling are performed. The final step returns the affine coordinates (x, y) from the projective coordinates (X, Y, Z): the y-coordinate of Q is calculated from the X and Z coordinates with equations (10) and (11). This computation costs 10 multiplications over GF(2^191) and only one inversion, for a total time delay of 10 × 45.889 ns + 65,162 ns = 65.62 µs. Fig. 9 also shows the architecture of the Montgomery algorithm; its total time delay is 35.06 + 65.62 = 100.68 µs.
Fig. 9. Montgomery point multiplication algorithm architecture
4 Results and Comparisons
The previous section presented architectures for the operations needed to implement scalar multiplication in GF(2^191). Table 1 lists the results of implementing these architectures in VHDL (Very high speed integrated circuit Hardware Description Language) with the Xilinx ISE 9.1 tool on the VirtexE 2600 and Virtex-II XC2V6000 FPGA devices. Each operation is listed with the algorithm used to implement it, its area as the number of occupied slices, and its latency. The comparison concentrates on the performance of the implementations; implementation techniques are not presented here in detail, and fuller presentations can be found in the references where the implementations were first published. Table 2 compares different hardware implementations of the ECC scalar multiplication. Many of the publications listed in Table 2 concentrate on minimizing area, which badly affects the timing delay of the overall operation.
632
S.M. Shohdy, A.B. El-Sisi, and N. Ismail

Table 1. Results for the operations needed for scalar multiplication on two Xilinx devices

Operation                        | Algorithm                     | Area (slices) | Latency (VirtexE 2600) | Latency (Virtex-II XC2V6000)
Square in GF(2^191)              | -                             | 91            | 7.390 ns               | 6.04 ns
Multiplication in GF(2^191)      | Binary Karatsuba multiplier   | 6,265         | 45.889 ns              | 33.245 ns
Inversion in GF(2^191)           | Extended Euclidean algorithm  | 1,346         | 65.162 µs              | 47.207 µs
Point addition in EC(GF(2^191))  | -                             | 8,576         | 183.556 ns             | 132.98 ns
Point doubling in EC(GF(2^191))  | -                             | 7,115         | 91.778 ns              | 66.49 ns
Projective conversion            | -                             | -             | 65.62 µs               | 47.539 µs
Scalar multiplication            | Montgomery algorithm          | 25,963        | 100.68 µs              | 72.939 µs
Table 2. Comparison between different hardware implementations of scalar multiplication

Ref.           | FPGA device           | Field | Occupied slices | Clock (MHz) | Timing delay
Elhadj [16]    | VirtexE 2600          | 163   | 9,581           | not avail.  | 2.618 ms
               |                       | 163   | 1800 (est.)     | not avail.  | 5.2 ms (est.)
               |                       | 163   | 7,579           | not avail.  | 3.976 ms
Smart [17]     | XC4000XL              | 163   | 1300 (est.)     | not avail.  | 4.1 ms (est.)
               |                       | 191   | not avail.      | not avail.  | 17.71 ms
               |                       | 191   | not avail.      | not avail.  | 11.82 ms
Sakiyama [18]  | Virtex-II Pro         | 163   | not avail.      | 100         | 0.84 ms
               |                       | 191   | not avail.      | 100         | 2.11 ms
Gura [19]      | Virtex XCV2000E       | 163   | not avail.      | 66.4        | 0.143 ms
               |                       | 193   | not avail.      | 66.4        | 0.187 ms
               |                       | 233   | not avail.      | 66.4        | 0.225 ms
Bednara [20]   | Virtex XCV1000        | 191   | not avail.      | 50          | 3.72 ms
               |                       | 191   | not avail.      | 50          | 4.07 ms
               |                       | 191   | not avail.      | 50          | 2.27 ms
               |                       | 191   | not avail.      | 36          | 0.5 ms
               |                       | 191   | not avail.      | 36          | 0.46 ms
               |                       | 191   | not avail.      | 36          | 0.27 ms
Shu [21]       | Virtex-II             | 163   | 25,763          | 68.9        | 48 µs
               |                       | 233   | 35,800          | 67.9        | 89 µs
This work      | VirtexE 2600          | 191   | 25,963          | 21.8        | 100.68 µs
               | Virtex-II XC2V6000    | 191   | 25,963          | 30.1        | 72.939 µs
As illustrated, this work balances area and timing delay for the overall operation by using a parallel architecture for the elliptic curve operations (point addition and point doubling) and a serial architecture for the underlying Galois field operations (multiplication and inversion). Some of the publications do not report parameters such as the clock frequency or the number of occupied slices, because they concentrate on making one parameter efficient and neglect the importance of the others.
5 Conclusion and Future Work
This work designs and implements EC scalar multiplication using FPGA technology. It does not concentrate on a single parameter but tries to balance area against timing delay. Two devices are used, VirtexE 2600 and Virtex-II XC2V6000, with 25,963 slices and a scalar multiplication latency of 100.68 µs and 72.939 µs respectively. Different architectures for the operations needed to implement the kP operation are presented, and the time and area of each operation are listed. Xilinx ISE 9.1 was used for synthesis (XST) and for simulation. Future work is to improve the architectures of the different ECC operations; one option is to share the same multiplier between point doubling and the projective-to-affine conversion, since these two operations cannot run in parallel.
References
1. Lenstra, A., Verheul, E.: Selecting Cryptographic Key Sizes. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 446–465. Springer, Heidelberg (2000)
2. Bednara, M., Daldrup, M., von zur Gathen, J., Shokrollahi, J., Teich, J.: Reconfigurable Implementation of Elliptic Curve Crypto Algorithms. In: Reconfigurable Architectures Workshop (RAW) (2002)
3. Omura, J.K., Massey, J.L.: Computational Method and Apparatus for Finite Field Arithmetic. United States Patent 4,587,627 (1986)
4. McEliece, R.J.: Finite Fields for Computer Scientists and Engineers. The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Dordrecht (1987)
5. Karatsuba, A., Ofman, Y.: Multiplication of Multidigit Numbers on Automata. Soviet Physics Doklady 7(7), 595–596 (1963)
6. Rodríguez-Henríquez, F., Koç, Ç.K.: On Fully Parallel Karatsuba Multipliers for GF(2^m). In: International Conference on Computer Science and Technology (CST), pp. 405–410 (2003)
7. El-Sisi, A.B., Shohdy, S., Ismail, N.: Reconfigurable Implementation of Karatsuba Multiplier for Galois Field in Elliptic Curves. In: International Joint Conferences on Computer, Information, and Systems Sciences, and Engineering (CISSE 2008) (2008)
8. Chang Shantz, S.: From Euclid's GCD to Montgomery Multiplication to the Great Divide. Technical Report SMLI TR-2001-95, Sun Microsystems Laboratories (June 2001)
9. Kejin, B., Younggang, S.: Hardware Implementation and Study of Inverse Algorithm in Finite Field. IJCSNS International Journal of Computer Science and Network Security 6(9A) (September 2006)
10. Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, Heidelberg (2004)
11. Rodríguez-Henríquez, F., Saqib, N.A., Díaz-Pérez, A., Koç, Ç.K.: Cryptographic Algorithms on Reconfigurable Hardware. Springer, Heidelberg (2006)
12. López, J., Dahab, R.: An Overview of Elliptic Curve Cryptography. Technical Report IC-00-10 (May 2000)
13. López, J., Dahab, R.: Fast Multiplication on Elliptic Curves over GF(2^m) without Precomputation. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 316–327. Springer, Heidelberg (1999)
14. Saqib, N.A., Rodríguez-Henríquez, F., Díaz-Pérez, A.: A Reconfigurable Processor for High Speed Point Multiplication in Elliptic Curves. International Journal of Embedded Systems 1(3/4), 237–249 (2005)
15. Rodríguez-Henríquez, F., Saqib, N.A., Díaz-Pérez, A.: A Fast Parallel Implementation of Elliptic Curve Point Multiplication over GF(2^m). Microprocessors and Microsystems 28(5-6), 329–339 (2004)
16. Youssef Wajih, E.H., Zied, G., Mohsen, M., Rached, T.: Design and Implementation of Elliptic Curve Point Multiplication Processor over GF(2^m). IJCSES International Journal of Computer Sciences and Engineering Systems 2(2) (April 2008)
17. Smart, N.P.: The Hessian Form of an Elliptic Curve. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 118–125. Springer, Heidelberg (2001)
18. Sakiyama, K., De Mulder, E., Preneel, B., Verbauwhede, I.: A Parallel Processing Hardware Architecture for Elliptic Curve Cryptosystems. In: IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP) (May 2006)
19. Gura, N., Chang Shantz, S., Eberle, H., et al.: An End-to-End Systems Approach to Elliptic Curve Cryptography. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 349–365. Springer, Heidelberg (2003)
20. Bednara, M., Daldrup, M., Shokrollahi, J., Teich, J., von zur Gathen, J.: Reconfigurable Implementation of Elliptic Curve Crypto Algorithms. In: 9th Reconfigurable Architectures Workshop (RAW 2002), Fort Lauderdale, Florida, USA, pp. 157–164 (April 2002)
21. Shu, C., Gaj, K., El-Ghazawi, T.A.: Low Latency Elliptic Curve Cryptography Accelerators for NIST Curves over Binary Fields. In: Proceedings of the 2005 IEEE International Conference on Field-Programmable Technology (FPT 2005), Singapore, December 11–14, 2005, pp. 309–310. IEEE, Los Alamitos (2005)
A Forward-Secrecy WTLS Handshake Protocol Based on XTR Bin Li State Key Lab. of Integrated Service Networks, Xidian University, China [email protected]
Abstract. Because WTLS lacks forward secrecy and offers no defence against man-in-the-middle and denial-of-service (DoS) attacks, the security of the current WTLS handshake protocol is far from satisfactory. In this paper we propose a new WTLS handshake protocol to solve these problems. Forward secrecy is added to the scheme, and a practicable WTLS handshake protocol is designed on the XTR public key system. Experiments on the MSM6280 platform show that the above security problems are solved efficiently and that the protocol performs well on a popular embedded platform. We conclude that the security and practicability of the WTLS protocol are greatly improved. Keywords: WTLS; forward secrecy; man-in-the-middle attack; XTR.
1 Introduction
Because of the openness of the air interface, security problems in wireless communication networks have received great attention. As an industry standard for wireless applications, the WAP (Wireless Application Protocol) has always been a focus of researchers, and most studies of WAP security concentrate on its sub-protocol WTLS (Wireless Transport Layer Security [1]). WTLS provides services such as data confidentiality, integrity and AKA (authentication and key agreement). It follows the principles of the Internet TLS protocol (RFC 2246 [2]) with optimizations for the characteristics of the wireless environment: 1. UDP replaces TCP as the transport layer protocol; 2. a dynamic key refresh mechanism is added; 3. elliptic curve cryptography (ECC) is added as the public key algorithm for new certificates. These changes make it possible to run WTLS over a wireless channel, but some problems remain. For example, once UDP replaces TCP, WTLS becomes much easier to attack by DoS (denial of service); the dynamic key refresh mechanism provides only limited forward secrecy; choosing system parameters for ECC is somewhat complicated, and carelessness lowers the security of the system; furthermore, the complexity of key generation affects the efficiency of CA certificate management. So the results of WTLS in practical use are disappointing.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 635–643, 2009. © Springer-Verlag Berlin Heidelberg 2009
636
B. Li
Until now, most work on WTLS has focused on improving the security of the handshake protocol. Papers [3,4] propose forward-secrecy protocol prototypes for wireless networks, and paper [5] puts forward a WTLS handshake protocol based on EC-DH key exchange and RSA, which was the first to add forward secrecy to WTLS. Paper [6] removes the long-term risk of public key disclosure in [5], but introduces a man-in-the-middle attack. As for denial of service, no practicable result has appeared beyond WTLS itself discarding datagrams that have been re-sent many times and failed verification. To solve these problems, this paper adds forward secrecy to the WTLS protocol and adopts measures against denial-of-service attacks to increase the security of WTLS in practical operation. A further improvement is to replace ECC with XTR, which is sound in theory, but the actual results must be judged by experiment.
2 WTLS Handshake Protocol
The WTLS protocol [1] consists of two layers. The lower record layer performs data compression, encryption and decryption, and HMAC computation on the information handed down by the upper layer. The upper layer is the handshake layer, composed of three sub-protocols: the change cipher spec protocol, the alert protocol and the handshake protocol. The WTLS client and server use these sub-protocols to authenticate each other, negotiate security parameters rapidly and report error conditions. When two parties start WTLS communication for the first time, they must agree on the protocol version and cipher algorithms, authenticate each other, and generate a shared key through a public key algorithm. These cryptographic parameters are produced by the negotiation of the WTLS handshake protocol; we explain it with the handshake protocol realized by the EC-DH and ECDSA algorithms.
2.1 Concepts and Notation
All concepts and symbols appearing in the WTLS handshake protocol are described as follows:
V: WTLS protocol version number.
SID: session identifier of this secure session.
SecNeg_E: security parameters supported by entity E, such as key algorithm, compression method and key refresh.
K_P: auxiliary key in the WTLS handshake protocol, used to compute K_M.
K_M: communication key in the WTLS handshake protocol.
H: a secure one-way hash function, such as SHA-1 or MD5.
KH: a secure keyed one-way hash function (HMAC).
f: pseudo-random function, a one-way hash function with a key input.
x_E: private key of entity E, i.e. x_S and x_C.
P_E: public key of entity E, i.e. P_S and P_C.
Cert_E: public key certificate of entity E, i.e. Cert_S and Cert_C.
R_E: a random number generated by entity E, i.e. R_S and R_C.
E_K{x} (D_K{x}): encryption (decryption) of x under key K.
x ‖ y: bit concatenation of x and y.
P: generator of the elliptic curve point group E.
π: the function returning the x-coordinate of a point P(x, y).
2.2 Message Flow of the Handshake Protocol
The WTLS handshake protocol includes the following procedures (Fig. 1):

Fig. 1. Old WTLS handshake protocol
  Client → Server: [ClientHello] R_C, V, SID, SecNeg_C
  Server → Client: [ServerHello] R_S, V, SID, SecNeg_S; [Certificate] Cert_S; [CertificateRequest]; [ServerHelloDone]
  Client: K_P = x_C P_S, K_M = f(K_P, R_C, R_S)
  Server: K_P = x_S P_C, K_M = f(K_P, R_C, R_S)
  Client → Server: [Certificate] Cert_C; [CertificateVerify] H(HandShake) ‖ r ‖ s, where r = π(kP), s = (H(HandShake) + x_C r) k^-1 mod q
  Server: u = H(HandShake) s^-1, check r = π(uP + r s^-1 P_C)
  Client → Server: [ChangeCipherSpec] [Finished]
  Server → Client: [ChangeCipherSpec] [Finished]
  Both: [ApplicationData]
I. The client transmits ClientHello, which includes the random number R_C ∈ Z, version number V, session identifier SID and SecNeg_C;
II. After the server receives ClientHello, it replies with ServerHello, which includes the random number R_S ∈ Z, version number V, session identifier SID and the other information SecNeg_S needed for security negotiation;
III. Client and server both compute the auxiliary exchange key K_P (K_P = x_C P_S on the client, K_P = x_S P_C on the server) and K_M = f(K_P, R_C, R_S) as the main exchange key of the DH protocol; the client then transmits Cert_C to the server;
IV. The client chooses k at random and constructs its signature r = π(kP), s = (H(HandShake) + x_C r) k^-1 mod q, where HandShake is the handshake transcript agreed by both parties;
V. The server verifies the signed message H(HandShake) ‖ r ‖ s: it computes u = H(HandShake) s^-1 and checks the equation r = π(uP + r s^-1 P_C);
VI. If the verification passes, both parties transmit [ChangeCipherSpec] and [Finished] to each other, the handshake protocol ends, and the two parties can communicate privately under K_M;
VII. The passive key refresh mechanism in WTLS is triggered when the number of transmitted messages reaches a threshold. WTLS has a key refresh variable indicating this threshold; for example, with key-refresh = 3, after 2^3 = 8 messages the key refresh mechanism is invoked to produce a new K_M.
2.3 Performance Analysis
The idea of the WTLS handshake protocol is to generate the key for the public channel through the EC-DH algorithm and to verify the identity of the client through the ECDSA algorithm. By analysis, we find the following problems that need improvement:
(1) Security of the UDP protocol. UDP is a connectionless datagram protocol, so it is much easier to attack by DoS. In the WTLS protocol the client carries out step I first; the server creates a thread after receiving ClientHello, carries out step II and then waits for the client to transmit [Certificate]. If the client never carries out step III, a useless thread remains on the server. When a client performs a large number of such operations, too many useless threads accumulate on the server and normal service is affected; this is a DoS attack. WTLS only detects such an attack passively, by checking the retransmission count and verification success rate of datagrams, and the success rate of this check is very limited.
(2) No forward secrecy. Forward secrecy is an important security property. Although the key refresh mechanism lowers the attacker's gain and raises the difficulty of external attacks, without perfect forward secrecy the disclosure of long-term key material exposes past sessions.
(3) Slow generation of parameters. Although ECC is efficient and its signatures are far shorter than RSA's, generating system parameters (a secure curve and base point) is several orders of magnitude slower than for RSA, which affects the generation and management of certificates. When choosing the elliptic curve equation, a little carelessness lowers the security of the whole system; for example, supersingular and anomalous curves do not meet the security requirements.
3 Handshake Protocol Based on XTR
3.1 Introduction to XTR Cryptography
XTR (Efficient and Compact Subgroup Trace Representation) is a public key method that represents elements of a subgroup of GF(p^6)* by their trace over GF(p^2) and computes exponentiations directly on these traces [7]. The XTR group is the subgroup of order p^2 − p + 1 of GF(p^6)*; for h in this subgroup the conjugates of h over GF(p^2) are h, h^{p^2} and h^{p^4}, and the trace of h is Tr(h) = h + h^{p^2} + h^{p^4} ∈ GF(p^2). The discrete logarithm problem on the XTR group (XTR-DH) is defined as follows: given Tr(g) and n it is easy to compute Tr(g^n), while it is hard to find n given Tr(g) and Tr(g^n). The corresponding public key system is therefore realized with n as the private key and Tr(g^n) as the public key. The security per bit of the XTR public key system is similar to that of ECC and much higher than that of RSA. But it is much easier to construct an XTR group than to choose a secure elliptic curve point group, and parameter selection is several orders of magnitude faster than for ECC [8]. So by adopting XTR to improve the WTLS protocol, security equal to that of ECC is kept, while the complexity of choosing elliptic curve parameters disappears and the efficiency of key selection improves.
3.2 A New XTR Handshake Protocol
We employ the XTR public key system to improve the WTLS handshake protocol. By replacing EC-DH and ECDSA with XTR-DH and XTR-DSA [7], and modifying some parameters to add forward secrecy, the danger of denial-of-service and man-in-the-middle attacks is diminished. The WTLS handshake protocol based on XTR is modified as follows:
I. The client transmits ClientHello, which includes the trace Tr(g^{R_C}) of the random number R_C, version number V, session identifier SID, SecNeg_C, and the client's identity IMEI.
II. After the server receives ClientHello it replies with ServerHello, which includes E_{P_C}(Tr(g^{R_S})), the trace of the random number R_S encrypted under the client's public key, version number V, session identifier SID and the other information SecNeg_S needed for security negotiation.
III. After the client receives ServerHello, it recovers Tr(g^{R_S}) with x_C. Client and server both compute the auxiliary exchange key K_P = Tr(g^{R_C R_S}) (the client from Tr(g^{R_S}) and R_C, the server from Tr(g^{R_C}) and R_S) and K_M = f(K_P, Tr(g^{R_C}), Tr(g^{R_S})) as the main exchange key of the DH protocol; the client then transmits Cert_C to the server.
IV. Client and server run XTR-DSA: the client chooses a random number k, writes Tr(g^k) in the form x_1 α + x_2 α^2 of GF(p^2), computes r = (x_1 + x_2 p) mod q and the signature value s = (H(HandShake) + x_C r) k^{-1} mod q, and transmits H(HandShake) ‖ r ‖ s to the server.
V. After receiving the signature, the server computes u = H(HandShake) s^{-1} and v = r s^{-1}, then computes v_0 = Tr(g^u · (g^{x_C})^v) from Tr(g) and the client's public key Tr(g^{x_C}) using algorithm 6-13 of [8] (k itself is not needed), and writes it in the form z_1 α + z_2 α^2 of GF(p^2).
VI. The server computes v = (z_1 + z_2 p) mod q and checks whether v = r.
VII. If the verification passes, both parties transmit [ChangeCipherSpec] and [Finished] to each other and the handshake protocol ends. The two parties can communicate privately under K_M.
Fig. 2. WTLS handshake protocol based on XTR
  Client → Server: [ClientHello] Tr(g^{R_C}), V, SID, SecNeg_C, IMEI
  Server → Client: [ServerHello] E_{P_C}(Tr(g^{R_S})), V, SID, SecNeg_S; [Certificate] Cert_S; [CertificateRequest]; [ServerHelloDone]
  Client: Tr(g^{R_S}) = D_{x_C}(E_{P_C}(Tr(g^{R_S}))), K_P = Tr(g^{R_C R_S}), K_M = f(K_P, Tr(g^{R_C}), Tr(g^{R_S}))
  Server: K_P = Tr(g^{R_C R_S}), K_M = f(K_P, Tr(g^{R_C}), Tr(g^{R_S}))
  Client → Server: [Certificate] Cert_C; [CertificateVerify] H(HandShake) ‖ r ‖ s, where Tr(g^k) = x_1 α + x_2 α^2, r = (x_1 + x_2 p) mod q, s = (H(HandShake) + x_C r) k^-1 mod q
  Server: u = H(HandShake) s^-1, v = r s^-1, v_0 = Tr(g^u · (g^{x_C})^v) = z_1 α + z_2 α^2, check (z_1 + z_2 p) mod q = r
  Client → Server: [ChangeCipherSpec] [Finished] [ApplicationData]
  Server → Client: [ChangeCipherSpec] [Finished] [ApplicationData]
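The trace arithmetic that Section 3.1 relies on (computing Tr(g^n) from Tr(g) and n) and the key agreement of step III above, as an added example that is not the paper's C code: GF(p^2) is represented in the basis {α, α^2} used in step IV, Tr(g^n) is computed by the Lenstra-Verheul ladder over triples (c_{n-1}, c_n, c_{n+1}), and both sides derive K_P = Tr(g^{R_C R_S}) from their own exponent and the trace received in the Hello message. Toy parameters p and q are generated at run time (not the paper's 326-bit p), and the function f for K_M is assumed to be SHA-256 over the encoded traces.

```python
"""Added example (not the paper's code): XTR trace arithmetic in GF(p^2), the
ladder computing Tr(g^n) from Tr(g), and XTR-DH for the handshake's K_P.
Parameters are toy-sized and generated here; f is assumed to be SHA-256."""
import hashlib
import random

# GF(p^2) for p = 2 mod 3 in the basis {alpha, alpha^2}, alpha^2 + alpha + 1 = 0.
# x1*alpha + x2*alpha^2 is the pair (x1, x2); the integer k is (-k, -k).

def f2_const(k, p):
    return (-k % p, -k % p)

def f2_add(x, y, p):
    return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)

def f2_sub(x, y, p):
    return ((x[0] - y[0]) % p, (x[1] - y[1]) % p)

def f2_mul(x, y, p):
    (x1, x2), (y1, y2) = x, y
    return ((x2 * y2 - x1 * y2 - x2 * y1) % p, (x1 * y1 - x1 * y2 - x2 * y1) % p)

def f2_sqr(x, p):
    x1, x2 = x
    return (x2 * (x2 - 2 * x1) % p, x1 * (x1 - 2 * x2) % p)

def f2_conj(x):                 # x^p: the Frobenius map swaps the coordinates
    return (x[1], x[0])

def f2_in_gfp(x):               # elements of GF(p) have x1 == x2 in this basis
    return x[0] == x[1]

def trace_power(c, n, p):
    """c_n = Tr(g^n) from c = Tr(g): ladder over (c_{k-1}, c_k, c_{k+1}) using
    c_{2k} = c_k^2 - 2 c_k^p and c_{2k+1} = c_{k+1} c_k - c c_k^p + c_{k-1}^p."""
    def dbl(a):
        return f2_sub(f2_sqr(a, p), f2_add(f2_conj(a), f2_conj(a), p), p)
    def mid(cm, ck, cp, w):     # cp*ck - w*ck^p + cm^p
        return f2_add(f2_sub(f2_mul(cp, ck, p), f2_mul(w, f2_conj(ck), p), p), f2_conj(cm), p)
    if n == 0:
        return f2_const(3, p)
    s = (f2_const(3, p), c, dbl(c))                  # (c_0, c_1, c_2)
    for i in range(n.bit_length() - 2, -1, -1):
        cm, ck, cp = s
        if (n >> i) & 1:                             # k -> 2k+1
            s = (dbl(ck), mid(cm, ck, cp, c), dbl(cp))
        else:                                        # k -> 2k
            s = (mid(cp, ck, cm, f2_conj(c)), dbl(ck), mid(cm, ck, cp, c))
    return s[1]

def trace_recurrence(c, n, p):
    """Same c_n by the linear recurrence c_{k+1} = c c_k - c^p c_{k-1} + c_{k-2}
    (an independent check of the ladder, linear in n)."""
    seq = [f2_const(3, p), c, f2_sub(f2_sqr(c, p), f2_add(f2_conj(c), f2_conj(c), p), p)]
    while len(seq) <= n:
        nxt = f2_add(f2_sub(f2_mul(c, seq[-1], p), f2_mul(f2_conj(c), seq[-2], p), p), seq[-3], p)
        seq.append(nxt)
    return seq[n]

def is_prime(n):                # trial division is enough for toy sizes
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def find_params(seed=7, bits=10):
    """Toy XTR parameters: q = r^2 - r + 1 prime, p = r + k q prime with p = 2 mod 3,
    so that q divides p^2 - p + 1 (Lenstra-Verheul Alg. 3.1.1)."""
    rng = random.Random(seed)
    while True:
        r = rng.randrange(1 << bits, 1 << (bits + 1))
        q = r * r - r + 1
        if not is_prime(q):
            continue
        for k in range(1, 500):
            p = r + k * q
            if p % 3 == 2 and is_prime(p):
                return p, q

def find_generator_trace(p, q, seed=7):
    """Tr(g) for g of order q in GF(p^6)* (Lenstra-Verheul Alg. 4.1.5)."""
    rng, three = random.Random(seed), f2_const(3, p)
    while True:
        c = (rng.randrange(p), rng.randrange(p))
        if f2_in_gfp(c) or f2_in_gfp(trace_power(c, p + 1, p)):
            continue                                 # c in GF(p), or F(c, X) reducible
        d = trace_power(c, (p * p - p + 1) // q, p)
        if d != three:
            return d

def xtr_dh(p, q, tg, r_c, r_s):
    """Step III: client holds R_C, server holds R_S; each computes
    K_P = Tr(g^{R_C R_S}) from its own exponent and the other side's trace."""
    t_c, t_s = trace_power(tg, r_c, p), trace_power(tg, r_s, p)   # sent in the Hellos
    kp_client = trace_power(t_s, r_c, p)
    kp_server = trace_power(t_c, r_s, p)
    return kp_client, kp_server, t_c, t_s

def session_key(kp, t_c, t_s):  # K_M = f(K_P, Tr(g^{R_C}), Tr(g^{R_S})), f assumed SHA-256
    return hashlib.sha256(",".join(str(v) for v in kp + t_c + t_s).encode()).hexdigest()

if __name__ == "__main__":
    p, q = find_params()
    tg = find_generator_trace(p, q)
    kc, ks, t_c, t_s = xtr_dh(p, q, tg, 12345, 6789)
    print(p, q, kc == ks, session_key(kc, t_c, t_s)[:16])
```

Only traces ever cross the wire, and only the exponents R_C and R_S are secret; the private key x_C is used solely to unwrap Tr(g^{R_S}) in step III, so a later compromise of x_C does not by itself yield K_P of an earlier session unless that session's R_C is also recovered.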
4 Performance Analysis
(1) A single wireless terminal user is unlikely to compromise other terminals and turn them into zombies, because of the limitations of the mobile network, so a denial-of-service attack on the server is usually launched by a limited number of clients. In this scheme the IMEI identity is added to the [ClientHello] message, so the server can effectively identify connecting users. If a large number of [ClientHello] messages arrive from the same client, the server may treat it as a denial-of-service attack and refuse to respond. Moreover, the IMEI is significant for addressing on the wireless channel: if a user falsifies the IMEI, it can be detected when the network equipment forwards the message and the WAP gateway performs protocol conversion. Compared with the original passive detection in WTLS, this active prevention is more accurate, and in particular a user who maliciously modifies datagrams can be identified [10].
(2) Forward secrecy is strengthened by replacing the random numbers R_S and R_C in [ClientHello] and [ServerHello] with Tr(g^{R_C}) and Tr(g^{R_S}). In the original WTLS handshake, R_S and R_C can be obtained by anyone who keeps the previous session messages, and K_M can then be computed quickly, so there is no forward secrecy; even periodic modification through the key refresh mechanism adds only limited forward secrecy. In the modified protocol R_S and R_C never appear directly in the session, so an attacker cannot obtain the original R_C and cannot compute K_M, which guarantees the forward secrecy of WTLS.
(3) When the server transmits Tr(g^{R_S}) to the client it is encrypted under the client's public key, unlike the scheme in paper [6] where it is transmitted directly over the network; this prevents the man-in-the-middle attack.
(4) The communication key K_M is computed with the XTR-DH protocol and the identity of the client is verified with XTR-DSA, so the secrecy of the improved WTLS protocol is consistent with the original.
(5) ECC is replaced by XTR. Establishing keys and selecting system parameters is simplified while the small data volume and high efficiency of ECC are retained, which improves the efficiency of the whole system.
5 Experiment
To test the practicability of the improved WTLS handshake protocol, we take the development platform of a wireless terminal as an example and implement the client side of the protocol.

Fig. 3. Simulator environment (terminal connected to the host over a parallel bus)

Experiment environment: HSDPA wireless environment on a Qualcomm MSM6280, with an ARM926EJ processor core at 120 MHz, 128 MB ROM and 64 MB RAM. Simulator environment: Dell D600 laptop + Lauterbach Trace32. System parameters:
p = 2^326 − 2^189 − 5·2^163 + 2^50 + 2^27 + 7,
q = 2^162 − 2^24 − 1.
The XTR program is written in C using the LIP library (the free large integer package developed by Lenstra). It runs in the Trace32 simulator environment; the time cost of each step of the protocol is shown in Table 1.

Table 1. Experiment result
Exponentiation | Trace  | K_M    | DSA signature
185 ms         | 311 ms | 486 ms | 424 ms

So we conclude that this WTLS handshake protocol is practicable on an ordinary mobile system.
6 Conclusion
The danger of denial-of-service (DoS) attacks has been reduced effectively by modifying the handshake protocol, the efficiency of certificate management has been improved by changing the core public key algorithm, and forward secrecy, which the present system lacks, has been added. The experiments show that this protocol is practicable and can replace the former protocol in practical applications.
References
1. WAP Forum: Wireless Application Protocol, Wireless Transport Layer Security Specification, Version 06 [EB/OL] [2006-02-02], http://www.wapforum.org
2. IETF: The TLS Protocol Version 1.0, RFC 2246 [EB/OL] [2006-02-02], http://www.ietf.org
3. Park, D., Boyd, C., Moon, S.: Forward Secrecy and its Application to Future Mobile Communications Security. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 433–445. Springer, Heidelberg (2000)
4. Lee, K., Moon, S.: AKA Protocols for Mobile Communications. In: Clark, A., Boyd, C., Dawson, E.P. (eds.) ACISP 2000. LNCS, vol. 1841, pp. 400–411. Springer, Heidelberg (2000)
5. Kwak, D.J., Ha, J.C., Lee, H.J.: A WTLS Handshake Protocol with User Anonymity and Forward Secrecy. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656. Springer, Heidelberg (2003)
6. Cui, Y.Y., Zhou, Y.B., Ding, J.K.: Security Analysis and Improvement of a WTLS Handshake Protocol with User Anonymity and Forward Secrecy. High Technology Letters 15(4), 6–10 (2005)
7. Lenstra, A.K., Verheul, E.R.: The XTR Public Key System. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 1–19. Springer, Heidelberg (2000)
8. Lenstra, A.K., Verheul, E.R.: Key Improvements to XTR. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 220–233. Springer, Heidelberg (2000)
9. Qualcomm: Mobile Station Modem 6280 Specification [EB/OL] [2006-02-02], http://www.cdmatech.com/solutions/pdf/msm6280.chipset.pdf
Application of 2D Barcode in Hardcopy Document Verification System Mazleena Salleh and Teoh Chin Yew Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, 81300 Skudai, Johor, Malaysia {[email protected],alden teoh}@yahoo.com
Abstract. Forgery can cause significant damage in terms of trust and authenticity. It is therefore essential that the integrity of important documents be maintained, so that they cannot be exploited by criminals. In this study we explore the applicability of two-dimensional (2D) barcodes, specifically the Data Matrix barcode, for the integrity verification of hardcopy documents. The proposed system also uses other cryptographic building blocks, namely hashing (SHA-256) and a timestamp. A tracking number unique to each document is added to enhance document security. The system is built from modules that can simply be plugged in and played. The system was tested and experimentally shown to provide reliable integrity verification for hardcopy documents. Keywords: integrity, verification, hardcopy document.
1 Introduction
In today's electronic age, the use of hardcopy documents still cannot be disregarded. Hardcopy documents are still used for important documents such as certificates, academic transcripts, wills, contracts and land titles. However, there have been many forgery cases involving hardcopy documents over the years. Fake and altered documents are created to deceive anyone who cannot judge the authenticity of the documents. It was reported that the United States administration was embarrassed when it did not detect fake Iraqi documents it had received as proof that Iraq was developing nuclear weapons [1]. In another case two policemen were charged with 14 counts of forging witness statements and using forged documents at the Criminal Investigation Department (CID) office in Malaysia [2]. As we know, forgery can cause significant damage in terms of trust and authenticity. Therefore, it is essential that the integrity of important documents be maintained so that they cannot be exploited by criminals. Currently, most methods of hardcopy document integrity protection are expensive because of cumbersome processes and hard-to-obtain materials. Furthermore, some of these methods are not only expensive but slow as well. Hence, although those methods are effective, they are not efficient at providing integrity protection for hardcopy documents. The inadequacy of these approaches motivated our study to investigate an alternative scheme, namely the application of two-dimensional (2D) barcodes to the integrity verification of hardcopy documents. 2D barcodes can store more data than one-dimensional barcodes [3] [4] and are particularly useful for verifying a page's integrity. They can also withstand errors in subsequent scans through their error correction features. The paper is organized as follows: Section 1 introduces the security issues of hardcopy documents and the use of 2D barcodes. Section 2 discusses related work in the area, while Section 3 describes the system process and protocol. Section 4 details the system design and its architecture, and Section 5 shows the testing of the system and its results. Section 6 concludes the paper.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 644–651, 2009. © Springer-Verlag Berlin Heidelberg 2009
2
Related Works
There are a number of works in this particular research and several integrity verification techniques have been patented. The author of [5] presented a method for protecting against forgery sheet-like printed documents. In this technique a microcapsule layer is applied on the printed document. This layer comprises of a chemical product adapted to release an indelible mark that reveals tampering on surfaces portions of a document subjected to a pressing or rubbing tampering force. On the other hand, the author of [6] proposed document alteration indicating system. The invention evaluates markings in half-tone fields of the document. The markings will form an image that will help in determining whether the document has been altered. An alteration is indicated when the first dot count and second dot count are different. Another Policy based printing is another technique used for document integrity verification [7]. The document is printed using forgery detection and deterrence technologies, such as fragile and robust watermarks, glyphs, and digital signatures that are appropriate to the level of protection determined by the policy. A plurality of printers is managed by a print management system. The policy determines the protection technologies for the document to be printed and the print management system routes the print job to a printer that can apply the appropriate protections and sets the appropriate parameters in the printer. A document can be verified as an original or a forgery by inspecting the copy evidence and/or tracing information in the watermark. Printable digital signatures are also proposed in Korea for an online hardcopy document integrity verification application [8]. Besides that, digital watermarking is used to embed a watermark into an image [9] and a photo and fingerprint of a driver into the drivers license barcode [10]. 
M. Salleh and T.C. Yew

From all these studies, it can be concluded that efficient techniques must be not only effective but also affordable and simple to implement. That way, anyone who needs integrity protection can simply use the technique without struggling with technical complexities, because high technology adds no value unless it is user friendly. Thus, this study aims to provide an effective and yet simple and fast method of document integrity verification through the usage of 2D barcodes.
3 Hardcopy Document Verification System
As described in Section 1, forgery of hardcopy documents is easily done with the abundance of advanced digital tools. To provide an alternative solution, this study proposes an integrity verification system for hardcopy documents. The system uses a 2D barcode to store the valuable content of a page in a document. The security feature is further enhanced by adding a timestamp and a tracking number to every page before generating the barcode. The timestamp is unique because the time value is read at a resolution of 10^-6 seconds, which helps to minimize duplication of the document. Since the goal of the system is to verify the integrity of an offline document, databases are outside the scope of the system, and thus public key infrastructure and digital signatures are not considered at this stage of the project. The tracking number serves as a serial number for the pages created by the user; it helps to prevent a perpetrator from inserting pages into, or deleting pages from, the document. The timestamp, tracking number and content of the page are hashed together to produce a unique key for the page. Without hashing the timestamp and tracking number, a perpetrator could change the date to claim that the page was created on a different day. Hence, the timestamp and tracking number are important to deny anyone the ability to dispute the creation date. This is particularly important for documents used in court cases and insurance claims. Note that, because the hash is unkeyed, the check establishes that the printed text, timestamp and tracking number still agree with the barcode; proving who generated the barcode is the authentication extension with digital signatures left to future work in Section 6. The barcode thus acts as a carrier of the text content of the page and the hash value. This method therefore does not require any chip for secure data storage, special paper, a special printing device, or lamination or a hologram for integrity protection. A document with the barcodes attached can be printed on any common laser printer. Figure 1 illustrates the generation and insertion of the barcode into the document, and Table 1 lists the protocol of the barcode generation.
Figure 2 depicts the decoding and verification process for the hardcopy document. Before the integrity of the document is verified, the document is scanned and, using optical character recognition (OCR), the text of the document along with the timestamp and the tracking number is extracted. This data is then hashed and compared with the value extracted from the 2D barcode to verify the integrity of the document.
4 System Design and Architecture
The system uses the Data Matrix barcode as its symbology. Data Matrix was found to be smaller than QR Code for the same data, and it is non-proprietary. Since data integrity is an important part of detecting or preventing forgery of documents, hashing is used to verify whether the data has been tampered with.
Application of 2D Barcode in Hardcopy Document Verification System
Fig. 1. Barcode Generation Process
Table 1. Barcode Generation Protocol (|| denotes concatenation)

Step  Description                                      Symbol Representation
1     Page content (M)                                 M
2     Append timestamp (T) to the page content         T || M
3     Append tracking number (N) to the page content   N || T || M
4     Hash (H) the page content                        H(N || T || M)
5     Encode (E) the page content                      E(H(N || T || M))
Hashing compresses data of arbitrary length to a fixed length. It provides a unique relationship between the input and the hash value, replacing the authenticity of a large amount of information by the authenticity of a much smaller hash value [11]. Several hashing algorithms are currently in use, such as Message Digest 5 (MD5), the Secure Hash Algorithm (SHA) family and the RACE (Research and Development in Advanced Communications Technologies in Europe) Integrity Primitives Evaluation Message Digest (RIPEMD). This study uses SHA-256 as the hashing algorithm for the system, since SHA-256 is currently the more suitable choice for general application. The framework of the system is modularized: each functional unit is responsible for executing an individual procedure. Should any upgrade be needed in the future, this kind of architecture makes upgrading easy, because the modules can simply be plugged in and any new or better technique can replace the current one without much hassle. There are four main functional components: OCR, Data Matrix encoding and decoding, compression and SHA-256, as shown in Figure 3. It should also be noted that in our previous study [12] the size of the generated 2D barcode was found to be proportional to the amount of data on a page. Therefore, to obtain an efficient barcode size, the data along with the hash value and the tracking number is compressed before the barcode is generated. Figure 4 is a snapshot of the application, which has been integrated with the word processor of the Microsoft Office suite, during verification of a hardcopy document.

Fig. 2. Barcode Decoding and Verification Process
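The generation protocol of Table 1 and the verification of Figure 2, as an added example (not the authors' code): Python that builds the barcode payload from tracking number N, timestamp T and page content M, hashes it with SHA-256, compresses it as Section 4 describes, and then checks the OCR-extracted fields against the decoded payload. The Data Matrix encoder and decoder are stand-ins that pass bytes through; the length-prefixed field framing, the JSON record layout and the rule that tracking numbers run 1..n are assumptions of this example, not statements from the paper.

```python
"""Added example: Table 1 generation protocol and Figure 2 verification.
Not the authors' code; Data Matrix encode/decode are pass-through stand-ins."""
import hashlib
import json
import zlib
from datetime import datetime, timezone


def page_hash(tracking_number, timestamp, content):
    """Step 4 of Table 1: H(N || T || M) with SHA-256.
    Each field is length-prefixed before hashing (an assumption, not stated in
    the paper) so that moving characters between N, T and M cannot give the
    same hash for a different (N, T, M) triple."""
    h = hashlib.sha256()
    for field in (str(tracking_number), timestamp, content):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def make_barcode_payload(tracking_number, content, timestamp=None):
    """Steps 1-5 of Table 1 plus the compression step of Section 4: the bytes
    handed to the Data Matrix encoder carry N, T, M and H(N || T || M)."""
    if timestamp is None:
        # microsecond resolution, matching the paper's 10^-6 s timestamp
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    record = {"N": tracking_number, "T": timestamp, "M": content,
              "H": page_hash(tracking_number, timestamp, content)}
    return zlib.compress(json.dumps(record, separators=(",", ":")).encode("utf-8"), 9)


def datamatrix_encode(payload):  # stand-in for the Data Matrix encoder
    return payload


def datamatrix_decode(symbol):   # stand-in for the Data Matrix decoder
    return symbol


def decode_barcode_payload(symbol):
    return json.loads(zlib.decompress(datamatrix_decode(symbol)).decode("utf-8"))


def verify_page(symbol, ocr_content, ocr_timestamp, ocr_tracking_number):
    """Figure 2: hash the OCR-extracted fields and compare with the barcode.
    Returns (ok, reason); the reason names the field(s) that disagree."""
    rec = decode_barcode_payload(symbol)
    if page_hash(rec["N"], rec["T"], rec["M"]) != rec["H"]:
        return False, "barcode payload is internally inconsistent"
    if page_hash(ocr_tracking_number, ocr_timestamp, ocr_content) == rec["H"]:
        return True, "ok"
    diffs = [name for name, scanned, stored in (("content", ocr_content, rec["M"]),
                                               ("timestamp", ocr_timestamp, rec["T"]),
                                               ("tracking", ocr_tracking_number, rec["N"]))
             if scanned != stored]
    return False, "modified: " + ", ".join(diffs)


def verify_document(pages):
    """pages: list of (symbol, ocr_content, ocr_timestamp, ocr_tracking_number)
    in scanned order. Every page must verify and the tracking numbers must run
    1..n in order (assumed numbering), so an inserted, removed or reordered
    page is reported even when each page on its own is intact."""
    results = [verify_page(*page) for page in pages]
    numbers = [decode_barcode_payload(page[0])["N"] for page in pages]
    sequence_ok = numbers == list(range(1, len(pages) + 1))
    return all(ok for ok, _ in results) and sequence_ok, results, numbers


if __name__ == "__main__":
    # constructed sample page
    sym = datamatrix_encode(make_barcode_payload(1, "Pay the bearer 100 dollars."))
    rec = decode_barcode_payload(sym)
    print(verify_page(sym, rec["M"], rec["T"], rec["N"]))
    print(verify_page(sym, "Pay the bearer 1000 dollars.", rec["T"], rec["N"]))
```

Any OCR error, not only a forgery, makes the hash comparison fail, which is the intended sensitivity; because the barcode also carries the page text, a mismatch can be localised by diffing the stored text against the OCR output before deciding whether it is a scanning error or an alteration.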
5 System Testing
Integrity testing is important to prove that the system is able to provide a reliable integrity verification service to the user and to detect hardcopy document forgery. The system must be not only reliable but also consistent for each integrity test.

Fig. 3. System Architecture

Fig. 4. Snapshot of Microsoft Word Ribbon

Fig. 5. Testing Environment

In this study, two main tests are conducted: text content modification detection and barcode modification detection. The text content modification test checks whether the system is able to detect changed text content in a document, while the barcode modification test checks whether the system is able to detect an altered barcode in a document. The testing environment is shown in Figure 5. In this system testing only text data are considered: even if a document contains image data, the system extracts only the text during 2D barcode encoding, because most forgery cases involve changes to text data. The testing is done by comparing the scanned document with the document decoded from the barcode. To simulate an act of forgery, the data of the original document carrying the barcode is modified, that is, characters are added to and deleted from the text content; the timestamp and tracking number are also changed. The testing showed that the proposed application is able to detect all cases of modification. Another possible forgery is the act of altering or replacing the barcodes. For the detection of barcode alteration, the data areas of the barcode are altered by changing several random pixels, and the altered barcode replaces the original before printing. The system then compares the decoded barcode content with the OCR'd document to verify the integrity. This test did not produce a detectable alteration, because the Data Matrix symbology has an error correction procedure built in: the error correction data enables correct decoding even when the altered pixels are spread over the symbol, so the decoded content still matched the OCR'd text. This illustrates that the barcode is highly resistant to damage; the high amount of error correction data helped the barcode decoding process. According to the authors of [13], the Data Matrix barcode can withstand damage of up to 60%. Thus, damage to or alteration of a barcode must be significant enough to affect the barcode decoding process before it is noticed.
6 Conclusion
The focus of this study is to develop a new system that produces a printed document that is hard to alter, in order to maintain the integrity of the text content. This is done by storing a copy of the document in a form that is hard to comprehend; hence, a 2D barcode is used to store a copy of the document. It is difficult to compare this system directly with other available solutions in the market, since this kind of system is new. The timestamp can be used to prove that a page was created at a certain time, whereas the tracking number can be used as an identification number for a document created by a user. Both of these values are important in identifying the document. By hashing these two values together with the content, it is tough for criminals to change the document creation date and reference number without the mismatch being detected. To further enhance the security of the system, a different hashing algorithm can be used by simply replacing the SHA-256 hashing module. For the proposed system we have selected the Data Matrix barcode for storing the text content of a document, the timestamp, the tracking number and their hash value. The Data Matrix barcode has a high error resistance rate: any damage or alteration done to the barcode must be significant enough to affect the barcode decoding process. We have also tested the system and experimentally shown that it is capable of providing reliable integrity verification services to the user. As technology grows day by day, the capability of software systems also improves. Hence, it is hoped that in the future a better data compression method can be combined with this work in order to increase the density of information stored in the barcode. Once the amount of storage increases, the size of the barcode decreases, paving the way for wider use of this integrity verification system. For example, the barcode would then be able to store images, whether black and white, grayscale or even colour, for integrity protection.
However, in order for the system to support images, it must also be equipped with pattern recognition technology, whereby the images stored in the barcode are compared with the images from the scanned document. Image processing is also needed to preprocess altered images before the recognition process, since the images may be altered by the printing, delivery and scanning of the document. In addition, the system can be extended to include authentication of the document by applying digital signatures; this will obviously require a database for retrieving the public keys. Acknowledgments. This project is funded by the Ministry of Science and Technology, Malaysia under E-Science Grant number 79323.
References
1. Ensor, D.: Fake Iraq documents 'embarrassing' for U.S. CNN.com, March 14 (2003)
2. Sim, B.H.: Two policemen claim trial to 14 counts of forgery. The New Straits Times Online, October 4 (2007)
3. Hee, I.H., Joung, K.J.: Algorithm to decode two dimensional barcode PDF-417. In: Proceedings of the 6th International Conference on Signal Processing, pp. 1791–1794, August 26–30 (2002)
4. Premaratne, P., Safaei, F.: 2D barcodes as watermarks in image authentication. In: 6th IEEE/ACIS International Conference on Computer and Information Science, July 11–13, 2007, pp. 432–437 (2007)
5. Vigano, V.: U.S. Patent No. 5789019. Washington DC: U.S. Patent and Trademark Office (1998)
6. Prakash, R.: U.S. Patent No. 6748102. Washington DC: U.S. Patent and Trademark Office (2004)
7. Lunt, T.F., Franklin, M.K.: U.S. Patent No. 7110541. Washington DC: U.S. Patent and Trademark Office (2006)
8. Lee, J., Kwon, T., Song, S., Song, J.: A model for embedding and authorizing digital signatures in printed documents. In: 5th International Conference on Information Security and Cryptology, November 28–29, 2002, pp. 465–477 (2002)
9. Song, Y., Liu, R., Tan, T.: Digital watermarking for forgery detection in printed materials. In: Proceedings of the Second IEEE Pacific Rim Conference on Multimedia, October 24–26, 2001, pp. 403–410 (2001)
10. Noore, A., Tugala, N., Houck, M.M.: Embedding biometric identifiers in 2D barcodes for improved security. Computers & Security 23(8), 679–686 (2004)
11. Preneel, B.: Cryptographic primitives for information authentication: state of the art. In: Course on Computer Security and Industrial Cryptography, June 3–6, 1997, pp. 50–105 (1997)
12. Salleh, M., Yew, T.C., Subariah, I.: Spatial resource analysis of two dimensional barcodes. In: Proceedings of Innovations 2008 Conference, December 12–14 (2008)
13. Han, S.Y., Jung, E.H., Cho, S.Y.: A robust digital watermarking adopting 2D barcode. In: Proceedings of the 11th International Conference on Computer Analysis of Images and Patterns, September 5–8, 2005, pp. 717–723 (2005)
Protecting Global SOA from DoS and Other Security Threats

Deven Shah (1), Ashish Mangal (1), Mayank Agarwal (1), Mahendra Mehra (1), Tushar Dave (1), and Dhiren Patel (2)

(1) Sardar Patel Institute of Technology, Mumbai University, Mumbai, Maharashtra 400058, India
[email protected], [email protected], [email protected], [email protected], [email protected]
(2) Sardar Vallabhbhai National Institute of Technology, Surat, Gujarat, India
[email protected]
Abstract. Global SOA requires dynamic and ubiquitous security, which cannot be provided by conventional SOA because of its static and pre-configured nature. Security is the major barrier to migrating SOA from the intra-enterprise setting to the web. In this paper we define the security risks associated with Global SOA and propose a handler mechanism to deal with each type of security risk. Our simulation focuses on DoS attacks on Web Services and suggests countermeasures through handlers. Keywords: Global SOA, Simulation, Handlers, SOA, Security, Web Services, DoS, Denial of Service.
1 Introduction
A service-oriented architecture (SOA) is essentially a collection of services in which the communication between services can involve either simple data passing or the coordination of several services to perform an activity. In the Global SOA scenario, distributed systems are pervasive. These systems have the capability to remotely execute a file on heterogeneous networks; interoperability, which is responsible for cross-platform communication, is the prime concern here. Web Services provide the Web Service Description Language (WSDL), the Simple Object Access Protocol (SOAP) and Universal Description, Discovery and Integration (UDDI), which enable loose coupling of services and achieve interoperability. Together these three protocols, WSDL, SOAP and UDDI, make Web Services an appropriate technology for Service Oriented Architecture. Today, SOA is used to make software flexible to change and interoperable. The software running on an industrial system also has to ensure that a user requesting a Web Service does not wait unnecessarily long to get the service. The basic concern that prevents organizations from implementing Global SOA in a meaningful way is the lack of understanding of what the security risks are and the

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 652–661, 2009. © Springer-Verlag Berlin Heidelberg 2009
way to handle these security risks. The contribution of this paper is twofold. First, we classify the threats that Web Services are prone to and present a model to prevent those threats using handlers. Second, we simulate the model to prevent DoS attacks using the concept of dynamic security handlers. Web Services traffic involves application APIs sending data over HTTP, HTTPS, SMTP, wireless and other media. In a Web Services environment, applications are consumers and producers of SOAP-wrapped messages; a Web Service application can be both a service provider and a service requester. Authentication, access control, encryption, data integrity and digital signatures provide the basic level of security for communication with Web Services. The paper is organized as follows. In the first part, we explain the various threats that can affect a SOAP message while it participates in a multi-hop transaction over the Internet. In the second part, we present a model for the simulation of dynamic handlers. In the third part, we simulate the concept of dynamic handlers to overcome XML Denial of Service (XDoS) attacks. The next part presents the simulation results we have obtained, and the last section concludes the paper. We also explain why hard-coding security into each service is infeasible for the demands of a Global SOA environment.
2 Security Issues in SOAP Based Web Services

2.1 Distributed Systems Risks and Message Risks
Risks to the services are similar to the risks that exist in web applications and component applications, such as SQL injection and buffer overflows; these risks arise from being distributed on a network. IT security controls such as network firewalls and application firewalls can examine packets but cannot be a fool-proof solution for all kinds of attacks. The data and documents exchanged between service requesters and providers are vulnerable to attack. A document may participate in a multi-hop transaction or be subject to inspection by a variety of intermediaries, each operating in a different security zone, including separate policy, security mechanism, geographic, technical and organizational domains. The message's payload may contain sensitive data. Some architectures use plain XML over HTTP and avoid SOAP altogether. With these two high-level risk factors in mind, let us examine how threats and vulnerabilities arise in a Web Services system.
3 Threats

3.1 Service-Level Exposure Threat and Message-Level Exposure Threat
An attacker may footprint a system's data types and operations from the information stored in its WSDL, since the WSDL may be published without a high degree of security. The WSDL contains the message exchange pattern, types, values, methods and parameters that are available to the service requester. An attacker may use this information to gain knowledge about the system and to craft attacks against the service directly and the system in general. An attacker may also clone a WSDL file and create a forged web service.
D. Shah et al.
The XML request and response messages posted in SOAP may be passed without encryption, leaving the messages and any data they contain vulnerable to deliberate interception. Message exposure may lead to identity spoofing and replay attacks, as shown in Figure 1.
Fig. 1. Example of exposure threats
Fig. 2. Example of illusion threats
3.2 Service-Level Illusion Threat and Message-Level Illusion Threat
An attacker may spoof the identity of the service requester by taking a well-formed SOAP XML request message and posting it to the service provider, causing the service provider to assume that the response is being sent to a valid service requester. Likewise, an attacker may spoof the identity of the service provider to deceive legitimate service requesters into posting messages to the spoofed service provider. XML messages are transmitted without integrity protection by default, leaving them vulnerable to tampering. An attacker may tamper with an XML message to execute code and/or gain privileges and information on service requesters and providers. Message tampering may result in injection attacks that use XML messages to carry attack requests to other parts of the service infrastructure; see Figure 2.

3.3 Service-Level Intrusion Threat and Message-Level Intrusion Threat
An attacker may usurp command of a system by elevating privileges, for example on the service registry, which contains the policies for the services. The service requester and service provider publish service metadata in a service registry. The service metadata may contain:
• Service policy
• Addressing and location
• Quality of service
• Interface information
The attacker may exploit the service registry to redirect service requests, change policy and perform other privileged operations. SOAP XML messages may be used to propagate viruses that contain malicious code to steal data; see Figure 3. XML messages may be used as a vector to transmit viruses that usurp command through shells or other mechanisms throughout the system. Injection attacks such as SQL injection, LDAP injection, XPath injection and XQuery injection may be used to usurp privileges, drop and alter tables, edit user privileges and alter schema information; see Figure 3.
Fig. 3. Example of intrusion threats
3.4 Denial of Service Attack
A Denial of Service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. By targeting a computer and its network connection, or the computers and network of the sites the user is trying to use, an attacker may be able to prevent the user from accessing email, banking services or other services that rely on the affected computer. One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. The four basic types of DoS attacks on a Web Service are:
1. Consumption of computational resources, such as bandwidth, disk space, or processor time.
2. Disruption of state information, such as unsolicited resetting of TCP sessions.
3. Disruption of configuration information, such as routing information.
4. Obstruction of the communication media between the intended users and the victim so that they can no longer communicate adequately.
In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and is then allowed onto the server. In a Denial of Service attack, the attacker sends several authentication requests to the server, filling it up. All requests carry false return addresses, so the server cannot find the user when it tries to send the authentication approval. The server waits for a specified interval before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again, tying up the service indefinitely (this is the pattern of a TCP SYN flood, in which half-open connections exhaust the server's backlog). Figure 4 and Figure 5 show the typical flow of traffic during a DoS attack on a Web Service.
Fig. 4. Occurrence of numbers in DoS flow source IP
Fig. 5. DoS Flows per Minute
4 Why Handlers?
SOAP allows for extensions in the form of headers, but SOAP does not specify any headers itself; instead it provides a framework for incorporating and processing headers. Each Web Service can define its own SOAP extensions using custom headers; however, when the extension is to address a concern such as security, the extensions need to be standardized. WS-Security provides a standard for extending SOAP to address security concerns and provides the syntactic and semantic support needed to implement any security model. WS-Security defines a Security header (<wsse:Security>) in which security claims and message-level security tokens are inserted, but there are several issues that are not addressed by WS-Security, such as:
1. What keys and algorithms can be used by the Web Services to encrypt or sign message data?
2. What if Web Services demand a certain quality of security?
Consider a scenario in which there are two Web Services W1 and W2. W1 needs a special quality of security S1, and W2 needs a special quality of security S2. By the
present approach, we need to embed the mechanism to enforce S1 and S2 in the application code of both Web Services. Now if there are three Web Services W1, W2 and W3 requiring special qualities of security S1, S2 and S3 respectively, then we again have to implement the mechanisms for S1, S2 and S3 in the application code of all three Web Services. In a Global SOA architecture there are thousands of Web Services that interact with each other dynamically, and they may require special security. So as Web Services grow in scale or become highly distributed, managing a change in the security processing logic of each and every Web Service is an enormous task; it is practically difficult to make such changes in application code, and the maintenance effort required is huge. Therefore, we need a generic mechanism to deal with SOAP extensions. Our strategy is to use message handlers, also known as SOAP interceptors; they provide a way of inspecting and modifying the SOAP request and response outside the business logic.

4.1 Handlers Concept
Handlers are configured on both the server-side and client-side engines. Handlers can be used for basic encryption and decryption of the data in the SOAP message as well as for dealing with complicated issues like preventing Denial of Service attacks. A client application can use a handler to encrypt the data before it sends the SOAP request to the Web Service. The Web Service receives the request and uses a handler to decrypt the data before passing it to the back-end component that implements the Web Service. Thus a client-side security handler adds a WS-Security element into the <wsse:Security> header, and the server-side handler consumes the same header and can use it to enforce security, making security independent of the business functionality.

4.2 Handler Implementation
Handlers are created using the JAX-RPC handler APIs. We have created handlers for all the security risks described in Section 3.
All handlers are part of a security package that can be bundled with J2EE or the .NET Framework, or can be freely downloaded from the Internet. The client identifies the server-side handlers from this identification and then creates a handler chain from the same package to implement the desired security.

4.3 Handler Chain
Handlers can be used for various security tasks. On the client side one handler may add a WS-Security header and another may encrypt the username and password in the WS-Security header. On the server side there will be a decryption handler followed by an authentication handler that verifies the username and password provided by the client. Our proposal is based on dynamic and ubiquitous security in Global SOA and involves the use of a Dynamic Invocation Interface client (DII client); see Figure 6.
Fig. 6. Model for Security in Global SOA
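The handler chain of Sections 4.1 to 4.3 as an added example (not the authors' JAX-RPC code): a client-side handler that adds a <wsse:Security> header carrying a UsernameToken, and the server-side chain that first extracts the token and then authenticates it. Instead of encrypting the password, the example uses the PasswordDigest form of the WS-Security UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)), which is the standard way to keep the password out of the header in clear; the sample envelope, the credential store and the five-minute clock skew are constructed for the example. Handlers are plain functions over the envelope string, and the JAX-RPC plumbing is omitted.

```python
"""Added example: WS-Security UsernameToken handler chain (not the paper's code).
Client handler adds wsse:Security; server chain extracts and authenticates it."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

# Constructed sample request and credential store (assumptions for the example).
SAMPLE_ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><getBalance><account>42</account></getBalance></soapenv:Body>"
    "</soapenv:Envelope>"
)
USERS = {"alice": "correct horse battery staple"}


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def client_security_handler(envelope, username, password):
    """Client-side handler: add <wsse:Security> with a digest UsernameToken."""
    root = ET.fromstring(envelope)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    token = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"),
                          f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return ET.tostring(root, encoding="unicode")


def server_token_handler(envelope):
    """Server-side handler 1: extract the UsernameToken fields from the header."""
    root = ET.fromstring(envelope)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:Security UsernameToken in header")

    def field(tag, ns=WSSE):
        el = token.find(f"{{{ns}}}{tag}")
        if el is None or not el.text:
            raise ValueError(f"UsernameToken lacks {tag}")
        return el.text

    pw = token.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type") != DIGEST_TYPE:
        raise ValueError("only PasswordDigest tokens are accepted")
    return {"username": field("Username"), "digest": field("Password"),
            "nonce": base64.b64decode(field("Nonce")), "created": field("Created", WSU)}


def server_auth_handler(token, users=USERS, seen_nonces=None, max_skew_s=300):
    """Server-side handler 2: recompute the digest and compare in constant time,
    reject a stale Created timestamp, and reject a nonce seen before (replay)."""
    password = users.get(token["username"])
    if password is None:
        return False
    expected = password_digest(token["nonce"], token["created"], password)
    if not hmac.compare_digest(expected, token["digest"]):
        return False
    created = datetime.strptime(token["created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs((datetime.now(timezone.utc) - created).total_seconds()) > max_skew_s:
        return False
    if seen_nonces is not None:
        if token["nonce"] in seen_nonces:
            return False
        seen_nonces.add(token["nonce"])
    return True


def server_handler_chain(envelope, seen_nonces=None):
    """The chain of Section 4.3: token handler, then authentication handler."""
    try:
        return server_auth_handler(server_token_handler(envelope), seen_nonces=seen_nonces)
    except ValueError:
        return False
```

The digest protects only the password: it neither binds the header to the body nor hides the body, so the tampering and exposure threats of Sections 3.1 and 3.2 still require TLS or WS-Security signing and encryption on the message. The nonce set is what turns the exposure threat of Figure 1 (replay of a captured header) into a rejected request.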
5 Security Handler for Denial of Service Attack
As per our proposed architecture, we have developed the following setup:
• The Web Services are generated using IBM WSAD.
• Flow analysis is performed by asking the network users to send requests.
• Handlers are created using JAX-RPC.
An XML Denial of Service attack (XDoS) can be mounted in two ways:
1. By flooding the Web Service with XML requests, thereby not allowing it to process any other request.
2. By increasing the size of the SOAP message.
5.1 Method 1: Prevention against Flooding of Web Services
To prevent the first type of XDoS attack, we propose the following method:
Step 1: The user credentials are checked and verified using the existing security handlers.
Step 2: The user is also authenticated and authorized using the authentication and authorization handlers.
Step 3: A request is allowed to move to the next step only after successful authentication and authorization. Every request header is stored in a database.
Step 4: Once the values are stored, the next step is to verify the frequency of the requests.
XML Request Frequency
Here the time difference between the last request and the current request for the same service by the same user is compared. The algorithm works as follows:
1. There are two threshold times:
   - Time t1 (Low)
   - Time t2 (High)
2. All requests with a time gap greater than t2 are allowed to the next stage.
3. If the time gap is between t1 and t2, the request is logged at the Threat level in the back end and the user is allowed to the next stage.
Fig. 7. Method 1 to prevent DoS attack
4. For a time gap less than t1, the user information and request details are stored at the Danger level. The request is blocked and no further requests are processed for that user as long as the user id is stored at the Danger level.
5. All users at the Danger level are immediately mailed and asked to confirm their credentials and the nature of their work before services are resumed for them.
6. If a user needs to access the service very frequently, at intervals shorter than t1, then he or she should be given special permission, and only for a limited duration. See Figure 7.
We propose the following method to choose the times t1 and t2. Assume that user 1 sends r1 requests in time t1, user 2 sends r2 requests in time t2, and so on. We calculate t2 as the weighted average of the observed times, weighted by request counts:

$$\text{Weighted Average} = \frac{r_1 t_1 + r_2 t_2 + r_3 t_3 + r_4 t_4}{r_1 + r_2 + r_3 + r_4} \qquad (1)$$

This gives the value of t2. Similarly, we use historical data of DoS attacks [4] and the same method to calculate t1.

5.2 Method 2: Prevention of DoS from Large SOAP Messages
To prevent the second type of XDoS attack, we propose the following method. There can be many Web Services running on an application server, and each may have a different acceptable SOAP message size. We have created two handlers that work in synchronization with each other. One handler synchronizes with all Web Services and finds the maximum SOAP message size that can be accepted for each Web Service. The second handler filters SOAP messages by comparing the size of every SOAP message with the maximum acceptable size for the corresponding Web Service. If the SOAP message sent by the user is larger than the maximum acceptable size, the request is blocked and the user is logged in the Threat Level log. If the same user again tries to send a large SOAP message, the user is logged in the Danger Level log, and that user, along with its IP address, is blocked. See Figure 8.
Fig. 8. Method 2 to prevent DoS attack
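The decision logic of Method 1 and Method 2 as an added example (not the authors' handler code): FrequencyHandler implements the two-threshold check with the Threat and Danger levels of steps 2 to 6, weighted_average_gap computes equation (1) from observed traffic, and SizeHandler implements the per-service SOAP size filter. Time is a float in seconds supplied by the caller, the database and e-mail notification are replaced by in-memory structures, and the per-service size limits are passed in rather than discovered from the services.

```python
"""Added example: decision logic of the XDoS handlers of Section 5.
Not the paper's JAX-RPC code; persistence and mail are in-memory stand-ins."""


def weighted_average_gap(samples):
    """Equation (1): samples is a list of (r_i, t_i), the request count and
    time observed for each user. Returns sum(r_i * t_i) / sum(r_i)."""
    total = sum(r for r, _ in samples)
    if total == 0:
        raise ValueError("no samples")
    return sum(r * t for r, t in samples) / total


class FrequencyHandler:
    """Method 1: compare the gap between a user's consecutive requests for the
    same service against thresholds t1 (low) and t2 (high).
    handle() returns "ALLOW", "THREAT" (logged but allowed) or "DANGER" (blocked)."""

    def __init__(self, t1, t2):
        if not 0 < t1 < t2:
            raise ValueError("need 0 < t1 (low) < t2 (high)")
        self.t1, self.t2 = t1, t2
        self.last_seen = {}    # (user, service) -> time of last request
        self.threat_log = []   # step 3: (user, service, gap, time)
        self.danger = {}       # step 4: user -> (service, gap, time)
        self.exempt = {}       # step 6: user -> time until which short gaps are permitted

    def grant_exemption(self, user, until):
        self.exempt[user] = until

    def release(self, user):
        """Step 5: called once the user confirmed credentials and purpose out of band."""
        self.danger.pop(user, None)

    def handle(self, user, service, now):
        if user in self.danger:
            return "DANGER"
        key = (user, service)
        prev = self.last_seen.get(key)
        self.last_seen[key] = now
        if prev is None or now <= self.exempt.get(user, float("-inf")):
            return "ALLOW"
        gap = now - prev
        if gap > self.t2:
            return "ALLOW"
        if gap >= self.t1:
            self.threat_log.append((user, service, gap, now))
            return "THREAT"
        self.danger[user] = (service, gap, now)
        return "DANGER"


class SizeHandler:
    """Method 2: per-service maximum SOAP size. First violation goes to the
    Threat log; a second by the same user goes to the Danger log and blocks
    the user and the source IP."""

    def __init__(self, max_size_by_service, default_max):
        self.max_size = dict(max_size_by_service)   # assumed to be discovered by the first handler
        self.default_max = default_max
        self.threat_log = []      # (user, ip, service, size)
        self.danger_log = []
        self.blocked_users = set()
        self.blocked_ips = set()

    def handle(self, user, ip, service, message_size):
        if user in self.blocked_users or ip in self.blocked_ips:
            return "DANGER"
        if message_size <= self.max_size.get(service, self.default_max):
            return "ALLOW"
        if any(entry[0] == user for entry in self.threat_log):
            self.danger_log.append((user, ip, service, message_size))
            self.blocked_users.add(user)
            self.blocked_ips.add(ip)
            return "DANGER"
        self.threat_log.append((user, ip, service, message_size))
        return "THREAT"


if __name__ == "__main__":
    # constructed traffic: (request count, time) per user
    t2 = weighted_average_gap([(10, 2.0), (30, 6.0)])
    h = FrequencyHandler(t1=1.0, t2=t2)
    for t in (0.0, 10.0, 13.0, 13.5, 100.0):
        print(t, h.handle("u1", "getBalance", t))
```

Because steps 1 to 3 run the credential and authorization handlers before the frequency check, the frequency handler protects the business logic, not the authentication handlers themselves; a flood of requests with bad credentials still costs the authentication work. Keying the Danger level on the authenticated user id rather than on the source address is what stops the spoofed addresses of Section 3.4 from locking out legitimate users.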
6 Conclusion
This paper presents how the concept of dynamic handlers can be applied to prevent Denial of Service attacks. Although a lot of research is going on in this direction, we highlight these methods because they are relatively simple to implement. The main advantage of this method is that handlers are invoked dynamically and real-time data is used for filtering traffic. This overcomes the traditional approach of using static data to prevent Denial of Service attacks. Also, by introducing dynamic handlers we extend the present intra-enterprise SOA to a truly Global SOA. Another advantage is that no changes to existing Web Services standards are required to implement our method.
References
1. Shah, D., Patel, D.: Architecture framework proposal for dynamic and ubiquitous security in Global SOA. International Journal of Computer Science and Applications 6(1), 40–52 (2008)
2. Schroth, C., Christ, O.: Brave new web: emerging design principles and technologies as enablers of a Global SOA. In: IEEE SCC 2007, pp. 597–604 (2007)
3. Bertino, E., Martino, L.: Security in SOA and web services. In: IEEE SCC 2006, p. 41 (2006) ISBN 0-7695-2670-5
4. Cotroneo, D., Graziano, A., Russo, S.: Security requirements in Service Oriented Architectures for ubiquitous computing. In: 2nd Workshop on Middleware for Pervasive and Ad-hoc Computing, pp. 172–177 (2004)
5. Pautasso, C., Zimmermann, O., Leymann, F.: RESTful web services vs. "big" web services: making the right architectural decision. In: WWW 2008, Beijing, China, pp. 805–814 (2008)
6. Rahaman, M.A., Schaad, A., Rits, M.: Towards secure SOAP message exchange in a SOA. In: Workshop on Secure Web Services, pp. 77–84 (2008)
7. Shah, D., Patel, D.: Global SOA architectural style: SOA for the user. In: SEEC 2008, pp. 172–175 (2008)
8. Bhatti, M., Youcef, S., Mokdad, L., Monfort, V.: Execution time analysis of aspectized web services (2007) ISBN 0-7695-2844-9
9. Cheng, Y., Tan, P.S.: Achieving high availability and security of web services for SOA-based applications. SIMTech Technical Reports 6(1) (January–June 2005)
10. Gutiérrez, C., Fernández-Medina, E., Piattini, M.: Web Services Enterprise Security Architecture: A Case Study
CRYPTEX Model for E-Commercial Contract of Software Source Code Using Secrete Sharing Scheme
ByungRae Cha (Dept. of Information and Communication Eng., Chosun Univ., Korea) and YoungIl Kim (Dept. of Internet Software, Honam Univ., Korea)
Abstract. Software source code management is needed to improve the functioning of the information society. The management and security of software source code, which is the equivalent of an assembly line for important infrastructure, is still in an early stage of the information society, and the supporting technologies to protect and trade software source code are in a poor state. In this paper, we propose a management framework to support access control, and a new authentication system for E-commercial contracts of software source code, using the CRYPTEX model of a secure container and a secret sharing scheme. Keywords: CRYPTEX Model, Software Source Code, E-Commercial Contract, Secret Sharing Scheme.
1 Introduction Software source codes are based on computer code. The code tells the microprocessors and other hardware components what to do. Yet these remarkable software engines are invisible to most of us. Their creators write them in a language that looks almost human. Software source codes are a technology, though one based on a written language, that can be deployed in a vast range of industries for a great multitude of purposes. The multisided potential of software source codes is not their only common feature. They share all the characteristics of complex software. They are designed, written, and debugged almost entirely by humans. Once created, a software program is cheaper to replicate and distribute than a book. After it sells enough copies to cover the costs of creating it, it becomes a money machine: each copy generates revenue at little extra cost. The intellectual effort that went into the creation of the program is also at risk. Most software businesses distribute their code only in almost indecipherable machine language and secure legal protections such as copyrights and patents to deter theft of their intellectual property. Without intellectual property protection there is no obvious way to make money. The management and E-commercial contract of software source code are used to improve the functioning of the information society. Software source code is one of the most important assets of the information society, and thus it is important to capture, store, and apply it. These are the major purposes of software source code management and E-commercial contract. A major purpose of a managed source code base is to allow authorized source code sharing using a secret sharing scheme. Source code sharing among developers, with customers, and with business partners has a huge potential payoff in improved customer service, the ability to solve difficult copyright management problems, shorter delivery cycle times, and increased collaboration within the company and with business partners. Furthermore, some source code can be sold to others or traded for other source code. In this paper, we propose a business model to support E-commercial contracts of software source code using the secure container CRYPTEX model and a secret sharing scheme.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 662–671, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Related Works
2.1 ISO 19770 [1]
ISO/IEC 19770-1 is a framework of Software Asset Management (SAM) processes that enables an organization to prove that it is performing software asset management to a standard sufficient to satisfy corporate governance requirements and to ensure effective support for IT service management overall. ISO/IEC 19770-1 describes the life cycle processes for the management of software and related assets [2, 3]. ISO/IEC 19770-2 provides a software asset management (SAM) data standard for software tags. Software tags provide authoritative identifying information for installed software ("software configuration items") [4]. This process starts with the software manufacturer/publisher, who uses this standard to enable their software to be accurately identified, which makes the software significantly more manageable from a software asset management perspective.
2.2 Protection Technology and Secure Containers
Technological approaches to preventing illegal use or copying of digital contents can largely be divided into passive protection technology and active protection technology. Active protection technology prevents unauthorized users from accessing digital contents [5], and thus actively protects the contents. According to its technological characteristics, active protection technology can largely be divided into access control methods [6], usage control methods and copy protection. Copyright information expression technology, a passive protection technology for software source codes, has been developed into a technology that issues and searches digital licenses of software source codes [7, 8]. Containers are software components that can contain a variety of different media objects; when accessed by a user, the container activates appropriate processes such as decryption, viewing, etc.
The container is not an inert object such as a data file that can be opened and manipulated by a wide variety of applications; it incorporates code as well as data and only allows itself to be read or altered under specific conditions. We present a snapshot of two currently available container technologies: InterTrust's DigiBoxes [9] and RightsMarket's RightsPublish [10] products. InterTrust licenses its technology to partners and application developers. A key component is the DigiBox container technology, which provides a way of securely encapsulating content to be managed and protected by the InterTrust rights management system. RightsMarket provides an "end-to-end" digital publishing technology that can be integrated with an existing publishing website. The digital content is encrypted and wrapped into a container which interacts with a RightsMarket application on the user's machine and with a media player/reader for the particular file format of the content. RightsMarket implements true "super-distribution" [11], in that users may freely copy or distribute the objects they have downloaded, but such copies cannot be further used by users who have not obtained authorization via the RightsPublish server. This study proposes the CRYPTEX model to support E-commercial contracts of software source codes.
2.3 Source Code Management (SCM)
Source code management systems are a common feature of large software development environments. They are used by both commercial and open source projects. It is far less common, however, to see SCM used in Web development, although larger development firms and projects do use SCM to manage their code. SCM solutions are based on a simple principle: the authoritative copies of your source code, and other project files, are kept in a central repository. Developers check out copies of files from the repository, work on those copies, and then check them back in to the repository. This is where SCM becomes an important tool: SCM manages and tracks revisions by multiple developers against a single master repository and provides locking and concurrency management, versioning and revision history, synchronization, and project forking. There are numerous SCM systems available.
There are three main enterprise-class SCM systems that are widely used:
• Visual SourceSafe (http://msdn.microsoft.com/ssafe/)
• Concurrent Versions System (CVS, http://www.cvshome.org/)
• Subversion (SVN, http://subversion.tigris.org/)
In addition, there are other tools which, while not full-blown SCM systems, can provide some of the benefits of SCM for small teams or individual developers:
• ColdFusion's Remote Development Services (RDS)
• WebDAV (http://www.webdav.org/)
2.4 Secret Sharing Scheme [12]
In cryptography, a secret sharing scheme is a method for distributing a secret amongst a group of participants, each of whom is allocated a share of the secret. The secret can only be reconstructed when the shares are combined together; individual shares are of no use on their own. More formally, in a secret sharing scheme there is one dealer and n players. The dealer gives a secret to the players, but only when specific conditions are fulfilled. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret, but no group of fewer than t players can. Such a system is called a (t, n)-threshold scheme. A popular technique to implement threshold schemes uses polynomial interpolation ("Lagrange interpolation"). This method was invented by Adi Shamir in 1979.
3 Business Model of Software Source Code
Copyright information expression technology, a passive protection technology for software source codes, has been developed into a technology that issues and searches digital licenses of software source codes. This study proposes the CRYPTEX model of a secure container to develop active protection technology for software source codes, as shown in Figures 1 and 2.
Fig. 1. DRM models of Software Source Codes
Fig. 2. Role and function of CRYPTEX Model
3.1 CRYPTEX Model of Software Source Code
The administration and security of software source codes, which are an assembly line of directly important infrastructure in the information age, is still in its beginning stages. Support technology and frameworks to protect software source codes are also very weak. CRYPTEX [13] is the name of a security device that stores secret documents, as mentioned in the novel "The Da Vinci Code"; this is where the idea came from, and it is used under the same name. The CRYPTEX has an encryption key formed by a combination of letters, and if the document is opened without solving the cipher, the acid inside the CRYPTEX dissolves the papyrus document held inside. This study aims to present a security model called CRYPTEX, modelled on the document security device of the real world, as a cyber document security facility for software source codes (Figure 3). The CRYPTEX proposed in this study is a model indicating the group of all supporting technology needed to safely protect software source codes and to support access control of those codes by authenticated and non-authenticated subjects. CRYPTEX is used to propose a business model that is active towards passive software source codes in the form of documents, can control access and offer security, and can grant mobile and delegation functions. As a preliminary study, a study was carried out on the issuance, search, division and performance of digital licenses of software source codes with passive protection technology, to protect software copyright [7, 8]. The software source code's digital license is a method that marks copyright information using the architecture, index information and node information of the copyrighted work. A digital license is a passive object like software source codes, and does not have active capabilities. Active protection technology and the supporting technology and frameworks to protect software source codes are too weak. To solve this, a CRYPTEX business model first needs to be established [3]. CRYPTEX is a model that indicates a combination of supporting technology for the safe protection and access control of software source codes. The components of the CRYPTEX business model system can be divided into the subject, which is the developer; the object, which is the CRYPTEX; and the verification facility. The CRYPTEX business model can be largely divided into the authentication stage and the access control stage. The authentication stage consists of the certificate authority, the owner of intellectual property rights, and CRYPTEX. The access control stage consists of the certificate, the owner of intellectual property rights and CRYPTEX. The CRYPTEX consists of software source codes and an algorithm to control access.
Fig. 3. Business Model of CRYPTEX
3.2 Source Code Management and Security Function of CRYPTEX
The core function of CRYPTEX [14-18] is software source code management and mobile agent software created by an algorithm to control access. Software source codes are made up of American Standard Code for Information Interchange (ASCII) characters or Unicode, and are in the form of a passive document that states, in its programming language, the processes the software will carry out. Since the source code is not in a state where it can act on its own, the CRYPTEX, which can support these functions, is included to carry out movement, management and access control. Software source codes are passive file objects consisting of ASCII codes or Unicode. The CRYPTEX itself is not meaningful without them; it has an active management system function to manage source codes, and a mobile function for movement through networks. The management function consists of source code management, certificate management, compression, the digital license function, authentication, access control and delegation of authority to counterparts, and the mobile function is movement through networks. The security function controls user access to source codes after the authentication stage, and carries out the access control function for source codes according to access levels. The access control function consists of access policy and level, delegation, a certificate expiration function, and an encryption function.
4 CRYPTEX's Access Control Model
Information Assurance (IA) is the protection of information systems against unauthorized access to or modification of information that is stored, processed, or being sent over a network. The importance of the IA model to EC is that it represents the processes for protecting information by ensuring its confidentiality, integrity, and availability. The success and security of EC depend on the confidentiality, integrity, and availability of information. There is a need to advance from the passive authentication of digital licenses that represented software source codes in the past, and to have physical access control for software source codes. Software source codes consist of ASCII codes or Unicode, and their access cannot be actively controlled by the codes themselves. CRYPTEX access control is carried out by the subject's ID and password and by the subject/object certificates. First, the subject's ID and password establish the subject's identity, and the responsibility inquiry starts. The subject's and object's certificates hold the CRYPTEX access control information for digital licenses of software source codes.
4.1 Source Code Handling
Access to CRYPTEX source codes is similar to normal file handling: the source code goes through the open-read-write-close process. In order to access the CRYPTEX source code, you have to open it. When you open the CRYPTEX, it automatically schedules a close handling. After the open handling has been executed by the CRYPTEX, the source code goes to read, and this is when the encoding and compression are released. The access level is also decided according to the access control policy. The CRYPTEX write handling is an action that releases source codes to the outside. This also has an access level according to the access control policy, and this is the stage where block copying of source code or screen capture is executed or rejected. All memory and other information used by the actions executed by CRYPTEX are initialized in the close stage. When the open handling starts, memory use is traced through the action schedule, and initialization is planned and executed. Bank ATMs do not allow withdrawals if authentication fails 3 times, and the security of that account then has to be reset. The CRYPTEX model is likewise designed to destroy itself or become impossible to use if authentication fails 3 times. In order to use CRYPTEX again you have to download it again from the source code download Web site.
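The open-read-write-close handling above, with the three-failure self-destruction, is concrete enough to model as a small state machine. The following Python is an added example, not the authors' implementation: the level policy (read needs level 1, write/export needs level 2, and the subject's level must reach the object's level), the PBKDF2 password check and the toy SHA-256 keystream are all assumptions made for illustration; the paper's Def. rules for differing certificate levels are not reproduced.

```python
"""Toy model of the CRYPTEX container lifecycle: open (authenticate) -> read
(decode) -> write (export) -> close (zeroise), unusable after 3 failures.
Added example, not the authors' code; policy and keystream are assumptions."""
import hashlib
import hmac
import os

MAX_FAILURES = 3        # from Section 4.1: three failed authentications
PBKDF2_ROUNDS = 50_000  # assumed; any slow password hash would do


class ContainerDestroyed(Exception):
    """The container self-destructed and must be downloaded again."""


class AccessDenied(Exception):
    """Authentication failed or the access policy rejected the action."""


class Cryptex:
    # Assumed policy: minimum subject level per action.  "write" is the
    # export step (block copy / screen capture), so it needs a higher level.
    POLICY = {"read": 1, "write": 2}

    def __init__(self, source: bytes, password: str, object_level: int):
        self._salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        self._key = os.urandom(32)
        self._body = self._keystream_xor(source, self._key)  # stored only encoded
        self.object_level = object_level
        self.failures = 0
        self.destroyed = False
        self._session = None   # created by open(), torn down by close()
        self.log = []          # audit trail of every handling step

    @staticmethod
    def _keystream_xor(data: bytes, key: bytes) -> bytes:
        # Toy keystream (SHA-256 in counter mode): plaintext only exists
        # between open() and close().  Not a production cipher.
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def open(self, subject_id: str, password: str, subject_level: int):
        """Authentication stage: ID/password check, then a session is scheduled."""
        if self.destroyed:
            raise ContainerDestroyed("container unusable; download it again")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, self._pw_hash):
            self.failures += 1
            self.log.append(("auth-fail", subject_id, self.failures))
            if self.failures >= MAX_FAILURES:
                self._destroy()
            raise AccessDenied("authentication failed")
        self.failures = 0
        self._session = {"subject": subject_id, "level": subject_level,
                         "plain": bytearray(self._keystream_xor(self._body, self._key))}
        self.log.append(("open", subject_id, subject_level))
        return self

    def _check(self, action: str) -> None:
        # Access control stage (assumed rule: subject level must reach both the
        # action minimum and the object's level).
        if self._session is None:
            raise AccessDenied("container is not open")
        level = self._session["level"]
        if level < self.POLICY[action] or level < self.object_level:
            raise AccessDenied(f"{action} refused for level {level}")

    def read(self) -> bytes:
        """Read handling: decoded source is visible inside the container only."""
        self._check("read")
        self.log.append(("read", self._session["subject"]))
        return bytes(self._session["plain"])

    def write(self) -> bytes:
        """Write handling: the step that lets source leave the container."""
        self._check("write")
        self.log.append(("write", self._session["subject"]))
        return bytes(self._session["plain"])

    def close(self) -> None:
        """Close handling: zeroise the decoded copy and drop the session."""
        if self._session is not None:
            plain = self._session["plain"]
            plain[:] = bytes(len(plain))
            self.log.append(("close", self._session["subject"]))
        self._session = None

    def _destroy(self) -> None:
        self.destroyed = True
        self._body = b""
        self._key = b""
        self.log.append(("destroyed",))


def demo() -> dict:
    """Constructed scenario: a level-1 developer can read but not export; then
    three wrong passwords from an intruder destroy the container."""
    box = Cryptex(b"int main(void) { return 0; }\n", "correct-horse", object_level=1)
    result = {"read": box.open("dev-1", "correct-horse", 1).read()}
    try:
        box.write()
    except AccessDenied:
        result["write_denied"] = True
    box.close()
    for _ in range(MAX_FAILURES):
        try:
            box.open("intruder", "guess", 2)
        except AccessDenied:
            pass
    result["destroyed"] = box.destroyed
    return result
```

The audit `log` is what a verifier would inspect: every open, read, write, close and failed authentication is recorded, and a `destroyed` entry marks the point after which only a fresh download can restore access.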
4.2 Authentication and Access Control Stage
In the authentication stage, identity is checked through the responsibility inquiry when software source code is accessed. Identity is confirmed through the ID and password given by the certificate authority, and this decides the level for access control. Once the identity of the subject is confirmed by completing the authentication stage, the access control stage is carried out through the certificates of the subject and object. In order to access source codes included in the CRYPTEX, policy establishment, level delegation, trust delegation, and sales strategy and mapping need to be set by the first person to register at the CA: the policy establishment stage, the level delegation stage, the trust delegation stage, and the policy establishment and sales strategy and mapping stage. CRYPTEX can be used to sell software source codes through electronic exchange. In the past, source code exchanges were only possible 1:1, between the developer and the purchaser, and there was no way to limit a second exchange by the purchaser. With CRYPTEX, however, a more advanced electronic exchange has become possible, and copyright management of almost all exchanges is carried out. Around 10 years ago, the basic security policy was to allow access if there was no special reason not to, but with the adoption of firewall systems to protect intranets from hackers and viruses, denying by default is now the implied basic rule. The access control rules of CRYPTEX have also changed with time. When the level of the subject's certificate and the level of the object's certificate are the same, access control is carried out for that level. If they are different, access control is carried out according to the rules (Def. 1 ~ Def. 2-4) [14-18] and the conflict example of the CRYPTEX model's access control.
4.3 Sales and Purchase of Software Source Codes through a Third Party
Developed software is usually sold in the form of compiled binary files, but it is also sold as software source code itself for technology transfer and the purchase of original technology. If software source codes are purchased or sold through a third party, what changes hands is not a physical substance; it is the intellectual property rights and the authority to access the source code documents. For the purchaser to receive it, the seller has to delegate the authority to the purchaser, and the purchaser receives the subject's authority from the seller. The purchaser's access authority level is decided by the sales strategy and access policy:
• The purchaser receives a new ID and password from the software source code seller.
• The purchaser newly creates and downloads a CRYPTEX object to use through the ID and password received.
• The purchaser can receive all authority from the developer and the CA, but the delegated authority is not 100 percent valid; depending on the contract situation and security policy, some parts are restrained, as in Figure 4.
Software source code is of limited value if it is not shared. The ability to share source code decreases its cost and increases its effectiveness for greater competitive advantage. Thus, another major purpose of software source code management is to increase software source code sharing. According to this framework, authorized developers promote source code sharing via the use of rewards or incentives, through the use of different sharing mechanisms according to the type of source code, and by appropriately codifying source code. The proposed framework begins with the listing of strategic goals and objectives and the critical information needed for their attainment. Then, an analysis and storage mechanism is built as part of a business intelligence system. The framework also deals with source code collection (from internal and external sources) and its authorized dissemination in support of attaining the goals.
Fig. 4. Conflict Example No. 5 [18]
5 New Authentication System for E-Commercial Contract Using Secret Sharing Scheme
The new authentication system authorizes users to access the system and maps the authorized users to roles and access authority. It uses the concept of a secret sharing scheme [12], which develops the general user authentication system further, provides a role delegation function, and prevents wrong judgments about the role performance of authorized users and administrators. To access any system, a user must be authenticated. This study goes a step further than user authentication: it uses a secret sharing scheme to compensate for the absence of the responsible person. The new authentication system using a secret sharing scheme does not set only one decision maker for system access (decision making and authorization), but sets a decision maker in the center and a site administrator in the remote place together to make the decision. Additionally, when an emergency comes up in the absence of the person in charge of a superior task, subordinate managers can take over the corresponding roles with the consent of more than 50% of them. The functions of this system are: to authenticate the users and administrators; to give roles and authorities to each ID according to its security level and tasks; to allow subordinate administrators to play the roles of the superior administrator in an emergency or in important decision making according to the secret sharing scheme; and to allow mutual authentication and agreement where the agreement of the center and the remote place is needed to perform a task. The agreement between the center and the remote place is recorded by the new authentication system in the log, and the mutual agreement can then be executed. The new authentication system using a secret sharing scheme is used to obtain the delegation of the superior party by agreement of the subordinate administrators when the superior one is absent. For system operation, user authentication is needed, and users get an ID and its corresponding roles. Additionally, the allowed IDs use the secret sharing scheme as the authentication process to delegate the superior role. If more than 50% of the subordinate administrators agree, for example 2 out of 3 in Figure 5, it provides them with the authentication needed to take over the role of the superior administrator. When the superior administrator is absent, ID2 and ID3 (more than 50% of the whole) can authenticate the superior administrator's role with the combination of B and C held by ID2 and A and C held by ID3. Furthermore, ID2 and ID3 verify that they are at the same level through C, which guards against a counterfeit.
Fig. 5. New Authentication System using Secret Sharing Scheme (the figure shows ID1:Passwd through IDn:Passwd entering the Authentication System, followed by Role Mapping and Action Performance)
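Section 2.4 describes Shamir's (t, n)-threshold scheme and this section applies it so that more than 50% of subordinate administrators can take over an absent superior's role. The following Python is an added example that serves both passages; it is not the authors' code and does not reproduce the A/B/C share layout of Figure 5. It implements Shamir sharing over a prime field with Lagrange interpolation and then models the 2-of-3 rule: the field prime, the SHA-256 commitment the authentication system stores, and the three administrator IDs are assumptions.

```python
"""Shamir (t, n) threshold sharing over GF(p) with Lagrange interpolation,
applied to a 2-of-3 role delegation.  Added example, not the authors' code;
the prime, the commitment and the scenario are assumptions."""
import hashlib
import secrets

PRIME = 2**127 - 1   # assumed field modulus; must exceed the secret


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, t: int, n: int) -> list:
    """Dealer: embed the secret as f(0) of a random degree t-1 polynomial and
    hand player i the point (i, f(i)).  Fewer than t points say nothing."""
    if not (0 <= secret < PRIME and 1 <= t <= n < PRIME):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def combine_shares(shares: list) -> int:
    """Lagrange interpolation at x = 0; correct only with >= t distinct shares."""
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        secret = (secret + yj * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def role_commitment(token: int) -> str:
    """What the authentication system stores instead of the superior role
    token itself: a hash, so a wrong reconstruction is detected (assumption)."""
    return hashlib.sha256(token.to_bytes(16, "big")).hexdigest()


def delegate_superior_role(presented: list, commitment: str, t: int) -> bool:
    """Authentication-system check: grant the superior role only if at least t
    subordinate administrators present distinct shares that rebuild the
    committed token.  Enforcing len >= t is what makes 'more than 50%' hold."""
    if len(presented) < t or len({x for x, _ in presented}) != len(presented):
        return False
    return role_commitment(combine_shares(presented)) == commitment


def delegation_demo() -> dict:
    """Constructed 2-of-3 scenario: ID1, ID2, ID3 each hold one share; ID2 and
    ID3 together can act, ID2 alone cannot, and a tampered share is rejected."""
    token = secrets.randbelow(PRIME)
    commitment = role_commitment(token)
    share = dict(zip(["ID1", "ID2", "ID3"], split_secret(token, t=2, n=3)))
    x3, y3 = share["ID3"]
    return {
        "id2_id3": delegate_superior_role([share["ID2"], share["ID3"]], commitment, 2),
        "id2_alone": delegate_superior_role([share["ID2"]], commitment, 2),
        "tampered": delegate_superior_role([share["ID2"], (x3, y3 ^ 1)], commitment, 2),
    }
```

The threshold check and the commitment are the two defensive pieces: without the `len(presented) < t` test a single administrator could present one share and obtain some value, and without the commitment the system could not tell a correct reconstruction from a forged or tampered one.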
6 Conclusion
The management and E-commercial contract of software source code are used to improve the functioning of the information society. Software source code is one of the most important assets of the information society, and thus it is important to capture, store, and apply it. These are the major purposes of software source code management. Thus, software source code management refers to the process of capturing or creating source code, storing and protecting it, updating it constantly, and using it whenever necessary. In the management framework, source code is collected from both external and internal sources. Then it is tested, compiled or interpreted, optimized, and stored in what is called an organizational source code base, the repository for the package's source code. Source code sharing among developers, with customers, and with business partners has a huge potential payoff in improved customer service, the ability to solve difficult copyright management problems, shorter delivery cycle times, and increased collaboration within the company and with business partners. Furthermore, some source code can be sold to others or traded for other source code. This study presented a model that combines technologies to safely protect software source code (the object), to control access by authenticated and non-authenticated subjects, and to share source code using a secret sharing scheme. It also presented a management framework that is active towards software source codes in the form of passive documents, makes access control and security possible, and has mobile and delegation functions using a secret sharing scheme.
References
1. ISO/IEC 19770-1: Information technology — Software asset management — Part 1: Processes
2. Web site from the working group that developed the 19770-1 standard
3. ISO/IEC WD 19770-2: Information technology — Software asset management — Part 2: Software Tag
4. Web site from the working group developing the 19770-2 standard
5. Kang, H.: Opposition strategy and Trend analysis of Domestic DRM Standardization. Communications of The Korea Information Science Society 23(8), 15–24 (2005)
6. Tittel, E., Chapple, M., Michael Stewart, J.: CISSP: Certified Information Systems Security Professional Study Guide. Sybex (2003)
7. Cha, B.R.: Business model and comparison of S/W source code vs. Digital license for iPRs. In: Nguyen, N.T., Grzech, A., Howlett, R.J., Jain, L.C. (eds.) KES-AMSTA 2007. LNCS (LNAI), vol. 4496, pp. 825–832. Springer, Heidelberg (2007)
8. Cha, B.R., Kim, K., Lee, D.: Study of Digital License Search for Intellectual Property Rights of S/W Source Code. In: Gervasi, O., Gavrilova, M.L. (eds.) ICCSA 2007, Part III. LNCS, vol. 4707, pp. 201–212. Springer, Heidelberg (2007)
9. Sibert, O., Bernstein, D., Van Wie, D.: DigiBox: A Self-Protecting Container for Information Commerce. In: Proceedings of the First USENIX Workshop on Electronic Commerce, New York (July 1995)
10. http://en.wikipedia.org/wiki/Iso_19770
11. Cox, B.J.: Superdistribution: Objects as Property on the Electronic Frontier. Addison-Wesley, Reading (1996)
12. Shamir's Secret Sharing Scheme, http://point-at-infinity.org/ssss/
13. Brown, D.: The Da Vinci Code. Anchor Books (2004)
14. Cha, B.R.: Patent Registration of Korea: 10-0740222, CopyRights Management Method for Software Source Code, July 7 (2007)
15. Cha, B.R., Jung, Y.: Discrimination and Comparison of Digital License for Copyright Management of Software Source Code and CRYPTEX model. Journal of the Korea Contents Association 8(1), 246–258 (2008)
16. Cha, B.R.: CRYPTEX Model for Software Source Code. In: ISA 2008 (April 2008)
17. Cha, B.R., Park, S.: Copyrights Expression and Secure Container of Software Source Code. In: NCM 2008 (September 2008)
18. Cha, B.R., Kim, Y., Oh, S., Kim, H.: Management Framework of Software Source Code and Copyrights: CRYPTEX Model of Secure Container. In: SecTech 2008 (December 2008)
HOTP-Based User Authentication Scheme in Home Networks
Binod Vaidya (Instituto de Telecomunicações, Covilhã, Portugal), Jong Hyuk Park (Dept. of Computer Eng., Kyungnam Univ., Korea), and Joel J.P.C. Rodrigues (Instituto de Telecomunicações, University of Beira Interior, Covilhã, Portugal)
Abstract. Home networks are one of the focused areas of research these days. One of the important services that home networks provide is the remote control of home appliances in the home network. However, the remote control service exposes home networks to various security threats. Hence, home networks should provide strong security services, especially remote user authentication. In this paper, we provide an efficient authentication scheme for secure remote access in home network environments. Our proposed scheme uses the HMAC-based one-time password algorithm for user authentication in home networks. The proposed scheme not only has several advantageous features but is also quite satisfactory in terms of the security requirements of home networks.
1 Introduction
Home networks are one of the focused areas of research these days, as they provide remote access control over the connection between information home appliances and information devices on the Internet [1,2,3]. This service enables residential users to remotely access and control home appliances such as TVs, lights, washing machines, and refrigerators using their handheld devices. For example, from their office, they can turn their gas range on or off using their cellular phone. Figure 1 shows the general architecture of home networks. Home networks consist of several wired/wireless media and protocols, so they inherit the existing security vulnerabilities of those media, and they can be targeted by current network-based cyber attacks. In home control protocols, authentication and encryption should be considered as security functions [4]. Home network information appliances have relatively low computing capabilities, and it is difficult to build security functions into them, so they can be used in cyber attacks and may be targeted by several kinds of attack. Home network services contain private information, and will provide life-critical services such as health-care services. Therefore, attacks on home networks can violate a person's privacy and ultimately threaten the lives of home users, so appropriate security measures must be considered carefully. Hence, home networks should provide strong security services, especially remote user authentication. User authentication is a ubiquitous process in the modern Internet era. Password authentication is the simplest and most convenient remote user authentication mechanism. To prevent direct wiretapping attacks in open network environments, many modern password authentication schemes use one-time passwords. Thus the One-Time Password (OTP) is certainly one of the simplest and most popular forms of two-factor authentication for securing network access. In this paper, we propose an authentication protocol based on the HMAC-Based OTP (HOTP) algorithm, which is suitable for home network environments. The rest of this paper is organized as follows: Section 2 presents related work, while Section 3 briefly describes the HMAC-Based OTP (HOTP) algorithm. Section 4 presents the proposed HOTP-based User Authentication Scheme for home networks and Section 5 gives an analysis of the proposed scheme. Finally, Section 6 concludes the paper and provides future work.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 672–681, 2009. © Springer-Verlag Berlin Heidelberg 2009
Fig. 1. Home Network Architecture
2 Related Work
The password-based authentication scheme first introduced in [5] is the most widely used method for remote User Authentication (UA). Existing schemes can be categorized into two types [6]: one uses a weak-password approach, while the other uses a strong-password one. Up to now, many one-time password-based authentication schemes have been proposed [7,8,9,10,11]. The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources. In [11], a new user authentication (UA) scheme based on an OTP protocol using smart cards for home networks was proposed, which not only protects against illegal access to home services but also does not allow unnecessary service access by legitimate users.
The HMAC-Based One-Time Password Algorithm (HOTP) [12], built on the HMAC-SHA-1 algorithm [13], uses an increasing counter value as the message in the HMAC computation. In this paper, we propose a new user authentication scheme based on the HMAC-based OTP algorithm for home network environments, which has better security features.
3 HOTP: HMAC-Based One-Time Password Algorithm
On both the client and the server, the choice of algorithm for passcode generation is essentially arbitrary, so long as it provides adequate security and can be used in a user-friendly manner (this is particularly relevant for the client). In this scheme, we chose a counter-based algorithm, the HMAC-Based One-Time Password (HOTP) Algorithm, which is relatively easy to implement and meets the necessary usability requirements. The algorithm is described in detail in [12]. HOTP is based on a monotonically increasing counter value and a static symmetric key known only to the client and the server. To create the HOTP value, the HMAC-SHA-1 algorithm is used. Each client has a unique shared secret, typically 128 bits or 160 bits in length. The shared secret is combined with an increasing counter, also shared between the client and the server, to generate the current passcode. The HOTP value is obtained as
HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))
where Truncate represents the function that converts an HMAC-SHA-1 value into an HOTP value, and the key (K), the counter (C) and data values are hashed high-order byte first.
HOTP-Based User Authentication Scheme in Home Networks
The HOTP algorithm itself is relatively simple. First, a SHA-1 HMAC generator is initialized with the shared secret. Then the HMAC of the current counter, or moving factor, is computed. Next, through a process called dynamic truncation, four bytes are extracted from the HMAC at an offset given by the low-order nibble of its last byte. Finally, the 31-bit integer formed from these bytes is taken modulo 10^n, where n is the number of digits desired in the passcode, to produce the current passcode. In order for a client to authenticate to a server, both must generate the same passcode. Specifically, assuming that the server has already distributed the shared secret to the client, the client counter and the server counter must be synchronized. When the counters are not synchronized, a process called resynchronization must occur. Two basic mechanisms resynchronize the server with the client. The most straightforward is for the client to send its counter value to the server; the server then only needs to verify that the new counter is greater than its current counter. The second is for the server to maintain a look-ahead window of future passcodes. If the client provides a passcode that lies within this window, the server asks the user to generate the next passcode and send it as well. If the two consecutive passcodes match, the server resynchronizes. While the first method is easier to implement, this work uses a look-ahead window, following industry convention.
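As an added example (not code from the paper or from [12]), the following Python reproduces the computation just described: HMAC-SHA-1 over the 8-byte counter, dynamic truncation, and a server-side validator that implements the look-ahead-window resynchronisation in the form described above, where a passcode that matches a future counter inside the window is accepted only once the next consecutive passcode is also presented. The names hotp, HotpValidator and RFC_SECRET are ours; the key is the RFC 4226 test secret, used as sample input. The throttling of failed attempts that RFC 4226 also recommends is not shown.

```python
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test secret, used here as sample input


def hotp(key, counter, digits=6):
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)); the counter is the 8-byte moving factor, high-order byte first."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                            # dynamic truncation: low nibble of the last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF  # 4 bytes from that offset, sign bit cleared
    return code % 10 ** digits


class HotpValidator:
    """Server-side validator with the look-ahead-window resynchronisation described above: a passcode that
    matches a future counter inside the window is accepted only after the next consecutive passcode also matches."""

    def __init__(self, key, counter=0, window=10, digits=6):
        self.key, self.counter, self.window, self.digits = key, counter, window, digits
        self._pending = None          # counter of a window hit that is waiting for its consecutive confirmation

    def _match(self, counter, code):
        expected = hotp(self.key, counter, self.digits)
        return hmac.compare_digest(f"{expected:0{self.digits}d}", f"{code:0{self.digits}d}")

    def verify(self, code):
        """Return 'ok' (authenticated, counter advanced), 'need_next' (send the next passcode) or 'fail'."""
        if self._pending is not None:
            expected, self._pending = self._pending + 1, None
            if self._match(expected, code):
                self.counter = expected + 1                          # two consecutive codes matched: resynchronised
                return "ok"
            return "fail"
        for i in range(self.window):
            if self._match(self.counter + i, code):
                if i == 0:
                    self.counter += 1
                    return "ok"
                self._pending = self.counter + i                     # client is ahead: ask for the next passcode
                return "need_next"
        return "fail"                                                # counters already consumed are never re-accepted
```

Note that a passcode for a counter the server has already consumed fails outright, which is what makes a captured passcode useless for replay; only counters ahead of the server can ever be accepted, and only in the two-step form.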
4 HOTP-Based User Authentication Scheme
In this section, we propose an efficient remote password authentication scheme based on the HOTP algorithm and using smart cards. The security of the scheme rests on the HMAC function and on the encryptions. A nonce (random number) is also used to avoid replay attacks and the difficult problem of time synchronization. Table 1 shows the notation used for this scheme. The proposed scheme consists of a registration phase, a login/authentication phase and a service request phase, and has light-weight overhead for home networks. In the registration phase the user transmits the information required for HOTP operation to the Integrated Authentication Server (IAS) through a secure channel, and the IAS writes all the needed information to a smart card and issues it to the user. The user selects his own PIN in the registration phase, and the IAS does not store a password table; it stores only a one-way collision-resistant hash of the user’s identification. To access home network services, service subscribers require mutual authentication between the IAS and the home gateway server (HG), and service access control must be enforced when privileged services are granted. Users are authenticated through single sign-on (SSO) and can then access other home services without additional authentication procedures. Figure 2 illustrates the proposed user authentication scheme.

Table 1. Notation used for the proposed scheme

Notation      Description
ID_C          User’s identifier
ID_IAS        IAS’s identifier
PIN           User’s personal identification number
x             Secret key maintained by the remote system
h(.)          One-way hash function
⊕             XOR operation
∥             Concatenation
H^i(K,C)      ith HMAC-based one-time password
C_X           8-byte counter value, the moving factor (X = C: client, S: server, M: maximum allowed)
K             Shared secret between client and server
SK            Session key
K_IAS-HG      Symmetric key between IAS and HG
T             Timestamp
E_KX(M)       Encryption of message M with K_X
Fig. 2. Proposed User Authentication Scheme
It is assumed that the IAS is located outside the home network environment, manages the home gateway, and performs authentication, authorization, and accounting (AAA) functions. The user authentication protocol proposed for home network environments focuses on authenticating users who receive home services and on controlling their service privileges. For the proposed scheme, the following assumptions have been made:
– The algorithm is counter-based, i.e. the HOTP algorithm is embedded in the smart cards.
– The algorithm uses a strong shared secret. The length of the shared secret must be at least 128 bits and preferably 160 bits.
– The 8-byte counter must be synchronized between the HOTP generator (client) and the HOTP validator (server).
– Each HOTP generator has a different and unique secret K shared between client and server.
– The IAS has established a security association with the home gateway server (HG) using the symmetric key K_IAS-HG.

4.1 Registration Phase
The user submits his identity and PIN to the remote system for registration:
1. The user sends ID_C, PIN to the IAS.
After receiving the registration request, the remote integrated authentication server (IAS) performs the following:
1. Compute v_T = h(ID_C ⊕ x)
2. Compute e_T = v_T ⊕ h(ID_C ∥ PIN)
3. Save ID_C, h(ID_C ∥ PIN)
4. Write h(.), e_T, K, C_M to a smart card
5. Issue the card securely to the user
4.2 Login/Authentication Phase
When the user wants to log into the remote system, he must insert his smart card into the terminal and input ID_C and the PIN, from which h(ID_C ∥ PIN) is formed. The smart card then performs the following operations:
1. Generate the current HOTP: H^i(K,C_C) = HOTP(K, C_C, h(ID_C ∥ PIN))
2. Increase C_C to C_C + 1
3. Compute G = h(e_T ⊕ H^i(K,C_C))
The user sends ID_C*, G to the IAS. After receiving the authentication request, the IAS performs the following operations:
1. Check ID_C*
2. Compute H^i(K,C_S) = HOTP(K, C_S, h(ID_C ∥ PIN)) with C_S
3. Compute v_T* = h(ID_C* ⊕ x) with the received ID_C*
4. Compute G' = h(v_T* ⊕ h(ID_C ∥ PIN) ⊕ H^i(K,C_S))
5. Check whether H^i(K,C_C) = H^i(K,C_S) and G = G' (only G is transmitted, so the equality of the two HOTP values is checked through G = G')
6. If both hold, increase C_S to C_S + 1
7. Compute K1 = h(H^i(K,C_S) ∥ K) and generate a random number K2 as the shared secret
8. Compute SK = h(K1 ∥ K2 ∥ T) and A_S = h(SK ∥ ID_C)
9. Compute E_K1(ID_C, ID_IAS, K2, A_S, T)
10. Compute E_KIAS-HG(ID_C, ID_IAS, K2, K1, T)
11. Send the authentication response E_K1(ID_C, ID_IAS, K2, A_S, T) along with the authentication ticket E_KIAS-HG(ID_C, ID_IAS, K2, K1, T) to the user
The user then performs the following steps:
1. Compute K1 = h(H^i(K,C_C) ∥ K)
2. Decrypt E_K1(ID_C, ID_IAS, K2, A_S, T) with K1 and obtain K2
3. Compute SK = h(K1 ∥ K2 ∥ T) and A_S' = h(SK ∥ ID_C)
4. Check whether A_S' = A_S to verify the authentication response

4.3 Service Request Phase
In order to use the available services, an authenticated user requests home services from the HG. The user performs the following:
1. Send E_KIAS-HG(ID_C, ID_IAS, K2, K1, T), E_SK(ID_C, service_req) to the HG.
After receiving the service request, the HG performs the following:
1. Decrypt E_KIAS-HG(ID_C, ID_IAS, K2, K1, T) using K_IAS-HG and obtain K2, K1, T
2. Compute SK = h(K1 ∥ K2 ∥ T)
3. Decrypt E_SK(ID_C, service_req) with the session key SK
4. Verify that ID_C in the authentication ticket matches ID_C in the service request
5. Send E_SK(K1 ∥ T) to the user
The user in turn authenticates the HG as follows:
1. Decrypt E_SK(K1 ∥ T) with the session key SK
2. Verify K1, T
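The three phases above (registration, login/authentication, service request), run end to end as an added example; this is not the authors’ implementation. Everything the paper leaves open is an assumption, labelled again in the code: h(.) is SHA-256; E_K(M) is a stand-in authenticated encryption built from HMAC-SHA256 (not AES); the paper’s HOTP(K, C, h(ID_C ∥ PIN)) is read as HMAC-SHA-1 over the 8-byte counter followed by h(ID_C ∥ PIN); the 6-digit HOTP is zero-extended to the hash width before it is XORed; ID_C is zero-padded to the length of x; and the field tuples inside E_K(.) are serialised as hex strings in a JSON list. Resynchronisation of the counters (Section 3) is not repeated here, so the IAS accepts only the exact current counter. The names IAS, SmartCard, hg_serve and run_session are ours.

```python
import hashlib, hmac, json, os, struct, time

def h(*parts):                  # one-way hash h(.) over the concatenation (||) of its arguments; SHA-256 is our choice
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):                  # bitwise XOR, truncated to the shorter operand
    return bytes(x ^ y for x, y in zip(a, b))

def otp_bytes(otp):             # the paper never fixes the width of H^i(K,C): zero-extend it to 32 bytes (assumption)
    return otp.to_bytes(32, "big")

def hotp_ext(K, C, extra, digits=6):
    """Paper's HOTP(K, C, h(ID_C || PIN)): HMAC-SHA-1 over counter || extra (our reading), then RFC 4226 truncation."""
    mac = hmac.new(K, struct.pack(">Q", C) + extra, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits

def _keystream(key, nonce, n):  # PRF keystream: HMAC-SHA256(key, "ks" || nonce || block index)
    return b"".join(hmac.new(key, b"ks" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def enc(key, msg):
    """E_K(M): the paper names no cipher; stand-in encrypt-then-MAC from HMAC-SHA256 only (keystream + 32-byte tag)."""
    nonce = os.urandom(16)
    ct = xor(msg, _keystream(key, nonce, len(msg)))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("E_K(M) tag check failed")
    return xor(ct, _keystream(key, nonce, len(ct)))

def pack(*fields):              # field tuples (ID_C, ID_IAS, K2, ...) inside E_K(.), hex-encoded in a JSON list
    return json.dumps([f.hex() for f in fields]).encode()

def unpack(blob):
    return [bytes.fromhex(f) for f in json.loads(blob)]

class IAS:                      # Integrated Authentication Server: x, K_IAS-HG and per user h(ID_C||PIN), K, C_S
    ID = b"IAS"
    def __init__(self, k_ias_hg):
        self.x, self.k_ias_hg, self.users = os.urandom(32), k_ias_hg, {}
    def _v_t(self, id_c):       # v_T = h(ID_C ⊕ x); ID_C zero-padded to the length of x (assumption)
        return h(xor(id_c.ljust(32, b"\0"), self.x))
    def register(self, id_c, pin):                  # 4.1: ID_C and PIN arrive over the secure channel
        hp, K = h(id_c, pin), os.urandom(20)        # h(ID_C || PIN) and a 160-bit per-card secret
        self.users[id_c] = {"hp": hp, "K": K, "C_S": 0}
        return {"e_T": xor(self._v_t(id_c), hp), "K": K, "C_C": 0}   # smart-card contents
    def authenticate(self, id_c, G):                # 4.2 IAS steps 1-11; exact counter match, no look-ahead
        u = self.users[id_c]
        H = hotp_ext(u["K"], u["C_S"], u["hp"])
        if not hmac.compare_digest(h(xor(xor(self._v_t(id_c), u["hp"]), otp_bytes(H))), G):
            return None                             # G' != G: wrong PIN, wrong card, replay or desynchronised counter
        u["C_S"] += 1
        K1, K2, T = h(otp_bytes(H), u["K"]), os.urandom(32), struct.pack(">Q", int(time.time()))
        SK = h(K1, K2, T)
        response = enc(K1, pack(id_c, self.ID, K2, h(SK, id_c), T))        # carries A_S = h(SK || ID_C)
        ticket = enc(self.k_ias_hg, pack(id_c, self.ID, K2, K1, T))        # authentication ticket for the HG
        return response, ticket

class SmartCard:                # user side: holds e_T, K, C_C; runs login, response check, service request
    def __init__(self, id_c, card):
        self.id_c, self.card = id_c, card
    def login(self, pin):                           # 4.2 card steps 1-3 (plus K1, user step 1)
        H = hotp_ext(self.card["K"], self.card["C_C"], h(self.id_c, pin))
        self.card["C_C"] += 1                       # advances even if the IAS later rejects
        self.K1 = h(otp_bytes(H), self.card["K"])
        return self.id_c, h(xor(self.card["e_T"], otp_bytes(H)))         # G = h(e_T ⊕ H)
    def finish_login(self, response, ticket):       # 4.2 user steps 2-4
        id_c, _id_ias, K2, A_S, T = unpack(dec(self.K1, response))
        SK = h(self.K1, K2, T)
        if not hmac.compare_digest(h(SK, id_c), A_S):
            raise ValueError("authentication response rejected: peer does not know (K, C)")
        self.SK, self.T, self.ticket = SK, T, ticket
    def request(self, service_req):                 # 4.3 user step 1
        return self.ticket, enc(self.SK, pack(self.id_c, service_req))
    def verify_hg(self, reply):                     # 4.3: user checks K1 and T inside E_SK(K1 || T)
        return hmac.compare_digest(dec(self.SK, reply), self.K1 + self.T)

def hg_serve(k_ias_hg, ticket, enc_req):            # 4.3 HG steps 1-5
    id_c, _id_ias, K2, K1, T = unpack(dec(k_ias_hg, ticket))
    SK = h(K1, K2, T)
    req_id, service_req = unpack(dec(SK, enc_req))
    if req_id != id_c:
        raise ValueError("ID_C in ticket and service request differ")
    return service_req, enc(SK, K1 + T)

def run_session(pin=b"2468", service_req=b"light:on"):
    """Whole exchange for one user: (request accepted by the HG, user's verdict on the HG), or None on rejection."""
    k_ias_hg = os.urandom(32)
    ias = IAS(k_ias_hg)
    card = SmartCard(b"alice", ias.register(b"alice", pin))
    result = ias.authenticate(*card.login(pin))
    if result is None:
        return None
    card.finish_login(*result)
    served, reply = hg_serve(k_ias_hg, *card.request(service_req))
    return served, card.verify_hg(reply)
```

Two things the walk-through makes visible: the login request carries only G, so a captured (ID_C, G) pair is rejected as soon as C_S has moved on, and a wrong PIN still advances the card’s counter C_C while C_S stays put, which is exactly the desynchronisation the look-ahead window of Section 3 exists to repair.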
5 Analysis of Proposed Scheme

5.1 Features of the Proposed Scheme
In this subsection, we examine the proposed scheme against the following essential criteria for authentication schemes:
A. Freely chosen PIN by the users: In our scheme, each user chooses his own PIN; it is not decided by the system.
B. No time synchronization: In timestamp-based authentication schemes [14], the clocks of the system and of all users’ computers must be synchronized with one another, and the transmission delay of the login message also has to be bounded. To eliminate the requirement of clock synchronization and the limit on transmission delay, our scheme bases the one-time password on a counter and a nonce instead of a timestamp. Note that the timestamp T still enters SK and the authentication ticket, so the user’s check of T (Section 5.2) and ticket expiry do assume loosely synchronized clocks; only the OTP verification itself is clock-independent.
C. Server authentication: An illegal server cannot trick a user into logging into its system without (K, C): since it cannot obtain the correct HOTP for that particular user, the user terminates the login process when the check A_S' = A_S fails. The user also authenticates the HG by verifying K1.
D. Session key agreement: A session key agreed by the user and the remote system is generated in every session.
E. Low communication cost: Owing to the use of the HOTP algorithm, the communication cost is relatively low.

Table 2. Comparison between the proposed scheme and Jeong et al.’s scheme in terms of functionalities

Features                          Jeong et al.’s scheme [11]   Proposed scheme
Freely chosen PIN by the users    Yes                          Yes
No time synchronization           Yes                          Yes
Server authentication             Yes                          Yes
Session key agreement             Yes                          Yes
Low communication cost            Yes                          Yes
Resynchronization of OTP          No                           Yes
Besides, our proposed scheme provides resynchronization of the OTP. Assuming that the server has already distributed the shared secret to the client, the counters at the client and the server must be synchronized; when they are not, the two mechanisms of the HOTP algorithm mentioned in Section 3 resynchronize them. We compare the proposed scheme with Jeong et al.’s scheme [11] with respect to the above features; Table 2 shows the comparison.

5.2 Security Analysis of Proposed Scheme
In the proposed scheme, it is assumed that a symmetric key is shared between the IAS and the HG. It is further assumed that a trusted IAS exists outside the home network which, as the home gateway operator, manages the home gateway, authenticates users, grants privileges and controls accounting. Authentication between the HG and users is achieved with the authentication ticket granted by the IAS; users can request and receive services with a valid authentication ticket until it expires, so there is no need to log in again each time a service is requested.
A. Eavesdropping attack: A host is configured to listen to and capture data not belonging to it. Carefully written eavesdropping programs can capture usernames and passwords when users first log into the network; broadcast networks such as Ethernet and wireless LANs are especially vulnerable to this attack. Our scheme resists eavesdropping because all the important messages, namely the authentication response, the authentication ticket, the service request and the service response, are encrypted with K1, the symmetric key K_IAS-HG and the session key SK respectively, and the login request itself carries only the hash G, never the HOTP value or the PIN.
B. Replay attack: An attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack. The HOTP sent to the IAS is computed with counter-based HMAC-SHA-1, so an attacker who intercepts the user’s login message cannot replay it to the authentication server: after a successful login the server counter C_S has advanced and the captured G no longer verifies.
C. Man-in-the-middle attack: An attacker intercepts and modifies the messages between two parties with malicious intent, without either party knowing that the link between them has been compromised. The proposed scheme is based on the HMAC one-time password, so attackers cannot reuse the user’s passcode, because it changes at every login and authentication request to the authentication server. The messages are also encrypted, so adversaries cannot modify them undetected (this presumes that E_K provides integrity protection, e.g. an authenticated-encryption mode, since encryption alone does not detect modification).
D. Denial of Service (DoS) attack: The proposed scheme uses the HMAC-based OTP as the passcode and protects the user’s authentication messages, and the HOTP changes in each login and authentication phase. The proposed scheme therefore resists denial-of-service attempts that rely on forged or replayed authentication messages.
E. Stolen-verifier attack: In most applications the server stores hashed passwords instead of clear-text passwords. In a stolen-verifier attack, an adversary who steals the password verifier from the server uses it directly to masquerade as a legitimate user during the user authentication phase. The user and the authentication server share the secrets needed for HOTP operation during the registration phase, so the proposed scheme is secure: even if the adversary succeeds in obtaining h(ID_C ∥ PIN) from the IAS, it is very difficult to derive the HOTP values, because the authentication data are computed by the HMAC function under the shared secret K (provided K, which the IAS also holds, is protected separately from the verifier).
F. Mutual authentication: User authentication schemes satisfy the security requirements of home networks, but mutual authentication is necessary for critical applications that process confidential data. The proposed scheme uses a three-way challenge-response handshake to provide mutual authentication. The authentication server transmits the authentication data (authentication ticket) to the user, who checks the timestamp T; the authentication server is successfully authenticated by the user if the value of T is within the allowed range.
6 Conclusions and Future Work
In home networks the major service is remote control access to home appliances. However, the remote control service exposes home networks to major security threats. In order to provide secure remote access, we propose a simple authentication scheme for home network environments. The proposed user authentication scheme is designed to fit existing home networks and is based on the HOTP algorithm using low-cost smart cards, so it requires low communication cost and provides high security for home networks. Moreover, it protects against illegal access from inside as well as outside the home network. In future work we will conduct a detailed performance evaluation of the proposed scheme against existing representative schemes, as well as a formal analysis of the proposed scheme.
Acknowledgment Part of this work has been supported by Instituto de Telecomunicações, Next Generation Networks and Applications Group (NetGNA), Portugal.
References
1. Schulzrinne, H., Xiaotao, W., Sidiroglou, S., Berger, S.: Ubiquitous computing in home networks. IEEE Communications Magazine 41(11), 128–135 (2003)
2. Saito, T., Tomoda, I., Takabatake, Y., Arni, J., Teramoto, K.: Home gateway architecture and its implementation. IEEE Transactions on Consumer Electronics 46(4), 1161–1166 (2000)
3. Choi, K.S., Lim, S.O., Park, Y.C., Jung, K.M.: Home station, novel architecture of home gateway and its implementations. In: Proc. of the 4th WSEAS International Conference on Applied Informatics and Communications (AIC 2004) (2004)
4. Ise, M., Ogasahara, Y., Watanabe, K., Hatanaka, M., Onoye, T., Niwamoto, H., Keshi, I., Shirakawa, I.: Design and Implementation of Home Network Protocol for Appliance Control Based on IEEE 802.15.4. IJCSNS International Journal of Computer Science and Network Security 7(7), 20–30 (2007)
5. Lamport, L.: Password authentication with insecure communication. Communications of the ACM 24(11), 770–772 (1981)
6. Das, M.L., Saxena, A., Gulati, V.P.: A Dynamic ID-based Remote User Authentication Scheme. IEEE Transactions on Consumer Electronics 50(2), 629–631 (2004)
7. Haller, N., Metz, C., Nesser, P., Straw, M.: A One-Time Password System. IETF RFC 2289 (February 1998)
8. Yeh, T.C., Shen, H.Y., Hwang, J.J.: A Secure One-Time Password Authentication Scheme Using Smart Cards. IEICE Transactions on Communications E85-B(11), 2515–2518 (2002)
9. Tsuji, T., Shimizu, A.: One-time password authentication protocol against theft attacks. IEICE Transactions on Communications E87-B(3), 523–529 (2004)
10. Wang, N.W., Huang, Y.M.: User’s Authentication in Media Services by using One-Time Password Authentication Scheme. In: Proc. of the 3rd International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP 2007), vol. 01, pp. 623–626 (2007)
11. Jeong, J., Chung, M.Y., Choo, H.: Integrated OTP-Based User Authentication Scheme Using Smart Cards in Home Networks. In: Proc. of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008) (January 2008)
12. M’Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., Ranen, O.: HOTP: An HMAC-Based One-Time Password Algorithm. IETF RFC 4226 (December 2005)
13. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. IETF RFC 2104 (February 1997)
14. Wu, S.T., Chieu, B.C.: A user friendly remote authentication scheme with smart cards. Computers and Security 22(6), 547–550 (2003)
A Comparative Analysis of HC-128 and Rabbit Encryption Schemes for Pervasive Computing in WSN Environment
Firdous Kausar and Ayesha Naureen
Department of Information Security, College of Signals, National University of Sciences and Technology, Rawalpindi, Pakistan
{firdouskausar,ayeshanaureen}@mcs.edu.pk
Abstract. Confidentiality, integrity and availability (CIA) are the three basic requirements for an encryption mechanism utilized in any security architecture. Implementing such a comprehensive security framework for a pervasive computing environment, specifically a wireless sensor network (WSN), is not feasible given the scarce resources available and the need to use them efficiently. Stream ciphers have proved proficient in conventional security applications in terms of energy and memory consumption. This paper presents WSN-specific NesC-based implementations of two stream ciphers selected from the eSTREAM project, namely HC-128 and Rabbit. Both have qualified for the final portfolio phase of eSTREAM, but their suitability for WSNs needs to be justified in a totally different context: only if the two stream ciphers adhere to the WSN-specific requirements and perform efficiently under them can they be classified as suitable. This paper tests the suitability of HC-128 and Rabbit for the WSN environment and evaluates the schemes in terms of memory usage, time consumption and energy utilization, with the aim of presenting one of the two as an efficient solution for pervasive computing. Keywords: Wireless Sensor Network (WSN), Pervasive Computing, Stream Ciphers, HC-128, Rabbit.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 682–691, 2009. © Springer-Verlag Berlin Heidelberg 2009

1 Introduction
Wireless sensor networks form an emerging field for a wide variety of applications in the domain of pervasive computing. The network consists of a large number of tiny sensor nodes that are tasked with sensing, computation and communication, and the nodes depend on limited memory and limited computational resources for all three operations. Security is very important for sensor network applications such as military, homeland security, health care and industrial automation. However, the penalties of greater security strength include ever-increasing computational, communication and management overheads. As a consequence of applying security enhancements in a resource-constrained sensor network, concerns exist over network performance in terms of scalability, service availability and robustness. Both security strength and network performance are equally important, and a properly designed end-to-end security architecture is the fundamental challenge to ensuring the usability of WSNs in ubiquitous applications. From November 2004 to April 2008, the EU ECRYPT network strove to identify “new stream ciphers that might become suitable for widespread adoption” in a project named eSTREAM. Over several phases, the effort identified several algorithms suitable for both hardware and software applications.
2 Related Work
Meiser et al. [1] give implementation results for Dragon, HC-128, LEX, Salsa20, Salsa20/12 and Sosemanuk on small embedded 8-bit microcontrollers that are also constrained in memory. They find that, except for Salsa20, all the studied stream ciphers reach higher keystream generation speeds than AES. In terms of memory, Salsa20, Salsa20/12 and LEX can be implemented almost as compactly as AES, while Dragon and Sosemanuk require noticeably more memory and may be suboptimal for embedded applications with very tight memory constraints; Salsa20/12 is the only promising alternative to AES on memory-constrained 8-bit embedded microcontrollers. Eisenbarth et al. [2] present a selection of recently published lightweight cryptographic implementations and compare them to state-of-the-art results in the field; the survey covers recent hardware and software implementations of both symmetric and asymmetric ciphers. Fournel et al. [3] study the implementation of stream ciphers including DRAGON, HC-256, HC-128, LEX, Phelix, Py, Pypy, Salsa20, SOSEMANUK, RC4, SNOW v2 [4] and the AES-CTR used in WPA2 on a dedicated sensor platform. They give no recommendation on their use in the constrained WSN environment, but among the well-known and well-studied stream ciphers they found SNOW v2.0 to be as swift on the highly constrained platform as on traditional platforms. Lim et al. [5] demonstrated the feasibility of software-based cryptographic building blocks in sensor networks by implementing the Dragon stream cipher in a real sensor test bed. Their scheme uses a message authentication code (Dragon-MAC) to achieve two-party authentication and data integrity along with confidentiality; Dragon-MAC retains the structure of the Dragon stream cipher and shares its F function for MAC generation.
3 Algorithms’ Description
The eSTREAM project groups the stream ciphers into two categories, Profile 1 and Profile 2. Profile 1 is concerned with “Stream ciphers for software applications with high throughput requirements”, whereas Profile 2 is associated with “Stream ciphers for hardware applications with restricted resources such as limited storage, gate count, or power consumption” [6].
F. Kausar and A. Naureen

Table 1. Algorithm Profile

                         HC-128                         Rabbit
Algorithm Name           HC-128                         Rabbit
Algorithm Type           Synchronous Stream Cipher      Synchronous Stream Cipher
Authors                  Hongjun Wu                     Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner
Creation Date            Pre-2004                       Feb 2003
Proposed Environment     SW                             SW, HW
Intellectual Property    Free for any use               Patented, but free for non-commercial use
Speed                    3.05-3.6 cycles/byte           3.7-9.7 cycles/byte
Effective Key Length     128 bits                       128 bits
Initialization Vector    128 bits                       64 bits
Internal State           32768 bits                     512 bits
Both HC-128 and Rabbit fall under Profile 1 and were shortlisted for Phase 3 of the eSTREAM project. Table 1 gives a comparative overview of the two stream ciphers [7].

3.1 HC-128
There are two variants of the HC stream cipher, HC-128 and HC-256, with key lengths of 128 and 256 bits respectively. HC-128 is based on two secret tables with 512 32-bit entries each, together with six non-linear feedback functions. The algorithm uses shift and rotation operators to produce one 32-bit output word at each step. Table 2 gives a detailed account of the HC-128 algorithm, based on the information provided in the official HC-128 document on the eSTREAM project site [8].

3.2 Rabbit
Rabbit is a lightweight algorithm designed for both software and hardware environments (Table 1). It operates on a 128-bit secret key and a 64-bit IV and outputs 128 pseudorandom bits per iteration from its internal state, which consists of eight 32-bit state variables, eight 32-bit counters and one counter carry bit. Eight coupled non-linear functions update the eight state variables. Table 3 gives a detailed account of the Rabbit algorithm, based on the information provided in the official Rabbit document on the eSTREAM project site [9].
The development environment for the WSN-specific implementation is TinyOS, the designated application programming platform. TinyOS is an open-source development environment consisting of a programming language and model (NesC) and a set of services [10]. It is an event-driven operating system for networked applications in wireless embedded systems with a small memory footprint (400 bytes of data and instruction memory) that supports several hardware platforms [11].
Table 2. HC-128 Algorithm

Operations
+ : addition modulo 2^32
- : subtraction modulo 2^32
⊕ : bit-wise exclusive OR
∥ : concatenation
>> : right shift operator
<< : left shift operator
>>> : right rotation operator
<<< : left rotation operator

Parameters
P : table with 512 32-bit elements
Q : table with 512 32-bit elements
K : 128-bit key
IV : 128-bit initialization vector
s : the keystream

Functions
f1(x) = (x >>> 7) ⊕ (x >>> 18) ⊕ (x >> 3)
f2(x) = (x >>> 17) ⊕ (x >>> 19) ⊕ (x >> 10)
g1(x, y, z) = ((x >>> 10) ⊕ (z >>> 23)) + (y >>> 8)
g2(x, y, z) = ((x <<< 10) ⊕ (z <<< 23)) + (y <<< 8)
h1(x) = Q[x0] + Q[256 + x2]
h2(x) = P[x0] + P[256 + x2]
(x0 and x2 denote the least significant byte and the third byte of the 32-bit word x)

Procedure
Key and IV Setup
1. Let K = K0 ∥ K1 ∥ K2 ∥ K3 and IV = IV0 ∥ IV1 ∥ IV2 ∥ IV3, where each Ki and IVi denotes a 32-bit number. Let Ki+4 = Ki and IVi+4 = IVi for 0 ≤ i ≤ 3. The key and IV are expanded into an array Wi (0 ≤ i ≤ 1279) as:
   Wi = Ki                                          for 0 ≤ i ≤ 7
   Wi = IVi-8                                       for 8 ≤ i ≤ 15
   Wi = f2(Wi-2) + Wi-7 + f1(Wi-15) + Wi-16 + i     for 16 ≤ i ≤ 1279
2. Update the tables P and Q with the array W:
   P[i] = Wi+256 for 0 ≤ i ≤ 511
   Q[i] = Wi+768 for 0 ≤ i ≤ 511
3. Run the cipher 1024 steps and use the outputs to replace the table elements (indices taken modulo 512):
   for i = 0 to 511: P[i] = (P[i] + g1(P[i-3], P[i-10], P[i-511])) ⊕ h1(P[i-12])
   for i = 0 to 511: Q[i] = (Q[i] + g2(Q[i-3], Q[i-10], Q[i-511])) ⊕ h2(Q[i-12])
Keystream Generation
i = 0
repeat until enough keystream bits are generated {
  j = i mod 512
  if (i mod 1024) < 512 {
    P[j] = P[j] + g1(P[j-3], P[j-10], P[j-511])
    si = h1(P[j-12]) ⊕ P[j]
  } else {
    Q[j] = Q[j] + g2(Q[j-3], Q[j-10], Q[j-511])
    si = h2(Q[j-12]) ⊕ Q[j]
  }
  i = i + 1
}
Table 3. Rabbit Algorithm

Operations
⊕ : bit-wise exclusive OR
& : bit-wise AND
>> : right shift operator
<< : left shift operator
>>> : right rotation operator
<<< : left rotation operator
∥ : concatenation

Parameters
xj,i : state variable of subsystem j at iteration i
cj,i : counter variable of subsystem j at iteration i
Φj,i : counter carry bit of subsystem j at iteration i

Functions
Next-state function:
x0,i+1 = g0,i + (g7,i <<< 16) + (g6,i <<< 16)
x1,i+1 = g1,i + (g0,i <<< 8) + g7,i
x2,i+1 = g2,i + (g1,i <<< 16) + (g0,i <<< 16)
x3,i+1 = g3,i + (g2,i <<< 8) + g1,i
x4,i+1 = g4,i + (g3,i <<< 16) + (g2,i <<< 16)
x5,i+1 = g5,i + (g4,i <<< 8) + g3,i
x6,i+1 = g6,i + (g5,i <<< 16) + (g4,i <<< 16)
x7,i+1 = g7,i + (g6,i <<< 8) + g5,i
gj,i = ((xj,i + cj,i+1)^2 ⊕ ((xj,i + cj,i+1)^2 >> 32)) mod 2^32, where the sum xj,i + cj,i+1 is taken mod 2^32 and squared to 64 bits
Counter carry bit:
Φj,i+1 = 1 if c0,i + a0 + Φ7,i ≥ 2^32 and j = 0
         1 if cj,i + aj + Φj-1,i+1 ≥ 2^32 and j > 0
         0 otherwise
Counter system:
c0,i+1 = c0,i + a0 + Φ7,i mod 2^32
c1,i+1 = c1,i + a1 + Φ0,i+1 mod 2^32
c2,i+1 = c2,i + a2 + Φ1,i+1 mod 2^32
c3,i+1 = c3,i + a3 + Φ2,i+1 mod 2^32
c4,i+1 = c4,i + a4 + Φ3,i+1 mod 2^32
c5,i+1 = c5,i + a5 + Φ4,i+1 mod 2^32
c6,i+1 = c6,i + a6 + Φ5,i+1 mod 2^32
c7,i+1 = c7,i + a7 + Φ6,i+1 mod 2^32
Constants aj:
a0 = 0x4D34D34D   a1 = 0xD34D34D3   a2 = 0x34D34D34   a3 = 0x4D34D34D
a4 = 0xD34D34D3   a5 = 0x34D34D34   a6 = 0x4D34D34D   a7 = 0xD34D34D3

Procedure
Key and IV Setup
1. Divide K[127..0] as k0 = K[15..0], k1 = K[31..16], ..., k7 = K[127..112]
2. Initialize the state variables:
   xj,0 = k(j+1 mod 8) ∥ kj              for j even
   xj,0 = k(j+5 mod 8) ∥ k(j+4 mod 8)    for j odd
3. Initialize the counter variables:
   cj,0 = k(j+4 mod 8) ∥ k(j+5 mod 8)    for j even
   cj,0 = kj ∥ k(j+1 mod 8)              for j odd
   and iterate the system four times (i = 0 to 3)
4. Re-initialize the counter variables: cj,4 = cj,4 ⊕ x(j+4 mod 8),4
5. XOR the IV[63..0] onto all 256 bits of the counter state, then iterate the system four more times:
   c0,i = c0,i ⊕ IV[31..0]
   c1,i = c1,i ⊕ (IV[63..48] ∥ IV[31..16])
   c2,i = c2,i ⊕ IV[63..32]
   c3,i = c3,i ⊕ (IV[47..32] ∥ IV[15..0])
   c4,i = c4,i ⊕ IV[31..0]
   c5,i = c5,i ⊕ (IV[63..48] ∥ IV[31..16])
   c6,i = c6,i ⊕ IV[63..32]
   c7,i = c7,i ⊕ (IV[47..32] ∥ IV[15..0])
Keystream Generation
At iteration i, the 128-bit keystream block si is generated as:
si[15..0] = x0,i[15..0] ⊕ x5,i[31..16]
si[31..16] = x0,i[31..16] ⊕ x3,i[15..0]
si[47..32] = x2,i[15..0] ⊕ x7,i[31..16]
si[63..48] = x2,i[31..16] ⊕ x5,i[15..0]
si[79..64] = x4,i[15..0] ⊕ x1,i[31..16]
si[95..80] = x4,i[31..16] ⊕ x7,i[15..0]
si[111..96] = x6,i[15..0] ⊕ x3,i[31..16]
si[127..112] = x6,i[31..16] ⊕ x1,i[15..0]
Although much is already in the literature on C implementations of HC-128 and Rabbit, no WSN-specific NesC implementation is in place; this work reports the first NesC-based implementations of both. The reported implementations are based on the official C implementations of the stream ciphers available on the eSTREAM project site [6]. They were incorporated into the TestTinyViz project, provided with the TinyOS releases, for testing against the test cases provided for HC-128 and Rabbit, and both implementations proved successful against their respective test cases.

Table 4. HC-128 Functions

struct ECRYPT_ctx
  Parameters: uint32_t T[1024], uint32_t X[16], uint32_t Y[16], uint32_t counter1024, uint32_t key[8], uint32_t iv[8], uint32_t keysize, uint32_t ivsize
  Description: HC-128 encryption parameters
key_setup()
  Parameters: struct ECRYPT_ctx, const char *key, uint32_t keysize, uint32_t ivsize
  Description: Carries out the key setup procedure based on the key parameters
iv_setup()
  Parameters: struct ECRYPT_ctx, const char *iv
  Description: Carries out the IV setup procedure based on the IV input
cipher()
  Parameters: struct ECRYPT_ctx, const char *input, const char *output, uint32_t msglen
  Description: Encrypts the input plaintext using the encryption parameters to output the ciphertext
Table 5. Rabbit Functions

struct t_instance
  Parameters: uint32_t x[8], uint32_t c[8], uint32_t carry
  Description: Rabbit encryption parameters
next_state()
  Parameters: struct t_instance
  Description: Next-state function: updates the state variables, counter variables and counter carry bit
key_setup()
  Parameters: struct t_instance, const char *p_key
  Description: Carries out the key setup procedure based on the key input
iv_setup()
  Parameters: struct t_instance, const char *p_iv, size_t iv_size
  Description: Carries out the IV setup procedure based on the IV input
cipher()
  Parameters: struct t_instance, const char *p_plaintext, const char *p_ciphertext, size_t data_size
  Description: Encrypts the input plaintext using the state variables and counter variables to output the ciphertext
• HC-128: The HC-128 algorithm has already been specified in Section 3. Table 4 lists the functions used in the NesC based HC-128 implementation.
• Rabbit: The Rabbit algorithm has already been specified in Section 3. Table 5 lists the functions used in the NesC based Rabbit implementation.
4 Analysis and Evaluations

This section discusses the feasibility of the HC-128 and Rabbit stream ciphers for wireless sensor networks in terms of power, time and memory consumption.

4.1 Power Consumption Analysis

A typical sensor mote relies on 2xAA batteries for its survival and operation in its deployment environment. Both controlled and uncontrolled environments are possible domains for sensor deployment. The lifetime of a sensor, specifically in uncontrolled domains, is essentially determined by its power consumption in all three phases: sensing, computation and communication. When considering any encryption mechanism for such resource constrained environments, considerable attention has to be given to the power consumption efficiency of the scheme. Any encryption mechanism used should be light on sensor power resources so as to maximize sensor lifetime. Figure 1 and Figure 2 show the power traits observed for the HC-128 and Rabbit implementations respectively. Figure 3 compares the power characteristics of the two stream ciphers. Based on the analyzed results, HC-128 performs better than Rabbit in terms of power consumption efficiency.

Fig. 1. HC-128 Power Consumption against the Simulation Time (plot: power consumption (µJ), 0 to 14, for total, cpu and radio; simulation time (s) from 8.186913 to 9.169414)

Fig. 2. Rabbit Power Consumption against the Simulation Time (plot: power consumption (µJ), 0 to 14, for total, cpu and radio; simulation time (s) from 7.713705 to 8.164838)

Fig. 3. Power Consumption Comparison for HC-128 and Rabbit (bar chart: power consumption (µJ), 0 to 2000, for CPU, Radio and Total per stream cipher)

4.2 Memory Consumption Analysis

The memory characteristics of HC-128 and Rabbit were analyzed for the micaz platform. A typical micaz mote has 128 KB of instruction memory, 4 KB of data RAM and 512 KB of flash memory [12]. Figure 4 compares the ROM/RAM consumption of the two stream ciphers. HC-128 requires much more memory than Rabbit, because HC-128 depends on two secret tables, each consisting of 512 32-bit entries.

Fig. 4. Memory Consumption Comparison for HC-128 and Rabbit (bar chart: memory consumption (bytes), 0 to 35000, for RAM and ROM per stream cipher)
4.3 Time Consumption Analysis

For real time applications, time efficiency is a major factor. Timely computation and timely reporting to the sink must be taken into account when considering the effectiveness of any scheme for WSNs. For HC-128 and Rabbit, the basic concern is how quickly the encryption and decryption processes can be carried out, regardless of the time taken in message dissemination. Figure 5 shows the time consumption comparison of the two schemes. The time comparison includes the time taken by the stream ciphers to carry out all initializations, set up the key and IV, and encrypt the provided plaintext. HC-128 consumes 48 µs for these tasks whereas Rabbit requires only 39 µs.

Fig. 5. Time Consumption Comparison for HC-128 and Rabbit (bar chart: time (µs), 0 to 60, per stream cipher)
5 Conclusion

This work has discussed the applicability of two stream ciphers, HC-128 and Rabbit, to wireless sensor networks. NesC implementations have been considered in this regard. The implementations have been evaluated on the performance metrics of power, time and memory consumption. Based on the analyzed results, although HC-128 is classified only as a software profile stream cipher, its performance in the domain of sensor networks is almost comparable to that of Rabbit, a stream cipher categorized for both hardware and software applications.
References
1. Meiser, G., Eisenbarth, T., Lemke-Rust, K., Paar, C.: Efficient implementation of eSTREAM ciphers on 8-bit AVR microcontrollers. In: Industrial Embedded Systems, 2008. SIES 2008, pp. 58–66 (2008)
2. Eisenbarth, T., Kumar, S., Paar, C., Poschmann, A., Uhsadel, L.: A survey of lightweight cryptography implementations. IEEE Design and Test of Computers 24(6), 522–533 (2007)
3. Fournel, N., Minier, M., Ubeda, S.: Survey and benchmark of stream ciphers for wireless sensor networks. In: Information Security Theory and Practices. Smart Cards, Mobile and Ubiquitous Computing Systems, pp. 202–214 (2007)
4. Ekdahl, P., Johansson, T.: A new version of the stream cipher SNOW. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 47–61. Springer, Heidelberg (2003)
5. Lim, S.Y., Pu, C.C., Lim, H.T., Lee, H.J.: Dragon-MAC: Securing Wireless Sensor Networks with Authenticated Encryption, http://eprint.iacr.org/2007/204.pdf
6. The eSTREAM Project, http://www.ecrypt.eu.org/stream/
7. Stream cipher. Wikipedia, the free encyclopedia, http://en.wikipedia.org/wiki/Stream_cipher
8. Wu, H.: The Stream Cipher HC-128. ECRYPT Stream Cipher Project Report 2005/001 (2005)
9. Boesgaard, M., Vesterager, M., Christensen, T., Zenner, E.: The Stream Cipher Rabbit. eSTREAM, ECRYPT Stream Cipher Project Report 2005/001 (2005)
10. Gay, D., Levis, P., Culler, D., Brewer, E.: nesC 1.1 Language Reference Manual (May 2003), http://www.tinyos.net/tinyos-1.x/doc/nesc/ref.pdf
11. Easwaran, A.: TinyOS: Operating System for Sensor Networks. CIS 640: Embedded Systems Seminar, University of Pennsylvania (Spring 2004)
12. Crossbow Technology Inc., Processor/Radio Modules, http://www.xbow.com
A Comparative Analysis of PKC and Semi-PKC Based Key Management Schemes for Hierarchical Sensor Networks

Ayesha Naureen1, Attiya Akram1, Rabia Riaz2, Ki-Hyung Kim2, and H. Farooq Ahmed3
1 College of Signals, National University of Science and Technology, Pakistan, {ayeshanaureen,attiyaakram}@mcs.edu.pk
2 AJOU University, South Korea, {rabiaiqbal18,kkim86}@gmail.com
3 Communication Technologies, Japan, [email protected]

Abstract. Symmetric key cryptography (SKC) based solutions for key management in wireless sensor networks have security shortcomings. A more secure solution demands the use of a public key cryptography (PKC) based key management scheme. This, however, introduces an increased computation overhead in the tiny devices. An intermediate approach between SKC and PKC may prove beneficial in terms of both security and efficiency. To investigate the applicability of such a hybrid key management approach, a hierarchical organization of the sensor network is considered and the security and efficiency characteristics of a pure PKC based key management scheme are compared and evaluated against a semi-PKC based key management scheme. Both theoretical and experimental bases have been considered in this regard.

Keywords: Wireless Sensor Network (WSN), Security, Key Management, Symmetric Key Cryptography (SKC), Public Key Cryptography (PKC).
1 Introduction

A wireless sensor network (WSN) consists of a number of tiny nodes working in coordination to sense and report some activity going on in the environment where the WSN is set up. Application environments for WSNs vary from deployment on the battlefield to monitoring in industrial and environmental areas. Hierarchical wireless sensor networks (HWSN) and distributed wireless sensor networks (DWSN) are the two options for sensor network deployment. In the hierarchical mode of operation, sensors follow a multilevel command chain, with the nodes categorized according to their computational capabilities as Base Station (BS), Cluster Leader (CL) and Cluster Node (CN) respectively. In a distributed WSN, all sensor nodes work in a P2P manner to carry out coordinated collaborative activity. Security threats in a wireless environment are manifold and vary in complexity depending on the computational capabilities of the attacker. Apart from security concerns, efficient resource consumption is the second prime factor determining the success of any security architecture deployed in a WSN. For efficiency reasons, public key cryptography (PKC) is often used in combination with symmetric key cryptography (SKC) in traditional communication networks. In WSNs, the need for efficient resource consumption is further elevated in the context of deploying a secure communication framework. For that reason, SKC has so far been considered the only approach for key management in resource constrained WSNs, with PKC considered the expensive alternative. But a hybrid approach might be suitable, in which SKC is employed in the most resource constrained nodes whereas, on an upper level with better resources, PKC is utilized. This paper discusses the evaluation of two key management schemes for hierarchical sensor networks: SACK-P, based purely on PKC, and SACK-H, a hybrid of PKC and SKC. The schemes are first evaluated in the TOSSIM simulation environment and then tested for hardware implementation on MICAz motes.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 692–701, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Literature Review

In traditional cryptographic designs, symmetric and asymmetric keying mechanisms are often combined to achieve computational efficiency together with a higher level of security. Symmetric keys are first encrypted using secure, hard to break asymmetric cryptography. Once securely transmitted, these symmetric keys are then used to protect the actual communication. Wireless sensor networks employ wireless radios as the medium of communication. Owing to the inherent security shortcomings of wireless communications, sensor networks too endure the associated risks of information disclosure and manipulation through denial of service attacks, traffic analysis attacks and other such attacks on privacy. Thus key management becomes essential to establish and maintain a secure channel between communicating parties. Secure communication in a WSN is a three step process wherein the nodes use their pre-distributed keys or keying material to exchange information with immediate neighbors and with at least one of the computationally robust nodes. The key management process is thereby broadly classified into the four phases of key analysis, key generation, key assignment and key distribution. Because of the resource constrained nature of WSNs, it was believed that traditional security mechanisms, with their costly computational requirements, are not suitable for WSNs, and that new security solutions need to be designed specifically for the sensor environment. Deriving from these requirements, the first initiative was to use symmetric cryptographic solutions to develop a key management framework for WSNs. The first naive approach was to transmit the symmetric keys directly over the communication medium or to pre-deploy the key in each node. The second, improved version was to communicate key generation material over the medium instead.
In traditional public key cryptography, RSA is the most used algorithm, but it has been evaluated that RSA is an expensive choice for sensors [1]. Elliptic curve cryptography (ECC) is another approach to asymmetric cryptography that provides the same security as RSA using fewer key bits. In the ECC implementation for WSNs, public keys and shared secrets are generated within a few seconds using adequate memory resources [2]. Based on these observations, ECC, or in other terms PKC, is now considered a valid keying option for WSNs. It is important to note that the ECC implementation is just a key generation mechanism; no complete PKC key management framework is in use to date. The term hybrid is used in WSNs in many different contexts. Some literature classifies a key management scheme as hybrid if it provides different levels of security to minimize communication overhead [3]. Others offer an integrated hybrid security approach by categorizing the network according to nodes' capabilities and functionalities [4]. Key management schemes are classified as either static or dynamic based on how administrative keys are changed during the network lifetime [5]. Networks can also be classified according to their key distribution mechanism as probabilistic, deterministic and hybrid, based on how keys are generated from the key pool. Key pre-distribution schemes involve loading keys or key material into sensor nodes prior to deployment. At deployment, the nodes compute a common key for communication. There are two extremes in deterministic pre-distribution keying schemes, namely the Single Master-Key Approach and the All Pair-wise Keys Approach [6]. While the single master key approach is memory efficient, its security is extremely low, since one node compromise can make the whole network vulnerable. For a network of N nodes, the all pair-wise keys approach assigns N-1 keys to each node. This makes the security perfect but at the same time increases the memory requirements to the maximum. The probabilistic pre-distribution schemes involve random keys, random pair-wise keys, random key spaces and group-based keys. In the Basic Key Pre-Distribution Scheme [7], each node randomly selects K keys from a key pool of P keys.
Two nodes can communicate with each other if they have at least one common key. While the scheme is advantageous in the sense that the base station is excluded and post-deployment overhead is reduced, successive node capture can reveal the stored keys. The Deployment Based Key Pre-Distribution Scheme [8] deploys the nodes in groups in two dimensional X × Y regions. The key pool S is divided into t × n key pools S_{i,j}. Each node selects m keys from its corresponding key pool S_{i,j}. ESA [9] is a pair-wise scheme where nodes are separated into domains supervised by base stations. SNEP [10] is another pair-wise scheme where each pair of communicating nodes shares a master secret key X_{A,B} and a PRF. The Localized Encryption and Authentication Protocol (LEAP) [11] is another such scheme. In the key setup phase, each node receives a general key K_I. A node S_u uses K_I and a hash function H to generate its master key K_u = H_{K_I}(ID_u). In the shared key discovery phase, the master key K_v of a neighboring node is generated using K_I and the hash function H as K_v = H_{K_I}(ID_v). Session keys are then generated using K_v and ID_u. Multi-hop pair-wise keys are employed to reach cluster heads. The security of the system depends on the general key K_I, which can be compromised by a single node capture. The Exclusion Based System (EBS) [12] is a dynamic keying system where each node stores k keys from a pool of P = k + m keys and does not know at least m keys out of the pool P. When a node is compromised, new keys are encrypted using the m keys unknown to that node and distributed to the other nodes. However, a small number of nodes may join together and reveal all the network keys. SHELL [13] and LOCK [5] are two enhancements of EBS that use a hierarchical network model. IKA2 [14] and Burmester-Desmedt [15] both use asymmetric cryptography like the Diffie-Hellman key exchange protocol. ID-star [16] uses identity based cryptography to derive nodes' public keys from their identities. While a number of schemes have been proposed so far for sensor networks, each with associated strengths and weaknesses, it is believed that the applicability of any such scheme would depend on the specific operational environment.
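The two pre-distribution properties discussed in this review, the key-ring overlap of the Basic Key Pre-Distribution Scheme [7] and the exclusion and collusion behaviour of EBS [12], as an added worked example in Python. It is not code from this paper or from any of the cited schemes; the pool and ring sizes passed in are constructed inputs, and the function names (`eg_share_probability`, `ebs_assign`, `ebs_rekey_keys`, `keys_exposed`, `ebs_min_collusion`) are chosen here. The EBS part goes a little beyond the text: it computes, by exhaustive search, the smallest set of colluding nodes that exposes the whole pool, which is the situation the review warns about.

```python
"""Key-ring overlap (Basic Key Pre-Distribution Scheme) and EBS exclusion /
collusion analysis. Added example, not the schemes' reference code."""
from itertools import combinations
from math import comb


def eg_share_probability(pool_size: int, ring_size: int) -> float:
    """Probability that two nodes, each holding ring_size keys drawn uniformly
    without replacement from a pool of pool_size keys, share at least one key
    and can therefore communicate directly."""
    if ring_size > pool_size:
        raise ValueError("key ring cannot exceed the pool")
    # comb() returns 0 when the two rings cannot be disjoint (2*ring > pool).
    disjoint = comb(pool_size - ring_size, ring_size) / comb(pool_size, ring_size)
    return 1.0 - disjoint


def ebs_assign(k: int, m: int) -> dict:
    """EBS: the pool has k+m keys; every node holds a distinct k-subset and is
    thus excluded from exactly m keys. Returns {node_id: frozenset(key_ids)}."""
    pool = range(k + m)
    return {node: frozenset(keys) for node, keys in enumerate(combinations(pool, k))}


def ebs_rekey_keys(assignment: dict, compromised: int) -> frozenset:
    """Keys the controller uses to encrypt replacement keys after `compromised`
    is evicted: the m keys that node never held, so it cannot read the update."""
    pool = frozenset().union(*assignment.values())
    return pool - assignment[compromised]


def keys_exposed(assignment: dict, captured) -> frozenset:
    """Union of the key rings held by a set of captured nodes."""
    return frozenset().union(*(assignment[node] for node in captured))


def ebs_min_collusion(assignment: dict) -> int:
    """Smallest number of colluding nodes whose rings cover the whole pool,
    i.e. leave no key with which the remaining nodes could be re-keyed.
    Exhaustive search, so only practical for small pools."""
    pool = frozenset().union(*assignment.values())
    nodes = list(assignment)
    for size in range(1, len(nodes) + 1):
        for group in combinations(nodes, size):
            if keys_exposed(assignment, group) == pool:
                return size
    return len(nodes)


if __name__ == "__main__":
    # Constructed parameters for illustration only.
    print(f"P=100, K=10: P(two nodes share a key) = {eg_share_probability(100, 10):.3f}")
    rings = ebs_assign(2, 3)
    print(f"EBS k=2, m=3: {len(rings)} distinct nodes possible")
    print("re-key with keys", sorted(ebs_rekey_keys(rings, 0)), "after evicting node 0")
    print("colluding nodes needed to expose the whole pool:", ebs_min_collusion(rings))
```

With k = 2 and m = 3 the pool has five keys, ten distinct rings exist, and three colluding nodes already hold every key, which is what the review means by a small number of nodes revealing all network keys.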
3 Network Layout and Key Setup for the Two Architectures

Consider a hierarchical organization of a wireless sensor network where the nodes are categorized according to their computation capabilities as Base Station (BS), Cluster Leader (CL), and Cluster Node (CN) respectively. The BS is a computationally robust node placed in a controlled environment, with the prime features of gathering information from CLs, coordinating the activities of key distribution, and carrying out compromised node revocations. A CL is an ordinary sensor node with slightly better resources, assigned the task of coordinating a subsection of the network. A CN is an ordinary sensor node carrying out the sensing activity while forming part of a CL-coordinated network subsection. SACK-P, the PKC based key management architecture, uses public keys network wide, securing all communications between BS/CLs and CLs/CNs, and vice versa, via public/private key pairs. In SACK-H, the hybrid effort between SKC and PKC, inter-cluster communications are secured by symmetric keys and intra-cluster communications are secured by PKC. Table 1 gives a brief account of the basic steps involved in the key management process of SACK-P and SACK-H. It is important to note that the CL nomination and cluster formation procedure is beyond the scope of both the SACK-P and SACK-H architectures. Let N be the number of nodes in the network, C the number of clusters in the network and n the number of nodes in a cluster.

For SACK-P, the key management process initiates in the pre-deployment phase, where IDs {SNID} are assigned and public/private key pairs {Kpub[SN], Kpri[SN]} are generated for all the nodes. At the time of deployment, each CN sends its ID along with its public key {SNID, Kpub[CN]} to the concerned CL, which forwards it to the BS. Upon authentication verification, the BS asks the CL to add the CN to its respective cluster. Each CL gets verified by the BS via its {SNID, Kpub[CL]} in a similar manner. The key management process completes with public key broadcasts from CLs to CNs and from the BS to CLs respectively. This 3-step procedure facilitates both network-wide and cluster-wide communications.

In the case of SACK-H, all the participating SNs are assigned their respective IDs, master keys and base station pair-wise keys {SNID, KM, KNB} in the pre-deployment phase. The key distribution process starts with a public key broadcast from the BS to all CLs, followed by public key distributions from all the CLs to the BS. The collected CL IDs and public keys {SNID, Kpub[CL]} are broadcast, one by one, from the BS to the CLs. Upon completion of this process, each CL transmits a seed SC in its respective cluster. All the involved CNs use the seed and master key {SC, KM} to generate a cluster wide shared key KC.
Table 1. Key Management in SACK-P and SACK-H
Legend: SN: Nodes before deployment. Includes CLs & CNs

SACK-P Algorithm:
1: Key Registration: SN_i → BS: {SNID_i, Kpub[SN_i]}; 1 ≤ i ≤ N
2: CN Key Distribution
 a: CN_ij → CL_i: {SNID_k, Kpub[CN_ij]}; 1 ≤ i ≤ C, 1 ≤ j ≤ n, 1 ≤ k ≤ N
 b: CL_i → BS: {SNID_k, Kpub[CN_ij]}; 1 ≤ i ≤ C, 1 ≤ j ≤ n, 1 ≤ k ≤ N
 c: BS → CL_i: {OK || REVOKE}; 1 ≤ i ≤ C
3: CL Key Distribution
 a: CL_i → BS: {SNID_k, Kpub[CL_i]}; 1 ≤ i ≤ C, 1 ≤ k ≤ N
 b: BS → CL_i: {OK || REVOKE}; 1 ≤ i ≤ C
 c: CL_i → CN_ij: {Kpub[CL_i]}; 1 ≤ i ≤ C, 1 ≤ j ≤ n
4: BS Key Distribution: BS → CL_i: {Kpub[BS]}; 1 ≤ i ≤ C

SACK-H Algorithm:
1: SN Key Deployment: {SNID_i, KM_i, KNB_i}; 1 ≤ i ≤ N
2: BS Key Distribution: BS → CL_i: {Kpub[BS]}; 1 ≤ i ≤ C
3: CL Key Distribution
 a: CL_i → BS: {SNID_k, Kpub[CL_i]}; 1 ≤ i ≤ C, 1 ≤ k ≤ N
 b: BS → CL_i: {SNID_k, Kpub[CL_i]}; 1 ≤ i ≤ C, 1 ≤ k ≤ N
 c: CL_i → SN_ij: {SC_i}; 1 ≤ i ≤ C, 1 ≤ j ≤ n
4: CN Key Generation: KC_i: {KM, SC_i}
4 Theoretical Comparisons and Evaluations

In the SACK-P architecture, the BS stores N+1 keys, each CL stores n+2 keys and each CN stores 2 keys. For SACK-H, key storage is divided among the nodes as follows: the BS stores C+N+2 keys, each CL stores C+6 keys and each CN stores 3 keys. The time and power computations have been performed for a network of 3 nodes, with one node each categorized as BS, CL and CN respectively; thereby N=3, C=1 and n=1. Let PR be the reception energy, PT the transmission energy and PC the computation energy. The energy consumed in sending 1 byte is 59.2 µJ, the energy consumed in receiving 1 byte is 28.6 µJ, and computational energy is negligible in comparison to the energy consumed in transmission [1]. For the TOSSIM based simulation of the two architectures, the time calculations have been done using the SysTimeC module and the power computations have been performed using the TinyViz PowerProfile plugin.

Fig. 1 (a) compares the key generation time for SACK-P and SACK-H for the three types of WSN nodes. While the BS and CL key generation times are almost the same for both architectures, the main difference is observed in the case of CN key generation. This is logical, because CNs are the most resource constrained devices in the network and hence require operations that are not computationally intensive. Fig. 1 (b) compares the key distribution times for SACK-P and SACK-H for all three node categories. In the case of SACK-P, the BS performs only 1 public key broadcast, the CL carries out 1 public key broadcast and 1 public key forwarding, and the CN only sends its public key to the respective CL. Hence the most time consuming key distribution operations are performed at the CL. In the case of SACK-H, the most time consuming operations are performed at the BS, thus balancing the resource intensive operations against the node's computational capability. Fig. 2 compares the power consumption of the two schemes. Simulated transmission energy consumption for SACK-P is 156.09 µJ whereas computational energy consumption is 90.86 µJ. Power profiling of SACK-H shows a simulated transmission energy consumption of 145.09 µJ and a computational energy consumption of 82.6 µJ.

Fig. 1. SACK-P, SACK-H Time Comparisons for Key Generation and Key Distribution ((a) bar chart: time (seconds), 0 to 14, for BS, CL and CN key generation; (b) bar chart: time (seconds), 0 to 0.5, for BS-->CL, CL-->BS, CL-->CN and CN-->CL; SACK-P vs SACK-H)

Fig. 2. SACK-P and SACK-H Power Comparisons (bar chart: power, 0 to 300, for CPU, Radio and Total; SACK-P vs SACK-H)
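A message-flow model of the SACK-P and SACK-H key setup steps of Table 1, combined with the per-byte radio energy figures this section quotes from [1], as an added example in Python. It is not the authors' TinyOS code. The payload sizes, the node naming, and the use of HMAC-SHA256 as the function that derives K_C from {S_C, K_M} (the paper does not name that function) are assumptions made here; the message lists follow the index ranges of Table 1, so the OK/REVOKE replies are one per cluster leader.

```python
"""Message-flow model of the SACK-P and SACK-H key setup (Table 1) with the
per-byte radio energy figures quoted in Section 4. Added example; not the
authors' code. Payload sizes and the cluster-key KDF are assumptions."""
from collections import Counter
import hashlib
import hmac

# Energy per byte from Section 4 (citing [1]), in microjoules.
TX_UJ_PER_BYTE = 59.2
RX_UJ_PER_BYTE = 28.6

# Assumed payload sizes in bytes: 2-byte node ID plus 20-byte public key,
# 20-byte public key alone, 1-byte OK/REVOKE flag, 16-byte cluster seed.
PAYLOAD = {"id_pubkey": 22, "pubkey": 20, "ok_revoke": 1, "seed": 16}


def role(node: str) -> str:
    """'BS', 'CL' or 'CN' from a node name such as 'CL1' or 'CN1.2'."""
    return node[:2]


def sack_p_messages(C: int, n: int):
    """Over-the-air messages of SACK-P steps 2-4 (step 1, key registration,
    happens before deployment). Each entry is (step, sender, receiver, kind)."""
    msgs = []
    for i in range(1, C + 1):
        cl = f"CL{i}"
        for j in range(1, n + 1):
            cn = f"CN{i}.{j}"
            msgs.append(("2a", cn, cl, "id_pubkey"))   # CN sends ID and key
            msgs.append(("2b", cl, "BS", "id_pubkey"))  # CL forwards it to BS
        msgs.append(("2c", "BS", cl, "ok_revoke"))      # BS verdict for the CL
        msgs.append(("3a", cl, "BS", "id_pubkey"))      # CL registers its key
        msgs.append(("3b", "BS", cl, "ok_revoke"))
        for j in range(1, n + 1):
            msgs.append(("3c", cl, f"CN{i}.{j}", "pubkey"))  # CL key to CNs
        msgs.append(("4", "BS", cl, "pubkey"))          # BS key to the CL
    return msgs


def sack_h_messages(C: int, n: int):
    """Over-the-air messages of SACK-H steps 2-3 (step 1 is pre-deployment,
    step 4 is local computation, see derive_cluster_key)."""
    msgs = []
    cls = [f"CL{i}" for i in range(1, C + 1)]
    for cl in cls:
        msgs.append(("2", "BS", cl, "pubkey"))
    for cl in cls:
        msgs.append(("3a", cl, "BS", "id_pubkey"))
    for cl in cls:                 # BS redistributes every CL key to every CL
        for _other in cls:
            msgs.append(("3b", "BS", cl, "id_pubkey"))
    for i, cl in enumerate(cls, start=1):
        for j in range(1, n + 1):
            msgs.append(("3c", cl, f"CN{i}.{j}", "seed"))
    return msgs


def messages_sent(msgs) -> Counter:
    """Number of messages transmitted, grouped by sender role."""
    return Counter(role(sender) for _, sender, _, _ in msgs)


def radio_energy_uj(msgs) -> dict:
    """Estimated transmit plus receive radio energy per node, in microjoules,
    using the per-byte figures above (computation energy is ignored, as the
    section says it is negligible next to transmission)."""
    energy = Counter()
    for _, sender, receiver, kind in msgs:
        size = PAYLOAD[kind]
        energy[sender] += size * TX_UJ_PER_BYTE
        energy[receiver] += size * RX_UJ_PER_BYTE
    return dict(energy)


def derive_cluster_key(master_key: bytes, seed: bytes) -> bytes:
    """SACK-H step 4: K_C from {S_C, K_M}. The paper does not name the
    function; HMAC-SHA256 keyed with K_M is an assumption made here."""
    return hmac.new(master_key, seed, hashlib.sha256).digest()


if __name__ == "__main__":
    for name, flow in (("SACK-P", sack_p_messages), ("SACK-H", sack_h_messages)):
        msgs = flow(1, 1)   # the paper's N=3, C=1, n=1 network
        print(name, "messages sent per role:", dict(messages_sent(msgs)))
        print(name, "radio energy per node (uJ):", radio_energy_uj(msgs))
```

Calling the two flow functions with larger C and n shows how the forwarding load concentrates on the CL in SACK-P and on the BS in SACK-H, the effect the paper reports from the Fig. 1 (b) timings.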
5 Experimental Comparisons and Evaluations

The experimental evaluation of SACK-P and SACK-H was conducted on MICAz sensors from Crossbow [18]. MICAz is a 2.4 GHz, IEEE/ZigBee 802.15.4 board with 128 KB of instruction memory, 4 KB of data RAM, and 512 KB of flash memory [18]. The experiment utilized three MICAz motes categorized as BS, CL and CN respectively. The nodes are programmed with the respective code for SACK-P and SACK-H on the MPR2400CA board. The CL and CN motes are programmed with IDs 1 and 2 and are made to communicate with the BS and with each other via RF links. The mote designated as the BS, with ID 0, is mounted on the MPR2400CA programming board, with an MIB510 serial interface to collect and display the messages on the PC. SerialForwarder is a Java program, provided with the standard TinyOS installation, which reads packets arriving on the serial port and directs them for display. In the demonstrations carried out, SerialForwarder is run in the background, with no frontend GUI, and the SACK-P/SACK-H Java application is used to report the received messages on standard output. Fig. 3 shows the equipment arrangement used for the evaluation of the two architectures.

Fig. 3. Experimental Setup for SACK-P and SACK-H Evaluation (Cluster Node (MICAz mote) --RF-- Cluster Leader (MICAz mote) --RF-- Base Station (MICAz mote on programming board) --Serial-- PC running Serial Forwarder (no GUI) and the SACK-P/SACK-H Java app)
5.1 Power and Time Analysis: Basic Assumptions

It is important to note that the experiments were done on a network of only 3 nodes, with one BS, one CL and one CN. All power computations have been carried out for the processor in active mode using the formula E = U*I*t. For MICAz with the processor in active mode, I = 8 mA and U = 3.0 V when two new AA batteries are used [18].

5.2 SACK-P Time and Power Analysis

Table 2 gives the hardware based time and power measurements for SACK-P. Key generation time for all the nodes is determined to be 30.35 s. This is in accordance with the findings of the TinyOS based ECC implementation [2]. Key distribution time for each hop is approximately 120 s. With the current I and voltage U constant at 8 mA and 3.0 V, the power characteristics derive directly from the time consumption, averaging around 2.9 J for each step. Apart from its own key distribution, the CL also spends time and energy on the key forwarding operation from CN to BS.

5.3 SACK-H Time and Power Analysis

Table 2 gives the time and power readings for the hardware implementation of SACK-H. Both BS and CL require approximately 30.35 s for key generation due to asymmetric key computations, while the CN requires a negligible time of a few microseconds due to symmetric key operations. Hop-wise public key distributions require approximately 115-120 s whereas cluster-wise seed distribution requires only 11 s. Power computations derive accordingly. Here, the BS carries out an additional broadcast to flood the CL public key in the network.
Table 2. Time and Power Measurements

SACK-P
Phase | Operation | Time (Seconds) | Power (Joules)
Key Gen | BS | 30.35 | 0.73
Key Gen | CL | 30.35 | 0.73
Key Gen | CN | 30.35 | 0.73
CN Key Distrib. | CN→CL | 143.31 | 3.44
CN Key Distrib. | CL→BS | 120.71 | 2.90
CN Key Distrib. | CN→CL→BS | 264.02 | 6.34
CL Key Distrib. | CL→BS | 120.71 | 2.90
CL Key Distrib. | CL→CNs | 106.31 | 2.55
BS Key Distrib. | BS→CL | 112.54 | 2.70

SACK-H
Phase | Operation | Time (Seconds) | Power (Joules)
Key Gen | BS | 30.35 | 0.73
Key Gen | CL | 30.350066 | 0.73
Key Gen | CN | 63 x 10^-6 | 1.51 x 10^-6
Seed Gen | CL | 49 x 10^-6 | 1.18 x 10^-6
BS Key Distrib. | BS→CL | 112.54 | 2.70
CL Key Distrib. | CL→BS | 120.71 | 2.90
CL Key Distrib. | BS→CLs | 112.54 | 2.70
CL Seed Distrib. | CL→CNs | 11.096 | 266 x 10^-3
5.4 Comparisons

Fig. 4 (a) compares the experimental key generation times for SACK-P and SACK-H. As already noticed in the simulated results, the experimental results too reveal that while SACK-P requires the same key generation time for all nodes, SACK-H minimizes the key generation time for the weakest node, the CN. Fig. 4 (b) compares the power consumption measurements for SACK-P and SACK-H. For SACK-P, all the nodes show similar power characteristics. In SACK-H, as the time measurements place the minimum burden on CNs, the resultant power measurements also come out minimal for CNs.

Fig. 4. SACK-P, SACK-H Time and Power Comparisons for Key Generation ((a) bar chart: time (seconds), 0 to 35, for BS, CL and CN key generation; (b) bar chart: power (joules), 0 to 0.8; SACK-P vs SACK-H)

Fig. 5 (a) evaluates the two architectures in terms of time measurements for key distribution. The CL performs the most message transmissions in the case of SACK-P and the BS carries out the most communication in the case of SACK-H, hence the corresponding peaks in the graph. It is clearly better to place the burden on the BS, which has no resource limitation. Fig. 5 (b) illustrates the comparison of power measurements for SACK-P and SACK-H. Since the power characteristics derive directly from the timing characteristics, the same peaks are observed for the CL and the BS in the case of SACK-P and SACK-H respectively.

Fig. 5. SACK-P, SACK-H Time and Power Comparisons for Key Distribution ((a) bar chart: time (seconds), 0 to 250, for BS-->CL, CL-->BS, CL-->CN and CN-->CL; (b) bar chart: power (joules), 0 to 6; SACK-P vs SACK-H)
6 Conclusion

The paper has presented a comprehensive comparative analysis of two key management schemes for wireless sensor networks: one based purely on public key cryptography, the other using a hybrid of symmetric and public key approaches. The performance analysis proves the semi-PKC based scheme, i.e. SACK-H, to be the better approach for use in resource constrained sensors. However, the application domains of WSNs are numerous, and hence the applicability of SACK-P cannot be ruled out entirely. It is therefore adequate to suggest that SACK-P may be used in an environment requiring strict security measures, where the sensors are not used for time critical operations and either the network lifetime is short or the batteries can be replaced periodically.

7 Future Work

The research carried out evaluates the SACK-P and SACK-H architectures on performance grounds. A comprehensive security analysis of the two can also be performed, in which the schemes are tested for resilience against different attacks. Furthermore, the application domains of the two architectures also need to be identified.
References
1. Wander, A.S., Gura, N., Eberle, H., Gupta, V., Shantz, S.C.: Energy analysis of public-key cryptography for wireless sensor networks. In: Third IEEE International Conference on Pervasive Computing and Communications, pp. 324–328 (2005)
2. Malan, D.J., Welsh, M., Smith, M.D.: A Public-Key Infrastructure for Key Distribution in TinyOS Based on Elliptic Curve Cryptography. In: IEEE SECON (2004)
3. Landstra, T., Zawodniok, M., Jagannathan, S.: Energy-Efficient Hybrid Key Management Protocol for Wireless Sensor Networks. In: 32nd IEEE Conference on Local Computer Networks, pp. 1009–1016 (2007)
4. Cao, X., Huang, M., Chen, Y., Chen, G.: Hybrid Authentication and Key Management Scheme for WSANs. In: Chen, G., Pan, Y., Guo, M., Lu, J. (eds.) ISPA-WS 2005. LNCS, vol. 3759, pp. 454–465. Springer, Heidelberg (2005)
5. Eltoweissy, M., Moharrum, M., Mukkamala, R.: Dynamic key management in sensor networks. IEEE Communications Magazine 44(4), 122–130 (2006)
6. Perrig, A., Stankovic, J., Wagner, D.: Security in wireless sensor networks. Communications of the ACM, Special Issue on Wireless Sensor Networks 47(6), 53–57 (2004)
7. Eschenauer, L., Gligor, V.D.: A key-management scheme for distributed sensor networks. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 41–47 (2002)
8. Du, W., Deng, J., Han, Y.S., Chen, S., Varshney, P.K.: A key management scheme for wireless sensor networks using deployment knowledge. In: IEEE INFOCOM, pp. 586–597 (2004)
9. Law, Y., Corin, R., Etalle, S., Hartel, P.: A formally verified decentralized key management for wireless sensor networks. Personal Wireless Communications (2003)
10. Perrig, A., Szewczyk, R., Wen, V., Culler, D.: SPINS: Security protocols for sensor networks. Wireless Networks (2002)
11. Zhu, S., Xu, S., Setia, S., Jajodia, S.: LEAP: Efficient security mechanisms for large-scale distributed sensor networks. In: 10th ACM Conference on Computer and Communications Security, CCS (2003)
12. Eltoweissy, M., et al.: Combinatorial Optimization of Key Management in Group Communications. J. Network and Sys. Mgmt., Special Issue on Network Security, 332b (2004)
13. Younis, M., Ghumman, K., Eltoweissy, M.: Location-aware Combinatorial Key Management Scheme for Clustered Sensor Networks. IEEE Transactions on Parallel and Distributed Systems (2006)
14. Steiner, M., Tsudik, G., Waidner, M.: Key agreement in dynamic peer groups. IEEE Transactions on Parallel and Distributed Systems (2000)
15. Burmester, M., Desmedt, Y.G.: A secure and efficient conference key distribution system. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 275–286. Springer, Heidelberg (1995)
16. Carman, D., Matt, B., Cirincione, G.: Energy-efficient and low-latency key management for sensor networks. In: 23rd Army Science Conference (2002)
17. Riaz, R., Akbar, A.H., Hasan, M., Kim, K., Lhee, K., Naureen, A., Akram, A., Ahmed, H.F.: Key Management Scheme for Sensor Networks with Proactive Key Revocation and Sleep State Consideration. In: Li, K., Jesshope, C., Jin, H., Gaudiot, J.-L. (eds.) NPC 2007. LNCS, vol. 4672, pp. 368–373. Springer, Heidelberg (2007)
18. Crossbow Technology Inc., http://www.xbow.com
A Mathematical Approach towards Trust Based Security in Pervasive Computing Environment
Naima Iltaf1, Mukhtar Hussain1, and Farrukh Kamran2
1 Military College of Signals (NUST), Pakistan, [email protected], [email protected]
2 Center for Advanced Studies in Engineering, Pakistan, [email protected]
Abstract. In ubiquitous computing, traditional security mechanisms are difficult to realize, as users have no prior knowledge of each other and the availability of a trusted third party cannot be relied upon. Since trust is used as an elementary channel of interaction in human society, a security model based on the real-world characteristics of trust can provide internal security before taking action, despite the uncertainty and inadequate information of a ubiquitous computing environment. We propose a trust based security architecture, built on the human notion of trust, as a mechanism to secure computing in a ubiquitous environment.
1 Introduction
Ubiquitous computing is catching on in the computing arena, as it promises to break the paradigm of desktop computing. Computational services are now expected to become as mobile as their users. In such a dynamic environment a user expects to access resources and services at any time and anywhere. This user expectation amplifies the severity of the security problems, since the entity is constantly interacting with and accessing services outside its own system. Access to collaborative resources in a ubiquitous environment requires some way of authenticating an entity requesting a resource, as well as a way of determining the extent of access that entity may have to shared resources. In ubiquitous computing, traditional security mechanisms are difficult to realize, as users have no prior knowledge of each other and the availability of a trusted third party cannot be relied upon. Since trust is used as an elementary channel of interaction in human society, a security model based on the real-world characteristics of trust can provide internal security before taking action, despite the uncertainty and inadequate information of a ubiquitous computing environment. In this paper, we present Security & Trust Enforcement in Pervasive Computing Environment (STEP) as the security model for such a pervasive computing environment. We propose to use trust as the fundamental criterion for authorizing known, partially known and unknown entities to interact with each other. The objective of this work is to provide a trust model for a ubiquitous environment based on the real-world characteristics of trust.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 702–711, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Related Work
Until now, several trust models have been proposed in the literature for different distributed systems. Most trust related projects in the area of distributed computing allow access to collaborative resources by unregistered users through certificate-based delegation. Kagal et al. [1] argue that large, open systems do not scale well with centralized security solutions. They instead propose a security solution (Centaurus) based on trust management, which involves developing a security policy and assigning credentials to entities. Centaurus depends heavily on the delegation of trust to a third party. Much research has since been done on building autonomous trust management as a fundamental building block for future security frameworks. Project SECURE [3] presents a formal trust and risk framework to secure collaboration between ubiquitous computer systems.
3 Definition of Trust
Several trust definitions have been given in psychology, economics, sociology, mathematics, etc. The concrete, mathematical definition of trust followed in this paper is given by Diego Gambetta [4]: “Trust (or, symmetrically, distrust) is a particular level of the subjective probability with which an agent assesses that another agent or group of agents will perform a particular action, both before he can monitor such action (or independently of his capacity ever to be able to monitor it) and in a context in which it affects his own action”. When we say we trust some entity, we implicitly mean that the past behavior of the entity was good enough, or at least not that detrimental, for the service for which the access request is being considered.
4 Trust Representation
Trust values are used to represent the different levels of trust a service has in an entity. In our approach, 0 corresponds to a total absence of trust. This can occur only if the service completely distrusts an entity, or the service has had no past interaction with the entity and hence no reason to trust or distrust it. Trust cannot be an absolute value, and thus the table below outlines the trust levels, their corresponding ranges and their meaning as used in our trust model.

Table 1. Trust Levels

Level  Value                Meaning            Description
0      0                    Complete distrust  Completely untrustworthy.
1      0 ≤ value < 0.25     High distrust      Lowest possible trust.
2      0.25 ≤ value < 0.5   Low trust          Not very trustworthy.
3      0.5 ≤ value < 0.75   Medium trust       Mean trustworthiness.
4      0.75 ≤ value < 1     High trust         More trustworthy than most entities.
5      1                    Complete trust     Completely trust this entity.
5 Characteristics of Trust
The proposed model is designed considering a few main characteristics of trust, identified as follows:
• Trust is a relationship established between an entity and a service for a specific action, thus representing the amount of trust a service has in an entity when authorizing access to its resources. We introduce the notation {Entity; Service; trust value} to describe a trust relationship.
• Trust is a time variant value; it decays with time. The trust an entity has acquired now in the context of a specific service might not be the same as the trust attributed to it in the same context a year ago.
• Social trust affects the trust factor. An entity is more likely to be trusted if it is trusted by the peer services than if it is trusted by services located in other autonomous pervasive environments.
• Trust is dynamic. Managing trust involves collecting information, monitoring the current interaction and evaluating the trust.
• Discrete levels of trust are used in this model, referred to as the trust value. Quantification of trust is most critical and should be evaluated on sound mathematical foundations.
6 Proposed Framework
As it is widely acknowledged that traditional security measures fail to provide the necessary flexibility for interactions between unknown entities, the need for a trust model enabling secure collaboration between unknown entities in an uncertain environment motivates us to design our trust based security architecture. In our model, we assume that all entities are autonomous and some of them are mobile. Entities can be either persons or devices which try to access the services. Thus, we establish trust relationships between entities and the services. Each service maintains a list of trustworthy and untrustworthy entities, the trust value associated with them, the time when the trust value was last revised and the number of interactions with each entity. An overview of our proposed trust-based security framework (STEP) is shown in Figure 1.
Fig. 1. STEP: A Trust Based Security Model
The framework consists of five main components. Dispatcher module is responsible for receiving the request initiated by the entity requesting to access a shared service and in response authorizes the entity to access the service if the trust value of the requestor is compliant with the local policies. It then passes the request to access control module. Access Control Module computes the trust value for each entity requesting a service or shared resource in the network by interacting with trust DB and the Reputation Evaluator Module to get the information about the trustworthiness of the entity. If no prior trust information is available, Reputation Evaluator module seeks recommendation from peer services located within the same pervasive environment or from trusted parties offering service located in other autonomous pervasive environments and aggregated recommendations received form the basis for new trust relationship. Similarly, if no recommendation is available for the entity, the module can give it an ignorance value based on which certain level of access can be granted to the entity. Performance Interpretation module is responsible for the evolution process. It evaluates the behavior patterns of entity involved in interaction according to its actions as additional evidence becomes available. It is connected with Trust DB and event monitoring module of the system. This evaluation function takes place after culmination of an interaction and obtaining some observations from the event monitoring module. The basic function of a policy analyzer is to process the request in order to determine whether it is permitted to the requestor for the trust value in the presence of the policies defined for that service.
7 STEP Trust Algorithm
In the proposed framework, we divide the computation of trust into several levels. We now need to convert these computations into mathematical formulas. We define a mathematical model to compute the trust of an entity requesting a service and to revise the trust value during the lifetime of the trust relationship. The reputation of an entity is computed as a weighted sum of the recommendations of all services that belong to the requesting pervasive domain (peer services) and of the services located in other autonomous pervasive environments. The trust algorithm also defines the evolution process, which can be regarded as an iteration of the trust formation process as additional evidence becomes available. Accumulation of evidence with the experience of new interactions modifies the level of trust. The evaluation of an action performed by an entity interacting with the service in a particular context will change its trust level. This depends on how much is known about its positive or negative perceived actions in the past. A successful interaction results in an increase of trust. To describe the STEP trust algorithm, the notation used is given in the next section.
7.1 Notation
• Let Ei and Sj be the requesting entity and the requested service respectively.
• Let T(Ei, Sk, t, nk) denote the trust value of service Sk for entity Ei at time t, having nk interactions with the service.
• Let Tp(Ei, SN, t, nN) denote the aggregated peer recommended trust value of N peer services for entity Ei at time t, having n interactions with each service.
• Let To(Ei, SM, t, nM) denote the aggregated recommended trust value from M services in other autonomous pervasive environments for entity Ei at time t, having n interactions with each service.
• Let γ(θ, ∆t) denote the decay function.
• Let η denote the normalized interaction value.
• Let Tnew(Pe, Told) be the new trust value calculated from the previous trust value and the performance estimation.
There are two main computations involved. The first is the calculation of trust within the reputation evaluator module, which is based on the recommendations from peer services and from services in other autonomous pervasive environments. The second computation, formulated in the performance interpretation module, revises the trust value during the lifetime of the trust relationship by evaluating the behavior patterns of the entity involved in an interaction according to its actions, as additional evidence becomes available. Here we discuss the computation of the reputation evaluator module and of the performance interpretation module.
7.2 Reputation Evaluator Module
The reputation evaluator module seeks recommendations for further information when the amount of observation is insufficient for the service to define the trustworthiness of the entity requesting the service. It requests recommendations, with respect to the entity in question, from peer services located within the same pervasive environment or from trusted parties located in other autonomous pervasive environments. While computing the entity's recommendation, the reputation evaluator module takes into consideration:
• Number of recommenders
• Confidence level on recommendation
The reputation evaluator module computes the recommended trust value TR(Ei, Sk, t, n) of entity Ei for service Si at time t. This computation is based on the peer services' recommended trust value Tp(Ei, SN, t, nN) and the recommended trust value To(Ei, SM, t, nM) of services in other autonomous pervasive environments. Thus TR(Ei, Sk, t, n) is given as
(1)
The weights given to the peer services' recommended trust value and to the recommended trust value of services in other autonomous pervasive environments are α and (1-α) respectively, where α is a positive constant that can be fine tuned to keep the trust value for an entity between 0 and 1. The trustworthiness of Ei is based more on the peer services' recommendation than on the recommendation of services in other autonomous pervasive environments. The peer recommended trust value is computed as the average of the product of the trust value and the confidence level on that trust value over all the peer recommenders:

$$T_p(E_i, S_N, t, n_N) = \frac{\sum_{j=1}^{N} T_{value}(E_i, S_j, t, n_j) \cdot CL}{N} \quad (2)$$
where the confidence level (CL) depends upon the number of interactions with the service, the sensitivity of the recommender and the decay function (time based experience). CAPS, a programmable model of the human cognitive architecture, shows that a memory element is accessible only if it has enough activation. Unused memory elements decay over time; that is, their activation decreases [5]. The rate of decay can vary by the kind of relation, but the study of human nature shows that all relations show a liability of newness in which the rate of decay slows over time [6]. Since the trust based access control mechanism is based on human notions, we also use a decay function to define the time based experience. Services having old experience with the entity in question should have less weight in the peer recommendation. That is, older experience decays with time and has less effect. Therefore we define a threshold time interval. Peer recommenders having old interactions with the entity should have less weight than the others. The confidence level on a trust value will be higher if the recommender had the most recent interaction with the entity. Let θ denote the threshold time interval, and let t and tc denote the time of the last interaction and the current time respectively. The decay function denoted by γ is defined as

$$\gamma(\theta, t_c - t) = \frac{\theta}{\Delta t}, \quad \text{where } \Delta t = t_c - t \quad (3)$$
The threshold time interval θ is a tunable variable and defines the rate of decay. If the recommended trust value was calculated within the threshold time interval then γ will have a value equal to 1, and thus the recommended trust value will have a high weight in the trust calculation. Fig. 2b shows the decay rate when a service considers only the trust values calculated within a month and gives the trust value calculated within the day the highest priority, i.e. θ = 24 hours. Fig. 2a shows the decay function in social relations [4], which highlights the same trend as calculated using the above decay equation with θ = 24 in Fig. 2b. From the figures it is obvious that the rate of decay is fast in the beginning but slows down over time, reflecting the human trait that the longer a relationship survives, the more likely it is that the two people involved develop a stable relationship.
Fig. 2a. Decay of Relations in Humans
Fig. 2b. Decay Function
The greater the number of interactions of the recommending peer service with the entity in question, the greater is the confidence level. Hence, the confidence level on the recommender is directly proportional to the number of interactions it has had with the entity. As the trust value is defined by 0 ≤ tvalue ≤ 1, we require a monotonically increasing function that maps the number of interactions into the range 0 to 1. The function we have used is f(x) = 1 − 1/(x+α), which quickly approaches 1 with increasing x. α is an adjustable positive constant that can be tuned accordingly. The number of interactions n can be normalized using the above function to give the normalized interaction value η, defined as

$$\eta = 1 - \frac{1}{n + 1}, \quad \text{where } 0 \le \eta \le 1 \quad (4)$$
The peer recommendation based trust value calculation, while evaluating the trust value given by a service, takes into account the sensitivity of the service offering the recommendation. For example, a simple scan service has lower sensitivity than a file service and thus has less weight in the recommendation process than the file service. The sensitivity of service Sj is denoted as SSj. Therefore the confidence level (CL) is defined as

$$CL = \eta \cdot SS_j \cdot \gamma, \quad \text{where } 0 \le CL \le 1 \text{ and } 0 \le SS_j \le 1 \quad (5)$$
Recommended trust values from services in other autonomous pervasive environments are computed similarly, as the average of the product of the trust value and the confidence level on that trust value. This provides an aggregated trust value which is specified by the following formulation:

$$T_o(E_i, S_M, t, n_M) = \frac{\sum_{j=1}^{M} T_{value}(E_i, S_j, t, n_j) \cdot CL}{M} \quad (6)$$
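The following Python block implements the reputation evaluator computations just described, equations (2) to (6) together with the α-weighted combination the text gives for (1). It is an added example, not code from the paper's authors: the recommender records, the time unit (hours), θ = 24, and α = 0.7 are constructed values, and holding γ at 1 inside the threshold window follows the text's statement rather than an explicit term in equation (3).

```python
"""Reputation Evaluator computations of the STEP model: decay (3), normalized
interactions (4), confidence level (5), the peer and other-environment
aggregates (2) and (6), and the alpha-weighted combination the text gives for
(1). Added example, not the authors' code; all recommender data is constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class Recommendation:
    """What one recommending service S_j reports about entity E_i."""
    service: str
    trust_value: float        # T_value(E_i, S_j, t, n_j), in [0, 1]
    interactions: int         # n_j: interactions S_j has had with E_i
    sensitivity: float        # SS_j, in [0, 1] (file service > scan service)
    last_interaction: float   # time t of the last interaction (hours, constructed unit)


def decay(theta: float, t_current: float, t_last: float) -> float:
    """Equation (3): gamma = theta / delta_t with delta_t = t_c - t.
    The text says gamma equals 1 when the value was calculated inside the
    threshold window, so the ratio is held at 1 for delta_t <= theta."""
    delta_t = t_current - t_last
    if delta_t < 0:
        raise ValueError("last interaction lies in the future")
    if delta_t <= theta:
        return 1.0
    return theta / delta_t


def normalized_interactions(n: int) -> float:
    """Equation (4): eta = 1 - 1/(n + 1); rises quickly towards 1 with n."""
    if n < 0:
        raise ValueError("interaction count cannot be negative")
    return 1.0 - 1.0 / (n + 1)


def confidence_level(rec: Recommendation, theta: float, t_current: float) -> float:
    """Equation (5): CL = eta * SS_j * gamma, each factor in [0, 1]."""
    if not 0.0 <= rec.sensitivity <= 1.0:
        raise ValueError("sensitivity must lie in [0, 1]")
    return (normalized_interactions(rec.interactions)
            * rec.sensitivity
            * decay(theta, t_current, rec.last_interaction))


def aggregate(recs: List[Recommendation], theta: float, t_current: float) -> float:
    """Equations (2) and (6): average of T_value * CL over the recommenders.
    With no recommenders there is nothing to aggregate; returning 0 is our
    choice (the page's 'ignorance value' for that case is not specified)."""
    if not recs:
        return 0.0
    return sum(r.trust_value * confidence_level(r, theta, t_current) for r in recs) / len(recs)


def recommended_trust(peers: List[Recommendation], others: List[Recommendation],
                      theta: float, t_current: float, alpha: float = 0.7) -> float:
    """T_R = alpha * T_p + (1 - alpha) * T_o, the weighting the text describes
    for equation (1). alpha = 0.7 is an assumed value; the paper only states
    that peer services weigh more than other environments."""
    if not 0.5 <= alpha <= 1.0:
        raise ValueError("alpha must favour peer services")
    return (alpha * aggregate(peers, theta, t_current)
            + (1 - alpha) * aggregate(others, theta, t_current))


# Constructed scenario: theta = 24 h, evaluation at hour 100.
THETA_HOURS = 24.0
NOW = 100.0
PEERS = [
    Recommendation("file-service", 0.8, 9, 1.0, 90.0),   # recent, nine interactions
    Recommendation("scan-service", 0.8, 1, 0.5, 52.0),   # 48 h old, one interaction
]
OTHERS = [
    Recommendation("remote-print", 0.6, 3, 0.5, 100.0),
]


def demo() -> dict:
    """Run the constructed scenario and return every intermediate value."""
    return {
        "cl_file": confidence_level(PEERS[0], THETA_HOURS, NOW),
        "cl_scan": confidence_level(PEERS[1], THETA_HOURS, NOW),
        "T_p": aggregate(PEERS, THETA_HOURS, NOW),
        "T_o": aggregate(OTHERS, THETA_HOURS, NOW),
        "T_R": recommended_trust(PEERS, OTHERS, THETA_HOURS, NOW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:8s} = {value:.4f}")
```

In the constructed run the file service (nine recent interactions, sensitivity 1) contributes CL = 0.9 while the scan service (one interaction two days ago, sensitivity 0.5) contributes only CL = 0.125, so the same reported value 0.8 weighs seven times more from the first recommender. Because every CL factor lies in [0, 1], the aggregate can never exceed the largest trust value received, which is the property Section 8 reports for Figure 3.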
7.3 Performance Interpretation Module
The performance interpretation module is responsible for the evolution process. It evaluates the behavior pattern of the entity involved in an interaction according to its actions, as additional evidence becomes available. After completion, the outcome of the interaction is evaluated and unexpected behaviors are penalized by reducing the system's trust in the entity, thereby reducing the trust value. This module takes the current trust value and the observed outcome as input and returns a new trust value. The value in the 'Trust Level' table of the service for the entity involved in the interaction is replaced by the new trust value Tnew. The trust value depends on:
• The size of the observations available.
• The effect of the most recent interactions, which should be independent of the total number of interactions.
• The performance estimation.
and is defined as

$$T_{new}(P_e, T_{old}) = \frac{P_e + T_{old}}{2} \quad (7)$$

The performance estimation Pe is calculated by taking into account the past behavior.
If the entity has a history of unsuccessful interactions and the outcome of the current interaction is also negative, then it is more probable that the entity is malicious. It should be penalized based on its history by reducing the system's trust in the entity and hence reducing the trust value. But if the entity has a history of successful interactions and its current interaction resulted in a wrong action, then the intention of the entity stays unconfirmed. However, in view of the past behavior, it is more probable that the wrong action was unintentional or accidental. Let Pe denote the performance estimation, defined as:
$$P_e = W\,(I_o + x), \quad \text{where } W = 1 - \frac{US_n}{Total_a} \quad (8)$$

W specifies the historical behavior of the entity. This value tends to zero when the behavior is negative, and tends to 1 when the behavior is positive. USn is the number of negatively performed actions and Totala is the total number of performed interactions. Io is the interpreted value of the outcome of the observed interaction as monitored by the event monitoring module of the system. The outcome of the observed interaction can be positive or negative. The performance interpretation module interprets the outcome of the observed interaction as 1 if positive and 0 if negative.
8 STEP Algorithm Validation We have validated our STEP trust algorithm by calculating the peer recommendation trust value. The trust value is evolved based on a number of interactions in order to demonstrate that the trust formation and evolution correspond suitably with intuitive human judgment. The table in figure 3 illustrates how peer recommended trust value is dependent on the confidence level. Peer recommended trust value is calculated for an entity from a service having a sensitivity level 0.5 and the trust value received has been updated within the last 24 hours. Figure 3 shows that the trust value received from the service having more past experience with the entity has a higher weight in the recommendation process than the one having a lesser number of interactions. It also depicts that the recommended trust value can never be greater than the trust value received until the service has its own interaction with the entity based on which it can form its opinion about the trustworthiness of the entity in question.
Fig. 3. Comparison of recommended trust value according to trust value received and CL
Fig. 4. Comparison of Behavior pattern of an entity evaluated by the trust algorithm
The table in figure 4 illustrates how the trust algorithm evaluates the behavior pattern of an entity involved in interactions according to its actions, as additional evidence becomes available. An entity is permitted to access the service with a variable set of trust levels, and we observe how the trust value evolves against a fixed pattern of outcomes in a set of interactions. Figure 3 shows the general behavior of the system: the occurrence of an unsuccessful interaction reduces the trust value for that entity, whereas a successful interaction results in gaining the system's trust. The system has more confidence that an entity will behave positively if the entity has a higher trust value prior to the interaction than an entity having a lower trust value prior to the interaction. The graph also illustrates that if different entities with assorted recommended trust values show an analogous behavior pattern, their trust values tend to converge to a single point. This signifies that the system forms its own judgment about the entity through its behavior pattern. Based on this judgment, it computes its own trust value and in future assigns permissions to access the service in accordance with the newly evolved trust value. In general, negative behavior converges to 0, declaring an entity completely distrusted, and positive behavior converges to 1, declaring an entity completely trusted, as shown in figure 5.
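The Python block below runs the performance interpretation module of Section 7.3, equations (7) and (8), over a constructed pattern of outcomes in the manner of the Section 8 validation, and maps the result back to the Table 1 levels. It is an added example, not the authors' code. The page leaves two details open, and the choices here are assumptions: the undefined term x in (8) is set to 0, and the interaction just observed is counted in USn and Totala before W is computed.

```python
"""Performance Interpretation Module of STEP (equations (7) and (8)) run over a
constructed sequence of interaction outcomes, with the Table 1 level mapping.
Added example, not the authors' code."""
from typing import List, Tuple

# Table 1 of the paper: (upper bound, level, meaning). A value of exactly 0 is
# level 0 and exactly 1 is level 5; the intervals between map to levels 1..4.
TRUST_LEVELS = [
    (0.25, 1, "High distrust"),
    (0.50, 2, "Low trust"),
    (0.75, 3, "Medium trust"),
    (1.00, 4, "High trust"),
]


def trust_level(value: float) -> Tuple[int, str]:
    """Map a trust value in [0, 1] to its Table 1 level and meaning."""
    if not 0.0 <= value <= 1.0:
        raise ValueError("trust value must lie in [0, 1]")
    if value == 0.0:
        return 0, "Complete distrust"
    if value == 1.0:
        return 5, "Complete trust"
    for upper, level, meaning in TRUST_LEVELS:
        if value < upper:
            return level, meaning
    raise AssertionError("unreachable")


def historical_weight(unsuccessful: int, total: int) -> float:
    """W = 1 - US_n / Total_a from equation (8): 1 for a clean history, 0 when
    every interaction so far was negative. With no history we assume W = 1."""
    if unsuccessful < 0 or unsuccessful > total:
        raise ValueError("inconsistent counters")
    if total == 0:
        return 1.0
    return 1.0 - unsuccessful / total


def performance_estimate(outcome: int, unsuccessful: int, total: int, x: float = 0.0) -> float:
    """P_e = W (I_o + x), equation (8). I_o is 1 for a positive outcome and 0
    for a negative one. The page does not define x; x = 0 is our assumption."""
    if outcome not in (0, 1):
        raise ValueError("I_o must be 0 or 1")
    return historical_weight(unsuccessful, total) * (outcome + x)


def new_trust(t_old: float, p_e: float) -> float:
    """T_new(P_e, T_old) = (P_e + T_old) / 2, equation (7)."""
    return (p_e + t_old) / 2.0


def evolve(initial_trust: float, outcomes: List[int]) -> List[float]:
    """Revise the trust value after each observed outcome and return the
    trajectory. The just-observed interaction is counted in US_n and Total_a
    before W is computed (our reading; the page leaves it open)."""
    trust = initial_trust
    unsuccessful = total = 0
    history = []
    for outcome in outcomes:
        total += 1
        if outcome == 0:
            unsuccessful += 1
        trust = new_trust(trust, performance_estimate(outcome, unsuccessful, total))
        history.append(trust)
    return history


if __name__ == "__main__":
    # Constructed pattern in the style of the Section 8 validation: two entities
    # with different recommended trust values facing the same outcomes.
    pattern = [1, 1, 0, 1, 1, 1, 0, 1, 1, 1]
    for start in (0.9, 0.2):
        path = evolve(start, pattern)
        print(start, [f"{v:.3f}" for v in path], trust_level(path[-1]))
```

With x = 0 a negative outcome always halves the trust value (Pe = 0), while a positive outcome pulls it halfway towards W, so the two trajectories in the demo differ by (0.9 − 0.2)/2^10 after ten interactions: the convergence the paper reads from Figure 4 falls directly out of the averaging in (7).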
Fig. 5. Entity’s behavior (left panel: trust value against number of unsuccessful interactions; right panel: trust value against number of successful interactions)
9 Conclusions In this paper, we proposed an algorithm for the computation of trust in trust based security architecture for a ubiquitous computing environment. The algorithm reflects how we get from a state of ignorance about an entity, to trusting or distrusting it, and how trust is revised during the lifetime of the trust relationship. The calculation of the trust depends upon the peer recommendation and also recommendation from other trusted parties offering services located in other autonomous pervasive environments. It also takes into account the sensitivity of the services offering the recommendation and its time-based evaluation in order to handle bogus recommendations. Trust changes dynamically according to the entity’s behavior thus minimizing human involvement for the security management and hence can be used as the basis for authentication and authorization in ubiquitous computing environment. Through the trust computation, the system handles by itself situations both in which the requesting entity has a past experience with the service and a stranger entity requesting to access the service without any identity and past interaction with the service.
References
1. Kagal, L., Finin, T., Joshi, A.: Trust-Based Security in Pervasive Computing Environments. IEEE Computer (2001)
2. Kagal, L., Undercoffer, J., Perich, F., Joshi, A., Finin, T.: Vigil: Enforcing Security in Ubiquitous Environments. In: Grace Hopper Celebration of Women in Computing 2002 (2002)
3. Gray, E., O’Connell, P., Jensen, C., Weber, S., Seigneur, J.M., Yong, C.: Towards a framework for assessing trust-based admission control in collaborative ad hoc applications (2002)
4. Gambetta, D. (ed.): Trust: making and breaking cooperative relations (1988)
5. Gray, W.D., Altmann, E.M.: Cognitive modeling and human-computer interaction (1999)
6. Burt, R.S.: Decay Functions (August 1999)
A Secure Group Rekeying Scheme with Compromised Node Revocation in Wireless Sensor Networks
Asma Khalid1 and Mukhtar Hussain2
1 College of Signals, National University of Science and Technology, Rawalpindi, Pakistan, [email protected]
2 College of Signals, National University of Science and Technology (NUST), Rawalpindi, Pakistan, [email protected]
Abstract. Security is one of the core concerns in group communication in wireless sensor networks (WSNs). Secure group key management schemes are responsible for the secure distribution of group keys among the valid nodes of a group. We present a secure group re-keying scheme with compromised node revocation in WSNs. The scheme covers the joining and leaving of nodes in a group. As WSNs are exposed to threats, compromised node revocation is a challenging task. Our main focus is the revocation of compromised nodes from a group without re-grouping, and ensuring that once a compromised node is revoked it is unable to join any new group in future. In the scheme, we update the pre-deployed keys as well as the current group keying material, so a compromised node is unable to continue with current or future groups. The scheme is examined to verify its computational and security requirements.
1 Introduction
Wireless sensor networks (WSNs) are currently a significant area of research and offer a viable solution to many different problems. Their applications include industrial monitoring, military tracking, atmosphere monitoring, patient monitoring and many others. A WSN consists of small sensor nodes that have limited computational and communication power, storage capability and bandwidth. As the nodes are power constrained, there is a need for efficient schemes that reduce communication and computational overhead. Group communication is one of the vital applications of WSNs and helps in decreasing the communication overhead [1]. Many techniques have been proposed to address the issues involved in group communication. Most of them work for traditional wired networks but prove infeasible when used in WSNs. Secure group communication (SGC) depends on the secure transmission of the group key among the valid nodes in a group. It involves communication among the nodes which are eligible to receive and send messages to the group. The
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 712–721, 2009. c Springer-Verlag Berlin Heidelberg 2009
information carried in the messages must be of no use to an interloper even if they are able to capture it. The main issue of secure group communication (SGC) is key management. Nodes are continuously leaving and joining the group. Thus, on each departure and each join, a new group key is needed. No new node should be able to obtain the previous group keys, although it is able to derive future keys of the group. Similarly, no departed node should be able to derive future keys from the keys it already had [2]. Thus only legitimate nodes are able to obtain the group key. As sensor nodes in WSNs are set out in hostile environments, they are prone to physical attacks. Nodes can be captured physically, and these compromised nodes can then be used for attacking the network. In SGC, the detection of compromised nodes and their revocation from the group is one of the core concerns that needs to be addressed. A node should be revoked from the group without re-grouping or re-initialization of the group. Also, once a compromised node is revoked, it should not be allowed to participate in other groups in the network. In this paper we address two main issues, re-keying and compromised node revocation, whereas the main issues of SGC are rekeying, scalability, reliability, forward secrecy, backward secrecy, broadcast authentication, compromised node detection and revocation. The rest of the paper is organized as follows: Section 2 covers related work, Section 3 presents the network model, Section 4 details the proposed scheme, Section 5 analyzes the scheme, and Section 6 concludes.
2 Related Work
Secure group communication has been explored extensively in wired networks. But these solutions are not adoptable in wireless sensor networks due to the constraints of the small devices. Thus, secure group communication needs to be re-examined for WSNs. Recently, some work has been done on group key management in WSNs. A few of the techniques involve the use of public key cryptography. Kaya et al. [3] have proposed a scheme which relies on authentication certificates and GPS information of sensor nodes. These certificates are provided to nodes while they are offline. A new node joins the physically closest node, which is determined by the GPS location of the nodes, and authenticates itself with its certificate. After authentication, a secure link is formed through public keys and finally they agree on a session key. This scheme involves computational overhead, as on each hop one encryption and one decryption operation is performed [4]. Chiang et al. [5] have proposed a scheme for group key management that relies on the use of Diffie-Hellman and GPS information. But there is no authentication of users in the scheme, and it does not address the issues of revocation, join and leave procedures [4]. GKMPAN [6] is another probabilistic group rekeying scheme for ad hoc networks. This scheme presents an updating process for the pre-deployed key with the help of a key that is held by the majority of authorized nodes. The scheme depends on a single key server, and thus can fall victim to a single point of failure [4].
Fig. 1. Network model
A cluster-based scheme has been proposed by Guang Hu [7]. It is a distributed key management technique composed of two phases: virtual backbone management and group rekeying. The group key is derived from local secret information. Much work has been done on tree-based group key generation [8] [9]. A logical tree is formed such that its leaves are associated with the users of the group. The group key is the root key and every user holds all keys of its ancestors. The scheme of Wong et al. [8] deals with the scalability issue in group communication and presents three types of rekeying strategies: individual-oriented, group-oriented and key-oriented. Several schemes [2] [10] [11] [12] have been proposed that address self-healing of the packets, so that no re-transmission is required and the nodes themselves can recover lost packets without contacting the key server. Some of these schemes [2] [10] propose time-limited node revocation without contacting the key server. These schemes use one-way hash chains with a session key to produce the group key. But [2] [10] [11] [12] do not address the issue of compromised node revocation. Wang et al. have proposed a key management protocol for wireless sensor networks with multiple base stations [13]. In this scheme, a polynomial is used to produce session keys for multiple base stations. For each rekeying, every revoked node's id needs to be broadcast, and a polynomial is then derived from these ids. Thus, as the number of revoked nodes increases, more communication and computational power is required.
3 Network Model
We assume that nodes collaborate with each other to form a group, so that they are able to access broadcast messages and communicate within the group. There may be many groups in a network, but for ease of presentation we assume one group in a network. The nodes involved in group communication can send a message to the whole group, and only valid group nodes can decrypt it. In the network, the base station (BS) is responsible for generating a group event. The group head (GH) is a node that is responsible for all the key management tasks of a group. It can be selected on the basis of different criteria, such as the node with maximum battery power. There are multiple GH nodes in a group, again selected by the BS. The nodes that come under a GH are at a distance of a single hop from it. Figure 1 shows the network model; the dotted circles show the broadcast range of the GHs. A GH allows a node to join a group if the node is in its vicinity.
4 Proposed Scheme
In this paper we present a group rekeying scheme for wireless sensor networks. The scheme revokes a compromised node without re-initialisation or re-grouping, and non-compromised nodes whose membership has to end are revoked without GH intervention. We first explain the initial key setup.
4.1 Initial Key Setup
The base station generates a pool of n random keys before the network is deployed. Every sensor node v is assigned a set U = {k1, k2, ..., km} of m keys chosen from the pool, and each node is assigned an id. U is generated by a deterministic algorithm from the node id, and every node knows the algorithm, so a node does not need to broadcast its key ids to determine which key it shares with another node. These keys act as key encryption keys (KEKs) for encrypting the messages that carry group key material. If two nodes share a key, a communication path is established between them. All nodes additionally share a secret key with the BS for secure node-to-BS communication.
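The deterministic assignment of the key set U from the node id is not spelled out in the paper. The following Python is an added example, not the authors' code: it derives each node's m pool indices from its id with a public keyed hash (HMAC-SHA256 with a public salt is the assumed algorithm; the pool size n = 200 and m = 20 are assumed values), so that any two nodes can work out which pool key they share from the ids alone, and it uses that to find the direct or indirect key-sharing path to a GH that Section 4.2 relies on. Every name in it is illustrative.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Assumed parameters: the paper fixes neither n, m nor the derivation algorithm.
POOL_SIZE = 200       # n keys in the BS-generated pool
KEYS_PER_NODE = 20    # m keys given to each node
PUBLIC_SALT = b"keypool-index-derivation-v1"  # public constant; the node id selects the keys


def make_key_pool(seed: bytes, n: int = POOL_SIZE) -> List[bytes]:
    """BS side: an n-key pool. Derived from a seed here only so the demo is
    reproducible; a real pool would be random and live only at the BS."""
    return [hmac.new(seed, b"pool-key|%d" % i, hashlib.sha256).digest() for i in range(n)]


def key_indices_for(node_id: int, n: int = POOL_SIZE, m: int = KEYS_PER_NODE) -> List[int]:
    """The public deterministic algorithm every node knows: the node id fully
    determines which m distinct pool indices the node holds."""
    chosen: List[int] = []
    counter = 0
    while len(chosen) < m:
        digest = hmac.new(PUBLIC_SALT, b"%d|%d" % (node_id, counter), hashlib.sha256).digest()
        idx = int.from_bytes(digest[:4], "big") % n
        if idx not in chosen:
            chosen.append(idx)
        counter += 1
    return sorted(chosen)


def node_key_ring(pool: List[bytes], node_id: int) -> Dict[int, bytes]:
    """What node v actually carries: the m pool keys selected by its id."""
    return {i: pool[i] for i in key_indices_for(node_id, len(pool))}


def shared_key_index(node_a: int, node_b: int) -> Optional[int]:
    """Either side runs this with just the two ids: the smallest common pool
    index, or None when the two key rings are disjoint."""
    common = set(key_indices_for(node_a)) & set(key_indices_for(node_b))
    return min(common) if common else None


def find_path_to_gh(node: int, gh: int, members: List[int]) -> Optional[Tuple[str, List[int]]]:
    """Direct key sharing if node and GH hold a common pool key, otherwise
    indirect sharing through one member A that shares a key with both."""
    if shared_key_index(node, gh) is not None:
        return ("direct", [node, gh])
    for a in members:
        if a in (node, gh):
            continue
        if shared_key_index(node, a) is not None and shared_key_index(a, gh) is not None:
            return ("indirect", [node, a, gh])
    return None
```

Because the index derivation is public, an attacker who captures one node learns exactly which other nodes' rings overlap with it; that is the reason Section 4.4 updates the compromised key set in every valid node rather than leaving the pool unchanged.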
4.2 Group Initialization
First of all the BS generates a set of random numbers rn that act as seeds for the hash functions explained below. When a new group is initialised, the BS associates a lifetime l with the group. The group formation phase is not discussed in this paper. A group can have multiple GHs. The BS picks two random numbers S0F and S0B and the group lifetime l and sends them to all GHs of the group over a secure channel. On receiving the random values, a GH generates two hash chains (a bi-hash chain) of length l: a forward chain seeded with S0F and a backward chain seeded with S0B:

forward hash chain: {S0F, H(S0F), ..., H^i(S0F), ..., H^(l−1)(S0F), H^l(S0F)}
backward hash chain: {S0B, H(S0B), ..., H^i(S0B), ..., H^(l−1)(S0B), H^l(S0B)}

During group initialisation the lifetime l is divided into s sessions, as shown in Figure 2. A node that shares a key with the GH is eligible to become a group member.

Fig. 2. Life period of a node

A path between the node and the GH can then be established in one of two modes, direct key sharing and indirect key sharing.
Direct key sharing: if node A shares a key with the GH, it replies directly to the GH with the id of the key they share.
Indirect key sharing: if node B does not share a key with the GH, it uses another node A that shares a key both with the GH and with B; A helps to establish a shared secret key between B and the GH.
The group key material is unicast to every node through this secure channel. The message patterns are:

GH → ∗ : e, idGH, MAC(e, idGH)
A → GH : idA, idK_{A,GH}, MAC(K_{A,GH}, idA, idGH)

where e is the group creation event, idA and idGH are the ids of node A and the GH, and K_{A,GH} is the key shared between A and the GH. Once the secret channel between A and the GH is set up, the GH sends the group key information to the node. The GH assigns a prearranged lifetime (t1, t2) to every node participating in the group, with t1 > 1 and t2 < l; a node can take part in group communication only until its lifetime expires. Once the group is formed, the GH produces a random session key SKi for each session i and broadcasts it at the start of that session: SKi is encrypted with the XOR of the forward and backward hash values of that session, H^i(S0F) ⊕ H^(l−i)(S0B), and then broadcast to the group. On receiving the message, a node that possesses the hash values of that session XORs the two values and recovers the key. The group key is generated by combining the session key with both hashes:

Kg = H^(l−t1)(S0B) + H^(t1)(S0F) + SKi

4.3 Node Revocation
This scheme gives time-restricted node revocation: a node can take part in the group only during its life period. Once its life period has expired it can no longer generate the decryption key for the current session, so it is revoked from the group automatically, without any action by the GH.
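The bi-hash chain of Section 4.2, the time-limited revocation of Section 4.3 and the forward and backward secrecy arguments of Sections 5.1 and 5.2 can be exercised with the following Python. It is an added example, not code from the paper: SHA-256 stands in for H, the lifetime l = 8 is an assumed value, the GroupHead and Member classes are illustrative, and the group key is formed by hashing the concatenation of the two chain values and SKi (the paper only writes "+").

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

LIFETIME = 8  # l: the group's lifetime in sessions (assumed value for the demo)


def H(x: bytes) -> bytes:
    """The one-way hash; SHA-256 is assumed (the paper leaves H unspecified)."""
    return hashlib.sha256(x).digest()


def H_iter(x: bytes, k: int) -> bytes:
    """H^k(x): apply H k times."""
    for _ in range(k):
        x = H(x)
    return x


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


class GroupHead:
    """GH side: holds both seeds S0F and S0B received from the BS."""

    def __init__(self, s0f: bytes, s0b: bytes, l: int = LIFETIME):
        self.s0f, self.s0b, self.l = s0f, s0b, l
        self.session_keys: Dict[int, bytes] = {}

    def forward(self, i: int) -> bytes:   # H^i(S0F), the forward value of session i
        return H_iter(self.s0f, i)

    def backward(self, i: int) -> bytes:  # H^(l-i)(S0B), the backward value of session i
        return H_iter(self.s0b, self.l - i)

    def enrol(self, t1: int, t2: int) -> Tuple[int, int, bytes, bytes]:
        """Material unicast to a node with lifetime (t1, t2), t1 > 1 and t2 < l:
        H^t1(S0F) lets it hash forward to any session >= t1, and
        H^(l-t2)(S0B) lets it hash forward to any session <= t2."""
        assert 1 < t1 <= t2 < self.l
        return t1, t2, self.forward(t1), self.backward(t2)

    def broadcast_session(self, i: int) -> Tuple[int, bytes]:
        """Start of session i: SK_i masked with H^i(S0F) XOR H^(l-i)(S0B)."""
        sk = os.urandom(32)
        self.session_keys[i] = sk
        return i, xor(sk, xor(self.forward(i), self.backward(i)))


class Member:
    """Node side: only the two chain values for its own lifetime window."""

    def __init__(self, t1: int, t2: int, fwd_t1: bytes, bwd_t2: bytes):
        self.t1, self.t2, self.fwd_t1, self.bwd_t2 = t1, t2, fwd_t1, bwd_t2

    def mask_for(self, i: int) -> Optional[bytes]:
        # Hashing only runs forward: session i needs i - t1 >= 0 steps on the
        # forward chain and t2 - i >= 0 steps on the backward chain. Outside
        # (t1, t2) one of the two values is out of reach, so no key is recoverable.
        if i < self.t1 or i > self.t2:
            return None
        return xor(H_iter(self.fwd_t1, i - self.t1), H_iter(self.bwd_t2, self.t2 - i))

    def recover_session_key(self, i: int, masked: bytes) -> Optional[bytes]:
        m = self.mask_for(i)
        return None if m is None else xor(masked, m)


def group_key(fwd_i: bytes, bwd_i: bytes, sk_i: bytes) -> bytes:
    """Kg from the two hash values of the session and SK_i; hashing the
    concatenation is the assumption made here for the paper's '+'."""
    return H(fwd_i + bwd_i + sk_i)
```

A member with lifetime (2, 5) recovers SK3 and SK5 but gets nothing for session 6 (the backward value H^(l−6)(S0B) would require inverting H) or session 1 (the forward value H^1(S0F) likewise), which is exactly the forward and backward secrecy the analysis claims.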
A Secure Group Rekeying Scheme with Compromised Node Revocation
4.4 Compromised Node Revocation
When a node in a group is compromised, it must no longer be able to obtain the group key and decrypt group messages. One way to stop a compromised node from participating is to dissolve the existing group and form a new one, but this is inefficient. A compromised node that has been revoked from a group should also be unable to join any new group. This could be achieved by removing the compromised pre-deployed keys from all nodes, but destroying every compromised key is not a sensible solution and the scheme would no longer scale. In our scheme, instead of deleting the keys, we update the compromised key set in all valid nodes. To avoid re-grouping, all group material, including the hash values of the current session and the session key, is updated as well. A secret renew key Kr, produced with the help of polynomials, is used to update the keying material. Once the BS detects a compromised node in a group, it uses an n-degree polynomial

F(x) = a0 + a1 x + a2 x^2 + ... + an x^n

Each node v, including the GH, holds its own secret random value SECv together with F(SECv), both pre-loaded before deployment. Detection of compromised nodes is outside the scope of our scheme. After a compromised node is detected, the BS randomly chooses another n-degree polynomial

s(x) = b0 + b1 x + b2 x^2 + ... + bn x^n

and picks a random number that serves as the renew key Kr for updating the keying material. The BS also generates the polynomial t(x) = Kr − s(x). To prevent the compromised node c from obtaining the renew key, the BS computes a revocation polynomial from the secret SECc of the compromised node:

r(x) = x − SECc
From these polynomials the BS builds a broadcast message that carries the id and the secret of the compromised node and two polynomials:

BS → ∗ : SECc, idc, w, S(x), T(x), MAC(SECc, idc, w, S(x), T(x))

where S(x) = r(x)·s(x) − F(x) and T(x) = r(x)·t(x) − F(x), and w is the session, explained below. Any valid node v can extract s(SECv) and t(SECv) from the message, since it knows F(SECv) and can evaluate S(SECv) and T(SECv), while r(SECv) = SECv − SECc can be computed from the secret SECc broadcast by the BS:

s(SECv) = [S(SECv) + F(SECv)] ÷ r(SECv)
t(SECv) = [T(SECv) + F(SECv)] ÷ r(SECv)

The compromised node c, however, cannot compute the two values, because r(SECc) = SECc − SECc = 0. Having computed s(SECv) and t(SECv), a node obtains the renew key as Kr = s(SECv) + t(SECv). Figure 3 illustrates this with an example.

Fig. 3. Example for computing renew key

On obtaining the renew key Kr, every node refreshes its pre-deployed keys by applying a pseudo-random function:

Ki' = f_Kr(Ki)

The compromised node does not have Kr, so it cannot update its keys; once revoked, it can therefore never attach to a new group. Besides future groups, it must also be withdrawn from the existing group and barred from further communication. To revoke node c from the current group, the forward and backward hash values of the ongoing session are also updated:

H^w(S0F)' = f(H^w(S0F), Kr)
H^(l−w)(S0B)' = f(H^(l−w)(S0B), Kr)

The forward and backward hash chains for future sessions are then produced by applying the one-way hash to the new values. Kr is discarded after use. Computational overhead is reduced because no group renewal is needed: the GH generates a new hash chain after updating the hash values of the session, and all other nodes derive their own new chains without contacting the GH or the BS. The value w in the broadcast message identifies the session whose hash values are updated, so that a node receiving a delayed message can still compute the new session hash values. If a GH is compromised, the BS selects another node as GH of that cluster, and the nodes under the compromised GH are told to join the new GH for the remaining sessions of the group.
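The polynomial construction of Section 4.4 in Python, as an added example rather than the authors' code. It assumes all arithmetic is in GF(P) for a public prime P (the paper names no field) and that f(·, Kr) is HMAC-SHA256 keyed with Kr; the broadcast's MAC is omitted because the paper does not say which key authenticates it (Section 4.6). The BaseStation class and the function names are illustrative. Note that decoding works for every pre-loaded node because t(x) = Kr − s(x) makes s(x) + t(x) constant, and fails for node c only because r(SECc) = 0; a node without the correct F(SECv) recovers a wrong value rather than an error.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Assumed: polynomial arithmetic is done in GF(P) for a public prime P. The paper
# does not name the field; the Mersenne prime 2^61 - 1 is used here for convenience.
P = (1 << 61) - 1
Poly = List[int]  # coefficients a_0, a_1, ..., a_n (lowest degree first)


def poly_eval(coeffs: Poly, x: int) -> int:
    """Horner evaluation of a_0 + a_1 x + ... + a_n x^n mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def poly_mul(a: Poly, b: Poly) -> Poly:
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def poly_sub(a: Poly, b: Poly) -> Poly:
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x - y) % P for x, y in zip(a, b)]


def random_poly(degree: int) -> Poly:
    return [secrets.randbelow(P) for _ in range(degree + 1)]


class BaseStation:
    def __init__(self, degree: int):
        self.degree = degree
        self.F = random_poly(degree)            # F(x), fixed before deployment

    def preload(self) -> Tuple[int, int]:
        """Pre-deployment: a node gets its secret SEC_v and the point F(SEC_v)."""
        sec = secrets.randbelow(P - 1) + 1
        return sec, poly_eval(self.F, sec)

    def revoke(self, sec_c: int, id_c: int, w: int):
        """Revocation broadcast (SEC_c, id_c, w, S(x), T(x)). Kr is returned as well
        only so a caller can check what honest nodes recover; the BS never sends it."""
        s = random_poly(self.degree)
        kr = secrets.randbelow(P)
        t = poly_sub([kr], s)                   # t(x) = Kr - s(x)
        r = [(-sec_c) % P, 1]                   # r(x) = x - SEC_c
        S = poly_sub(poly_mul(r, s), self.F)    # S(x) = r(x) s(x) - F(x)
        T = poly_sub(poly_mul(r, t), self.F)    # T(x) = r(x) t(x) - F(x)
        return (sec_c, id_c, w, S, T), kr


def recover_renew_key(sec_v: int, f_sec_v: int, msg) -> Optional[int]:
    """Node side: s(SEC_v) = (S(SEC_v) + F(SEC_v)) / r(SEC_v), likewise t; Kr = s + t."""
    sec_c, _id_c, _w, S, T = msg
    r_v = (sec_v - sec_c) % P
    if r_v == 0:
        return None                             # the compromised node itself: r(SEC_c) = 0
    inv = pow(r_v, P - 2, P)                    # division in GF(P) via Fermat inverse
    s_v = (poly_eval(S, sec_v) + f_sec_v) * inv % P
    t_v = (poly_eval(T, sec_v) + f_sec_v) * inv % P
    return (s_v + t_v) % P


def refresh(value: bytes, kr: int) -> bytes:
    """f(value, Kr), used for K_i' = f_Kr(K_i) and for the session hash values;
    HMAC-SHA256 keyed with Kr is the pseudo-random function assumed here."""
    return hmac.new(kr.to_bytes(8, "big"), value, hashlib.sha256).digest()
```

The broadcast reveals SECc to everyone, which is harmless only because SECc is never used again; the revocation message itself still needs the broadcast authentication of Section 4.6, otherwise anyone can push a bogus (S(x), T(x)) pair and desynchronise the group's key material.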
4.5 Node Addition
When a new node sends a join request, a secret key between the GH and the node is first selected. Once the secret channel is established, the GH unicasts to the new node the forward and backward hash values corresponding to the lifetime allocated to the node, together with the current session key.
4.6 Broadcast Authentication
Our scheme does not address broadcast authentication, but it is a crucial matter: an adversary could otherwise send false compromised-node revocation messages, so the sender must be authenticated. This can be done with μTESLA [14].
5 Analysis
5.1 Forward Secrecy
When a node is revoked from the group, it must be unable to compute future group keys from the keys it held as a legitimate member. In our scheme, a node revoked at session z cannot obtain the group keys of any session ≥ z + 1: it can still compute the forward chain value H^(z+1)(S0F) beyond session z, but it cannot compute the backward hash H^(l−z−1)(S0B) of session z + 1, and both values are needed to recover SKz+1. Forward secrecy is thus achieved by the bi-hash chains.
A. Khalid and M. Hussain
5.2 Backward Secrecy
A node that joins the group at session w must be unable to compute earlier group keys from the keys it receives. On joining at session w it is given H^w(S0F) and H^(l−w)(S0B). To derive a previous group key it would need a forward-chain value from before session w, but computing H^(w−1)(S0F) from H^w(S0F) is computationally infeasible because H is one-way.
5.3 Compromised Node Revocation
When a compromised node is detected it must be revoked from the group without re-initialisation, to keep communication and computational overhead low. To revoke it, a polynomial is used to produce the renew key Kr that updates the keying material. To compute Kr, each node v evaluates r(x), S(x) and T(x) at x = SECv. This takes 3t multiplications and two divisions, each of which costs about as much as a multiplication, so each node needs (3t + 2) multiplications in total to obtain Kr, where t is the degree of the polynomials. This computation is required only when a compromised node is revoked; other nodes are revoked automatically when their lifetime expires. In the scheme of Wang et al. [13], by contrast, the BS broadcasts the ids of all revoked nodes in every rekeying message, which increases message size and bandwidth consumption, and each node must build a polynomial from the revoked node ids to establish the session key, so the computation grows with the length of the revocation list. In our scheme the session key does not depend on revoked node ids: a compromised node's secret is broadcast once, and is not broadcast again at later revocations. This reduces both computation and communication overhead.
6 Conclusion
We have presented an efficient group rekeying scheme for wireless sensor networks. The analysis shows that the scheme is secure and economical in both computation and communication. Nodes are revoked without GH intervention, and the lifetime associated with each node provides forward and backward secrecy. When a compromised node is detected, a polynomial is used, instead of re-grouping, to produce a renew key Kr that updates all keying material, including the pre-deployed keys. Because the pre-deployed keys are updated rather than discarded, the scheme remains scalable. The compromised node cannot compute the renew key, and the communication and computation that re-grouping would require are avoided. A group has multiple GHs, which reduces the overhead a single GH would incur.
References
1. Wang, Y., Ramamurthy, B.: Group rekeying schemes for secure group communication in wireless sensor networks. In: IEEE International Conference on Communications (ICC 2007), pp. 3419–3424 (2007)
2. Kausar, F., Hussain, S., Park, J.-H., Masood, A.: Secure group communication with self-healing and rekeying in wireless sensor networks. In: Zhang, H., Olariu, S., Cao, J., Johnson, D.B. (eds.) MSN 2007. LNCS, vol. 4864, pp. 737–748. Springer, Heidelberg (2007)
3. Kaya, T., Lin, G., Noubir, G., Yilmaz, A.: Secure multicast groups on ad hoc networks. In: SASN 2003: Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, Virginia, pp. 94–102. ACM Press, New York (2003)
4. Uzun, E.: Survey report on group key distribution schemes for secure multicast in mobile ad hoc networks (2004)
5. Chiang, T.C., Huang, Y.M.: Group keys and the multicast security in ad hoc networks. In: Parallel Processing Workshops, International Conference on Parallel Processing, p. 385 (2003)
6. Zhu, S., Setia, S., Xu, S., Jajodia, S.: GKMPAN: An efficient group rekeying scheme for secure multicast in ad-hoc networks. In: Proc. of MobiQuitous 2004, pp. 42–51. IEEE, Los Alamitos (2004)
7. Hu, G., Kuang, X., Gong, Z.: A cluster-based group rekeying algorithm in mobile ad hoc networks. In: ICCNMC, pp. 344–353 (2005)
8. Wong, C.K., Gouda, M., Lam, S.S.: Secure group communications using key graphs. IEEE/ACM Transactions on Networking, 68–79 (1998)
9. Yang, Y.R., Li, X.S., Zhang, X.B., Lam, S.S.: Reliable group rekeying: a performance analysis. In: Proceedings of ACM SIGCOMM 2001, pp. 27–38 (2001)
10. Jiang, Y., Lin, C., Shi, M., Shen, X.: Self-healing group key distribution with time-limited node revocation for wireless sensor networks. Ad Hoc Networks 5(1), 14–23 (2007)
11. Liu, D., Ning, P., Sun, K.: Efficient self-healing group key distribution with revocation capability. In: Proc. of the 10th ACM Conference on Computer and Communications Security (CCS 2003), pp. 231–240 (2003)
12. Dutta, R., Chang, E.-C., Mukhopadhyay, S.: Efficient self-healing key distribution with revocation for wireless sensor networks using one way key chains. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 385–400. Springer, Heidelberg (2007)
13. Wang, Y., Ramamurthy, B., Xue, Y.: A key management protocol for wireless sensor networks with multiple base stations. In: ICC, pp. 1625–1629. IEEE, Los Alamitos (2008)
14. Perrig, A., Szewczyk, R., Wen, V., Culler, D., Tygar, J.D.: SPINS: Security protocols for sensor networks. Wireless Networks, 189–199 (2001)
Fault Tolerant Secure Routing in Cluster Based Mobile Sensor Networks
Usama Ahmed, Muhammad Arif Wahla, and Firdous Kausar
Department of Information Security, University of Science and Technology, Rawalpindi, Pakistan
[email protected], [email protected], [email protected]
Abstract. This paper presents a Fault Tolerant Secure Routing scheme (FTSR-MSN) for cluster-based Mobile Sensor Networks. Mobility in sensor networks has not only expanded their role but has also given a new dimension to every related research area, and extra vigilance and new approaches are required to address the concerns it raises. We therefore present a secure routing scheme that takes mobility into account, along with hop count, when creating multiple paths to the destination, thus providing a fail-safe mechanism for data delivery. The proposed scheme is not only secure against the threat models considered but also provides reliability and fault tolerance in MSNs.
Keywords: Mobility, Security, Routing, Fault tolerance.
1 Introduction
Mobile sensor networks have given researchers a whole new dimension and new challenges. In a mobile networked environment link breaks are more frequent than in static networks, because nodes may move to other locations as the application requires; hence more reliability is needed along the route to the destination. Since sensor networks are deployed in many different, often hostile, environments, a considered security approach must be taken in designing a routing protocol, besides the conventional factors of reduced overhead, scalability, reliability, loss response and power consumption. Our motivation is to design a routing protocol for those MSNs that use a time-synchronised [1], [2], [3], cluster-based approach in which the Cluster Head (CH) is responsible for aggregating and routing information to the Base Station (BS). It is of foremost concern that up-to-date routing information is always present in the network and that no information is routed that could cause repudiation or loss of data integrity. We therefore devise a routing protocol that offers reliability, an improved error control mechanism and better link repair at low overhead. The cost of routing a packet is derived from the mobility across the shortest possible path, without compromising on security.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 722–731, 2009. © Springer-Verlag Berlin Heidelberg 2009
The rest of the paper is structured as follows: Section 2 explains the previous work and its limitations to achieve the desired goals. Section 3 gives an overview of assumptions regarding the current scheme. Section 4 explains FTSR-MSN. Section 5 gives the analysis of the proposed scheme and finally there is the conclusion and future work.
2 Related Work
Little effort has been made to address the issues specific to MSNs, one reason being that the assumption of a static network simplifies clustering and routing protocols. Routing protocols developed for MANETs are strong candidates for MSNs, since the two are similar except for the resource scarcity of MSNs; that restriction prevents MANET protocols from being used in sensor networks without modification. The IETF points out the shortcomings of MANET protocols and states suitability requirements for such low-power networks [4]. Despite the research carried out on routing protocols for MSNs, we still lack a standardised, efficient and secure routing algorithm that addresses path finding, route creation, route preservation and route re-creation while avoiding abrupt degradation. The algorithm must also cater for the security concerns raised by mobility and deployment in hostile environments, with maximum fault tolerance for a minimum amount of resources. Arboleda and Nasser have proposed a routing protocol for cluster-based mobile sensor networks [5]. It uses zone-based information and a cluster-like communication pattern and has two phases, route creation and route preservation: route creation builds a route from source to destination whenever one is required, and route preservation maintains routes that have broken. The widely studied Ad hoc On-demand Distance Vector routing protocol (AODV) [6] and its multipath variant, Ad hoc On-demand Multipath Distance Vector routing (AOMDV) [7], use a monotonically increasing sequence number to avoid routing loops. A node that wants to send data broadcasts a control packet (RREQ) to find a route to the destination.
AOMDV differs in that it adds the ID of the neighbour in an additional FIRST_HOP field of the RREQ and unicasts the RREQ to each neighbour, which yields multiple link-disjoint paths from source to destination. Intermediate nodes that receive the RREQ verify the sequence number, establish a reverse path to the sender and forward the packet to the next hop after incrementing the hop count. On receiving the RREQ the destination generates a RREP and unicasts it along the reverse path to the source. Alternatively, if an intermediate node receiving the RREQ has a valid and fresh route to the destination, it generates the RREP itself and notifies the destination only if the gratuitous flag is set. This mechanism has strong security implications [14], which SAODV [15] avoids by introducing a double signature extension of the RREQ; the cost of computing the double signature extension is, however, unbearable for sensor networks. The only route selection criterion for a node in AODV and AOMDV is the freshest path with the lowest hop count, whereas in low-power networks the cost of routing should be based on parameters that reflect the nodes' capability to forward data [4]. Link repair and maintenance is carried out whenever a route fails: the control message RERR is broadcast by the affected node to all its neighbours, which results in global re-optimisation of the network [4], and local repair is executed if required. The resulting cost of reporting an error is tremendous and not affordable in sensor networks.
3 Preliminaries
FTSR-MSN makes the following assumptions to facilitate the design.
• The network is time-synchronised and cluster based. Each operation in the network (cluster formation, CH election, sensing, nodes leaving or joining the network or a cluster) is governed by time. Synchronisation may be network-wide, by broadcasting synchronisation information [8], or cluster-level, by keeping local synchronisation settings [9], [10].
• All sensors are location aware. The sensor field is divided into m × n square zones, and each sensor knows its zone id IDZ. Here cluster and zone are used interchangeably. More on GPS-based and GPS-free localisation schemes can be found in [11], [12]. A detailed list of acronyms and abbreviations is given in Table 1.
• Secret keys are already exchanged. The scheme relies on each cluster head sharing a group key with its neighbouring cluster heads [13] and a pairwise key with the base station. The cluster heads are responsible for communication between their member nodes and for aggregating and routing data to the base station.
• All nodes in the network are mobile, and each node knows its exact location (Xt, Yt), velocity (VXt, VYt) and acceleration (AXt, AYt) in the x and y directions. The cluster head is the least mobile node in its cluster.

Table 1. Acronyms and meanings
AODV   Ad hoc On-demand Distance Vector
AOMDV  Ad hoc On-demand Multipath Distance Vector
SAODV  Secure AODV
M.F    Mobility Factor
Ct     Cluster changes in time t
Mt     Total moves in time t
CH     Cluster Head
CHi    Cluster Head i
HC     Hop Count
IDS    Source ID
IDBS   Base Station ID
IDZ    Zone ID
AHC    Advertised Hop Count
MAC    Message Authentication Code
SEQ    Sequence Number
4 Proposed Scheme
FTSR-MSN is derived from the AOMDV protocol [7]. Mobility is an important factor and must be taken into account when creating a reliable path between the source and the base station; it determines the cost of each path. The mobility factor is calculated locally at each node as

M.F = Ct / Mt   (1)

where Mt is the number of moves in time t and Ct is the number of cluster changes in time t; Mt is always greater than Ct. The sensor network is divided into square zones, so each CH has at most eight neighbouring cluster heads. This restriction has a significant security implication, discussed in Section 5. The protocol consists of the following phases.
4.1 Local Information and Connectivity
Besides other mandatory information, each node in a cluster maintains its ZONE_ID and CH_ID. A CH additionally keeps information about the nodes in its cluster, its neighbours and the routes in its routing table. Cluster heads maintain connectivity with their neighbours using HELLO messages. A HELLO message is signed by computing a MAC with the group key the CH shares with its neighbours; the MAC can be computed with a keyed hash function [16]:

CHA → ∗ : {IDA, IDZ, nonceA} || MAC{IDA, IDZ, nonceA}KGA

where nonceA is a random number generated by CHA. Each neighbour replies to the HELLO message, including nonceA and computing the MAC with the group key it shares with CHA. This confirms that the link is bidirectional and prevents CHA from accepting false HELLO replies to HELLOs it never sent. The HELLO reply from CHB, a neighbour of CHA, is:

CHB → CHA : {IDB, IDZ, nonceA} || MAC{IDB, IDZ, nonceA}KGB

4.2 Route Discovery
When data has to be sent, the source CHS checks its routing table for a valid route to the destination; a valid route entry is one whose timer has not expired. If there is no valid route, it starts the discovery process by generating a RREQ with its
MF added to it, computes a MAC over the immutable fields of the RREQ using the pairwise key it shares with the base station, and unicasts it to its immediate neighbours. The RREQ format is:

CHS → CHA : {IDS, IDBS, IDZ, SEQ, FIRST_HOP, AHC, MF} || MAC{IDS, IDBS, IDZ, SEQ}KSBS

On receiving the request, a neighbour checks the validity of the RREQ by verifying that the sender is in its neighbour list and compares it with any valid route entry to the destination with the same source id IDS and FIRST_HOP. If there is no valid entry, the receiving node updates the MF and HC fields of the RREQ: MF is updated by multiplying its own MF with the received one, and HC is incremented by one. It then establishes a reverse path to the sender, updates its routing table and broadcasts the RREQ to its neighbours. The routing table has the following layout:

Destination | SEQ NO. | AHC | Path List | MAC
Path List: (Next Hop 1, Hop Count 1, Last Hop, Timer, Mobility), (Next Hop 2, Hop Count 2, Last Hop, Timer, Mobility), ..., (Next Hop n, Hop Count n, Last Hop, Timer, Mobility)

Fig. 1. Routing table
When the request reaches the base station BS, it establishes a reverse path to the sender, verifies that the RREQs were received through link-disjoint paths [7], and generates a RREP, signed in the same way as the RREQ with the key shared with the source, for every RREQ received via a different exit node. Exit nodes are the one-hop neighbours of the BS. Here the source is the initiator of the RREQ and the sender is the node that relays the received message to its next hop. The RREP follows the same procedure on its way to the source: an intermediate node receiving a RREP verifies the previous node, constructs a forward path, updates the HC and MF information in the RREP and, if necessary, in its routing table, and forwards it along a reverse path not already used for another RREP; otherwise the RREP is discarded. All RREPs following link-disjoint paths are treated the same way. Route discovery finishes when PATH_DISCOVERY_TIME expires or the node has k valid RREPs in its routing table, whichever comes first. After route discovery the source ends up with more than one RREP, each corresponding to a different link-disjoint path to the destination. The path with the least MF is marked as primary and the remaining (k − 1) paths as secondary, and all of them constitute valid routes to the destination.

Fig. 2. Link repair mechanism (path S → A → B → C → D)

4.3 Intermediate Node Reply
If an intermediate node receiving a RREQ has a valid and fresh route to the destination, it stores a copy of the RREQ, establishes a reverse path to the previous node, stops broadcasting the RREQ further and unicasts the RREQ to the BS. The BS generates a RREP addressed to the source over the same available path, and the intermediate node receiving the RREP forwards it along the established reverse path.
4.4 Path Update Procedure
A path lifetime is set for each valid path in the routing table; node S discards a path when its timer expires and the neighbour fails to reply to the HELLO message. A path update is triggered whenever a path is received with a larger sequence number or with both a lower MF and a lower HC. A node does not replace a path it is currently using to send data, however: the new path is held in a waiting queue and installed once the node has finished using the path to be replaced. An update of the path information also resets the path expiry timer.
4.5 Path Repair and Error Report Mechanism
Local link repair is enabled at intermediate nodes as follows. Suppose CHS is using the link-disjoint path CHS → CHA → CHB → CHC → CHD → BS to deliver data to the BS (Fig. 2) and the link CHB → CHC breaks. There are two possible causes.
1. CHC is dead.
− Local repair at cluster level: a new CH is selected. The time to select a new CH must not exceed (MAX_HELLO_LOSS × HELLO_INTERVAL); otherwise the path is marked invalid and CHB initiates path discovery.
− CHB unicasts a RERR to CHS, and CHD informs the BS.
− Link restoration leads to a route update at both CHB and CHD.
2. Node CHC has moved out of range of node CHB but is still in range of its member nodes.
− CHB unicasts a RERR packet to S and to any other node currently sending data, so that they stop transmitting before the route is marked invalid.
− CHC generates a RERR to the BS reporting the link break.
− CHB marks all routes in its routing table that use CHB → CHC as next hop INACTIVE.
− CHB stops responding to the HELLO packets of all nodes that have CHB → CHC as next hop, until the route to the BS is repaired within the (MAX_HELLO_LOSS × HELLO_INTERVAL) time limit; if instead HELLO packets are lost up to MAX_HELLO_LOSS, each neighbour marks the route invalid.
− Initiating route repair is the responsibility of CHB, the intermediate node towards the source. The path is updated at CHB once the link is restored.
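The RREQ handling of Sections 4.2 to 4.4 and the sequence-number argument of Section 5.2 as an added Python example; this is not the authors' code. Assumptions: HMAC-SHA256 is the MAC, K_SBS is a constructed demo key, the BS tells link-disjoint copies of one RREQ apart by their FIRST_HOP field, and the RREQ, BaseStation, relay and select_primary names are illustrative.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

K_SBS = b"constructed-demo-pairwise-key-CHS-BS"   # pairwise key of the source CH and the BS


@dataclass(frozen=True)
class RREQ:
    id_s: int
    id_bs: int
    id_z: int
    seq: int
    first_hop: int
    ahc: int        # mutable: hop count, incremented at every hop
    mf: float       # mutable: accumulated mobility factor along the path
    mac: bytes      # computed over the immutable fields only


def mobility_factor(cluster_changes: int, moves: int) -> float:
    """Eq. (1): M.F = C_t / M_t with M_t > C_t, so 0 <= M.F < 1."""
    if not moves > cluster_changes >= 0:
        raise ValueError("M_t must exceed C_t")
    return cluster_changes / moves


def rreq_mac(key: bytes, id_s: int, id_bs: int, id_z: int, seq: int) -> bytes:
    return hmac.new(key, b"%d|%d|%d|%d" % (id_s, id_bs, id_z, seq), hashlib.sha256).digest()


def originate(id_s: int, id_bs: int, id_z: int, seq: int, first_hop: int, own_mf: float) -> RREQ:
    """Source CH: MAC over (IDS, IDBS, IDZ, SEQ) with K_SBS; AHC starts at 0."""
    return RREQ(id_s, id_bs, id_z, seq, first_hop, 0, own_mf,
                rreq_mac(K_SBS, id_s, id_bs, id_z, seq))


def relay(rreq: RREQ, sender: int, neighbours: Set[int], own_mf: float) -> Optional[RREQ]:
    """Intermediate CH: accept only from a verified neighbour, then multiply MF and
    increment HC. Both fields sit outside the MAC, which is what lets them change."""
    if sender not in neighbours:
        return None
    return RREQ(rreq.id_s, rreq.id_bs, rreq.id_z, rreq.seq, rreq.first_hop,
                rreq.ahc + 1, rreq.mf * own_mf, rreq.mac)


class BaseStation:
    def __init__(self, key: bytes = K_SBS):
        self.key = key
        # per source: newest SEQ seen and the FIRST_HOPs (link-disjoint copies) already answered
        self.seen: Dict[int, Tuple[int, Set[int]]] = {}

    def accept(self, rreq: RREQ) -> bool:
        """Verify the MAC, drop stale sequence numbers, and answer each SEQ once per
        link-disjoint copy; a replay of an already answered copy is dropped."""
        expected = rreq_mac(self.key, rreq.id_s, rreq.id_bs, rreq.id_z, rreq.seq)
        if not hmac.compare_digest(expected, rreq.mac):
            return False
        last_seq, hops = self.seen.get(rreq.id_s, (-1, set()))
        if rreq.seq < last_seq:
            return False
        if rreq.seq == last_seq and rreq.first_hop in hops:
            return False
        if rreq.seq > last_seq:
            hops = set()
        hops.add(rreq.first_hop)
        self.seen[rreq.id_s] = (rreq.seq, hops)
        return True


def select_primary(paths: Dict[str, float]) -> str:
    """Of the k link-disjoint paths the source collected, the least accumulated MF is primary."""
    return min(paths, key=paths.__getitem__)
```

Because AHC and MF are deliberately left outside the MAC so that intermediate CHs can update them, a CH on the path can understate its own mobility to attract the primary path; the MAC protects SEQ and the identities, not the cost metric, and the scheme accepts that trade-off.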
5 Analysis
We analyse the performance of FTSR-MSN with respect to the features it offers.
5.1 Fault Tolerance
Selecting multiple paths to a destination has two advantages. First, it gives the source a fail-safe route, so that failure of the primary path does not trigger a new path discovery; the source can always use the (k − 1) secondary paths that are readily available. Second, it has a strong security implication, described below. Multiple path selection thus gives FTSR-MSN a high level of fault tolerance. The link repair and maintenance mechanism adds another level of fault tolerance. One cause of link breaks is energy starvation of a CH on the path to the destination. The underlying clustering mechanism elects a new CH within the specified time interval, and the path remains active because all communication is addressed to the cluster rather than to a specific node. This stops a link break from propagating through the entire network and affecting every route that uses the cluster. In terms of error reporting, FTSR-MSN only generates local error messages, confined to the nodes that are actively using the broken link for data delivery. This prevents error messages from spreading and changing the topology globally across the network, and gives FTSR-MSN the advantage of very little control traffic. Another requirement of routing protocols for low-power networks is that hop count must not be the only metric for the cost of a path [7]. FTSR-MSN chooses the path for data delivery on the basis of the mobility calculated across that path: the path with the least mobility factor will predictably remain unchanged for the longest period of time.
Fault Tolerant Secure Routing in Cluster Based Mobile Sensor Networks
729
5.2 Security Analysis
Karlof and Wagner [14] have discussed the attributes that a secure routing protocol must have to avoid attacks on the routing information in sensor networks. Here we analyze FTSR-MSN in terms of reliability and security and show that our scheme is fully reliable with very low overhead.
Spoofed, altered or replayed routing information. The most basic form of attack is spoofing, altering or replaying routing information, so that malicious nodes are able to create routing loops, draw or repel network traffic, generate false error messages, etc. However, the monotonically increasing sequence number and its inclusion in the MAC calculation in FTSR-MSN do not allow an adversary to hold a control packet, change the sequence number and make false use of it after a while.
Selective forwarding attack. In a selective forwarding attack, malicious nodes either refuse to forward routing messages by dropping them, or propagate only selected traffic. Whichever is the case, selective forwarding is a serious threat to multi-hop networks, and such misbehavior is not easy to detect. The best possible solution is to deceive the attacker by using multiple paths for information delivery [14], as employed in FTSR-MSN. Hence the proposed scheme is effective against selective forwarding attacks.
HELLO flood attack. A HELLO flood attack is mounted by an adversary with powerful transmission capabilities. It broadcasts false HELLO packets in the network and thereby convinces the nodes that the adversary is their neighbor. HELLO flood attacks can be defended against by verifying the bidirectionality of the link before taking any action on the received message [14]. FTSR-MSN uses a random value nonce_i in HELLO messages and confirms the bidirectionality of the link by only accepting those replies that include the random number previously sent; otherwise the message is discarded and no action is taken.
Sink hole attack. Malicious nodes lure traffic by claiming to have a high quality route to the base station. Combined with a selective forwarding attack it can be successful and undetectable [14]. However, the proposed scheme offers a complete defence against the sinkhole attack, by the fact that a RREP is never generated by an intermediate node. The source node verifies the RREP by calculating the MAC on the immutable fields with the key that it shares with the base station and, in case of any discrepancy, immediately discards the packet.
730
U. Ahmed, M.A. Wahla, and F. Kausar
Sybil attack. In a Sybil attack, a single node presents multiple identities to other nodes in the network. The Sybil attack can significantly reduce the effectiveness of multipath routing, as routes believed to be using disjoint nodes could in actuality be using a single adversary presenting multiple identities [14]. FTSR-MSN makes use of the fact that each node shares a unique key with the base station and a group key with its neighbors. The square zone based structure restricts any cluster head from accepting pairing requests after the maximum neighborhood limit of eight is reached. Thus the Sybil attack is infeasible and difficult to mount against our proposed scheme.
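The receiver-side checks discussed in this security analysis (the nonce-echo bidirectionality test against HELLO floods, and the sequence-number-bearing MAC that the source verifies on a RREP with its base-station key against replay, alteration and intermediate-node forgery) are shown below as an added example; this is not FTSR-MSN's own code. HMAC with SHA-256 stands in for the MAC (the paper cites HMAC [16] but does not name a hash), the fields origin, dest and seq stand in for the immutable RREP fields, and the node names and key bytes are constructed.

```python
"""Added example (not FTSR-MSN's own code): HELLO bidirectionality check via
nonce echo, and RREP acceptance via MAC-with-sequence-number verification.
Assumptions: HMAC-SHA256 as the MAC; origin/dest/seq as the immutable
fields; constructed node names and key material."""
import hashlib
import hmac
import secrets


def control_mac(key, origin, dest, seq):
    """MAC over the immutable fields; the sequence number is part of the input,
    so holding a packet and later changing its seq invalidates the MAC."""
    msg = f"{origin}|{dest}|{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_rrep(bs_key, origin, dest, seq):
    """Only the base station, holding bs_key, can produce a RREP that verifies."""
    return {"origin": origin, "dest": dest, "seq": seq,
            "mac": control_mac(bs_key, origin, dest, seq)}


class Node:
    def __init__(self, name, bs_key):
        self.name = name
        self.bs_key = bs_key        # unique key shared with the base station
        self.pending_hello = {}     # neighbour -> nonce carried in the HELLO we sent it
        self.highest_seq = {}       # origin -> highest sequence number accepted so far

    def send_hello(self, neighbour):
        nonce = secrets.token_bytes(8)
        self.pending_hello[neighbour] = nonce
        return {"type": "HELLO", "src": self.name, "nonce": nonce}

    def accept_hello_reply(self, reply):
        """Bidirectionality check: a reply counts only if it echoes the nonce we
        sent that neighbour; anything else (e.g. an unsolicited broadcast) is dropped."""
        expected = self.pending_hello.get(reply["src"])
        if expected is None or not hmac.compare_digest(expected, reply["nonce"]):
            return False
        del self.pending_hello[reply["src"]]
        return True

    def accept_rrep(self, pkt):
        """Verify the MAC with the base-station key, then reject any sequence
        number that is not strictly newer than the last one accepted."""
        expected = control_mac(self.bs_key, pkt["origin"], pkt["dest"], pkt["seq"])
        if not hmac.compare_digest(expected, pkt["mac"]):
            return False
        if pkt["seq"] <= self.highest_seq.get(pkt["origin"], -1):
            return False
        self.highest_seq[pkt["origin"]] = pkt["seq"]
        return True


def demo():
    """Constructed scenario: a spoofed and an honest HELLO reply, then a genuine
    RREP, the same RREP replayed, its seq bumped without a new MAC, and a RREP
    forged by a node that does not hold the base-station key."""
    bs_key = b"k-S-basestation-constructed"
    s = Node("S", bs_key)

    hello = s.send_hello("CHB")
    spoofed = s.accept_hello_reply({"src": "CHB", "nonce": secrets.token_bytes(8)})
    honest = s.accept_hello_reply({"src": "CHB", "nonce": hello["nonce"]})

    rrep = make_rrep(bs_key, "S", "BS", seq=5)
    fresh = s.accept_rrep(rrep)
    replayed = s.accept_rrep(rrep)
    bumped = s.accept_rrep({**rrep, "seq": 6})
    forged = s.accept_rrep(make_rrep(b"not-the-bs-key", "S", "BS", seq=7))
    return spoofed, honest, fresh, replayed, bumped, forged


if __name__ == "__main__":
    print(dict(zip(["spoofed", "honest", "fresh", "replayed", "bumped", "forged"], demo())))
```

The same state that makes the replay check work (highest_seq per origin) is what an intermediate node cannot influence: it can replay or edit a RREP, but without the source's base-station key it cannot produce a MAC that covers a higher sequence number.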
6 Conclusion
This paper presents a secure multipath routing protocol for mobile sensor networks. The scheme uses multiple paths for each discovered route, taking into account the mobility factor across every path. The path repair mechanism is designed to prevent error messages from spreading across the whole network. In case of broken links the network always converges into a fail-safe mode of operation, due to the selection of multiple paths for data delivery. The analysis of the proposed scheme has shown that it provides efficient security under the various threat models considered. Future work includes the development of a simulation with different threat models to analyze the performance of FTSR-MSN in terms of memory usage, energy utilization, latency and communication overhead.
References
1. Elson, J., Romer, K.: Wireless Sensor Networks: A New Regime for Time Synchronization. In: Proceedings of the First Workshop on Hot Topics in Networks (HotNets-I) (October 2002)
2. Greunen, J., Rabaey, J.: Lightweight Time Synchronization for Sensor Networks. In: Proceedings of the Second ACM International Workshop on Wireless Sensor Networks and Applications (WSNA) (September 2003)
3. Halpern, J.Y., Simons, B.B., Strong, H.R., Dolev, D.: Fault-Tolerant Clock Synchronization. In: Proceedings of the Third Annual ACM Symposium on Principles of Distributed Computing, pp. 89–102 (1984)
4. Levis, P., Tavakoli, A.: Overview of Existing Routing Protocols for Low Power and Lossy Networks. draft-ietf-roll-protocols-survey-02.txt (2008)
5. Arboleda, C.L.M., Nasser, N.: Cluster-based routing protocol for mobile sensor networks. In: Proceedings of the 3rd International Conference on Quality of Service in Heterogeneous Wired/Wireless Networks (QShine 2006), Waterloo, Ontario, Canada, August 07-09, 2006, vol. 191. ACM, New York (2006)
6. Perkins, C., Belding-Royer, E., Das, S.R.: Ad hoc On-Demand Distance Vector (AODV) Routing. rfc3561.txt (2003)
7. Marina, M.K., Das, S.R.: On-demand Multipath Distance Vector Routing for Ad Hoc Networks. In: Proceedings of the 9th IEEE International Conference on Network Protocols, pp. 14–23 (2001)
8. Li, Q., Rus, D.: Global Clock Synchronization in Sensor Networks. In: Proceedings of the IEEE INFOCOM 2004 Conference (March 2004)
9. Dolev, D., Halpern, J.Y., Simons, B., Strong, H.R.: Dynamic Fault-Tolerant Clock Synchronization. J. ACM 42(1), 143–185 (1995)
10. Sun, K., Ning, P., Wang, C.: Fault-Tolerant Cluster-Wise Clock Synchronization for Wireless Sensor Networks. IEEE Transactions on Dependable and Secure Computing 2(3) (July-September 2005)
11. Savvides, A., Han, C.C., Srivastava, M.B.: Dynamic fine-grained localization in Ad-Hoc networks of sensors. In: Proceedings of the Seventh Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom 2001), Rome, Italy, July 2001, pp. 166–179 (2001)
12. Niculescu, D., Nath, B.: Ad hoc Positioning System (APS). In: IEEE INFOCOM 2003, San Francisco, CA (2003)
13. Sultana, N., Choi, K.M., Huh, E.N.: Application Driven Cluster Based Group Key Management with Identifier in Mobile Wireless Sensor Network. In: Future Generation Communication and Networking (FGCN 2007), December 6-8, 2007, vol. 1, pp. 362–367 (2007)
14. Karlof, C., Wagner, D.: Secure routing in wireless sensor networks: attacks and countermeasures. In: Proceedings of the IEEE International Workshop on Sensor Network Protocols and Applications, pp. 113–127 (May 2003)
15. Zapata, M.G.: Secure Ad hoc On-Demand Distance Vector (SAODV) Routing. draft-guerrero-manet-saodv-06.txt
16. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. rfc2104.txt (1997)
Hardware-Based Random Number Generation in Wireless Sensor Networks (WSNs)
Rabia Latif (1) and Mukhtar Hussain (2)
(1) College of Signals, National University of Science and Technology, Rawalpindi, Pakistan, rabiya [email protected]
(2) College of Signals, National University of Science and Technology, Rawalpindi, Pakistan, [email protected]
Abstract. A wireless sensor network (WSN) is an emerging area, and almost all of its major security issues are still under research. The security of mobile sensor networks relies on cryptographic protocols, and the strength of a cryptographic protocol depends on the strength of the secret key used. It is therefore critical that the generated key be highly random and difficult to guess. The cryptographic requirement for random numbers and the inadequacies of software methods have created a need for inexpensive and secure methods of generating random numbers. We present a hardware-based technique for random number generation based on the Received Signal Strength Indicator (RSSI), which is a function of transmission power. Analysis shows that this method provides cryptographically secure random numbers without the use of any additional hardware.
1 Introduction
New advancements in wireless communication networks have facilitated the development of sensor networks that are low-cost and composed of a large number of sensor devices called "motes", which are small in size, have limited computational power and are severely resource constrained. Sensor networks can be used in various application areas including military, commercial, health, home and environmental monitoring. Each application area has different security issues and therefore requires different security mechanisms to resolve them. Sensor nodes are often deployed in open areas and thus become insecure and vulnerable to different types of attacks: for example, message tampering, listening to the ongoing traffic, injecting unauthorized messages, impersonating network nodes, or intentionally supplying deceptive information to other nodes. Communication should adopt certain security mechanisms in order to provide secure data communication within the network. The resource-starved nature of sensor nodes distinguishes these networks from traditional wireless networks; therefore, the existing security mechanisms cannot be applied directly to sensor networks and new security mechanisms are needed.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 732–740, 2009. © Springer-Verlag Berlin Heidelberg 2009
Hardware-Based Random Number Generation in WSNs
733
The key security issues in wireless sensor networks (WSNs) are data confidentiality, data integrity, data freshness, message authentication, access control, semantic security and message replay protection [1]. The solution to these security issues depends on the use of cryptography and therefore requires careful design of a cryptographic random number generator. In cryptography, random numbers are used in encryption keys, session keys, public key generation and initialization vectors. The security of the entire cryptographic application depends on how secure the random numbers are. In this work, we propose a hardware-based random number generation technique based on the Received Signal Strength Indicator (RSSI), which is used to measure the power present in the received radio signal. The benefit of using RSSI is that it has a low communication operating cost and does not require additional hardware [2]. On the basis of these RSSI readings, random numbers are generated, which are used in a large number of cryptographic operations. The remainder of this paper is organized as follows. In Section 2, we present the related work, in which we discuss various random number generation techniques and their weaknesses when used in WSNs for cryptographic purposes. Section 3 describes the preliminaries, which introduce the basic terms used throughout the paper. The proposed scheme is addressed in Section 4. Section 5 presents results and analysis. Finally, we conclude the paper in Section 6.
2 Related Work
Security is very important in wireless sensor networks (WSNs) because they are vulnerable to various attacks. In WSNs, security rests on cryptography, which in turn needs random numbers. Whether a random number generator (RNG) is software or hardware based makes a fundamental difference in how it generates random numbers. Software-based techniques for random number generation are not considered secure because they use mathematical algorithms to generate random numbers, and these algorithms in turn need seed values for initialization, which are derived from some repetitive event in the computer such as the elapsed time between keystrokes, mouse movement, the system clock or the running processes in the operating system. So it is very easy for someone to guess seed values; and even if the seed value is purely unguessable, once someone finds out the algorithm, the repetitive sequence of numbers is easily regenerated. Furthermore, network timings can easily be monitored on wireless channels, and since the sensor clock is very slow, the timings are easy to predict [3]. Hardware-based techniques for random number generation are simple and to some extent secure because they do not require any seed value and there is no algorithm for generating the random numbers. Rather, hardware-based generators make use of the randomness which occurs in some physical phenomenon, e.g., humidity, light, temperature, atomic nuclei, radioactive decay, etc. Compared to software-based techniques, hardware-based techniques are considered to be truly random because, if an adversary could find one key, it would still be difficult to guess any future key [4].
734
R. Latif and M. Hussain
In the recent past, many techniques have been proposed for random number generation, which in turn is used to generate cryptographic keys in order to protect messages, provide secure communication between sensor nodes, broadcast authenticated data to the entire network and achieve confidentiality, data authentication and data freshness. In this section, we briefly describe some of the techniques for random number generation and their weaknesses when used to produce cryptographic keys in wireless sensor networks (WSNs). The linear congruential generator (LCG) is the most commonly used random number generator (RNG). It is a software-based RNG and is generally used for implementing randomized algorithms. This generator produces a sequence of numbers $x_1, x_2, \ldots$ according to the linear recurrence $x_n = a x_{n-1} \bmod m$, where $a$ and $m$ are parameters and $x_0$ is a seed. This generator is insecure and inappropriate for cryptographic purposes because the output of an LCG is predictable [5]. Another, and probably the simplest, construction of a random number generator is based on the linear feedback shift register (LFSR). LFSRs can be implemented very efficiently in hardware and are capable of generating very long sequences with a high quality statistical distribution. The LFSR itself is not secure due to its linearity; therefore, it is typically used as a basic block of more complicated generators [5]. The inversive congruential generator is another method of pseudorandom number generation; these are similar to LCGs but are nonlinear, using $x_{n+1} = (a x_n^{-1} + b) \bmod m$, where $x_n^{-1}$ is the multiplicative inverse of $x_n$ mod $m$, that is $x_n x_n^{-1} \equiv 1 \pmod{m}$. These are expensive to compute due to the inverse operation and are not often used [5]. All of the above methods of random number generation are software-based and have weaknesses when used for cryptographic operations. None of the above techniques recovers from a compromised state.
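To make the predictability argument concrete, the following added example (not from the paper) implements the two congruential generators described above and shows that an observer who knows the LCG parameters and sees a single output can reproduce every later output, because the generator's entire state is the value it just emitted. The parameters and seeds are small constructed values; the ANSI C constants are used only as a familiar example of LCG parameters.

```python
"""Added example (not the paper's code): LCG and inversive congruential
generator, plus a demonstration that one leaked LCG output determines
all later outputs once a, m (and c) are known."""


def lcg(seed, a, m, count, c=0):
    """x_n = (a * x_{n-1} + c) mod m; the paper's form has c = 0."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out


def icg(seed, a, b, m, count):
    """x_{n+1} = (a * x_n^{-1} + b) mod m, with the usual convention 0^{-1} = 0.
    m is assumed prime so every non-zero x_n has an inverse."""
    out, x = [], seed
    for _ in range(count):
        inv = pow(x, -1, m) if x else 0   # multiplicative inverse mod m
        x = (a * inv + b) % m
        out.append(x)
    return out


def predict_rest(observed_value, a, m, count, c=0):
    """An observer who knows a, m (and c) and sees one output x_k reproduces
    x_{k+1}, x_{k+2}, ... exactly: the output *is* the state."""
    return lcg(observed_value, a, m, count, c)


def demo():
    a, c, m = 1103515245, 12345, 2 ** 31   # classic ANSI C rand() constants, used as an example
    stream = lcg(42, a, m, 6, c)           # what the "generator" emits
    leaked = stream[0]                     # the one value an observer sees
    predicted = predict_rest(leaked, a, m, 5, c)
    return stream, predicted


if __name__ == "__main__":
    stream, predicted = demo()
    print("emitted  :", stream)
    print("predicted:", predicted)        # equals stream[1:]
    print("ICG mod 13:", icg(2, 5, 3, 13, 6))
```

The inversive generator breaks the linear relation between consecutive outputs, which is why it resists this particular one-step prediction, but as the paper notes it still needs a seed and, once the parameters and one state are known, is just as deterministic.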
To avoid the disadvantages of random numbers generated by software and user input, hardware-based random numbers can be generated using a physical process that provides a source of random noise. This noise is then sampled and recorded as random bits. Several requirements must be met for this to work. The noise must come from a random and unpredictable source. In general, these sources are natural analog processes based on fluctuations on an atomic scale, such as thermal, nuclear decay and electromagnetic noise. These events depend on such a large number of variables that it is impractical to predict the outcome. Often the thermal noise, shot noise and flicker noise found in resistors are used. These sources are sufficiently random and can be built compactly and cheaply, but have very small magnitudes and must be amplified before they can be sampled. This creates two problems. The first is that no amplifier is perfect, so distortion and bandwidth limitations cause discrepancies between the initial pure noise and the amplified output noise. The second is the difficulty of shielding such a weak signal from the strong digital signals in its surroundings. Care must be taken that the noise generator's environment is shielded as well as possible. This shielding helps keep predictable digital signals from entering the system and also thwarts attackers who may try to introduce a specific noise into the system to increase predictability. Once the signal is amplified, it must be sampled and converted to a usable binary format [6]. This method of generating random numbers still has weaknesses, so it is not suitable for random number generation when used in cryptographic operations.
3 Preliminaries
In this section, we first define our problem statement, in which we describe how we generate random numbers and where they are used. We then describe our implementation platform, and finally we present a short summary of RSSI and how it helps in generating random numbers.
3.1 Problem Statement
In this research, we propose an efficient technique that generates hardware-based random numbers from the received signal strength indicator (RSSI). In a WSN, these random numbers are used to generate cryptographic keys, which in turn provide secure communication between sensor nodes. We assume a mobile sensor network, in which all nodes are mobile, i.e. they can change their locations after initial deployment. All nodes except the base station change their positions from time to time in order to obtain different RSSI readings.
– Goal: If an adversary could determine one key, he would not be able to use it to predict future keys.
– Testing: Testing the results of the proposed technique by applying them to the available "NIST Randomness Testing Suite" in order to check randomness.
3.2 Platform
Hardware. The hardware we use is the Tmote with a 250 kbps 2.4 GHz IEEE 802.15.4 Chipcon wireless transceiver. These motes have integrated humidity, temperature and light sensors, and provide flexible interconnection with peripherals. Programming and data collection is done via USB ports. TelosB has 48k flash memory and 10k RAM.
Software. The power of TinyOS coupled with nesC is utilized to implement the proposed security architecture for WSNs. We use TinyOS version 2.02. This platform has been selected because of its capability of being tested on a real sensor network test bed and demonstrated in real time on sensor nodes.
3.3 Received Signal Strength Indicator (RSSI)
Received signal strength indicator (RSSI) is the measurement of the power present in a received radio signal [7]. RSSI measurements are unitless and in the range 0-255, expressible as an 8 or 10 bit number obtained from the physical layer. The number of bits used for RSSI is hardware dependent. Since RSSI is a function of transmission power, different transmission powers lead to different RSSI readings [8].
4 Proposed Technique
In this paper, we implement a new technique for hardware-based random number generation in WSNs based on the received signal strength indicator (RSSI). Compared to previous techniques for random number generation, the new technique is more efficient because it is hardware based and does not require any algorithm or seed value to start generating random sequences. It involves three phases: experimental setup, data collection and randomness testing. We now explain each phase.
4.1 Experimental Setup
We conduct an indoor experiment for generating random numbers based on RSSI values. Fig. 1 shows a sketch of the experimental setup. It consists of a PC or laptop with a serial port, into which a mote is plugged. The plugged-in mote is the base station, which acts as a bridge between the PC serial port and the mote network. The rest of the motes are mobile, battery powered and placed at different distances from the base station.
4.2 Data Collection Phase
The Tmotes are equipped with the Chipcon CC2420 radio for wireless communication. The CC2420 measures the RSSI value for each packet and provides a digital received signal strength indicator (RSSI) that may be read at any time. The mobile motes transmit packets to the base station, which is attached to a PC or laptop. On receiving the packets over the radio network, the base station measures the RSSI value of each packet [9]. We can view these packets on the PC screen. The location of the motes changes from time to time in order to obtain different RSSI values. In the next step, the RSSI profiles are arranged at the PC and converted into binary numbers [9]. The resulting binary output is the random number sequence.
Fig. 1. Experimental Setup
4.3 Randomness Testing Phase
The generated binary output is tested with the "NIST randomness testing suite" in order to check the randomness of the resulting data. The NIST Statistical Test Suite is a statistical package consisting of 16 tests that were developed to test the randomness of arbitrarily long binary sequences produced by either hardware or software based cryptographic random or pseudorandom number generators.
5 Results and Analysis
In this section, we present an analysis of the results obtained after testing the generated binary output with the "NIST randomness testing suite". The test statistic is used to calculate a P-value that summarizes the strength of the evidence against the null hypothesis (i.e., that the sequence being tested is random). For these tests, each P-value is the probability that a perfect random number generator would have produced a sequence less random than the sequence that was tested, given the kind of non-randomness assessed by the test. If the P-value for a test is equal to 1, then the sequence appears to have perfect randomness. A P-value of zero indicates that the sequence appears to be completely non-random. A significance level α can be chosen for the tests. Typically, α is chosen in the range [0.001, 0.01]; common values of α in cryptography are about 0.01. If P-value ≥ α, then the null hypothesis is accepted, i.e., the sequence appears to be random. If P-value < α, then the null hypothesis is rejected, i.e., the sequence appears to be non-random [10].
Table 1 shows the statistical tests and their corresponding P-values, and concludes from these P-values whether the sequence is random or non-random. Randomness is indicated by 'SUCCESS' and non-randomness by 'FAILURE'. For each test, a P-value ≥ 0.01 means that the sequence is considered random with a confidence of 99%; a P-value < 0.01 means that the sequence is considered non-random with a confidence of 99%.

Table 1. Result for the Statistical Test for Random Numbers

Sr.No  Statistical Tests                                      P-Value  Conclusion
1      Frequency Test (n, )                                   0.2012   SUCCESS
2      Block Frequency Test (n, )                             0.731    SUCCESS
3      Runs Test (n, , τ)                                     0.1749   SUCCESS
4      Test for the Longest Run of Ones in a Block (n, )      1.0      SUCCESS
5      Poker Test (n, )                                       0.679    SUCCESS
6      Non-overlapping Template Matching Test (n, )           0.99     SUCCESS
7      Overlapping Template Matching Test (n, )               1.0      SUCCESS
8      Maurer's "Universal Statistical" Test (n, , L, Q)      0.42     SUCCESS
9      Cumulative Sums (Cusum) - Forward Test (n, ?)          0.459    SUCCESS
10     Cumulative Sums (Cusum) - Reverse Test (n, )           0.762    SUCCESS
11     Linear Complexity Test (n, , M)                        0.481    SUCCESS
12     Random Excursions Variant Test (n, )                   0.79     SUCCESS
13     Serial Test (n, , L, Q)                                0.433    SUCCESS
14     Serial-Byte Test (n, )                                 0.629    SUCCESS
15     Serial-Dibit Test (n, )                                0.216    SUCCESS

Table 1 shows that a number of tests were conducted to check the randomness of the binary sequences. These tests include:
– Frequency Test, whose purpose is to determine whether the numbers of ones and zeros in a sequence are approximately the same as would be expected for a truly random sequence; for this test the P-value obtained in Table 1 is 0.731, which is ≥ 0.01, so we are confident to accept the sequence as a random bit sequence.
– Runs Test, whose purpose is to determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence; for this test the P-value obtained in Table 1 is 0.2012, which is ≥ 0.01, so we are confident to accept the sequence as a random bit sequence.
– Test for the Longest Run of Ones in a Block, whose purpose is to determine whether the longest run of ones within the tested sequence is consistent with the longest run of ones that would be expected in a random sequence; for this test the P-value obtained in Table 1 is 1.0, which is ≥ 0.01, so we are confident to accept the sequence as a random bit sequence.
– Cumulative Sums Forward (Reverse) Test, whose purpose is to determine whether the sum of the partial sequences occurring in the tested sequence is too large or too small; for this test the P-values obtained in Table 1 are 0.459 (cusum forward) and 0.762 (cusum reverse), both ≥ 0.01, so we are confident to accept the sequence as a random bit sequence.
– Universal Statistical Test, whose purpose is to determine whether a binary sequence can be compressed beyond what is expected of a truly random sequence; for this test the P-value obtained in Table 1 is 0.42, which is ≥ 0.01, so we are confident to accept the sequence as a random bit sequence.
– Linear Complexity Test, whose purpose is to determine whether or not the sequence is complex enough to be considered truly random; for this test the P-value obtained in Table 1 is 0.481, which is ≥ 0.01, so we are confident to accept the sequence as a random bit sequence.
– Serial Test, whose purpose is to determine whether the number of occurrences of m-bit overlapping patterns is approximately the same as would be expected for a random sequence; for this test the P-value obtained in Table 1 is 0.433, which is ≥ 0.01, so we are confident to accept the sequence as a random bit sequence.
– Random Excursions Variant Test, whose purpose is to detect deviations from the expected number of visits of a random walk to a certain state; for this test the P-value obtained in Table 1 is 0.79, which is ≥ 0.01, so we are confident to accept the sequence as a random bit sequence.
Finally, in all of the above tests the P-value obtained is above 0.01, so these tests are successful and we can conclude that the numbers generated are truly random and can be used to provide security in almost all cryptographic operations.
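To show what lies behind two of the P-values discussed in the randomness testing phase and in this section, the following added example (not the paper's code and not the NIST suite itself) implements the Frequency (monobit) and Runs tests of NIST SP 800-22 on a bit string and applies the decision rule P-value ≥ 0.01 = SUCCESS used in Table 1. The input bit strings are constructed (two are the worked examples printed in SP 800-22, one is a degenerate all-zero sequence); the paper does not state how RSSI readings were converted to bits, so that step is not reproduced here.

```python
"""Added example (not the paper's code): NIST SP 800-22 Frequency and Runs
tests with the SUCCESS/FAILURE rule at alpha = 0.01. Input bit strings are
constructed; the RSSI-to-bits conversion is not part of this example."""
import math

ALPHA = 0.01   # significance level used in the paper's analysis


def frequency_test(bits):
    """Monobit test: S_n = #ones - #zeros, s_obs = |S_n| / sqrt(n),
    P-value = erfc(s_obs / sqrt(2))."""
    n = len(bits)
    s_n = sum(1 if b == "1" else -1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(bits):
    """Runs test: V_n = number of runs (maximal blocks of identical bits),
    P-value = erfc(|V_n - 2 n pi (1 - pi)| / (2 sqrt(2 n) pi (1 - pi))).
    NIST precondition: if |pi - 1/2| >= 2 / sqrt(n) the frequency test has
    already failed and the runs test reports P-value = 0."""
    n = len(bits)
    pi = bits.count("1") / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_n = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    numerator = abs(v_n - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def verdict(p_value):
    """The rule applied in Table 1: P-value >= alpha means the sequence passes."""
    return "SUCCESS" if p_value >= ALPHA else "FAILURE"


def evaluate(bits):
    """Return {test name: (P-value, conclusion)}, i.e. two rows in the style of Table 1."""
    p_freq = frequency_test(bits)
    p_runs = runs_test(bits)
    return {"Frequency Test": (p_freq, verdict(p_freq)),
            "Runs Test": (p_runs, verdict(p_runs))}


if __name__ == "__main__":
    # Constructed inputs: the two worked examples from SP 800-22 and an all-zero sequence
    for sample in ("1011010101", "1001101011", "0" * 128):
        print(sample[:16].ljust(16), evaluate(sample))
```

Both formulas follow SP 800-22 [10]; for the SP 800-22 worked examples the block reproduces the P-values printed there (0.527089 for the monobit test on 1011010101, 0.147232 for the runs test on 1001101011), and the all-zero input fails both, which is the behaviour a detection of a stuck RSSI source would rely on.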
Fig. 2. Statistical Tests and their corresponding P-values
6 Conclusion
Efficient solutions for the problem of key distribution are essential for the feasibility of secure group communication in sensor networks. In this paper, we develop a key distribution scheme for secure group communication in WSNs. The scheme provides a self-healing mechanism for session key recovery on possible packet loss in the lossy environment using a one-way key chain. Other features include periodic re-keying of the group key and time-limited group node revocation. The analysis shows that the proposed scheme is computationally secure and meets the security requirements for forward and backward secrecy. The flexibility of our system allows it to be more efficient, scalable and secure than alternatives.
References
1. Ren, X., Yu, H.: Security mechanisms for wireless sensor networks. IJCSNS International Journal of Computer Science and Network Security 6(3), 155–156 (2006)
2. Shen, X., Wang, Z., Jiang, P., Lin, R., Sun, Y.: Connectivity and RSSI based localization scheme for wireless sensor networks. 3032, 578–587 (2005)
3. Francillon, A., Castelluccia, C.: TinyRNG: A cryptographic random number generator for wireless sensors network nodes. In: WiOpt 2007: 5th International Symposium on Modeling and Optimization in Mobile, Ad Hoc and Wireless Networks and Workshops, pp. 1–7 (2007)
4. Uncrackable keys require hardware RNGs, http://www.techriteassociates.com/tm uncrackable keys
5. Krhovják, J.: Analysis, demands and properties of pseudorandom number generators
6. Morrison, R.: Design of a true random number generator using audio input. Journal of Cryptology 1(1), 1–4 (2001)
7. Received signal strength indication, http://en.wikipedia.org/wiki/RSSI
8. Demirbas, M., Song, Y.: An RSSI-based scheme for Sybil attack detection in wireless sensor networks. In: WOWMOM 2006: Proceedings of the 2006 International Symposium on World of Wireless, Mobile and Multimedia Networks, Washington, DC, USA, pp. 564–570. IEEE Computer Society, Los Alamitos (2006)
9. Aono, T., Higuchi, K., Taromaru, M., Ohira, T., Sasaoka, H.: Wireless secret key generation exploiting the reactance-domain scalar response of multipath fading channels: RSSI interleaving scheme. In: Proceedings of the 2005 European Conference on Wireless Technology, pp. 173–176 (2005)
10. Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, M., Banks, D., Heckert, A., Dray, J., Vo, S.: A statistical test suite for random and pseudorandom number generators for cryptographic applications
Authenticated Encryption in WSN Using eSTREAM Ciphers
Shakil Ahmad, Arif Wahla, and Firdous Kausar
Department of Information Security, University of Science and Technology, Rawalpindi, Pakistan
[email protected], [email protected], [email protected]
Abstract. Wireless Sensor Networks are gaining popularity due to their widespread application areas, especially the military, biomedical and corporate sectors. Secure and authentic data exchange for sensitive and critical applications is a basic need. The European Union's eSTREAM project has identified a set of software-implementable stream ciphers with efficiency and security comparable to AES. Integration of an authentication mechanism with these software-implementable stream ciphers has remained an open challenge. The situation is further aggravated once the target application platform is resource constrained in terms of energy, processing power and memory, as in the case of WSNs. In this research work we have analyzed known authenticated encryption mechanisms using eSTREAM ciphers and their implementation in a resource limited WSN environment.
Keywords: Authenticated Encryption, Stream Ciphers, Security, Wireless Sensor Networks.
1 Introduction
A sensor network is usually composed of a large number of sensor nodes deployed to observe certain environmental parameters, detect movements and communicate data to a sink node or base station using wireless media. Monitoring, collecting and processing environmental information through wireless sensor networks (WSNs) can be useful for civil and military applications [2]. WSNs suffer two major problems: firstly, there are several constraints on these devices, namely their minimal energy, computational and communication capabilities; secondly, due to their deployment in a vast area or hostile territory (for military use) they are under threat of various attacks like node capture, physical tampering, monitoring or eavesdropping. These threats demand assurance of data confidentiality, authentication and data integrity, for which a variety of cryptographic solutions can be sought [1]. Resource constrained sensor nodes pose a real challenge for the cryptographic community and information security specialists to research and define a secure environment fulfilling the above mentioned security needs of these nodes without compromising their life cycle. Hence security issues in WSNs need to be addressed with highly lightweight and robust solutions [3].
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 741–749, 2009. © Springer-Verlag Berlin Heidelberg 2009
742
S. Ahmad, A. Wahla, and F. Kausar
The paper is organized as follows: first, an overview of security solutions in sensor networks and the efforts of the cryptographic community to test, analyze and standardize cryptographic algorithms. Then various methods of authenticated encryption using stream ciphers are analyzed in Section 3. Section 4 describes the architecture of the selected eSTREAM ciphers and their analysis and implementation for authenticated encryption in sensor networks. Future work is described in Section 5 and finally conclusions in Section 6.
2 Related Work

Besides network-layer security protocols for specific fields, such as IPSec for IP, and link-layer security protocols for WSNs such as TinySec and SPINS (SNEP, μTESLA) [14] [15], cryptographic solutions are considered more reliable for ensuring security in networks. In the field of cryptology, after the era of cipher machines, block ciphers remained the area of focus: DES (a Feistel-structured block cipher) was selected as the standard in 1974 and remained so until 2000, when another block cipher, Rijndael, was selected as the Advanced Encryption Standard (AES). Block ciphers have been tested, implemented and have proven security for a variety of applications. Although AES has been thoroughly tested for security as well as for software and hardware implementation, in certain applications such as resource-constrained WSNs complex encryption hardware is undesirable, and an efficient software implementation within meager resources, with equivalent security, is what is most needed. Stream ciphers, by virtue of their design, can have this characteristic, especially in software implementations. Unlike block ciphers, stream ciphers do not have a standard model. In 2004 the European Union took the initiative and, under the umbrella of ECRYPT (a consortium of European research organizations), started a project named eSTREAM for the selection of stream ciphers with security and efficiency comparable to AES. Initially 34 proposals were submitted for hardware and software implementation, of which a few were shortlisted by the end of phase 1; finally, in July 2008, the results of phase 2 were announced, naming Rabbit, Salsa20, Sosemanuk and HC-128 best suited for software implementation and Trivium, Grain v1 and MICKEY v2 for hardware implementation [4].
3 Authenticated Encryption Using Stream Ciphers

Typically, hash-based constructions such as HMAC are used to achieve authentication in a networked environment. Block ciphers used in a suitable mode such as CBC do provide authenticated encryption, but their use in resource-constrained sensor networks is not feasible because of the processing cost of block ciphers. Owing to their design, stream ciphers are considered best suited to applications where high throughput is required and energy and processing resources are limited. The following are a few methods for authenticated encryption, with an analysis of their suitability for implementation in sensor networks.
Authenticated Encryption in WSN Using eSTREAM Ciphers
743
3.1 Method of Generating MAC Using Stream Ciphers

A method of generating a message authentication code using stream ciphers has been proposed by Woo Hwan Kim and Jung Keun Lee in [5]. Here the MAC is calculated by dividing the plaintext into K packets, encrypting each packet with (Kmac XOR packet number), XORing all the outputs together, and encrypting the result again under Kmac; the output is referred to as the MAC. The plaintext is then encrypted with Ke using the MAC as IV. The MAC is appended to the ciphertext and transmitted to the receiver. On the receiver side, decryption is performed using the MAC as IV and the key Ke. The extracted plaintext is processed to recompute the MAC and authenticate the received MAC. Details are shown in Figure 1.
Fig. 1. Method of Generating MAC using Stream Ciphers [5]
Fig. 2. MAC Generation [5]
This method is not suitable for implementation in a sensor network environment for the following reasons.

3.1.1 Processing Cost

MAC generation requires two additional encryptions, so a total of three encryptions, coupled with other minor operations, are involved in securing the data, which may prove fatal for an energy-constrained sensor node.

3.1.2 Authenticate then Encrypt

The method follows an authenticate-then-encrypt process. It is suggested that the strongest definition of security for authenticated encryption is achieved via the Encrypt-then-MAC approach [6].

3.2 DRAGON-MAC

This method was proposed by Shu Yun Lim, Chuan Chin Pu, Hyo Taek Lim and Hoon Jae Lee in [7] [8]. The scheme is based on the Encrypt-then-MAC approach. Data is first encrypted; then the state update function is set using data fields extracted from the packet header, and the ciphertext is fed to the stream cipher again to compute the MAC. Different keys are used for encryption (Ke) and authentication (Km). The detailed mechanism is shown in Fig. 3.
Fig. 3. Encryption Decryption Process of DRAGON-MAC
The authors have implemented and proposed the mechanism for Telos family motes in [8], but it can be implemented on any type of mote by carefully selecting packet header fields, or adding a few if necessary.

3.3 Tail-MAC

This scheme was proposed by Bartosz Zoltak in [10]. It is based on an internal state that is transformed along with the progress of the encryption process in a manner determined by the ciphertext, the key and IV-derived data. The definition assumes the existence of a cipher generating a stream of b-bit words. The internal state of the scheme consists of the variables T and Xw. T is an (8×d)-element table of b-bit words, and t[n] denotes the n-th element of T. X1, X2, X3, …, Xd are b-bit variables and [X1, X2, X3, …, Xd] denotes a (b×d)-bit word combining X1, X2, X3, …, Xd. F denotes a bijective function and iK(m) denotes a part of the internal state of the cipher at time m.
F and iK will be specified differently depending on the cipher the Tail-MAC scheme is integrated with. H denotes a function combining T with the key K and the message-unique IV and compressing them into a tag (MAC); h will also vary depending on the chosen cipher. The primary goal of Tail-MAC is to keep a sufficiently long record of information derived from the ciphertext, key and IV in the tail, comprising the set of variables X1, X2, …, Xd, and to mark the T table with the tail to an extent sufficient to make it infeasible to change the ciphertext in a way that could produce collisions in the T table. The selection of iK and the f function should be carried out so as to ensure the corruption of any predictable pattern in the ciphertext that could be conveyed onto the tail and the T table in a ciphertext attack. The purpose of Tail-MAC is not to give a complete and universal set of criteria for selecting the iK, f and h functions, but rather to outline the general requirements and the roles of each component and to leave the choice and analysis of specific implementations to the designers. Although the author has shown its implementation with a stream cipher called VMPC, it may not be possible to identify such suitable functions for all stream ciphers. Secondly, this method is applicable only to word-based ciphers, and not all software-implementable eSTREAM ciphers are word based.

3.4 Other Methods

There are certain other methods with built-in functionality for MAC generation, such as Helix [9] and SOBER-128 [11]. The eSTREAM ciphers considered here do not have such built-in MAC generation.
4 Proposed Scheme for Authenticated Encryption Using eSTREAM Ciphers

Focusing on the software-implementable eSTREAM ciphers and the resource constraints of wireless sensor networks, Dragon-MAC with the necessary modifications is the most appropriate option for implementation. As its authors proposed a scheme tightly bound to the frame format of Telos B family motes, modifications are required to generalize the scheme so that it can be implemented on all TinyOS-operated motes. The next section describes the proposed implementation of Dragon-MAC using eSTREAM ciphers.

4.1 SOSEMANUK-MAC

This cipher was designed and submitted by C. Berbain, O. Billet, A. Canteaut, N. Courtois, H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin and H. Sibert in [12]. It incorporates the basic design principle of SNOW 2.0 (a stream cipher) and some transformations derived from SERPENT (a block cipher). The key length is variable between 128 and 256 bits, and it takes a 128-bit IV. SOSEMANUK may be considered more suitable for implementation in resource-limited sensor networks for the following reasons:
Fig. 4. An Overview of Sosemanuk [11]
• Its design reduces the internal state size of SNOW 2.0, allowing a more direct mapping of data onto processor registers and thus improving efficiency.
• It also requires a reduced amount of static data, so lower data cache pressure yields better performance.
• The key setup procedure is based on a reduced version of SERPENT, improving on the classical initialization procedure in both security and efficiency.

The FSM of the cipher consists of 64 bits of memory corresponding to two 32-bit registers R1 and R2. At each step, the FSM takes as input some words from the LFSR state, updates the memory bits and produces a 32-bit output. The FSM output is fed to a modified SERPENT block cipher to generate the keystream. The IV is a 128-bit value used as input to Serpent24 as initialized by the key schedule. The initial states of R1 and R2 are calculated from the outputs of the 12th, 18th and 24th rounds of the modified SERPENT.

In our proposed scheme based on Dragon-MAC, Sosemanuk is first run to encrypt the plaintext with Ke (the encryption key); then chosen fields from the packet header are injected to fill R1 and R2. The ciphertext output of the initial run is taken as the IV and Sosemanuk is run to give a 32-bit output referred to as the MAC. The ciphertext with the appended MAC is transmitted to the receiver. The R1 and R2 states comprise 4 bytes each. For MAC generation, the chosen header fields are Src (2 bytes), Dest (2 bytes), AM type (1 byte), Len (1 byte) and Ctr (2 bytes). Here Src (2 bytes) is additional, whereas Ctr (2 bytes) replaces Gp (1 byte), so a total of only 3 bytes is added. The 2 bytes of CRC in the TinyOS packet format are replaced with 4 bytes of MAC. Ctr (2 bytes) provides additional security against message re-transmission. On the receiver side, authentication is carried out first, by injecting the same chosen fields from the packet header into the R1 and R2 states. The received ciphertext acts as the IV and the output MAC is compared with the received MAC; if the sender is authenticated, the ciphertext is decrypted using Ke.
4.2 HC-128-MAC

The HC-128 stream cipher was designed by Hongjun Wu [13]. The cipher accepts a 128-bit secret key and produces a 32-bit word of output at each step. The main part of HC-128 consists of two secret tables with 512 32-bit entries each. At every step, one element of one of these tables is updated by a non-linear feedback function (the internal state update of the cipher), and a 32-bit output is generated by a non-linear filtering function. For the detailed specification and design see [13]. For encryption, Ke is used as the encryption key; the cipher is run for one complete cycle and the output ciphertext is referred to as Ct. For authentication, the chosen header fields are fed into the state update function to update the two secret tables. Ct is fed as input and the cipher is run again using the MAC key Km to generate a 32-bit output referred to as the MAC. On transmission, the MAC is appended to Ct. On the receiver side, the state update is done using the same chosen header fields; Ct is encrypted using Km to generate the MAC. If the generated MAC equals the received MAC, Ct is decrypted using Ke; otherwise the packet is discarded. In this proposed scheme the code size does not increase much, thanks to the TinyOS facility for calling functions at the required instant [17]. During authentication, only the state update function is called, and after the state update the cipher is run using Ct as plaintext and Km as key. The diagrammatic representation is the same as Figure 3 except that the cipher used is HC-128.

4.3 Rabbit-MAC

The Rabbit stream cipher was first proposed by Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner [14]. It takes a 128-bit secret key and a 64-bit IV as input. Each iteration generates an output block of 128 pseudo-random bits from a combination of internal state bits. Encryption/decryption is done by XORing the pseudo-random data with the plaintext/ciphertext. The internal state is 513 bits, divided between eight 32-bit state variables, eight 32-bit counters and one carry bit.
The eight state variables are updated by eight coupled non-linear functions. For key setup, the cipher is initialized by expanding the 128-bit key into both the eight state variables and the eight counter variables: the key is divided into eight subkeys, and the state and counter variables are initialized from them. The system is then iterated four times and the counter variables are modified. Authenticated encryption using Rabbit following the design of Dragon-MAC was first proposed by Ruhma Tahir in [18]. Rabbit-MAC employs the next-state function for calculating the MAC. The sender computes the MAC over the encrypted packet with Km and appends it to the encrypted packet for authentication. The IV is computed from the header of the data packet.
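As an added example, not code from this paper or from the Rabbit designers, the Encrypt-then-MAC flow of Section 4 instantiated with Rabbit: the eight header bytes of Section 4.1 (Src, Dest, AM type, Len, Ctr) serve as the 64-bit Rabbit IV, a 32-bit tag replaces the 2-byte CRC, and Ctr is checked against replay before any decryption. The key and IV byte order and the rule for pushing ciphertext through the next-state function are assumptions of this example (the page leaves them unspecified), so the tag construction is illustrative rather than a vetted MAC.

```python
import hmac, struct

M32 = 0xFFFFFFFF
A = (0x4D34D34D, 0xD34D34D3, 0x34D34D34) * 3     # Rabbit counter increments A0..A7

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32

def g(u, v):  # Rabbit g-function: square the 32-bit sum, XOR the two 32-bit halves
    sq = ((u + v) & M32) ** 2
    return (sq ^ (sq >> 32)) & M32

class Rabbit:
    """Rabbit core [14]: eight state words x, eight counters c, one carry bit."""
    def __init__(self, key, iv):
        k = struct.unpack("<8H", key)          # K0..K7; little-endian order is assumed
        self.x, self.c, self.carry = [0] * 8, [0] * 8, 0
        for j in range(8):                     # key setup
            if j % 2 == 0:
                self.x[j] = (k[(j + 1) % 8] << 16) | k[j]
                self.c[j] = (k[(j + 4) % 8] << 16) | k[(j + 5) % 8]
            else:
                self.x[j] = (k[(j + 5) % 8] << 16) | k[(j + 4) % 8]
                self.c[j] = (k[j] << 16) | k[(j + 1) % 8]
        for _ in range(4):
            self.next_state()
        for j in range(8):
            self.c[j] ^= self.x[(j + 4) % 8]
        v = int.from_bytes(iv, "little")       # 64-bit IV setup
        lo, hi = v & M32, v >> 32
        words = (lo, ((v >> 48) << 16) | ((v >> 16) & 0xFFFF),
                 hi, ((hi & 0xFFFF) << 16) | (v & 0xFFFF))
        for j, w in enumerate(words):
            self.c[j] ^= w
            self.c[j + 4] ^= w
        for _ in range(4):
            self.next_state()

    def next_state(self):
        for j in range(8):                     # counter system with carry
            t = self.c[j] + A[j] + self.carry
            self.carry, self.c[j] = t >> 32, t & M32
        G = [g(self.x[j], self.c[j]) for j in range(8)]
        for j in range(8):                     # eight coupled non-linear functions
            if j % 2 == 0:
                self.x[j] = (G[j] + rotl(G[j - 1], 16) + rotl(G[j - 2], 16)) & M32
            else:
                self.x[j] = (G[j] + rotl(G[j - 1], 8) + G[j - 2]) & M32

    def block(self):                           # next 128-bit keystream block
        self.next_state()
        x = self.x
        w = [((x[i] & 0xFFFF) ^ (x[(i + 5) % 8] >> 16))
             | (((x[i] >> 16) ^ (x[(i + 3) % 8] & 0xFFFF)) << 16) for i in (0, 2, 4, 6)]
        return struct.pack("<4I", *w)

    def crypt(self, data):
        ks = b"".join(self.block() for _ in range((len(data) + 15) // 16))
        return bytes(a ^ b for a, b in zip(data, ks))

# Header of Section 4.1: Src, Dest, AM type, Len, Ctr = 8 bytes, i.e. one Rabbit IV.
HDR = struct.Struct("<HHBBH")
TAG_LEN = 4                                    # 32-bit MAC replaces the 2-byte CRC

def mac(km, header, ct):
    """Rabbit-MAC style tag: Km as key, header as IV, ciphertext fed through
    next_state. The exact absorbing rule is this example's assumption."""
    r = Rabbit(km, header)
    for off in range(0, len(ct), 32):
        for j, w in enumerate(struct.unpack("<8I", ct[off:off + 32].ljust(32, b"\0"))):
            r.x[j] ^= w
        r.next_state()
    r.x[0] ^= len(ct)                          # bind the ciphertext length
    return r.block()[:TAG_LEN]

def seal(ke, km, src, dest, am_type, ctr, payload):
    """Encrypt-then-MAC: Ke encrypts, Km authenticates header and ciphertext."""
    header = HDR.pack(src, dest, am_type, len(payload), ctr)
    ct = Rabbit(ke, header).crypt(payload)     # Ctr keeps the header/IV unique per packet
    return header + ct + mac(km, header, ct)

def open_packet(ke, km, pkt, last_ctr):
    """Authenticate first, decrypt only on success. Returns (payload, ctr) or None."""
    header, body, tag = pkt[:HDR.size], pkt[HDR.size:-TAG_LEN], pkt[-TAG_LEN:]
    length, ctr = HDR.unpack(header)[3:]
    if length != len(body) or ctr <= last_ctr:     # wrong length or replayed counter
        return None
    if not hmac.compare_digest(tag, mac(km, header, body)):
        return None
    return Rabbit(ke, header).crypt(body), ctr

def demo():
    ke, km = bytes(range(16)), bytes(range(16, 32))      # constructed sample keys
    pkt = seal(ke, km, 0x0001, 0x0002, 0x0A, 7, b"temp=21C")
    bad_ct, bad_hdr = bytearray(pkt), bytearray(pkt)
    bad_ct[HDR.size] ^= 1                                # flip one ciphertext bit
    bad_hdr[2] ^= 1                                      # alter Dest in the header
    return (open_packet(ke, km, pkt, 6), open_packet(ke, km, pkt, 7),
            open_packet(ke, km, bytes(bad_ct), 6), open_packet(ke, km, bytes(bad_hdr), 6))
```

The 2-byte Ctr wraps after 65536 packets, so a deployment would need rekeying before the header/IV repeats under Ke.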
5 Future Work

In future the proposed scheme will be implemented using TinyOS coupled with nesC on Telos family Tmotes. This platform has been selected in particular because it can be tested on a real sensor network test bed and demonstrated in real time on sensor nodes [17]. Results will be gathered to carry out a comparative analysis of the efficiency and resource savings of the above eSTREAM ciphers once implemented in authenticated encryption mode. The parameters for the comparative analysis will be code size, memory consumed, required processing power and processing time for each of the above eSTREAM ciphers.
6 Conclusion

The eSTREAM ciphers have proven efficiency and security comparable to AES. Authenticated encryption using these ciphers in resource-limited WSNs fulfills the requirements of data security against attacks such as node capture, physical tampering, monitoring and eavesdropping. Designing stream ciphers with built-in authentication functionality by modifying existing ciphers appears to be a better solution, but it may call the security and efficiency of the cipher into question. Work done in the WSN environment may prove equally implementable in networks of similar resource-constrained wireless communication devices. This will be all the more true and useful when such devices are used for military applications in hostile environments.
References

[1] Perrig, A., Stankovic, J., Wagner, D.: Security in Wireless Sensor Networks. Communications of the ACM 47(6), 53–57 (2004)
[2] Akyildiz, I., Su, W., Sankarasubramaniam, Y., Cayirci, E.: Wireless Sensor Networks: A Survey. Computer Networks 38(9), 393–422 (2002)
[3] Zia, T., Zomaya, A.: Security Issues in Wireless Sensor Networks. In: Proc. of Int. Conf. on Systems and Networks Communications, vol. 11(9), pp. 40–45 (2006)
[4] Ecrypt Stream Ciphers (September 2008), http://www.ecrypt.eu.org/
[5] Kim, W.H., Lee, J.K.: Method of Generating Message Authentication Code Using Stream Ciphers. United States Patent Application, Pub. No. 2008/0112561 A1 (May 2008)
[6] Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 531. Springer, Heidelberg (2000)
[7] Chen, K., Henricksen, M., Millan, W., Fuller, J., Simpson, L., Dawson, E., Lee, H., Moon, S.: Dragon: A Fast Word Based Stream Cipher. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 33–50. Springer, Heidelberg (2005)
[8] Lim, S.Y., Pu, C.C., Lim, H.T., Lee, H.J.: Dragon-MAC: Securing Wireless Sensor Networks with Authenticated Encryption, http://www.eprint.iarc.org/2007/204.pdf
[9] Ferguson, N., Whiting, D., Schneier, B., Kelsey, J., Lucks, S., Kohno, T.: Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive, http://www.schneier.com/paper-helix.pdf
[10] Zoltak, B.: Tail-MAC: An Efficient Message Authentication Scheme for Stream Ciphers, http://www.citeseerx.ist.psu.edu/viewdoc/summery?doi=10.1.1.4.6611
[11] Hawkes, P., Paddon, M., Rose, G.G.: Primitive Specification for SOBER-128, http://www.qualcomm.com.au/PublicationsDocs/SOBER-128-v2.pdf
[12] Berbain, C., Billet, O., Canteaut, A., Courtois, N., Gilbert, H., Goubin, L., Gouget, A., Granboulan, L., Lauradoux, C., Minier, M., Pornin, T., Sibert, H.: Sosemanuk, a Fast Software-Oriented Stream Cipher, http://www.ecrypt.eu.org/stream/p2ciphers/sosemanuk/sosemanuk_p2.pdf
[13] Wang, J.: Fundamentals of erbium-doped fiber amplifiers arrays; Wu, H.: A New Stream Cipher HC-256. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 226–244. Springer, Heidelberg (2004)
[14] Boesgaard, M., Vesterager, M., Christensen, T., Zenner, E.: The Stream Cipher Rabbit. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 307–329. Springer, Heidelberg (2003)
[15] Perrig, A., Szewczyk, R., Wen, V., Culler, D., Tygar, J.D.: SPINS: Security Protocols for Sensor Networks. ACM Transactions on Wireless Networks 8(5), 521–534 (2002)
[16] Karlof, C., Sastry, N., Wagner, D.: TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. In: Proceedings of the Second ACM Conference on Embedded Networked Sensor Systems, Baltimore, USA, November 2004, pp. 162–175 (2004)
[17] Fok, C.: TinyOS Tutorial (2004), http://www.princeton.edu/~wolf/EECS579/imotes/tostutorial.pdf
[18] Tahir, R., Javed, M.Y., Cheema, A.R.: Rabbit-MAC: Lightweight Authenticated Encryption in Wireless Sensor Networks. In: IEEE Int. Conf. on Information and Automation (ICIA 2008), Zhangjiajie City, Hunan, China, June 20–23 (2008)
Aggregate and Verifiably Encrypted Signatures from Multilinear Maps without Random Oracles

Markus Rückert¹ and Dominique Schröder²

¹ Cryptography and Computeralgebra, [email protected]
² Minicrypt, [email protected]
TU Darmstadt, Germany

Abstract. Aggregate signatures provide bandwidth-saving aggregation of ordinary signatures. We present the first unrestricted instantiation without random oracles, based on the Boneh-Silverberg signature scheme. Moreover, our construction yields a multisignature scheme where a single message is signed by a number of signers. Our second result is an application to verifiably encrypted signatures. There, signers encrypt their signature under the public key of a trusted third party and output a proof that the signature is inside. Upon dispute between signer and verifier, the trusted third party is able to recover the signature. These schemes are provably secure in the standard model.
1 Introduction
Boneh et al. present aggregate signature schemes (AS) and verifiably encrypted signature schemes (VES) in [2]. In essence, an AS allows any party to combine q signatures $\sigma_1, \dots, \sigma_q$ on q messages $m_1, \dots, m_q$ of q signers into a single aggregate signature S, which has roughly the same size as an ordinary signature. VES schemes serve a different purpose, typically in fair exchange protocols [1]. Signers encrypt their signatures under the public key of a trusted party, the adjudicator, while preserving signature verifiability. The adjudicator is able to extract a regular signature from a verifiably encrypted signature in the case of a dispute. Note that we use the revised security model from [15]. A variant of AS, called sequential aggregate signature (SAS), is organized like a chain. The i-th signer receives an “aggregate-so-far”, adds its own signature and sends the new aggregate to the (i+1)-th signer. Thus, SAS are a slightly restricted variant of AS as they do not support simultaneous aggregation. Basically, security of AS is formalized in the chosen-key model, where an adversary gets as input a challenge public key and is allowed to choose all other user keys. The adversary has access to a signing oracle for the challenge key and is successful if it outputs a valid aggregate signature containing a signature that verifies under the challenge public key.
This work was supported by CASED (www.cased.de). Dominique Schröder was supported by the Emmy Noether Program Fi 940/2-1 of the German Research Foundation (DFG).
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 750–759, 2009. © Springer-Verlag Berlin Heidelberg 2009
Aggregate and Verifiably Encrypted Signatures from Multilinear Maps
751
Typical applications for aggregate signatures are, e.g., secure routing [10] or certificate chain compression [2]. The main advantage of AS is that it saves bandwidth, which makes it an optimal solution for networks of small, battery-powered devices that communicate over energy-consuming wireless channels [14]. Other important applications, mentioned by Bellare et al. [3], are sensor networks such as the “Tsunami early warning system” located in the Indian Ocean. There, each sensor node collects data from the environment and sends it — digitally signed — to a monitoring station. Typically, a sensor node does not send its data directly to the station, but rather forwards it over several nodes to the station, which is why there is a need to ensure authenticity.

Random Oracle Model vs. Registered-Key Model. The random oracle model [5], due to Bellare and Rogaway, treats hash functions like truly random functions. This approach allows researchers to gain confidence in their constructions as long as the hash function is ideal. However, Canetti, Goldreich, and Halevi [7] disputed the soundness of the random oracle model and encouraged researchers to find efficient schemes that are provably secure without it. In the context of multi-message signatures, such as multisignatures or aggregate signatures, the known schemes either rely on the random oracle model or on a different proof model, known as the certified-key model. There, each user has to prove knowledge of the secret key during a key registration protocol. We follow this idea and model it by forcing the adversary to certify all key pairs. Note that this methodology follows the work of, e.g., Boldyreva [4] or Lu et al. [12].

Related Work. After Boneh et al. [2] proposed the notion of aggregate signature schemes and presented a construction, there were, to the best of our knowledge, only sequential aggregate signature schemes such as [2,11,12,3,14]. As for VES schemes, we refer the reader to the instantiations in, e.g., [2,12].
Our Contribution. The results of this paper are twofold. As the first result, we present an aggregate signature scheme in the certified-key model without random oracles. The scheme is based on the Boneh-Silverberg signature scheme [6], which in turn is a variant of the signature scheme by Lysyanskaya [13]. In fact, our scheme provides the first (unrestricted) aggregate signature in the standard model. Moreover, our scheme can be used as a multisignature scheme without any modifications. We prove its security in the standard model while maintaining an optimal signature size and reasonable efficiency. The construction is based on multilinear maps, whose practicability is yet unknown. Boneh and Silverberg show that multilinear maps cannot be built from Weil or Tate pairings; however, they mention that such maps might come from algebraic geometry, but more likely from other areas. Nevertheless, our work widens the range of possible applications for those maps, and we are sure that this will encourage researchers to explore possible realizations. The second result covers a different area, namely verifiably encrypted signatures. In [2], the authors observe that AS schemes give rise to VES schemes if the extraction of individual signatures from an aggregate signature is hard.
Therefore, based on our aggregate signature scheme, we construct a VES scheme that is secure in the standard model.

Organization. Some basic notations and the necessary assumptions are briefly recalled in Section 2. In Section 3, we review the security model for aggregate signature schemes and subsequently present our construction in Section 3.2. Finally, in Section 4, we deal with an application to verifiably encrypted signatures along with the according security proofs.
2 Preliminaries
In this section, we recall some background on multilinear (n-linear) maps, following the notation of [6]. By $(G_1, *)$ and $(G_T, *)$ we denote two groups of prime order $\ell$, and by $e : G_1^n \to G_T$ an n-linear map, such that: all group actions can be computed efficiently; if $a_1, \dots, a_n \in \mathbb{Z}$ and $x_1, \dots, x_n \in G_1$ then
$$e(x_1^{a_1}, x_2^{a_2}, \dots, x_n^{a_n}) = e(x_1, x_2, \dots, x_n)^{a_1 a_2 \cdots a_n};$$
if $g \in G_1$ is a generator of $G_1$ then $e(g, g, \dots, g)$ generates $G_T$. In the rest of this paper, we assume that $G_1$, $G_T$, $g$, and $e$ are fixed and public parameters. The security parameter is $1^k$ and the length of the message is n. Let |S| denote the size of the finite set S. An adversary is an efficient algorithm. A function which is not negligible is noticeable.

2.1 Complexity Assumption
This section deals with the complexity assumption for the proposed aggregate signature scheme and for the novel verifiably encrypted signature scheme. The following definition can be found in [6].

Generalized Diffie-Hellman Assumption. An algorithm A, breaking the generalized Diffie-Hellman problem, takes as input $(g^{a_1}, \dots, g^{a_n}) \in G_1^n$ for randomly chosen $a_1, \dots, a_n \in \mathbb{Z}_\ell^*$ and has access to an oracle $O_{GDH}((a_1, \dots, a_n), \cdot)$ which, when queried with any strict subset $S \subset \{1, \dots, n\}$, responds with
$$O_{GDH}((a_1, \dots, a_n), S) = g^{\prod_{i \in S} a_i} \in G_1.$$
The probability that A returns $g^{a_1 a_2 \cdots a_n}$ is defined as
$$\mathrm{Adv}^{GDH}_A := \mathrm{Prob}\left[A^{O_{GDH}}(g, g^{a_1}, \dots, g^{a_n}) = g^{a_1 a_2 \cdots a_n} : a_1, \dots, a_n \in \mathbb{Z}_\ell^*\right].$$
The GDH problem is $(t, q_{GDH}, \varepsilon)$-hard if for any algorithm A, running in time at most t and querying $O_{GDH}$ no more than $q_{GDH}$ times, the probability $\mathrm{Adv}^{GDH}_A$ is less than $\varepsilon$.

Secure Signature Schemes. We briefly recall the Boneh-Silverberg (BS) signature scheme [6] and the definition of secure signature schemes. Roughly speaking, a digital signature scheme is secure if there is no adversary which (adaptively) queries a signing oracle and outputs a valid message-signature pair $(m^*, \sigma^*)$ such that it never queried $m^*$ to the signing oracle. The formal definition can be found in [9].
BS Signature Scheme. The signature scheme of Boneh and Silverberg, which builds upon the unique signature scheme proposed by Lysyanskaya [13], is defined through the following algorithms.

KeyGen: The key generation algorithm $\mathrm{Kg}(1^k)$ takes as input the security parameter $1^k$. It randomly selects 2n elements $a_{1,0}, a_{1,1}, \dots, a_{n,0}, a_{n,1} \in \{1, \dots, \ell - 1\}$. The algorithm computes $u_{1,0} \leftarrow g^{a_{1,0}}, u_{1,1} \leftarrow g^{a_{1,1}}, \dots, u_{n,0} \leftarrow g^{a_{n,0}}, u_{n,1} \leftarrow g^{a_{n,1}}$ and returns the private key $sk = (a_{1,0}, a_{1,1}, \dots, a_{n,0}, a_{n,1})$ and the public key $pk = (u_{1,0}, u_{1,1}, \dots, u_{n,0}, u_{n,1})$.

Signing: $\mathrm{Sign}(sk, m)$ accepts as input a message $m = (m_1, \dots, m_n) \in \{0,1\}^n$ as well as a signing key $sk = (a_{1,0}, a_{1,1}, \dots, a_{n,0}, a_{n,1})$ and computes the signature
$$\sigma \leftarrow g^{\prod_{i=1}^{n} a_{i,m_i}} \in G_1.$$
Note that the message space $\{0,1\}^n$ can always be extended to $\{0,1\}^*$ by hashing the messages first.

Verification: $\mathrm{Vf}(pk, \sigma, m)$ returns 1 iff $e(\sigma, g, \dots, g) = e(u_{1,m_1}, u_{2,m_2}, \dots, u_{n,m_n})$.

Boneh and Silverberg follow the proof of Lysyanskaya ([13,6]) and show that their scheme is unforgeable under chosen message attacks.
3 Unrestricted Aggregate Signatures
Basically, an aggregate signature [2] is a signature of q different signers on q different messages such that the signature has roughly the same size as a single signature. In such a scheme, the aggregation algorithm can be executed by anyone, including untrusted parties. Bellare, Namprempre, and Neven [3] generalize aggregate signatures to unrestricted aggregate signatures, removing the restriction that all messages as well as all signers have to be distinct. For brevity, we just write aggregate signature instead of unrestricted aggregate signature. An aggregate signature scheme is a tuple of algorithms AS = (AggKGen, Sign, Agg, Vf, AggVf), where

Key Generation. $\mathrm{AggKGen}(1^k)$ generates a key pair (sk, pk) for each user independently.
Signature Issue. The signing algorithm $\mathrm{Sign}(sk, m)$ takes as input the secret key sk as well as a message $m \in \{0,1\}^n$ and outputs a signature $\sigma$.
Signature Aggregation. $\mathrm{Agg}((pk^{(1)}, m^{(1)}, \sigma^{(1)}), \dots, (pk^{(q)}, m^{(q)}, \sigma^{(q)}))$ builds an aggregate S on messages $M = (m^{(1)}, \dots, m^{(q)})$ under public keys $\mathbf{pk} = (pk^{(1)}, \dots, pk^{(q)})$ and outputs the triple $(\mathbf{pk}, M, S)$.
Signature Verification. The signature verification algorithm $\mathrm{Vf}(pk, m, \sigma)$ accepts as input a public key pk, the message m, and a signature $\sigma$. It outputs a bit, indicating the validity of $\sigma$.
Aggregate Verification. The algorithm $\mathrm{AggVf}(\mathbf{pk}, M, S)$ takes as input a set of public keys $\mathbf{pk} = (pk^{(1)}, \dots, pk^{(q)})$, a set of messages $M = (m^{(1)}, \dots, m^{(q)})$ as well as an aggregate S. It returns 1 iff S is a valid aggregate signature on messages $(m^{(1)}, \dots, m^{(q)})$ under public keys $(pk^{(1)}, \dots, pk^{(q)})$.

The scheme is complete if for any set of q key pairs $(sk^{(i)}, pk^{(i)}) \leftarrow \mathrm{AggKGen}(1^k)$, for any set of q messages $m^{(i)} \in \{0,1\}^n$, for any honestly generated set of q signatures $\sigma^{(i)} \leftarrow \mathrm{Sign}(sk^{(i)}, m^{(i)})$, and for any aggregate S returned by $\mathrm{Agg}((pk^{(1)}, m^{(1)}, \sigma^{(1)}), \dots, (pk^{(q)}, m^{(q)}, \sigma^{(q)}))$ we have that for all $i \in \{1, 2, \dots, q\}$: $\mathrm{Vf}(pk^{(i)}, m^{(i)}, \sigma^{(i)}) = 1$ and $\mathrm{AggVf}(\mathbf{pk}, M, S) = 1$.

3.1 Security
The security of aggregate signatures is formalized in the aggregate certified-key model, which combines the chosen-key model of [2] with the certified-key approach presented in [4] and [12]. Informally, an adversary is given a challenge public key and tries to forge an aggregate signature on messages of its choice and users (keys) of its choice. This adversary has access to a signing oracle O for the challenge key and wins if it is able to output an aggregate signature including a signature $\sigma'$ on $m'$ under the challenge key, without querying the signing oracle with $m'$. In addition, the adversary has to certify all signature keys, using a method that allows secret key extraction. To keep it simple, we avoid rewinding the adversary during complex proof protocols and simply force it to provide the secret key during the key certification process. An aggregate signature scheme AS is secure in the certified-key model if the probability that the following game evaluates to 1 is negligible (as a function of k).

Setup. Choose the challenge key pair $(pk, sk) \leftarrow \mathrm{AggKGen}(1^k)$, initialize the set of certified keys with $C \leftarrow \emptyset$, and execute algorithm A on input pk.
Certification Queries. Algorithm A provides a key pair $(sk', pk')$ in order to certify $pk'$. If $(sk', pk')$ is a valid key pair, add $(sk', pk')$ to C.
Signing Queries. Algorithm A adaptively queries $q_O$ messages. For any message m, it receives the signature $\sigma \leftarrow \mathrm{Sign}(sk, m)$ under the private key sk.
Output. A stops, outputting a triple $(\mathbf{pk}, M, S)$. This triple consists of a set of public keys $\mathbf{pk}$, a set of messages M, and a forged aggregate signature S. The game outputs 1 iff $\mathrm{AggVf}(\mathbf{pk}, M, S) = 1$, all keys in $\mathbf{pk}$ (except for pk) are in C, $\exists i : pk^{(i)} = pk$, and A never invoked $\mathrm{Sign}(sk, \cdot)$ on $m^{(i)}$.

An aggregate signature scheme is $(t, q_O, q_{\max}, \varepsilon)$-secure if for any adversary A, running in time at most t and querying the signing oracle at most $q_O$ times, the probability that it outputs a valid forgery using at most $q_{\max}$ public key-message pairs is less than $\varepsilon$.

3.2 Our Construction
The proposed aggregate signature scheme AS is defined as follows.

Key Generation, Signature Issue, Signature Verification. Same as in the Boneh-Silverberg signature scheme.
Signature Aggregation. The algorithm $\mathrm{Agg}((pk^{(1)}, m^{(1)}, \sigma^{(1)}), \dots, (pk^{(q)}, m^{(q)}, \sigma^{(q)}))$ sets $\mathbf{pk} \leftarrow (pk^{(1)}, pk^{(2)}, \dots, pk^{(q)})$, $M \leftarrow (m^{(1)}, m^{(2)}, \dots, m^{(q)})$, computes $S \leftarrow \prod_{i=1}^{q} \sigma^{(i)}$, and outputs the triple $(\mathbf{pk}, M, S)$.
Aggregate Verification. $\mathrm{AggVf}(\mathbf{pk}, M, S)$ returns 1 iff
$$\prod_{i=1}^{q} e\bigl(u^{(i)}_{1,m^{(i)}_1}, u^{(i)}_{2,m^{(i)}_2}, \dots, u^{(i)}_{n,m^{(i)}_n}\bigr) = e(S, g, \dots, g).$$
In the following we show that our aggregate signature scheme is complete. Let $(sk^{(1)}, pk^{(1)}), \dots, (sk^{(q)}, pk^{(q)})$ be the honestly generated key pairs of all participating users and let $(m^{(1)}, \sigma^{(1)}), \dots, (m^{(q)}, \sigma^{(q)})$ be the corresponding message-signature pairs that verify under Vf. Now, let S be the output of Agg under those messages, signatures, and keys. AggVf evaluates
$$\prod_{i=1}^{q} e\bigl(u^{(i)}_{1,m^{(i)}_1}, u^{(i)}_{2,m^{(i)}_2}, \dots, u^{(i)}_{n,m^{(i)}_n}\bigr) = e(g, g, \dots, g)^{\sum_{i=1}^{q} \prod_{j=1}^{n} a^{(i)}_{j,m^{(i)}_j}} = e\Bigl(g^{\sum_{i=1}^{q} \prod_{j=1}^{n} a^{(i)}_{j,m^{(i)}_j}}, g, \dots, g\Bigr) = e\Bigl(\prod_{i=1}^{q} \sigma^{(i)}, g, \dots, g\Bigr) = e(S, g, \dots, g).$$
Aggregate Security. We prove that our scheme is secure in the chosen-key model as long as the BS signature scheme is unforgeable.

Theorem 1. Let $T_{\mathrm{Sign}}$ be the cost function for BS signature generation. Our scheme is $(t, q_O, q_{\max}, \varepsilon)$-secure if the BS signature scheme is $(t', q'_O, \varepsilon')$-unforgeable with $t' = t + (q_{\max} - 1)\,T_{\mathrm{Sign}}$, $q'_O = q_O$, and $\varepsilon' = \varepsilon$.

The proof is a black-box reduction. We build an algorithm B against unforgeability of the underlying signature scheme. B gets as input a public key pk and has access to a signing oracle Sign(sk, ·). The adversary A, which is a forger against the aggregate signature scheme, is given the challenge public key pk and, if successful, outputs a forged aggregate signature $(\mathbf{pk}, M, S)$ containing a forged (ordinary) signature under the key pair (sk, pk). Algorithm B can extract this signature and thus returns a forgery against the underlying signature scheme.

Proof. Assuming there exists a successful adversary A against the aggregate signature scheme, we construct an algorithm B via a black-box simulation, which is an equally successful forger against the BS signature scheme.

Setup. B receives the challenge key pk, initializes the set of certified keys (C ← ∅), and runs A on input pk.

Certification Queries. A wants to certify a key pk' and hands over the pair (sk', pk'). If sk' is the corresponding secret key to pk', then add the pair to the list, C ← C ∪ {(sk', pk')}; otherwise reject.

Signature Queries. B answers A's queries on a message m by querying its own signature oracle, σ ← Sign(sk, m), and returns σ.

Output. A halts, outputting an aggregate signature triple $(\mathbf{pk}, M, S)$. If A is successful, all public keys (except the challenge key) are registered. B extracts the message-signature pair (m*, σ*) corresponding to the public key pk, outputs (m*, σ*), and stops. W.l.o.g., let $(sk_1, pk_1)$ be the key pair of B's signing oracle, i.e. $pk_1 = pk$.
The extraction of the corresponding message-signature pair from $(\mathbf{pk}, M, S)$, with $|\mathbf{pk}| = q$, works as follows:

1. Let $sk^{(i)}$ be the sequence of secret keys $(a^{(i)}_{1,0}, a^{(i)}_{1,1}, \ldots, a^{(i)}_{n,0}, a^{(i)}_{n,1})$ for $i = 2, \ldots, q$, obtained from the certified key store C, which were chosen by A.

756 M. Rückert and D. Schröder

2. Let $m^* \leftarrow m^{(1)}$ and
$$\sigma^* \leftarrow S \cdot \Bigl(\prod_{i=2}^{q} g^{\prod_{j=1}^{n} a^{(i)}_{j,m^{(i)}_j}}\Bigr)^{-1}.$$

3. Output the forged signature $(m^*, \sigma^*)$.

Analysis. We first show that the extraction yields a valid signature. We have
$$\begin{aligned}
e(\sigma^*, g, \ldots, g)
&= e\Bigl(S \cdot \Bigl(\prod_{i=2}^{q} g^{\prod_{j=1}^{n} a^{(i)}_{j,m^{(i)}_j}}\Bigr)^{-1}, g, \ldots, g\Bigr) \\
&= e\Bigl(g^{\sum_{i=1}^{q} \prod_{j=1}^{n} a^{(i)}_{j,m^{(i)}_j} \;-\; \sum_{i=2}^{q} \prod_{j=1}^{n} a^{(i)}_{j,m^{(i)}_j}}, g, \ldots, g\Bigr)
 = e(u_{1,m_1}, u_{2,m_2}, \ldots, u_{n,m_n}).
\end{aligned}$$
Therefore, σ* verifies under pk. Moreover, algorithm B answers all of A's queries as expected and therefore simulates the environment perfectly. Whenever A invokes the signing oracle, algorithm B queries its signing oracle. Since B has access to the secret signing keys, which A generates prior to outputting a corresponding forgery, B can always extract a valid forged signature. Thus, B is successful whenever A is. The overhead of the extraction algorithm is $(q_{\max} - 1)\,T_{\mathrm{Sign}}$ (we omit the list processing cost induced by C).
4 Verifiably Encrypted Signatures

Boneh et al. [2] introduced verifiably encrypted signature schemes (VES) along with a security model that is extended in [15]. In a VES, a signer encrypts its signature under the public key of a trusted third party (the adjudicator) and proves that the encrypted value contains a valid signature. A verifiably encrypted signature scheme VES = (VesKGen, VesAdjKGen, Sign, Vf, Create, VesVf, Adj) consists of the following seven algorithms.

Key Generation, Signing, Verification. Defined as in a standard digital signature scheme.

Adjudicator Key Generation. VesAdjKGen(1^k) outputs (ask, apk), where ask is private and apk is public.

VES Creation. Create(sk, apk, m) takes as input a secret signature key sk, the adjudicator's public key apk, and a message m ∈ M. It returns a verifiably encrypted signature ω on m.

VES Verification. VesVf(apk, pk, ω, m) takes as input the adjudicator's public key apk, a public verification key pk, a verifiably encrypted signature ω, and a message m. It returns a bit.

Adjudication. Adj(ask, apk, pk, ω, m) accepts as input the key pair (ask, apk) of the adjudicator, the public key pk of the signer, a verifiably encrypted signature ω, and a message m. It extracts an ordinary signature σ on m.

For brevity, we sometimes omit the key parameters. A verifiably encrypted signature scheme is complete if for all honestly generated keys (ask, apk) ← VesAdjKGen(1^k) and (sk, pk) ← VesKGen(1^k), and for all m ∈ M, we have VesVf(Create(m), m) = 1 ∧ Vf(Adj(Create(m)), m) = 1.
4.1 Security
VES schemes must satisfy unforgeability, opacity [2], extractability, and abuse-freeness [15].

Unforgeability requires that it is hard to forge a verifiably encrypted signature. The adversary is given access to two oracles: oracle VESig, which gets a message m as input and returns a verifiably encrypted signature ω, and oracle VEAdj, which extracts a signature σ from a given ω. The adversary is successful if it outputs a pair (m*, ω*) such that it never queried m* to VESig or VEAdj. A scheme is $(t, q_{\mathrm{VESig}}, q_{\mathrm{VEAdj}}, \varepsilon)$-unforgeable if there is no adversary A that runs in time at most t, makes at most $q_{\mathrm{VESig}}$ queries to VESig, at most $q_{\mathrm{VEAdj}}$ queries to VEAdj, and whose advantage $\mathrm{Adv}^{\mathrm{VSigF}}_A$ is at least ε, where
$$\mathrm{Adv}^{\mathrm{VSigF}}_A = \Pr\left[\mathrm{VesVf}(apk, pk, \omega^*, m^*) = 1 :
\begin{array}{l}
(apk, ask) \leftarrow \mathrm{VesAdjKGen}(1^n) \\
(pk, sk) \leftarrow \mathrm{VesKGen}(1^n) \\
(m^*, \omega^*) \leftarrow A^{\mathrm{VESig},\mathrm{VEAdj}}(apk, pk)
\end{array}\right].$$

Opacity states that it is difficult to extract an ordinary signature from ω. Again, the adversary is given access to the oracles VESig and VEAdj. A scheme is $(t, q_{\mathrm{VESig}}, q_{\mathrm{VEAdj}}, \varepsilon)$-opaque if there is no adversary B that runs in time at most t, makes at most $q_{\mathrm{VESig}}$ queries to VESig, at most $q_{\mathrm{VEAdj}}$ queries to VEAdj, and whose advantage $\mathrm{Adv}^{\mathrm{VSigO}}_A$ is at least ε, where
$$\mathrm{Adv}^{\mathrm{VSigO}}_A = \Pr\left[\mathrm{Vf}(pk, \sigma^*, m^*) = 1 :
\begin{array}{l}
(apk, ask) \leftarrow \mathrm{VesAdjKGen}(1^n) \\
(pk, sk) \leftarrow \mathrm{VesKGen}(1^n) \\
(m^*, \sigma^*) \leftarrow A^{\mathrm{VESig},\mathrm{VEAdj}}(apk, pk)
\end{array}\right].$$

An additional requirement is weak-extractability, stating that for all (ask, apk) ← VesAdjKGen(1^k), (sk, pk) ← VesKGen(1^k), and all verifiably encrypted signatures ω on some message m, we have VesVf(ω, m) = 1 ⟹ Vf(Adj(ω, m), m) = 1, i.e. if ω is valid then the adjudicator can always extract a valid ordinary signature. This can be improved to extractability by a standard transformation in [15]. Moreover, VES schemes have to satisfy abuse-freeness, which ensures that signer and adjudicator cannot collude in order to forge verifiably encrypted signatures on behalf of a third party.

4.2 Our Construction
Our verifiably encrypted signature scheme VES is defined as follows.

Key Generation, Signing, Verification. As in BS.

Adjudicator Key Generation. Pick a random element $\beta \leftarrow \mathbb{Z}_p^*$ and return the secret key ask ← β along with the public key $apk \leftarrow g^{\beta}$.

VES Creation. Create(sk, apk, m) takes as input a signing key sk, the adjudicator's public key apk, as well as a message m ∈ {0, 1}^n. It selects a random value $r \in \mathbb{Z}_p^*$ and computes the signature $\sigma \leftarrow g^{a_{1,m_1} \cdots a_{n,m_n}}$. The algorithm sets $K \leftarrow (apk)^r$, $\mu \leftarrow g^r$, and calculates ω ← σ · K. It returns (ω, µ).
VES Verification. VesVf(apk, pk, (ω, µ), m) returns 1 iff
$$e(u_{1,m_1}, u_{2,m_2}, \ldots, u_{n,m_n}) = e(\omega, g, \ldots, g) \cdot e(\mu, apk, g, \ldots, g)^{-1}.$$

Adjudication. Adj(ask, pk, (ω, µ), m) extracts the signature $\sigma \leftarrow \omega \cdot \mu^{-\beta}$ if (ω, µ) is valid.

It is easy to see that the scheme is complete. For the following security proofs, let $T_{\mathrm{VesKGen}}, T_{\mathrm{VesAdjKGen}}, T_{\mathrm{Create}}, T_{\mathrm{Adj}}$ be the cost functions for user key generation, adjudication key generation, verifiably encrypted signature generation, and adjudication.

Theorem 2. If the BS signature is $(t', q'_O, \varepsilon')$-unforgeable then our scheme is $(t, q_{\mathrm{VESig}}, q_{\mathrm{VEAdj}}, \varepsilon)$-unforgeable, where $t' = t + q_{\mathrm{VESig}}\,T_{\mathrm{Create}} + T_{\mathrm{VesAdjKGen}} + (q_{\mathrm{VEAdj}} + 1)\,T_{\mathrm{Adj}}$, $q'_O = q_{\mathrm{VESig}}$, and $\varepsilon' = \varepsilon$.
The proof is a straightforward black-box reduction against the BS signature.

The presented verifiably encrypted signature scheme is opaque. The reduction is somewhat different from the one of Boneh et al. [2] as well as Lu et al. [12]. Both require the aggregate extraction problem to be hard, for which Coron and Naccache [8] showed that it is equivalent to the Diffie-Hellman problem. In our case, however, the security of the underlying signature scheme is not based on the Diffie-Hellman assumption and we therefore cannot base any security property on the aggregate extraction problem. Instead, we show that it is opaque under the GDH assumption.

Theorem 3. If the GDH problem is $(t', \varepsilon')$-hard, our scheme is $(t, q_{\mathrm{VESig}}, q_{\mathrm{VEAdj}}, \varepsilon)$-opaque with $t' = t + T_{\mathrm{VesAdjKGen}} + T_{\mathrm{VesKGen}} + (q_{\mathrm{VESig}} + q_{\mathrm{VEAdj}})\,T_{\mathrm{Create}}$ and $\varepsilon' = \varepsilon / O(t)$.

The reduction immediately follows the idea of the proof of Lysyanskaya [13, Theorem 1] but differs in an important aspect. We first explain the main idea and then the difference. Due to space restrictions, the full proof is omitted. The main idea is to guess s bits, along with their positions, of the adversary's output message. Once the reduction has guessed s bits $B = (b_1, \ldots, b_s)$, it puts the values $(Y_1, \ldots, Y_s)$ (which the reduction gets as input from the GDH instance) into the corresponding parts of the public verification key and selects all other keys on its own. The difference from the proof in [13] is that, here, the adversary is allowed to invoke VESig on the message it outputs, but not VEAdj. Thus, the adversary is allowed to invoke VESig on a message which contains the bits B, each at the guessed position. In order to simulate VESig upon this query, we query the GDH oracle on the index set (0, 1, ..., 1) and set ω and µ such that they pass the VesVf algorithm. By correctly guessing some bits of A's output message during the setup phase, the reduction forces A to output a signature that contains a valid answer to the GDH problem.
Extractability. The scheme is weakly-extractable because $e(\omega\,\mu^{-\beta}, g, \ldots, g) = e(u_{1,m_1}, u_{2,m_2}, \ldots, u_{n,m_n})$ for all valid ω (on m) for honestly chosen keys.
Abuse-freeness. Since our scheme employs the signature and encryption algorithms independently of each other, a theorem in [15] applies, which states that extractability is sufficient for abuse-freeness in this case.
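As an added example (not the paper's code), the following Python checks that the equations of Sections 3.2 and 4.2 compose as claimed: aggregation and AggVf, the reduction's extraction of σ* from S, and VES creation, VesVf and Adj. Since no n-multilinear map is available in standard libraries, every group element is represented by its discrete logarithm modulo an assumed prime P (with n = 4 also assumed), so e(g^{x1}, ..., g^{xn}) is simply the product of exponents; this transparent toy group has no security whatsoever and only exercises the algebra.

```python
import secrets

P = (1 << 127) - 1   # prime; exponents live in Z_P (assumed toy parameter)
N = 4                # message length n in bits = multilinearity of e (assumed)
G = 1                # generator g, represented by its exponent 1

# A group element g^x is stored as its exponent x, so multiplying elements
# adds exponents.  Discrete logs are trivial here: this is a toy, not a group
# anyone should deploy.
def gmul(*xs): return sum(xs) % P
def ginv(x): return (-x) % P
def gpow(x, k): return x * k % P
def rand_scalar(): return secrets.randbelow(P - 1) + 1
def gs(k): return [G] * k   # k copies of g, the padding in e(x, g, ..., g)

def e(*elems):
    """Toy n-multilinear map: e(g^x1, ..., g^xn) = e(g, ..., g)^(x1 * ... * xn)."""
    assert len(elems) == N, "e takes exactly n arguments"
    out = 1
    for x in elems:
        out = out * x % P
    return out

def pk_args(pk, m):
    """(u_{1,m_1}, ..., u_{n,m_n}) selected by the bits of m."""
    return [pk[j][bit] for j, bit in enumerate(m)]

def bs_keygen():
    """BS keys: sk = (a_{j,0}, a_{j,1})_j, pk = (u_{j,b} = g^{a_{j,b}})_j."""
    sk = [(rand_scalar(), rand_scalar()) for _ in range(N)]
    return sk, [(gpow(G, a0), gpow(G, a1)) for a0, a1 in sk]

def bs_sign(sk, m):
    """sigma = g^{a_{1,m_1} * ... * a_{n,m_n}}."""
    expo = 1
    for j, bit in enumerate(m):
        expo = expo * sk[j][bit] % P
    return gpow(G, expo)

def bs_verify(pk, m, sigma):
    """e(u_{1,m_1}, ..., u_{n,m_n}) == e(sigma, g, ..., g)."""
    return e(*pk_args(pk, m)) == e(sigma, *gs(N - 1))

def aggregate(triples):
    """Agg: S = prod_i sigma^(i); returns (pk-list, M, S)."""
    return ([pk for pk, _, _ in triples], [m for _, m, _ in triples],
            gmul(*[s for _, _, s in triples]))

def agg_verify(pks, ms, S):
    """AggVf: prod_i e(u^(i)_{1,m_1}, ..., u^(i)_{n,m_n}) == e(S, g, ..., g)."""
    lhs = 0  # a product in the target group is a sum of exponents
    for pk, m in zip(pks, ms):
        lhs = (lhs + e(*pk_args(pk, m))) % P
    return lhs == e(S, *gs(N - 1))

def extract_first(S, ms, sks_rest):
    """Reduction step 2: sigma* = S * (prod_{i>=2} g^{prod_j a^(i)_{j,m_j}})^{-1}."""
    others = [bs_sign(sk, m) for sk, m in zip(sks_rest, ms[1:])]
    return gmul(S, ginv(gmul(*others)))

def adj_keygen():
    """ask = beta, apk = g^beta."""
    beta = rand_scalar()
    return beta, gpow(G, beta)

def ves_create(sk, apk, m):
    """omega = sigma * apk^r, mu = g^r."""
    r = rand_scalar()
    return gmul(bs_sign(sk, m), gpow(apk, r)), gpow(G, r)

def ves_verify(apk, pk, omega_mu, m):
    """e(u_{1,m_1}, ..., u_{n,m_n}) == e(omega, g, ..., g) * e(mu, apk, g, ..., g)^{-1}."""
    omega, mu = omega_mu
    rhs = (e(omega, *gs(N - 1)) - e(mu, apk, *gs(N - 2))) % P
    return e(*pk_args(pk, m)) == rhs

def adjudicate(ask, apk, pk, omega_mu, m):
    """Adj: sigma = omega * mu^{-beta}, only for a valid (omega, mu)."""
    if not ves_verify(apk, pk, omega_mu, m):
        return None
    omega, mu = omega_mu
    return gmul(omega, ginv(gpow(mu, ask)))

def demo(q=3):
    """Sign q messages, aggregate, extract sigma^(1), then run the VES flow."""
    keys = [bs_keygen() for _ in range(q)]
    ms = [tuple(secrets.randbelow(2) for _ in range(N)) for _ in range(q)]
    sigs = [bs_sign(sk, m) for (sk, _), m in zip(keys, ms)]
    pks, M, S = aggregate([(pk, m, s) for (_, pk), m, s in zip(keys, ms, sigs)])
    sigma_star = extract_first(S, M, [sk for sk, _ in keys[1:]])
    ask, apk = adj_keygen()
    om = ves_create(keys[0][0], apk, ms[0])
    return {
        "agg_ok": agg_verify(pks, M, S),
        "agg_tampered": agg_verify(pks, M, gmul(S, G)),  # S * g must fail
        "extracted_ok": bs_verify(pks[0], M[0], sigma_star) and sigma_star == sigs[0],
        "ves_ok": ves_verify(apk, pks[0], om, ms[0]),
        "adj_ok": adjudicate(ask, apk, pks[0], om, ms[0]) == sigs[0],
    }
```

The "agg_tampered" entry shows that multiplying S by one extra group element breaks the AggVf equation, and "extracted_ok" that the reduction recovers exactly the first signer's σ^(1) once the other signers' secret keys are known.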
References

1. Asokan, N., Shoup, V., Waidner, M.: Optimistic Fair Exchange of Digital Signatures. IEEE Journal on Selected Areas in Communications 18(4), 593–610 (2000)
2. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)
3. Bellare, M., Namprempre, C., Neven, G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 411–422. Springer, Heidelberg (2007)
4. Boldyreva, A.: Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2002)
5. Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In: Proceedings of the Annual Conference on Computer and Communications Security (CCS). ACM Press, New York (1993)
6. Boneh, D., Silverberg, A.: Applications of Multilinear Forms to Cryptography. Topics in Algebraic and Noncommutative Geometry, Contemporary Mathematics 324, 71–90 (2003)
7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
8. Coron, J.-S., Naccache, D.: Boneh et al's k-Element Aggregate Extraction Assumption is Equivalent to the Diffie-Hellman Assumption. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 392–397. Springer, Heidelberg (2003)
9. Goldwasser, S., Micali, S., Rivest, R.L.: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput. 17(2), 281–308 (1988)
10. Kent, S.T., Lynn, C., Mikkelson, J., Seo, K.: Secure Border Gateway Protocol (S-BGP) - Real World Performance and Deployment Issues. NDSS. Internet Society (2000)
11. Lysyanskaya, A., Micali, S., Reyzin, L., Shacham, H.: Sequential Aggregate Signatures from Trapdoor Permutations. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 74–90. Springer, Heidelberg (2004)
12. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential Aggregate Signatures and Multisignatures Without Random Oracles. In: Fuhrmann, A., Morreau, M. (eds.) The Logic of Theory Change. LNCS, vol. 465, pp. 465–485. Springer, Heidelberg (1991)
13. Lysyanskaya, A.: Unique Signatures and Verifiable Random Functions from the DH-DDH Separation. In: Guesgen, H.W., Hertzberg, J. (eds.) A Perspective of Constraint-Based Reasoning. LNCS, vol. 597, pp. 597–612. Springer, Heidelberg (1992)
14. Neven, G.: Efficient Sequential Aggregate Signed Data. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 52–69. Springer, Heidelberg (2008)
15. Rückert, M., Schröder, D.: Security of Verifiably Encrypted Signatures. Number 2009/027 in Cryptology ePrint Archive. eprint.iacr.org (2009)
Device Authentication/Authorization Protocol for Home Network in Next Generation Security

Jong Sik Moon (1), Deok Gyu Lee (2), and Im-Yeong Lee (1, corresponding author)

(1) Computer Science and Engineering, Soonchunhyang University, #646, Eupnae-ri, Shinchang-myeoyn, Asan-si, Chungnam, Korea, {comnik528,imylee}@sch.ac.kr
(2) Electronics and Telecommunications Research Institute, 138 Gajeongro, Yuseoung-gu, Daejeon, Korea, [email protected]
Abstract. In modern society, as the rapid development of IT technology combined with computer-based high-speed communication networks makes it possible to provide a wide spectrum of services and devices, we have been confronting a new cultural transformation era, referred to as the information society. However, the requirements to be considered in the security aspect have become more complicated and diversified, and the same security vulnerabilities remain as in the pre-existing media or protocols. Particularly, smart home-network devices are susceptible to different kinds of attacks such as terminal hacking, virus attacks, and information leakage, because their computing capacity is relatively low and loading already developed security functions onto them is difficult. Although developed as one solution to this problem, PKI security authentication technology isn't suitable for multi-domain environments providing ubiquitous intelligent home services, and so the development of a modified authentication system is urgent. Therefore, in this paper we propose a device authentication/authorization protocol using an ID-based public key. Our protocol contributes to the development of secure and efficient technology.

Keywords: Authentication, Authorization, Home Network, Roaming.
* This research was financially supported by the Ministry of Education, Science and Technology (MEST) and the Korea Industrial Technology Foundation (KOTEF) through the Human Resource Training Project for Regional Innovation.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 760–768, 2009. © Springer-Verlag Berlin Heidelberg 2009

1 Introduction

Advanced network device technologies, in conjunction with various information technologies such as broadcasting, telecommunication, networking, and other services, have been changing the social environment in its entirety, including the rapid transition to the u-knowledge society. In these circumstances, the existing network infrastructure has been moving toward home-network technology, which is undergoing rapid advances in the wireless sector as well as the wired sector. Many studies have aimed at developing integrated services into which the different pre-existing technologies are condensed. However, as the degree of individual dependence on computing environments increases in the ubiquitous computing society, where anytime/anywhere computing comes true, it becomes possible, in addition to cyber attacks, to gain illicit access to in-home networks by watching for their unguarded points; therefore a security verification procedure ensuring that home networks give access only to verified devices should be adopted. There is also an increasing need for reinforced security, making sure that services are provided only through verified devices and that use by non-verified users is interrupted, by adding security technologies to the devices through which various security technologies or network services are provided. As a result of the evolution to the u-knowledge society home network, home-device mobility across various service domains, as well as new home services produced by collaboration among many devices, will increase. Subsequently, it is necessary to develop a slim-sized home-device authentication/authorization protocol ensuring secured mobility and provision of unceasing services. Therefore, in this paper, we propose an authentication/authorization protocol using a Smart All-in-One device, with the intention of developing a technology whose security and efficiency are ensured, in consideration of the different requirements in home-network environments.

The organization of this paper is as follows. Section 2 discusses the trend of home-network authentication/authorization technology and the security requirements, and summarizes the background. Section 3 proposes the Smart All-in-One device authentication/authorization technology whose security is ensured, and Section 4 analyzes the proposed scheme in terms of the security requirements given in Section 2. Finally, Section 5 presents the conclusion and future work.
2 Background

This section explains the technological trends of home network authentication/authorization, and the security requirements.

2.1 Home Network Authentication/Authorization

There is no case of home network device authorization, at home or abroad, yet. Home network device authentication technology focuses on the certificate-based confirmation technology led by researchers at VeriSign, USA. Since the PKI authentication solution is operated in a private certificate form, it is not suitable for the home network environment, where a different certificate is required of each home device to provide services. Besides, since PKI certification uses encryption algorithms that need a large amount of computation, it is not proper for home devices. Many companies, at home and abroad, have developed PKI-based server authentication solutions, and in the current device authentication system, private certification methods issuing a certificate for each home network entity are commonly used. To use this type of certificate, home services offered by service providers are used. When there is a need to move to a home network of another provider, a new certificate must be reissued for services. Besides, as for public devices, all private certificates for each service provider should be present for the various service access routes. When home services rather than device-based services are activated, each user needs their own device certificate, which increases the number of certificates kept in a device. When the ubiquitous computing environment emerges in the future, the need for devices to move to another home network for different services will increase, and thus a user-centered, more convenient unified authentication system and technology development are required.

TTA adopted the profile standard for home device certificates applicable to home networks in December 2007. This standard divides the authentication system for home network device authentication into two parts. One is the system in which an external authentication agency issues and manages home device certificates, and the other is the system in which one authentication agency within the home network issues and manages certificates needed only within the home network.

In the first system, the authentication agency issuing home device certificates is located outside the home and is still responsible for confirmation of the certificates issued by itself. Besides, the HRA (Home RA), the device functioning as an RA within the home, helps issue certificates to home devices. Upon registering a new home device, the HRA confirms the device and applies to an external authentication agency for the issue of a home device certificate. When the external authentication agency issues the home device certificate and distributes it to the HRA, the HRA takes it and transmits it to the home device. When the HRA transmits the certificate to the home device, various methods can be used, such as out-of-band media or wire media. To use internal or external services by means of home devices, the certificate is confirmed by the external authentication agency.

In the second system, the authentication agency issuing home device certificates (in general, the home gateway) is within the home, and certificates are issued to home devices within or outside the home. In this case, the authentication agency within the home should have a self-signed certificate to issue home device certificates, not one issued by external authentication agencies. Authentication agencies within the home issue home device certificates to internal or external devices, and are responsible for confirmation and management of the certificates. When home network service users want to use external services by means of home devices, the device certificate issued by the internal authentication agency is the representative home certificate, and it is used to confirm device certificates issued by internal authentication agencies so that home devices can receive external services too.

As for ETRI, home-device-based authorization is used to minimize the workload of authorization servers, supports various home service models, defines a home device authorization system that can accommodate security mechanisms requiring a small amount of computation, and develops proper systems [2,5].

2.2 Security Requirements

Unlike existing wireless networks, home networks require security requirements suitable for the home network environment as well as the existing general requirements. Besides, since not only services provided by one's own home network but also those of another service provider should be provided at the same time, requirements in that regard should also be considered.
• Confidentiality: The data source, number, and length and the communication traffic specifications should not be exposed. Confidentiality is ensured by using passwords to protect the information.
• Integrity: The data saved in the system and the data transferred through the network should not be detected or altered. If this does occur, tracking must be performed. Methods such as digital signatures are used to detect the alteration of transferred data.
• Authentication: Authentication services are important since they ensure communication secrecy. Users can confirm the source of sent messages and email precisely and verify whether the proper identification has been used.
• Access Control: The access management function is used within the system, and within the network, intrusion interception is used to supplement access management. Further, unauthorized users should not get access to services.
• Eavesdropping: Although some transferred data may be exposed to others, data can be secured from eavesdropping as long as the passwords are not exposed.
• Replay attack: During communication, attempts by others to obtain the data and resend it with authentication should be blocked.
• Password guessing attack: In an insecure channel, attackers can analyze passwords by intercepting transferred messages. Therefore, such activities must be blocked.
• Fast roaming authentication: When moving from one's own home network environment to another service provider's home network, taking too much time for authentication prevents smooth services. Thus, to provide seamless services to mobile devices, the authentication time should be short and the procedure lightweight.
• Home authentication server overhead: To use a home network service provided by another provider, when authentication requests from a remote place to the home authentication server are too frequent, home authentication server overhead may take place. Thus, the authentication and access in one's own home network authentication server should be distributed to reduce overhead.
3 Related Work

This section describes existing home network schemes as well as their characteristics and advantages/disadvantages.

3.1 Inter-domain Device Authentication/Access Control

The inter-domain device authentication/access control protocol proposes a device authentication and access control scheme based on a two-layered PKI approach for efficient communication and user convenience. The two layers of this model are the Global PKI layer and the Localized PKI layer [3,4]. The Global PKI layer uses the conventional PKI model. There is only one global root CA, and certificate verification is performed by validating the certificate chain linked to the root CA. In the Localized PKI layer, on the other hand, each home gateway takes the role of a root CA which is responsible for issuing device certificates to the devices belonging to its domain. This scheme uses the Global PKI layer for device registration and authentication between home networks, but uses the Localized PKI layer to authenticate each end device. Based on this separation, this model provides secure, efficient and user-friendly multi-domain device authentication protocols. It also provides a convenient access control scheme using an Attribute Mapping Certificate.
3.2 S/Key-Based Home Device Authentication

The S/Key-based home device authentication protocol describes home device authentication, which is the basic and essential element of home network security. The LAP (Lightweight Authorization Protocol) is divided into the out-home network and in-home network protocols. The out-home network protocol allows a Device in an external network to access the home network through the HRA. The in-home network protocol is designed for the case that the Device is in the home network. This protocol proposed an S/Key-based authentication scheme for secure remote access in smart home networks, and the device authentication concept can offer home network service users convenience and security [1]. However, this protocol is weak against replay attacks and information leakage.
4 Device Authentication/Authorization Protocol

Because PKI authentication technology is of the type in which mutual authentication among individuals within a single domain is executed through signature verification by a third-party official authentication authority, additional technology is required for it to be applied to the multi-domain environment which provides the ubiquitous intelligent home service, and it is also too heavy to be applied to sensor devices. Therefore, it is necessary to develop a modified authentication system compatibly applicable to ubiquitous multi-domain environments. Accordingly, two protocol types were proposed in order to solve this problem: the roaming and device authentication/authorization protocol, and the device ticket protocol. In the case of the roaming and device authentication/authorization protocol type, although a device serviced in one in-home network may move to another home network, it can continue to be serviced based upon the roaming ticket issued by the in-home network. The home networks defined in this article include a company or other intranet networks as well as the home itself.
Fig. 1. Flowchart of device authentication/authorization protocol
Unlike this, in the authentication/authorization protocol type using the sub-device ticket, the home network service continues to be provided based upon the tickets requested by, and issued to, the main device in the home network environment. Also, when a user wishes to be serviced through a sub device which lacks computing capacity, the home network service continues to be provided based on the tickets which the home server issued to the main device and which the main device distributed to the sub device. Thus, convenient ID-based authentication/authorization can be provided, together with security and efficiency.

4.1 System Parameter

The system parameters used in this scheme are as follows.

• * (Device : User's Device, IAS : Internal Home Network Authentication Server, EAS : External Home Network Authentication Server)
• ID_* : Identity of *
• OTP : One-Time Password
• g : Generator with order n − 1 in Z_n^*
• h( ) : Secure one-way hash function
• e : G1 × G1 → G2 : Bilinear map
• CT : Counter value
• TS : Time value
• E_*[ ] : Encryption with key of *
• Sign_* : Signature of *
• KU_* : Public key of *
• KR_* : Private key of *
• KS : Shared key between Device and IAS

4.2 Proposed Protocol
J.S. Moon, D.G. Lee, and I.-Y. Lee

The proposed protocol has two phases: authentication and ticket issue inside the internal home network, and authentication when the device roams to another home network. The symmetric key $KS$ and the synchronization values shared between the device and the authentication server of the internal home network are assumed to have been distributed and set up in advance.

4.2.1 Authentication and Ticket Issue Phase in Internal Home Networks. In this phase the device requests authentication from the authentication server of the internal home network, the server issues a roaming ticket once the device's validity has been verified, and the device can then be served on a roaming basis.

Step 1. Device and IAS (Internal Home Network Authentication Server) generate their ID-based public and private keys, and Device then generates an OTP:
$KU_{Device} = ID_{Device}$, $KR_{Device} = ID_{Device} \cdot g^{KS}$
$KU_{IAS} = ID_{IAS}$, $KR_{IAS} = ID_{IAS} \cdot g^{KS}$
$OTP = h(PIN \oplus KS \oplus CT \oplus TS)$

Step 2. Device encrypts the OTP and the counter value CT with the public key of IAS ($KU_{IAS}$) and transmits it together with the IDs of Device and IAS:
$ID_{Device},\ ID_{IAS},\ E_{KU_{IAS}}[OTP, CT]$

Step 3. IAS decrypts the message, generates $OTP'$ from its own copy of the shared values and compares it with the received OTP. If they are identical, IAS authenticates Device:
$OTP' = h(PIN \oplus KS \oplus CT \oplus TS)$, $OTP \stackrel{?}{=} OTP'$

Step 4. Once authentication is complete, IAS generates the Roaming Value and the Roaming Ticket, encrypts them with the public key of Device and transmits them:
$RoamingValue = e(KR_{IAS}, KS \cdot ID_{Device})$
$RoamingTicket = (ID_{Device},\ ID_{IAS},\ Sign_{IAS}[h(RoamingValue)])$
$E_{KU_{Device}}[RoamingValue, RoamingTicket]$

Step 5. Device decrypts the message, generates $RoamingValue'$ and compares it with the received Roaming Value using the admissible bilinear map:
$RoamingValue' = e(KR_{Device}, KS \cdot ID_{IAS})$
$RoamingValue \stackrel{?}{=} RoamingValue'$, i.e. $e(KR_{IAS}, KS \cdot ID_{Device}) \stackrel{?}{=} e(KR_{Device}, KS \cdot ID_{IAS})$

4.2.2 Authentication Phase in External Home Networks. In this phase the internal home network authentication server broadcasts the roaming ticket to the external home network authentication servers, and service can continue because the ticket the device presents when it roams is verified there.

Step 1. IAS broadcasts the Device's Roaming Ticket to the EAS (External Home Network Authentication Servers):
IAS → EAS (broadcast): $RoamingTicket$

Step 2. When roaming from the internal home network to an external home network, Device encrypts the Roaming Ticket with the public key of EAS and transmits it together with its ID:
$ID_{Device},\ E_{KU_{EAS}}[RoamingTicket]$

Step 3. EAS decrypts $E_{KU_{EAS}}[RoamingTicket]$ and verifies the ticket:
$RoamingTicket = (ID_{Device},\ ID_{IAS},\ Sign_{IAS}[h(RoamingValue)])$

Step 4. After the Roaming Ticket has been verified, Device can be provided with services and can access the internal home network via EAS.
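As an added worked example (not the authors' code), the following Python simulation runs the message flow of both phases end to end: the OTP of Steps 1 to 3 is computed as the paper defines it, with SHA-256 standing in for $h$, and the IAS issues a Roaming Ticket that an EAS then verifies against the copy it received by broadcast. The ID-based public-key encryption of the messages, the ID-based signature $Sign_{IAS}$ and the pairing-based Roaming Value are not implemented: the encryption layer is omitted, and the signature and the Roaming Value are replaced by keyed hashes over hypothetical keys so that the exchange runs offline. The 32-byte field encoding, the treatment of TS as a shared synchronization value, and the requirement that CT advance on every authentication (which rejects a replayed OTP) are this example's assumptions, not statements of the paper.

```python
# Added example: message flow of the two-phase protocol. The OTP follows the
# paper; ID-based encryption is omitted, and Sign_IAS and the pairing-based
# Roaming Value are replaced by HMAC stand-ins so the exchange runs offline.
import hashlib
import hmac

FIELD = 32  # every XOR operand is fixed to 32 bytes (encoding assumption)


def xor_all(*parts: bytes) -> bytes:
    """XOR byte strings after padding/truncating each to FIELD bytes."""
    out = bytearray(FIELD)
    for part in parts:
        for i, b in enumerate(part.ljust(FIELD, b"\0")[:FIELD]):
            out[i] ^= b
    return bytes(out)


def make_otp(pin: bytes, ks: bytes, ct: int, ts: int) -> bytes:
    """OTP = h(PIN xor KS xor CT xor TS); h is SHA-256 here (hash choice assumed)."""
    return hashlib.sha256(xor_all(pin, ks, ct.to_bytes(8, "big"), ts.to_bytes(8, "big"))).digest()


def roaming_value(ks: bytes, id_a: bytes, id_b: bytes) -> bytes:
    """Stand-in for e(KR_IAS, KS*ID_Device) == e(KR_Device, KS*ID_IAS): a keyed hash
    over the sorted ID pair, so both parties derive the same value from KS and the
    two IDs. Not the paper's bilinear-map construction."""
    return hmac.new(ks, b"|".join(sorted((id_a, id_b))), hashlib.sha256).digest()


class IAS:  # Internal Home Network Authentication Server
    def __init__(self, ias_id: bytes, sign_key: bytes):
        self.id = ias_id
        self.sign_key = sign_key  # hypothetical key standing in for KR_IAS
        self.devices = {}         # ID_Device -> pre-distributed PIN, KS, TS and last CT
        self.eas_peers = []

    def enroll(self, dev_id: bytes, pin: bytes, ks: bytes, ts: int) -> None:
        self.devices[dev_id] = {"pin": pin, "ks": ks, "ts": ts, "ct": 0}

    def authenticate(self, dev_id: bytes, ias_id: bytes, otp: bytes, ct: int):
        """Steps 3-4 of phase 4.2.1: (RoamingValue, RoamingTicket), or None on failure."""
        rec = self.devices.get(dev_id)
        if rec is None or ias_id != self.id:
            return None
        if ct <= rec["ct"]:  # counter must advance, so a replayed (OTP, CT) is rejected
            return None
        if not hmac.compare_digest(make_otp(rec["pin"], rec["ks"], ct, rec["ts"]), otp):
            return None
        rec["ct"] = ct
        rv = roaming_value(rec["ks"], self.id, dev_id)
        sig = hmac.new(self.sign_key, hashlib.sha256(rv).digest(), hashlib.sha256).digest()
        ticket = (dev_id, self.id, sig)  # (ID_Device, ID_IAS, Sign_IAS[h(RoamingValue)])
        for eas in self.eas_peers:       # phase 4.2.2 step 1: broadcast the ticket
            eas.known_tickets.add(ticket)
        return rv, ticket


class EAS:  # External Home Network Authentication Server
    def __init__(self, eas_id: bytes):
        self.id = eas_id
        self.known_tickets = set()

    def verify(self, dev_id: bytes, ticket) -> bool:
        """Phase 4.2.2 step 3: accept only a ticket naming this device that IAS broadcast."""
        return ticket[0] == dev_id and ticket in self.known_tickets


class Device:
    def __init__(self, dev_id: bytes, pin: bytes, ks: bytes, ts: int):
        self.id, self.pin, self.ks, self.ts = dev_id, pin, ks, ts
        self.ct, self.ticket = 0, None

    def request_auth(self, ias: IAS) -> bool:
        """Steps 1, 2 and 5 of phase 4.2.1 (the E_KU_IAS / E_KU_Device layer is omitted)."""
        self.ct += 1
        otp = make_otp(self.pin, self.ks, self.ct, self.ts)
        reply = ias.authenticate(self.id, ias.id, otp, self.ct)
        if reply is None:
            return False
        rv, ticket = reply
        if not hmac.compare_digest(rv, roaming_value(self.ks, ias.id, self.id)):
            return False  # RoamingValue != RoamingValue'
        self.ticket = ticket
        return True

    def roam(self, eas: EAS) -> bool:  # phase 4.2.2 step 2 (E_KU_EAS layer omitted)
        return self.ticket is not None and eas.verify(self.id, self.ticket)


def demo() -> dict:
    """Run both phases on constructed setup values and return each check's outcome."""
    pin, ks, ts = b"1234", b"\x5c" * 32, 1700000000
    ias, eas = IAS(b"ias.home", b"\x36" * 32), EAS(b"eas.neighbour")
    ias.eas_peers.append(eas)
    ias.enroll(b"dev-01", pin, ks, ts)
    dev = Device(b"dev-01", pin, ks, ts)
    return {
        "auth_ok": dev.request_auth(ias),
        "roam_ok": dev.roam(eas),
        "replay_rejected": ias.authenticate(
            dev.id, ias.id, make_otp(pin, ks, dev.ct, ts), dev.ct) is None,
        "forged_ticket_rejected": not eas.verify(dev.id, (dev.id, ias.id, b"\0" * 32)),
    }
```

Calling demo() shows the four outcomes a practitioner wants to see from this flow: a fresh OTP authenticates, the broadcast ticket is accepted by the EAS, resending the same (OTP, CT) pair is refused because the counter did not advance, and a ticket the IAS never broadcast is refused.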
Device Authentication/Authorization Protocol for Home Network
5 Analysis of Proposed Scheme

• The proposed method encrypts its messages with an ID-based public key scheme, so that the device is protected from external attack while moving and communicating, and the signature on the roaming ticket secures the ticket itself.
• Access to the internal home network from an external home network, and continuity of service, rest on authenticating the device on the basis of the Roaming Value and the Roaming Ticket.
• Authentication based on the roaming ticket is fast, which allows uninterrupted roaming service for the device.
• Because an ID-based public key scheme is used, roaming and authentication are possible not only between homogeneous networks but also between heterogeneous networks, and transmitting the roaming ticket to the external authentication server gives a secure and efficient authentication.
• Considering the ubiquitous environment and the limited operating power of the device, the method reduces the device's computation by using the ID-based public key scheme instead of a certificate-based public key scheme, and reduces the load on both Device and authentication server through the smaller traffic volume. The cost of the exponentiation computations, however, still needs further consideration.
• Fast authentication is provided by submitting the Authorization Ticket in order to receive home network service, and a Main Device can also provide fast authentication by receiving and distributing the Authorization Ticket issued by the home authentication server for a Sub-Device.
6 Conclusion

The rapid development of IT technology, combined with computer-based high-speed communication networks, makes a wide spectrum of services and devices available and has brought on the cultural transformation referred to as the information society. The security requirements that have to be considered, however, have become more complicated and diversified, and the same vulnerabilities as in pre-existing media and protocols remain. The usage area of home devices and home services is also expanding through the rapid development of networks and devices and the spread of the Internet and high-speed access. Because existing network-based cyber attack techniques can be applied directly to the home network, measures to protect home devices from existing hacking attacks, including the many issues known from IP networks, are incomplete.

In this paper we therefore proposed a device authentication/authorization protocol using ID-based public keys, intended to contribute to secure and efficient home network technology. The protocol for roaming between home networks and for device authentication/authorization uses the ID-based public key method and roaming tickets based on an admissible bilinear map for fast roaming authentication and lightweight authentication/authorization. With this method the overhead of the home authentication server and the number of communications can be reduced while security and efficiency are retained.

Further research is needed on a device authentication/authorization method suited to the structure of external certificate-based and in-home certificate-based authentication/authorization standardized by TTA, on authentication using the variety of devices a user owns, and on authentication/authorization in heterogeneous networks when a Main Device and a Sub-Device roam.
A Study on Feasibility and Establishment of a Security Grade Certification Scheme for the New IT Services

Hangbae Chang1, Jonggu Kang1, and Hyukjun Kwon2

1 Daejin University, San 11-1, Sundan-Dong, Gyeonggi-Do, 487-711, Korea
[email protected], [email protected] Daejin.ac.kr
2 Yonsei University, New Millenium Hall, 262 Seongsanno, Seodaemun-Gu, Seoul, 120-749, Korea
[email protected]
Abstract. In this study we analyzed and measured the information security needs of the new IT services that are about to be introduced, and designed an information security grade authentication system to raise their level of information security. To do so, we analyzed domestic and foreign grade authentication systems and developed a practical implementation structure and an evaluation model that reflects the characteristics of IT services, as distinct from the general evaluation of information system (IS) security. The result of this study can be used to assess the level of domestic IT service information security objectively, and as a basis for rational decision making when establishing policy to raise the degree of information security of corporations providing IT services.

Keywords: Information Security, Authentication System, IT Service, IS Security.
1 New IT Service and Information Security

With advancing globalization, the government has developed IT policies that lead IT industry development and steadily strengthen the industry's competitiveness, so as to become a global leader in IT and cope with the harsh reality in which only the nation or corporation that holds the best technology survives. It must be remembered, however, that as the coverage of informatization's benefits grows, information security problems arise more frequently from the IT services that these policies bring into being. The extent of damage and the level of adverse effects such as spam mail, hacking, and leakage and theft of private information are increasing rapidly compared with the past. To diffuse newly designed IT services, an evaluation system for their level of information security has to be established. Accordingly, as information security grade authentication for new IT services is being adopted, this study derives its requirements, indicates solutions for them, and develops a realistic and effective regime.

First, we analyzed the current status of domestic information security grade authentication to provide basic data for institutionalizing and justifying information security grade authentication, and we analyzed how grades are determined and what the success factors of grade authentication are. Next, we derived the information security needs and characteristics of WiBro in order to analyze the current status and characteristics of new IT services. Finally, based on this status analysis, we developed the evaluation system and model, together with a framework for information security grade authentication of new IT services.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 769–777, 2009. © Springer-Verlag Berlin Heidelberg 2009
Fig. 1. Research Methodology
2 Informatization Maturity and Information Security Authentication Case Analysis

(1) Informatization Maturity Model

'Information Technology Architecture' is used in the same sense as 'Enterprise Architecture': an infrastructure that plans and manages the business processes and IT of the whole enterprise for the efficient propulsion of informatization. What 'Information Technology Architecture' maturity and new IT service information security grade authentication have in common is the evaluation objective (obtaining governance and return on investment). Both evaluation systems consider not only IT itself, or information security itself, but also the objectives and outputs of the business process, and both need to assess the alignment of IT, or of the information security system, with the process system. So, when evaluating the information security grade of a new IT service, we have to grasp the outputs and business objectives and evaluate how appropriately the information security system supports the process objectives. In contrast, 'Information Technology Architecture' maturity is assessed for an organization, whereas new IT service information security grade evaluation is for a service. The service's scope does not cover the whole organization, but it may involve external organizations or resources. Therefore, when executing a new IT service information security grade evaluation, we have to consider internal and external organizations and their relation to resources.

'Capability Maturity Model Integration' is a software quality measurement model developed by the Software Engineering Institute as an improved version of the Software Capability Maturity Model (SW-CMM). Comparing the 'Capability Maturity Model Integration' maturity scale model with new IT service information security grade evaluation, the evaluation objectives and subjects differ, but the evaluation steps and method of 'Capability Maturity Model Integration' still indicate the direction of improvement areas, so they should be applied to new IT service information security grade evaluation.

'IT Infrastructure Library' is a series of documents for implementing an IT service management framework, and it presents a service- and process-oriented framework for a corporation's complex internal IT environment. From a comparison of 'IT Infrastructure Library' maturity scale evaluation with new IT service information security grade evaluation, we can see that they share an evaluation objective and subject but differ in evaluation range. What they have in common is that the evaluation objective is to improve the organization's governance and the evaluation subject is the service capability. But 'IT Infrastructure Library' evaluates only processes and functions, whereas new IT service information security grade evaluation also covers the service architecture.

(2) Information Security Verification Case Analysis

'Systems Security Engineering-Capability Maturity Model' is a process improvement model that promotes cost reduction and process execution capability through process improvement. It defines the information security management process as a cycle of a risk process, a certification process and an engineering process: risks to information security are identified through the risk process, removed through the engineering process, and the cycle repeats.
Fig. 2. Systems Security Engineering-Capability Maturity Model
'Federal Information Security Management Act' requires each federal agency to develop, document and implement an enterprise-wide information security program to protect its information and information systems (IS). To ensure that the information security controls are effective and sufficient, it requires the responsible officials to perform an annual review of the information security program and to report the results. It thereby also obliges organizations to proceed with informatization.
3 Features of New IT Service and Analysis of Current Status of Information Security

(1) Introduction of WiBro Service

WiBro is a service that gives people Internet access anytime, anywhere, as a mobile phone does; it sits between wireless LAN and mobile telephony. It offers mobility at low to medium speed (about 60 km/h) and a data rate of more than 1 Mbps. WiBro is generally used on public transport such as buses and the subway, and in cars, but it has problems in environments such as highways and trains that move faster than 60 km/h. To supply commercial WiBro service securely, a variety of technical problems have to be solved, and the most important of them is security. The security needs are as follows.

① Needs for authentication and information security service: WiBro service has to provide an authentication service that prevents third parties from making illegal use of, or gaining access through, the network. It also has to provide a security service that prevents the exposure of users' request/response information to third parties.

② Network security needs: the network has to provide authentication through an access control function and has to support authentication and security protocols based on the Extensible Authentication Protocol, extensible to a public key infrastructure where necessary. It also has to be able to provide service authentication to other networks when linked with them, and to supply IP mobility through Mobile IP.

③ Endpoint security needs: the endpoint has to support authentication and security protocols based on the Extensible Authentication Protocol, extensible to a public key infrastructure where necessary.
4 New IT Service Information Security Evaluation Framework

(1) Feature of New IT Service

The 'IT service' defined in this study is the business of an ICT service provider itself, which pursues value or profit by providing the IT service to customers; it has to be distinguished from an ordinary IT service. That is, the subject of this research is the new IT service, defined as an IT service provider supplying a variety of services to customers for profit on the basis of collaboration with other service providers. The new IT service information security architecture is based on this concept of IT service, and it is essential to derive the information security needs from it and reflect them.
(2) Information Security Architecture regarding New IT Service

The information security architecture for new IT services reflects the features of the new IT service and the information security needs of every element that provides the IT service. In this study we used the 'People', 'Process' and 'Technology' models frequently used to establish an IT architecture, and built a new information security architecture for new IT services as shown in Table 1.

Table 1. Security Architecture for New IT Service

  Process:     Business Process; IT Service Process
  People:      Service Provider; Supplier; Customer
  Technology:  Infrastructure; Application; Terminal
  Security needs (across the three layers): IT Service Common Information Security Needs; Information Security Needs for Each IT Service
(3) Framework for Developing the New IT Service Information Security Evaluation System

To develop the new IT service information security evaluation system, we first developed a framework, a conceptual form for grasping the basic elements of an evaluation system. These basic elements can be understood through '5W 1H'. The 'Why' aspect is embodied in the evaluation objective and evaluation system. The 'Who' aspect is the evaluation propulsion system, which determines who plans, executes, supervises and manages the evaluation; the status and capability of each of these bodies also has to be regulated. The 'What' aspect is the evaluation subject, which determines the field of evaluation subjects and the selection standard. The 'When' aspect is the evaluation schedule, which determines when subjects are selected and when the actual evaluation takes place. The 'Where' aspect is the evaluation type, which determines whether examination is mainly documentary or an on-site inspection. Finally, the 'How' aspect is the evaluation execution method, which determines procedure, standard and technique.
5 New IT Service Information Security Grade Authentication Model

(1) Evaluation Model Design Principle and Method

Evaluating the level of information security comprehensively is generally both complex and difficult, and standardizing it is not easy because many variables depend on the situation. Even where an evaluation model exists, questions arise about its utilization. Our aim in this study is therefore a model that can evaluate IT service information security comprehensively and objectively in a simpler and more efficient way. To achieve this, we first organized the needs for designing the IT service information security grade authentication evaluation model and mapped out a conceptual architecture of an evaluation model satisfying them. In the next stage we completed the composition of the evaluation model elements that meet the development needs of an actual evaluation model based on the conceptual design.

The universal design principles for the IT service information security evaluation model are three. First, we tried to reflect the characteristics of IT services, which differ from those of IS information security. Second, we included in the model the characteristics of individual IT services, which are expressed differently according to service purpose. Finally, we tried to design an evaluation model that drives continuous improvement of information security by indicating the direction in which information security should be pushed. In designing the actual evaluation model, we applied the characteristics of IT services on the basis of the new IT service information security architecture and reflected the information security evaluation items in the model. To reflect the characteristics of individual IT services, we applied the information security needs and grades defined for each IT service to the evaluation items, adjusting the evaluation items, means of measurement and weights. Finally, to make continuous improvement possible, the detailed evaluation items are measured against an information security maturity model.

(2) Evaluation Model Design

The evaluation model commonly consists of evaluation areas, detailed evaluation items, means of measurement and an evaluation result. In this study we set a design principle for the detailed elements that form each of these and composed the model.
① Evaluation Area. In this study we avoided interfering with the natural business process (and so tried to shorten evaluation time) and derived the evaluation items from the viewpoint of the information security architecture, including control and process for IT service information security.

② Evaluation Item. The evaluation items and detailed evaluation items belong to an evaluation area. We investigated and organized existing information security evaluation items (information security level evaluation, information security safety inspection, personal information security, information security product review, information security management architecture, etc.). In particular, to reflect the information security needs of each IT service, we adjusted the detailed evaluation items, weights and means of measurement. We designed the measurement method according to the objective of each detailed evaluation item, because the purpose of the measurement method is to indicate the direction of information security improvement. Finally, the evaluation result sums the scores of the evaluation areas and detailed evaluation items and maps the total onto score bands from the 1st step to the 5th step. We did not define each step because an arithmetically summed evaluation result is hard to relate to the characteristics of each step's band; we plan to organize the characteristics of each step of the evaluation result in further study.
③ Evaluation Contents. In this study we organized the informatization elements and asset identification that make up an IT service. We then defined three information security evaluation areas, IT service information security support environment, IT service information security infrastructure and IT service information security management, with information security coverage to protect those informatization elements and identified assets, and organized the evaluation items belonging to each area according to the new IT service information security framework defined previously. For the evaluation items and detailed evaluation items in each area, we investigated and organized the information security evaluation items studied and executed domestically (information security level evaluation, information security safety inspection, personal information security, information security product review, information security management architecture, etc.), and to reflect the needs of each IT service we adjusted the detailed evaluation items, their weights and their means of measurement.

The IT service information security support environment consists of the information security policy, the IT service provider, the service providers' information security activity, information security for related workers, and IT service user protection. The information security policy means the guidelines and procedures that must be observed to establish and achieve the information security objective customized to the characteristics of the IT service. The IT service providers' information security activity means executing risk assessment for each stakeholder that makes up the IT service. IT service user protection means the scope of information security and the specific activities for IT service users. The IT service information security infrastructure means the actual operation and maintenance after the information security objects have been implemented; it measures the information security activities that maintain authentication, confidentiality, integrity and availability for information assets such as network security, servers, terminals, applications and information service contents. IT service information security operation management means the management method required for the safe and efficient operation of the security policy implemented in the infrastructure construction stage.
④ Information Security Grade Decision. As explained above, according to the evaluation model we compute the evaluation score for each section by totalling the evaluation item scores. We then compute relative weights for evaluation areas, evaluation items and detailed evaluation items through a literature study and the collection of professionals' opinions, and sum the weighted results. It is rational to decide the final information security grade by locating this final result within the information security maturity model.
Table 2. Security Evaluation Grade Authentication Framework for New IT Services

Evaluation Area: IT Service Information Security Support Environment
  Evaluation Item: establishing policy for information security
    Detail Evaluation Items: classification of information security needs based on characteristics of the service / information security policy and its observance
  Evaluation Item: information security for service provider and supplier
    Detail Evaluation Items: IT service asset identification and assessment of sensitivity / evaluation of IT service risk activity and composition of the service
  Evaluation Item: information security for the service operation organization
    Detail Evaluation Items: execution of operation organization training program / personnel security / document security
  Evaluation Item: security for customers
    Detail Evaluation Items: proper steps for collecting personal information / usage and management of personal information / rights of the service user / disclosure of and responsibility for personal information / limits of the service user's rights

Evaluation Area: IT Service Information Security Infrastructure
  Evaluation Item: protection of service infrastructure (access control, adoption and renewal of security systems, analysis of operation logs)
    Detail Evaluation Items: network security / server security / terminal security
  Evaluation Item: application service security
    Detail Evaluation Items: application program security / information service contents security
  Evaluation Item: risk management
    Detail Evaluation Items: risk / weakness management

Evaluation Area: IT Service Information Security Operation Management
  Evaluation Item: form management / change management / after-the-fact management and recovery
    Detail Evaluation Items: maintenance / countermeasures for accidents
  Evaluation Item: monitoring and reassessment
    Detail Evaluation Items: analysis of outcomes and reflection / assessment and approval
The classification of grades indicates the level of information security improvement, and at least five steps seem appropriate to promote free competition among service providers: a three-step classification is too coarse to differentiate the steps, so, following the previous study, we consider five steps the general method. The step characteristics are based on the information security maturity model and are drawn like an ordinary maturity model that shows the level of implementation and of information security control. Accordingly, grade names have to be clear and relatively simple, and the characteristic of each grade indicates the level of information security maturity, so we designed them as fragmentary setup, systematic setup, management and measurement, and optimization. The model adopts an information security model with relatively simple maturity steps and assigns the maturity step according to the summed score of each area. Through these measures we set a standard for the current level of information security of a new IT service, and can then indicate the direction in which information security should be driven, and whether its level can be improved.
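To make the grade decision concrete, here is an added Python example (not the authors' tool) that takes the area/item/detail structure of Table 2, maturity scores of 1 to 5 for each detail item, relative weights at the area and item levels, and maps the weighted total onto the five grade steps. The weight values, the equal weighting of detail items within an item, the sample scores and the equal-width step bands are this example's assumptions: the paper derives its weights from literature and expert opinion without publishing them, and leaves the definition of the step bands to further study.

```python
# Added example: weighted aggregation of Table 2 scores into a grade step.
# The structure follows Table 2; the weights, sample scores and step bands
# are assumptions of this example, not values published in the paper.
from statistics import fmean

# area -> (area weight, {item -> (item weight, [detail items])})
MODEL = {
    "IT Service Information Security Support Environment": (0.30, {
        "establishing policy for information security": (0.25, [
            "classification of information security needs",
            "information security policy and observance"]),
        "information security for service provider and supplier": (0.25, [
            "asset identification and sensitivity assessment",
            "evaluation of risk activity and composition of service"]),
        "information security for service operation organization": (0.25, [
            "training program execution", "personnel security", "document security"]),
        "security for customer": (0.25, [
            "collection of personal information", "usage and management of personal information",
            "rights of service user", "disclosure and responsibility", "limits of user rights"]),
    }),
    "IT Service Information Security Infrastructure": (0.40, {
        "protection of service infrastructure": (0.40, [
            "network security", "server security", "terminal security"]),
        "application service security": (0.30, [
            "application program security", "information service contents security"]),
        "risk management": (0.30, ["risk / weakness management"]),
    }),
    "IT Service Information Security Operation Management": (0.30, {
        "form, change and after-the-fact management": (0.50, [
            "maintenance", "countermeasure for accident"]),
        "monitoring and reassessment": (0.50, [
            "analysis of outcome and reflection", "assessment and approval"]),
    }),
}

STEP_EDGES = (1.8, 2.6, 3.4, 4.2)  # lower edges of steps 2..5 (equal-width assumption)


def _check_weights(weights, where):
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError(f"weights for {where} must sum to 1, got {sum(weights):.3f}")


def area_scores(scores: dict, model: dict = MODEL) -> dict:
    """Weighted score per evaluation area from detail-item scores (each 1..5)."""
    _check_weights([w for w, _ in model.values()], "areas")
    result = {}
    for area, (_, items) in model.items():
        _check_weights([w for w, _ in items.values()], area)
        total = 0.0
        for item, (w, details) in items.items():
            vals = [scores[d] for d in details]
            if any(not 1 <= v <= 5 for v in vals):
                raise ValueError(f"detail score out of range in '{item}'")
            total += w * fmean(vals)  # detail items weighted equally within an item
        result[area] = total
    return result


def total_score(scores: dict, model: dict = MODEL) -> float:
    """Final score: area scores weighted by the area weights."""
    return sum(model[a][0] * s for a, s in area_scores(scores, model).items())


def grade_step(score: float) -> int:
    """Locate a 1.0..5.0 score in the five maturity steps."""
    if not 1 <= score <= 5:
        raise ValueError("score must lie in [1, 5]")
    return 1 + sum(score >= edge for edge in STEP_EDGES)


def sample_scores() -> dict:
    """Constructed assessment: policy work mature, infrastructure partial, operations weak."""
    level = {"IT Service Information Security Support Environment": 4,
             "IT Service Information Security Infrastructure": 3,
             "IT Service Information Security Operation Management": 2}
    return {d: level[area] for area, (_, items) in MODEL.items()
            for _, details in items.values() for d in details}


if __name__ == "__main__":
    s = sample_scores()
    print(area_scores(s), round(total_score(s), 2), grade_step(total_score(s)))
```

Because the weights at each level are validated to sum to one, the final score stays on the same 1 to 5 scale as the detail items, which is what allows it to be read off directly against the maturity steps; changing a weight or a band edge to fit a particular service is a one-line edit in the tables above.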
6 New IT Service Information Security Feasibility Evaluation Result

Recently a new intelligent service environment has emerged in which virtual cyberspace and physical space are combined, as IT users produce and consume information themselves on the basis of the information and IT they have acquired. Such services feature easy access to information provided by corporations, but from another point of view the same features mean that shared information may be exposed without any particular purpose or be modified, and maintaining the safety of information becomes more difficult because of various security weaknesses. In this study we analyzed and measured the information security needs of new IT services and designed 'New IT Service Information Grade Authentication' to raise the level of information security. The result may be used to assess the level of domestic information security objectively and as a rational decision-making tool for policy to raise the level of information security of domestic IT service providers. In particular, we analyzed the change in the consciousness and status of information security among IT service users, and these processes can be defined as a pre-condition for designing new IT services. By developing an evaluation standard that can investigate and analyze new IT service information security objectively, the study may also help in understanding the current status of IT service information security and encourage IT service providers to promote it.
Domain Specific Intended Use Evaluation Method: Intrusion Detection Specific Intended Use Evaluation Method

Albert Park

Center for Information Security Technologies (CIST), Asan Science Building #226, Department of Computer Science and Engineering, Korea Univ., 5ga Anam-dong, Sungbuk-gu, Seoul, Korea
[email protected]
Abstract. An intrusion detection (ID) specific intended use evaluation method is a rare and much needed kind of usability study in the ID field. It investigates only the most important or most frequently faced activities, as discovered through field studies, surveys, interviews and previously conducted research. This research effort aims to capture ID analysts' first-order needs and to tailor the evaluation criteria to those needs. The goal of the evaluation is to learn the potential strengths and limitations of intrusion detection systems (IDSs) with respect to these needs. This paper presents detailed descriptions of the evaluation methodology and procedures and the rationale behind the criteria. It considers all aspects of ID work, including analysts' daily routines, monitoring tasks and the corresponding activities.
1 Introduction

Ever since the introduction of networks there has been an ongoing cyber war between those who attack and those who try to defend. Reports of security incidents are growing [1, 2], but they are only a fraction of the actual number of attacks: the General Accounting Office estimates that only about 1% to 4% of attacks are detected, and only about 1% are reported [1]. As a result, more and more security options and products have been introduced in the marketplace over the past decade, yet many organizations and individuals still struggle. It is often cheaper to prevent some attacks and detect the rest than to try to prevent all of them [2], so an intrusion detection system (IDS) is becoming an essential part of a network. Since the introduction of intrusion detection (ID) in 1980, many commercial and non-commercial IDSs have been released, and with such an overwhelming number of products it is not apparent which IDS is the most suitable for a given situation. This study suggests an evaluation method for choosing the best-suited IDS based on its usability and on its strengths and weaknesses in assisting ID analysts with their daily tasks. Given the limited performance of automated systems, with false positive rates of up to 99% [3], human end-users still have to operate IDSs; so perhaps an IDS should be evaluated by how effectively it supports ID analysts' needs. This study is an evaluation method for IDS capabilities and usability, not an implementation of an IDS. The remainder of the paper is structured as follows: background in Section 2, classification of ID analysts' tasks, activities and criteria in Section 3, and conclusion and future work in Section 4.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 778–787, 2009. © Springer-Verlag Berlin Heidelberg 2009
Domain Specific Intended Use Evaluation Method
2 Background

While an overwhelming number of IDSs are available, relatively little research has evaluated IDSs. Efforts to evaluate IDSs began in 1996 with Puketza [4], who describes a methodology and software platform for testing intrusion detection systems; his testing method targets the performance of an IDS. Other methods approach the matter by benchmarking or modeling [1, 5]. Cost-benefit evaluations have also been performed [6]. Alessandri has suggested an evaluation method based on analyzing design principles [7]. To the author’s knowledge, there is only one usability study of IDSs [8]. It is a mixture of quantitative and qualitative evaluation methods that measures functionality, performance, and usability. Its usability criteria are user interface usability, ease of use, ease of configuration, ease of filter customization, and alert capabilities, combined in a weighted evaluation scheme. However, a detailed description of the procedures and of the rationale that led to the adoption of these criteria is missing.

2.1 Intended Users, ID Analysts, Tasks, and Corresponding Activities

Research focusing on the complex nature of ID analysts’ work [9-13] has appeared since 2003. These studies were based on the authors’ own experience [13] or on contextual interviews [9, 10, 12]. They provide a backbone for understanding ID analysts, their tasks, routines, and work environments. In this study, intended use denotes the IDS’s role in assisting analysts with the tasks that the actual users consider most important or face most frequently. Tasks mentioned repeatedly and tasks identified as frequently faced by analysts come to represent the intended use for the domain. Extrapolating from the established research on analysts’ work and on IDS functionality, analysts’ main tasks and their corresponding activities were derived. A summary is illustrated in Fig. 1.
[Fig. 1 (diagram not reproduced): its panels are Daily Routine (Investigating log; Maintaining: Keeping up, Environment related, Transferring expertise) and Monitoring the Analyst’s Network/Environment (Monitoring: Identifying alerts, False positive / Positive match; Analyzing: Quick verification, Detailed verification, Diagnosing attack, Consulting; Responding: Immediate response, Long term response, Reporting, Patching, Reconfiguring IDS, Recovery). Inputs are System and Network Activity Information; a triggered security event starts the analyzing phase; outputs are responding to attacks, updating the IDS and sending patches.]
Fig. 1. Intrusion Detection Analysts’ Main Activities
A. Park
There are mainly two types of ID work: daily routine tasks and monitoring the network. The daily routine consists of tasks like investigating the previous night’s log, keeping up with the latest ID news, getting to know the details of the analyst’s environment, and transferring expertise. These are the tasks that need to be done in order to monitor a network effectively. To monitor a network, analysts follow three steps: monitoring, analyzing, and responding [10, 12]. In the monitoring phase, analysts need to identify all the alerts while watching the network. When a security event is triggered, the analyzing phase begins. In the analyzing phase, analysts need to make quick verifications and detailed verifications, diagnose attacks, and get help from the ID community when needed. After an attack has been thoroughly diagnosed, analysts need to respond. In the responding phase, analysts’ tasks are responding to attacks and reporting them. There are two types of responses, immediate and long term.
3 Classification of ID Analysts’ Tasks, Activities, and Criteria

3.1 Daily Routine

A very important but often neglected facet of ID work is the daily routine phase. The daily routine is made up of two activities, investigating the previous night’s log file and maintaining; these are the first two tasks that analysts engage in each day [9]. The maintaining task is neglected by many IDS developers, perhaps because it is carried out through many different means, such as mailing lists, informal contacts, online information, and ID forums [9]. A more structured maintaining method could help analysts organize ID-related information and transfer it to novice analysts. The difficulty and importance of transferring expertise, and the need for a database of ID-related information, were expressed in previous work [9, 10]. Saving knowledge of the unique conditions of one’s network environment, and of how network protocols manifest themselves in that particular environment, will have a great positive impact on transferring expertise. The two main activities of this phase are described below.

Investigating the previous night’s log [9] – Even considering the low network activity during the night, there is still going to be an overwhelming number of log entries. Since ID analysts need to investigate the previous night’s log while monitoring current network activity, the process should preferably be performed quickly. The log file contains information such as system accesses, IDS alarms, and summaries of network activity. These logs can be up to several thousand lines long, and they require expertise on the subject to fully understand [14]. This process can be evaluated with three criteria: visualization, navigation/interaction method, and detailed verification. They are all explained under the monitoring and analyzing phases, except for one aspect of the navigation/interaction method, animation.
Animation – ID analysts agree that the single most important data attribute in the domain is time [11]. Its value is magnified for the process of investigating the previous night’s log, because ID analysts are forced to analyze vast amounts of network activity as
quickly as possible. An animation feature can gracefully show the flow of network activity [15]. Animation is also effective for understanding the time-transition of worms and even slowly progressing attacks.

Maintaining – As part of the daily routine, analysts obtain, update, and document the latest attacks, vulnerabilities, and ID signatures. Keeping up with new ID information is a full-time job in itself [9, 10]. It takes time and it is done individually. Also, since there is no clear way to transfer this knowledge, novice analysts have to go through the process all over again. IDSs should offer a structured method for the following activities: keeping up with the latest ID information and the environment, and learning/transferring expertise.

Keeping up with the latest ID information – Keeping up with new information regarding the latest attacks, vulnerabilities, and IDS signature updates is a demanding job [9, 10]. A systematic notification and organized library system can save the analysts tremendous effort and time.

Keeping up with the environment – This activity includes IDS (re)configurations and significant new updates on each machine. Due to the situated nature of protocol responses, knowing such information is crucial in the ID domain. A certain behavior means an attack in one environment, while it is a valid activity in another [9]. Saving previous settings, reverting to previous settings, and saving related notes are important in this activity.

Learning the environment and transferring expertise – See the Analyzing phase (Section 3.2.2).

3.2 Monitoring the Analyst’s Network

Monitoring the network consists of three phases: monitoring, analyzing, and responding [12]. The details are specified below.

3.2.1 Monitoring

Before embarking upon the monitoring phase, there is one notable aspect that needs to be addressed. Monitoring is a constantly ongoing process. It takes place even while other activities are being performed.
Not to mention that, in addition to ID work, ID analysts have other duties and responsibilities, such as system development and testing, which all happen simultaneously with monitoring [10, 12]. Consequently, their time and attention for monitoring a network are limited. With other tasks at hand, it is best to be able to monitor network flow at a glance. Visual representation and effort are the criteria for monitoring.

Visual representation – Visualization allows analysts to view massive amounts of data at once. It needs to be pre-attentive and efficient enough to reveal abnormal network activity. Node-and-link diagrams have been the most commonly used visual representation for visualizing networks [16]. Visual representations such as parallel coordinates [17] and scatter-plots [18] have been popular choices in IDSs. However, node-and-link diagrams, scatter-plots, and parallel coordinates have been found to be problematic for detailed analysis of network data [11]. Finding the right visual representation for an IDS is an open-ended research topic and will not be addressed in this study. However, the following need to be addressed, as they are established criteria or features that can improve ID work.
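The paper's point that time is the single most important attribute, and that analysts need to stretch and compress time slots to make slow attacks visible when working through the previous night's log, can be made concrete with a small time-bucketing routine. The following Python is an added example, not code from the paper or from any IDS it cites. The overnight connection log is constructed inline (a normal host, a one-minute burst, and a scan that probes one new port every 20 minutes), and the slot widths, host addresses and thresholds are arbitrary assumptions.

```python
"""Time-bucketed summary of an overnight connection log (added example).

Demonstrates why adjustable time granularity matters: a burst stands out at
one-minute slots, while a slow port scan only stands out once the slots are
wide enough to hold several of its probes.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed start of the "night" being reviewed; not from the paper.
NIGHT_START = datetime(2009, 6, 24, 0, 0, tzinfo=timezone.utc)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(minutes, seconds=0):
    """ISO timestamp `minutes`/`seconds` after NIGHT_START."""
    return (NIGHT_START + timedelta(minutes=minutes, seconds=seconds)).strftime(TS_FORMAT)


def build_sample_log():
    """Constructed overnight log (timestamp, src, dst, dport); not real traffic."""
    events = []
    # Normal host: one HTTP connection every 5 minutes for 4 hours (48 events).
    for m in range(0, 240, 5):
        events.append((_ts(m), "10.0.0.5", "192.168.1.10", 80))
    # Burst: 30 SMB connections inside a single minute at 02:00.
    for s in range(0, 60, 2):
        events.append((_ts(120, s), "10.0.0.99", "192.168.1.10", 445))
    # Slow scan: a different destination port every 20 minutes, 12 probes in all.
    for k in range(12):
        events.append((_ts(20 * k), "10.0.0.66", "192.168.1.10", 20 + k))
    return events


def bucketize(events, width_seconds):
    """Group (dst, dport) pairs per source into time slots of `width_seconds`."""
    slots = defaultdict(list)
    for ts, src, dst, dport in events:
        t = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
        idx = int((t - NIGHT_START).total_seconds()) // width_seconds
        slots[(src, idx)].append((dst, dport))
    return slots


def peak_rate(events, width_seconds):
    """Busiest slot per source, measured in connections. Surfaces bursts at fine granularity."""
    peaks = defaultdict(int)
    for (src, _), conns in bucketize(events, width_seconds).items():
        peaks[src] = max(peaks[src], len(conns))
    return dict(peaks)


def peak_distinct_ports(events, width_seconds):
    """Most distinct destination ports in any one slot per source.

    At narrow slots the slow scanner looks like everyone else (one port per
    slot); compressing the timeline into wider slots reveals the scan.
    """
    peaks = defaultdict(int)
    for (src, _), conns in bucketize(events, width_seconds).items():
        peaks[src] = max(peaks[src], len({port for _, port in conns}))
    return dict(peaks)


if __name__ == "__main__":
    log = build_sample_log()
    for width in (60, 3600, 4 * 3600):
        print(f"slot width {width:>5}s  rate={peak_rate(log, width)}  "
              f"distinct ports={peak_distinct_ports(log, width)}")
```

Run stand-alone, the script prints the same three sources at one-minute, one-hour and whole-night slots: the burst host dominates the rate column only at 60-second slots, and the scanner's distinct-port count climbs from 1 to 3 to 12 as the slots widen, which is the "compress time slots" effect the paper attributes to [11].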
Visual representation with time as an attribute – Among the many choices of visual representation, one that includes a time variable is desirable. Time is already universally recognized as the most important attribute in network analysis [11]. To support this, analysts themselves unanimously considered time the single most important attribute [11, 12]. Viewing network flow over time may allow analysts to identify distributed and slow attacks, which are hard to detect [19]. Flexible control over this attribute is preferable: it allows analysts to view the data from different perspectives by stretching and compressing time slots [11].

Maximum input and output number – Since the volume of network data is gigantic, it is important to state the maximum input size of the IDS visualization. The data density of the representation is also crucial for analysts’ work. The representation needs to accommodate as much data as possible without becoming unreadable, because attacks that exploit unreadable regions of a representation to deceive the human analyst are possible [20]. A representation with less empty space and less clustering is desirable. An IDS needs to offer either an automatic or a manual mechanism to distinguish clusters.

Simplicity and familiarity – Analysts prefer simple 2D displays over complicated visual representations [12], and a familiar representation would only help the cause.

Information – Monitoring a network and analyzing an alert require different pieces of information. Also, different types of information are preferably presented in different visual representations [21]. Much attention has been devoted to the question of the best-suited representation for different situations and types of available information. The best way to deal with this is to give users control over the matter or to have many choices available.

Effort – Monitoring often becomes a second-priority task.
Effective alerting methods and interaction allow analysts to concentrate on another task while monitoring.

Interaction – See the Analyzing phase for detailed information.

3.2.2 Analyzing

Once an alert has been generated, ID analysts need to perform post-intrusion-detection tasks. These tasks include alert verification, alert aggregation, alert correlation, intrusion response, and forensics [22]. Once the alert has been verified as an attack, analysts need to diagnose the attack’s severity and its correlation with other attacks. If there is a logical connection among alerts, the alerts need to be aggregated and the IDS signature configuration needs to be adjusted accordingly. This phase requires domain and environment expertise, and it is also the most cognitively demanding phase [10]. Quick alert verification, detailed verification, diagnosing attacks, and consulting the ID community are the main activities of this phase.

Quick alert verification – The first step in analyzing is quick alert verification. This process usually takes less than a few seconds; however, it requires expertise. Automated error checking can help novice analysts do a quick verification, while a database of environment information can help them learn the environment and transfer that knowledge.

Learning the environment and transferring expertise – Quick alert verification is accomplished through experts’ memory, formed from years of experience [10]. Consequently, someone without that knowledge, a novice ID analyst for instance, needs to rely on the help of experts. If there were a database containing information on how network protocols manifest themselves in a particular environment, it would allow a novice
analyst to learn the environment on his own. Learning and saving every little detail about the network can be tedious and mundane work; recording clips of quick verifications may improve the procedure.

Automated error checking – This feature checks whether an alert contains any error or obviously wrong information, such as an invalid time stamp, before analysts engage in verification [23].

Detailed alert verification/analyzing alerts – Depending on the result of the earlier stage, detailed alert verification or diagnosing the alert follows next. Analysts spend hours on one alert and analyze several alerts a day [10]. Previous work indicates that the alert rate can be reduced by aggregating logically related alerts [22, 23]. For a human analyst, visual representation, navigation/interaction, effort, and the presence of an annotating mechanism are the criteria for detailed alert verification.

Visual representation – The visual representation for detailed alert verification/analysis is quite similar to that of the monitoring phase, except for multiple views. There are a number of ways to visualize network data. Typical ones are parallel coordinates, scatter-plots, links and nodes, overview + detail, and tree maps. Given the challenges of evaluating visualizations [24], it is not clear which visual representation would have the most positive effect. However, the presence of multiple views seems to elevate ID analysts’ performance [21]. This being said, the main emphasis lies on navigation/interaction activities and effort, since, unlike in the monitoring phase, ID analysts are required to interact with the system.

Multiple views – First, multiple views can provide a better perception of the data and its relations [21], offering an opportunity to perceive the data from a different perspective. Second, no single visualization technique works best for understanding network information [25]. Therefore, having multiple views provides a better chance of operating with the representation best suited to the situation.
Navigation/Interaction and user control – Analysts should be able to control which attributes to visualize, and to manipulate, group, and filter data. Visualizing different attributes helps analysts engage with different perspectives. Analysts should be allowed to manipulate data directly from the display; it helps them stay focused on a matter. The experience of accessing detailed information and re-visualizing determines the quality of the interaction.

Getting detailed information – The experience of accessing detailed information from an overview is critical in analyzing. ID analysts’ concentration and thought process can be hampered if accessing detailed information is not seamless. To provide analysts with seamless interaction, some IDSs are equipped with overview + detail views, fish-eye views, or multiple views. However, basic navigation techniques such as zoom, pan, rotate, reset, title, etc., are still the main interactive methods.

Re-visualize – Due to clusters or overwhelming amounts of data, visualized data can become unreadable. In such cases, a system should provide a way to re-visualize, perhaps after grouping the clustered data. In parallel coordinates, one of the most popular ID visualizations, lines become indistinguishable after a certain amount of data [26]. Features like grouping, filtering, data manipulation, and searching can be useful.

Effort – The whole point of using an IDS is to lessen the effort while improving the system. Analyzing effort can be reduced with features like visualizing other logs, visualizing multiple logs/attacks, exploring related data, and an annotating mechanism.
Visualizing other logs [15] – According to Yusuke [15], comparing various types of logs, such as firewall logs, system logs, and packet sniffer logs, is important. Current IDSs are said to generate a high rate of false positives, and the best way to reduce false positives is to compare with other logs [15].

Visualizing multiple logs and attacks [15] – A display of previously occurred attacks and logs can be used to verify an alert. Attacks can be visually recognized [19], and novice analysts can use previously saved information as a measuring stick.

Exploring/Analyzing related data – As mentioned above, multiple views allow analysts to perceive matters differently and to notice overlooked information and correlations. While analyzing multiple views simultaneously, features like brush-and-linking can help analysts follow data across the views: the feature lets ID analysts engage with multiple representations by connecting the same data across the views. It is also useful whenever ID analysts are viewing related data, since it is quite necessary for them to view related information [21].

Annotating mechanism – While it is necessary to document attacks and the response method that followed, it is desirable to document the analyzing part as well. Features like markup/labeling (on the visualization and settings), saving the visualization (screen capture), viewing history (attacks and responses), saving highlights and filter parameters, saving as video/animation, and reviewing configuration settings may come into use.

Diagnosing attack – As the third step of analyzing, ID analysts need to diagnose the attack. Then analysts aggregate logically related alerts and rank them.

Aggregate logically related alerts – Alert correlation is necessary because it reduces the total number of alerts. The goal is to reconfigure the IDS so that there is one alert per attack [23]. Visual alert aggregation would reduce the stress level.
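The three automatable steps of this phase, the automated error checking described under quick verification, the aggregation of logically related alerts just described, and the relevance-score ranking discussed in the next paragraph, fit together in one small triage routine. The following Python is an added example, not code from the paper or from any IDS product; the alerts, the topology table and the vulnerability-requirement table are constructed sample data, and the 0.5-per-matched-attribute scoring is an assumed simplification of the relevance score of [22], not that paper's formula.

```python
"""Alert sanity checking, aggregation and relevance ranking (added example)."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample alerts (not from the paper). Two are deliberately malformed:
# one has an unparseable timestamp, one an impossible destination address.
SAMPLE_ALERTS = [
    {"ts": "2009-06-24T02:14:05Z", "sig": "SMB-EXPLOIT", "src": "10.0.0.7", "dst": "192.168.1.20", "dport": 445},
    {"ts": "2009-06-24T02:14:06Z", "sig": "SMB-EXPLOIT", "src": "10.0.0.7", "dst": "192.168.1.20", "dport": 445},
    {"ts": "2009-06-24T02:14:09Z", "sig": "SMB-EXPLOIT", "src": "10.0.0.7", "dst": "192.168.1.20", "dport": 445},
    {"ts": "2009-06-24T02:20:41Z", "sig": "IIS-UNICODE", "src": "10.0.0.9", "dst": "192.168.1.30", "dport": 80},
    {"ts": "not-a-time",           "sig": "IIS-UNICODE", "src": "10.0.0.9", "dst": "192.168.1.30", "dport": 80},
    {"ts": "2009-06-24T02:31:00Z", "sig": "SMB-EXPLOIT", "src": "10.0.0.7", "dst": "999.1.1.1",    "dport": 445},
]

# Constructed environment knowledge: what each target host actually runs
# (the "known topology") and what each incident type needs in order to succeed.
TOPOLOGY = {
    "192.168.1.20": {"os": "windows", "services": {445: "smb"}},
    "192.168.1.30": {"os": "linux", "services": {80: "apache"}},
}
VULN_REQUIREMENTS = {
    "SMB-EXPLOIT": {"os": "windows", "service": "smb"},
    "IIS-UNICODE": {"os": "windows", "service": "iis"},
}


def check_alert(alert):
    """Automated error checking: list the obvious defects, empty if the alert is sane."""
    problems = []
    try:
        datetime.strptime(alert["ts"], TS_FORMAT)
    except ValueError:
        problems.append("invalid timestamp")
    for field in ("src", "dst"):
        try:
            ip_address(alert[field])
        except ValueError:
            problems.append(f"invalid {field} address")
    if not 0 < int(alert["dport"]) < 65536:
        problems.append("invalid port")
    return problems


def aggregate(alerts, window=timedelta(minutes=5)):
    """Collapse logically related alerts (same signature, source and destination
    within `window` of the group's first alert) into one group each."""
    groups = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        t = datetime.strptime(a["ts"], TS_FORMAT).replace(tzinfo=timezone.utc)
        for g in groups:
            same_attack = (g["sig"], g["src"], g["dst"]) == (a["sig"], a["src"], a["dst"])
            if same_attack and t - g["first"] <= window:
                g["count"] += 1
                g["last"] = t
                break
        else:
            groups.append({"sig": a["sig"], "src": a["src"], "dst": a["dst"],
                           "first": t, "last": t, "count": 1})
    return groups


def relevance(group):
    """Relevance score in [0, 1]: how far the target's known topology satisfies the
    requirements of the incident type (assumed scoring: 0.5 per matched attribute)."""
    req = VULN_REQUIREMENTS.get(group["sig"])
    host = TOPOLOGY.get(group["dst"])
    if req is None or host is None:
        return 0.5  # unknown target or signature: cannot rule the attack out
    score = 0.0
    if host["os"] == req["os"]:
        score += 0.5
    if req["service"] in host["services"].values():
        score += 0.5
    return score


def triage(alerts):
    """Drop malformed alerts, aggregate the rest, rank groups by relevance then volume."""
    rejected, sane = [], []
    for a in alerts:
        problems = check_alert(a)
        if problems:
            rejected.append((a, problems))
        else:
            sane.append(a)
    groups = aggregate(sane)
    for g in groups:
        g["relevance"] = relevance(g)
    groups.sort(key=lambda g: (-g["relevance"], -g["count"]))
    return rejected, groups


if __name__ == "__main__":
    rejected, groups = triage(SAMPLE_ALERTS)
    for a, problems in rejected:
        print("rejected:", a["sig"], a["src"], "->", a["dst"], problems)
    for g in groups:
        print(f"{g['relevance']:.1f}  {g['sig']:<12} {g['src']} -> {g['dst']}  x{g['count']}")
```

On the constructed data the two malformed alerts are set aside before any analyst sees them, the three SMB alerts collapse into one group (one alert per attack, as [23] recommends), and that group ranks above the IIS alert because the IIS exploit requires Windows and IIS while the target is a Linux host running Apache, which is exactly the topology-versus-requirements comparison the paper attributes to [22].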
Attack ranking by severity – Analysts rank attacks so that they can attend to them in an orderly manner. The severity of an alert can be determined by a relevance score, which assesses per alert the likelihood of a successful intrusion. The relevance score can be generated by comparing the alert target’s known topology against the vulnerability requirements of the incident type [22]. Automating this process frees ID analysts to work on other matters.

Consulting the ID community – At times, analysts need to get help from the ID community to either diagnose or verify an alert. This may be one of the most neglected and misunderstood aspects of ID analysts’ work; both experts and novices turn to the ID community when they face an emergency or a difficult problem [9]. Many Internet worms propagate from already compromised networks without any deliberate act by their owners [15], so it is likely that some information regarding the attack is available in the ID community. The same applies to other types of attacks. A more structured way of obtaining and sharing such information could improve ID analysts’ work rate.

3.2.3 Responding

Once an alert has been determined to be an actual attack, ID analysts need to respond to it. There are many different ways and processes for ID analysts to respond, ranging from unplugging a network connection to preparing for legal action. A common response procedure consists of immediate responses, long-term solutions, and reporting attacks.
Immediate response to attacks – Immediate response is most effective against currently progressing attacks or propagating attacks like Internet worms. Two types of response mechanisms, manual and automatic, can be expected.

Manual response – Unplug or shut down: it is the first step analysts take [10]. If there is a systematic way to terminate manually, it might save a few minutes of an attack’s progression. Automatic termination might cause more problems in the face of Denial of Service (DoS) and Denial of Information (DoI) attacks. The more costly but more effective response method is manual control.

Automatic responses – The purpose of automatic responses is to halt in-progress attacks and contain propagating attacks. Some of the currently available techniques are termination of the offending connection or session, rebooting the targeted system, recording the session for evidence gathering and further investigation, implementation of a packet-filtering rule, and notification [27]. Although a manually controlled immediate response is more reliable, these techniques may come in handy in the absence of ID analysts.

Long-term solution to attacks – Coming up with a long-term solution is the more common response ID analysts have to deal with [10]. They need to eradicate the problem and recover from the damage of the attack.

Patching the vulnerability [10] – It is the analysts’ job to figure out how an intrusion was made. In the process, a network vulnerability assessment and reasoning about the generated alerts may be conducted. Once that is done, analysts need to make a patch for the vulnerability. A feature that assists analysts in assessing vulnerabilities is desirable.

Reconfiguring the IDS signature [10] – Configuring IDS signatures has been described as the most challenging task [10]. Increasing the IDS signature is likely to produce more false negatives, and restricting the IDS signature is likely to produce more false positives.
ID analysts update IDS signatures often, because of the increasing number of IDS signatures, increasing intrusion attempts, and high false rates. Features like an annotating mechanism, for example saving previous settings, reverting to previous settings, and markup/labeling notes, would help this task.

Recovery – The damage has been done; now it is time for recovery. The main task in recovery is to reinstall the compromised machine from a backup [10]. Backups are needed in order to reinstall the compromised machine, which means ID analysts have to make backups. If there is an easier and faster way to create a backup, it would save some effort and time.

Reporting attacks – As the last part of the responding phase, reporting is performed. Usually managers, legal counsel, the ID community, and future ID analysts receive a report. Although analysts may be reporting the same attack, the material differs depending on the audience. Managers need briefs on impact, damage, recovery methods, and cost. Legal counsel needs evidence of intrusion good enough to serve in a court of law. The ID community would get brief technical information on the attack. Lastly, all the above information plus the vulnerabilities and response methods need to be saved for future reference. The capability to turn selected data into pie, bar, and line graphs would help explain impact, damage, and cost to managers. Also, an annotating mechanism that can save network activity (perhaps as a video), IDS settings, and related notes could be a great source of information for the future.
4 Conclusion and Future Work

It all goes back to the needs of the intended users. ID analysts have certain expectations of IDSs. However, those expectations are rarely met, mainly because the unique needs of the analysts have not been considered in the design phase [12]. The main strength of this evaluation method is that the criteria have been calibrated toward ID analysts’ first-order needs. This preconditioning narrows the criteria to those that are top priorities for the intended users. It is also expected to reduce the risk in evaluation by preventing missteps. In order to obtain the first-order needs, the method requires some up-front effort to analyze the main tasks, corresponding activities, and criteria. This can end up costing more compared to other evaluation methods. The goal of this evaluation method is to learn IDSs’ potential strengths and limitations with respect to these verified needs. Relying on established work, this research addresses some of the most important or frequently faced ID tasks and the criteria to evaluate those tasks. The author puts forward the idea that a longitudinal and empirical study of this evaluation method is imperative. The uniqueness of a network environment and dataset can determine network activity; in other words, depending on the environment and dataset, there could be unused features of an IDS. In such a case, the unused features should not be part of the evaluation. Therefore, a longitudinal study of the evaluation method is needed to strengthen or weaken the confidence level. Also, an empirical study of the evaluation method’s effectiveness compared to other evaluation methods, and of the correlation between the small up-front effort (to analyze key activities) and effectiveness, should be conducted.
References

1. Durst, R., et al.: Testing and evaluating computer intrusion detection systems. Commun. ACM 42(7), 53–61 (1999)
2. Anderson, R.: Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., New York (2001)
3. Julisch, K., Dacier, M.: Mining intrusion detection alarms for actionable knowledge. In: Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining. ACM, Edmonton (2002)
4. Puketza, N.J., et al.: A methodology for testing intrusion detection systems. IEEE Transactions on Software Engineering 22(10), 719–729 (1996)
5. Debar, H., et al.: An Experimentation Workbench for Intrusion Detection Systems. Research Division, IBM, New York (1998)
6. Butler, S.A.: Security attribute evaluation method: a cost-benefit approach. In: Proceedings of the 24th International Conference on Software Engineering. ACM, Orlando (2002)
7. Alessandri, D.: Using Rule-Based Activity Descriptions to Evaluate Intrusion-Detection Systems. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 183–196. Springer, Heidelberg (2000)
8. Richards, K.: Network based intrusion detection: A review of technologies. Computers & Security 18(8), 671–682 (1999)
9. Goodall, J.R., Lutters, W.G., Komlodi, A.: I know my network: collaboration and expertise in intrusion detection. In: Proceedings of the 2004 ACM conference on Computer supported cooperative work. ACM, Chicago (2004)
10. Goodall, J.R., Lutters, W.G., Komlodi, A.: The Work of Intrusion Detection: Rethinking the Role of Security Analysts. In: The Tenth Americas Conference on Information Systems, New York (2004)
11. Goodall, J.R., et al.: A user-centered approach to visualizing network traffic for intrusion detection. In: CHI 2005 extended abstracts on Human factors in computing systems. ACM, Portland (2005)
12. Komlodi, A., Goodall, J.R., Lutters, W.G.: An Information Visualization Framework for Intrusion Detection. In: CHI 2004 extended abstracts on Human factors in computing systems. ACM, Vienna (2004)
13. Yurcik, W., et al.: Two Visual Computer Network Security Monitoring Tools Incorporating Operator Interface Requirements. In: ACM CHI Workshop on Human-Computer Interaction and Security Systems (HCISEC) (2003)
14. Lee, C.P., et al.: Visual Firewall: Real-time Network Security Monitor. In: Workshop on Visualization for Computer Security, pp. 129–136. IEEE, Minneapolis (2005)
15. Yusuke, H., Hideki, K.: STARMINE: a visualization system for cyber attacks. In: Proceedings of the 2006 Asia-Pacific Symposium on Information Visualisation, vol. 60. Australian Computer Society, Inc., Tokyo (2006)
16. Eick, S.G.: Aspects of Network Visualization. In: IEEE Computer Graphics and Applications, pp. 69–72. IEEE, Los Alamitos (1996)
17. Yin, X., et al.: VisFlowConnect: netflow visualizations of link relationships for security situational awareness. In: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security. ACM, Washington (2004)
18. Lakkaraju, K., Yurcik, W., Lee, A.J.: NVisionIP: netflow visualizations of system state for security situational awareness. In: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security. ACM, Washington (2004)
19. Conti, G., Abdullah, K.: Passive visual fingerprinting of network attack tools. In: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security. ACM, Washington (2004)
20. Conti, G., Ahamad, M., Stasko, J.: Attacking information visualization system usability: overloading and deceiving the human. In: Proceedings of the 2005 symposium on Usable privacy and security. ACM, Pittsburgh (2005)
21. da Silva Kauer, A.L., et al.: An Information Visualization Tool with Multiple Coordinated Views for Network Traffic Analysis. In: 12th International Conference on Information Visualisation, IV 2008 (2008)
22. Mu, C., Huang, H., Tian, S.: Intrusion Detection Alert Verification Based on Multi-level Fuzzy Comprehensive Evaluation. In: Hao, Y., Liu, J., Wang, Y.-P., Cheung, Y.-m., Yin, H., Jiao, L., Ma, J., Jiao, Y.-C. (eds.) CIS 2005. LNCS, vol. 3801, pp. 9–16. Springer, Heidelberg (2005)
23. Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)
24. Plaisant, C.: The challenge of information visualization evaluation. In: Proceedings of the working conference on Advanced visual interfaces. ACM Press, Gallipoli (2004)
25. Kwan-Liu, M.: Visualization for security. SIGGRAPH Comput. Graph. 38(4), 4–6 (2004)
26. Hertzog, P.: Visualizations to improve reactivity towards security incidents inside corporate networks. In: Proceedings of the 3rd international workshop on Visualization for computer security. ACM, Alexandria (2006)
27. Lee, W., et al.: Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security 5(22), 5–22 (2002)
A Study of International Trend Analysis on Web Service Vulnerabilities in OWASP and WASC

Soonseok Kim1, Haeyoung Han2, Donghwi Shin3, Inkyung Jeun4, and HyunCheol Jeong5

1 Department of Computer Engineering, Halla University, San 66, Heungup-Li, Heungup-myon, Wonju-shi, Kangwon-do, Korea, [email protected]
2 Department of English, Halla University, San 66, Heungup-Li, Heungup-myon, Wonju-shi, Kangwon-do, Korea, [email protected]
3 IT Infrastructure Protection Division, Korea Information Security Agency, Korea IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea, [email protected]
4 IT Infrastructure Protection Division, Korea Information Security Agency, Korea IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea, [email protected]
5 IT Infrastructure Protection Division, Korea Information Security Agency, Korea IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea, [email protected]
Abstract. All projects conducted in both the OWASP (Open Web Application Security Project) and the WASC (Web Application Security Consortium) are open projects in which companies and individuals participate voluntarily with a vision for web application security. Specifically, these open projects have studied web application vulnerabilities and have published their results. Therefore, all these projects can be considered very influential open projects. This paper gives an overall introduction to the OWASP and the WASC and then examines the major features of the projects each is currently conducting, analyzing the similarities and differences between the OWASP and the WASC. Based on the results, the study suggests what synergetic effects their cooperative work could bring. Finally, with regard to the web application security area, this research discusses the latest trends in industrial as well as academic fields and further directions for its development.

Keywords: Web service vulnerability, OWASP, WASC.
1 Introduction

The OWASP is a worldwide free and open community focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks [1]. In particular, the OWASP Top 10 has been used by most security consulting companies and organizations as a standard as well as a guide for diagnosing the degree of security, since the OWASP publicly presented the ten most serious vulnerabilities in the web application security field and their recovery schemes in 2007. According to their conduct status, the OWASP projects are usually divided into 4 types: Release Quality Projects (14 projects), Beta Status Projects (31 projects), Alpha Status Projects (58 projects), and Inactive Projects (3 projects). In addition to these 4 categories, the Summer of Code 2008 (31 projects) has recently been completed. Each category is further classified into tools and documents.

Similar to the OWASP, the WASC is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web [2]. As an active community, the WASC facilitates the exchange of ideas and organizes industry projects. The WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize their materials to assist with the challenges presented by web application security. The WASC projects are currently conducted within 9 categories: the web application security evaluation criteria, web security articles, the web hacking incidents database, the script mapping project, the web security glossary, distributed open proxy honeypots, the web security threat classification, the web application firewall evaluation criteria, and web application security statistics.

All projects conducted in both the OWASP and the WASC are open projects in which companies and individuals participate voluntarily with a shared vision for web application security. In particular, these open projects have studied web application vulnerabilities and published their results.

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 788–796, 2009. © Springer-Verlag Berlin Heidelberg 2009
Therefore, all these projects can be considered very influential open projects. This paper gives an overall introduction to the OWASP and the WASC, then examines the major features of the projects each is currently conducting, analysing the similarities and differences between the OWASP and the WASC. Based on the analysis results, the study suggests possible synergetic effects from their cooperative work. Finally, with respect to the web application security area, this research discusses the latest trends in industrial as well as academic fields and further directions for its development. This study consists of 5 major chapters. Chapter 2 describes the overall conducting procedures of the projects presented in the OWASP and the WASC. Chapter 3 analyzes the main features of each project in the OWASP and the WASC, comparing their similarities and differences. Chapter 4 examines the latest trends in industrial and academic fields related to the OWASP Top 10 and discusses further directions. Finally, Chapter 5 concludes this study with some remaining tasks for further research.
2 Conducting Process in OWASP and WASC Projects

2.1 Conducting Process in OWASP Projects [1]

The OWASP is a worldwide free and open community focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in the OWASP and all of its materials are available under a free and open software license. The OWASP Foundation is a not-for-profit charitable organization that ensures the ongoing availability and support for this work. An OWASP project is a collection of related tasks that have a defined roadmap and team members. The OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following 3 categories:

Protect. These are tools and documents that can be used to guard against security-related design and implementation flaws.
Detect. These are tools and documents that can be used to find security-related design and implementation flaws.
Lifecycle. These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

Moreover, the OWASP projects are usually divided into 4 main types, namely Release Quality Projects, Beta Status Projects, Alpha Status Projects, and Inactive Projects, as follows:

Release Quality Projects. Release quality projects are generally at the level of quality of professional tools or documents. They can be divided into the 3 categories of protect, detect, and lifecycle within the two major criteria of tools and documentation.
Beta Quality Projects. Beta quality projects are complete and ready to use with documentation. Similar to the release quality projects, they can be classified into the 3 categories according to the two major criteria of tools and documentation.
Alpha Quality Projects. Alpha quality projects are generally usable but may lack documentation or quality review. They are classified only by the two major criteria of tools and documentation.
Inactive Projects. Inactive projects are unrated projects (projects that have not reached any one of Alpha, Beta, or Release status) which may have been abandoned. Efforts are being made to contact project leads to determine their status and plans for future work. They can simply be divided into the two major areas of tools and documentation.

Additionally, the 2008 Summer of Code shows the latest activities in the OWASP. It was launched at the beginning of April 2008 as an open sponsorship program in which participants or developers are paid to work on OWASP (and web security) related projects. With the project selection period closed, 31 projects have been selected, which represent an investment of roughly 104,000 U.S. dollars [1]. The projects are now being developed and 15 September is the expected date for project completion. Now, the OWASP Season of Code 2009 project has started with the solicitation of project ideas (February 01, 2009), and project selection and notification will be conducted until April 21st. Table 1 shows the current projects (as of March 2009).
Table 1. Current Status Projects (March 24, 2009)

Project status categories: Closed & Completed Projects; Closed & Non Completed Projects; Almost Completed Projects; 50% or Less Completed Projects; Inactive Projects.

Projects:
OWASP Application Security Verification Standard
OWASP Testing Guide v3
OWASP Ruby on Rails Security Guide v2
OWASP Live CD 2008 Project
OWASP Code Review Guide, V1.1
OWASP Source Code Review OWASP Projects
OWASP AppSensor
OWASP Backend Security Project
OWASP Securing WebGoat using Mod Security
OWASP Teachable Static Analysis Workbench
OWASP Access Control Rules Tester
OWASP Skavenger
OWASP Open Sign Server
OWASP Code Crawler
OWASP Open PGP Extensions for HTTP
OWASP AntiSamy .NET
OWASP JSP Testing Tool
OWASP SQL Injector Benchmarking Project
OWASP-Spanish Project
OWASP Internationalization Guidelines
OWASP Book Cover & Sleeve Design
OWASP Individual & Corporate Member Packs
GTK+ GUI for W3af Project
OWASP Orizon Project
OWASP ASDR Project
OWASP Application Security Tool Benchmarking
OWASP Education Project
OWASP Python Static Analysis
OWASP NET Project Leader
OWASP Classic ASP Security Project
OWASP WeBekci Project
OWASP Positive Security Project
OWASP Corporate Application Security Rating Guide
OWASP Interceptor Project
2.2 Conducting Process in WASC Projects [2]

The WASC is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web. As an active community, the WASC facilitates the exchange of ideas and organizes industry projects. The WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize their materials to assist with the challenges presented by web application security. The WASC projects are usually divided into 9 types as follows:

The Web Application Security Evaluation Criteria. Web application security scanners are automated tools that check a website's applications for common security problems such as Cross Site Scripting, SQL Injection, Directory Traversal, misconfigurations, and remote command execution vulnerabilities. These scanners crawl through a website and parse its URLs to identify vulnerabilities by injecting various attack vectors while maintaining the session state. The Web Application Security Evaluation Criteria is a set of guidelines for evaluating web application security scanners on their identification of web application vulnerabilities and its completeness.

Web Security Articles. The WASC is seeking contributed 'Guest Articles' by industry professionals on the latest trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security.

The Web Hacking Incidents Database. The Web Hacking Incident Database (WHID) is the WASC project dedicated to maintaining a list of web application related security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. The Web Hacking Incidents Database is sponsored by Breach Security Inc.

The Script Mapping Project. The purpose of the WASC Script Mapping Project is to come up with an exhaustive list of vectors that cause a script to be executed within a web page without the use of <script> tags. This data can be useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an HTML whitelist system, as well as for other uses.

Web Security Glossary. The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to clarify the language used within the community. In this Glossary, 92 terms in total are introduced, including ActiveX controls.
Distributed Open Proxy Honeypots. Recently, standard honeypot technologies have not borne much fruit in the way of web attack data. In other words, web-based honeypots have not been as successful as OS-level or other honeypot applications (such as SMTP) due to their lack of perceived value. For the future, this project will use one of the web attacker's most trusted tools against him: the open proxy server. Instead of being the target of the attacks, the project opts to be used as a conduit of the attack data in order to gather intelligence. By deploying multiple, specially configured open proxy servers (or proxypots), the project aims to take a bird's-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis of the HTTP traffic to categorize the requests into the threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.

Web Security Threat Classification. The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have access to a consistent language for web security related issues.

Web Application Firewall Evaluation Criteria. The Web Application Firewall Evaluation Criteria aims to develop industry standard testing criteria for evaluating the quality of web application firewall solutions. Web application firewalls (WAF) are a new breed of information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code. The goal of this project is to develop detailed web application firewall evaluation criteria: a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution.

Web Application Security Statistics. The WASC Web Application Security Statistics Project 2007 is a collaborative industry-wide effort to pool together sanitized website vulnerability data and to gain a better understanding of the web application vulnerability landscape. Furthermore, the purpose of industry statistics such as those compiled by the MITRE CVE project is to provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications. More detailed statistics are presented in [2] as a useful reference.
3 Comparison between OWASP and WASC

The WASC differs from other groups by acting as a public resource for industry guidance, freely exchangeable literature and documented standards. The focus of the WASC is to help facilitate web application security standards of best practice. By contrast, communities such as the OWASP are goal-oriented and focused on easing information exchange through creating standard XML formats. The OWASP currently has open-source web security software development projects underway as well as documentation initiatives. As shown in Table 2, the OWASP has adopted the folksonomy tagging approach to solving this problem, while the WASC has performed its projects (see Sect. 2.2), each of which falls into one or several categories. In Table 2, the items in each category are classified into sub-categories (although some items do not have any sub-category), and participants use them partially, as a type of project, according to their needs. For instance, Cross Site Scripting (XSS), one of the web vulnerabilities, is described differently by the WASC and the OWASP. In the WASC, it is handled as part of the Web Application Security Scanner Evaluation Criteria Project: technically, it introduces attack methods and recovery schemes as reference, and thus the WASC presents overall evaluation criteria for XSS. In the OWASP, however, XSS is described more specifically within three different OWASP projects. First, the OWASP Top 10 Project presents an overall introduction to XSS and its recovery schemes. Second, the OWASP Testing Project deals with XSS as part of the OWASP Testing Guide V3 and the techniques for its penetration testing. Last, the OWASP Code Review Project explains the description of XSS and its recovery schemes more specifically for each programming language.

While the WASC deals with most parts of web application security, such as articles, statistics, hacking incidents, and so on, the OWASP focuses on the security part related to web service vulnerabilities, especially on developing security software. As evidence, the Web Hacking Incidents Database, Distributed Open Proxy Honeypots, and Web Application Security Statistics projects have been conducted in the WASC but have no counterpart in the OWASP (see Table 3).
Table 2. Classified Categories of the OWASP

Category: Subcategories
Type of Article: Principle, Threat, Attack, Vulnerability, Countermeasure, Code Snippet, How To, Activity
Level of Abstraction: Implementation, Design, Architecture, Business
Countermeasures: Authentication, Session Management, Access Control, Validation, Encoding, Error Handling, Logging, Encryption, Quotas
Likelihood Factors: Attractiveness, Tools Required, Expertise Required
Business Impact Factors: Confidentiality, Integrity, Availability, Accountability, Non-Repudiation
Application Platforms: Java, .NET, PHP, C/C++
Software Lifecycle Activities: Planning, Requirements, Architecture, Design, Implementation, Test, Deployment, Operation, Maintenance
Application Security Activities: Threat Modeling, Security Architecture, Security Requirements, Secure Coding, Penetration Testing, Code Review, Secure Deployment
Vulnerability Analysis Technique: Vulnerability Scanning, Penetration Testing, Static Analysis, Code Review
Other Application Security Categories: Role, Tool
Table 3. Comparison of Categories between OWASP and WASC

Classification items: WASC (Project) / OWASP (Relating Categories)
Web Application Security Scanner Evaluation Criteria / Application Security Activities, Vulnerability Analysis Technique, Other Application Security Categories
Web Security Articles / OWASP AppSec Conference, OWASP Presentations
The Web Hacking Incidents Database / (none)
The Script Mapping Project / Type of Article, Countermeasures, Application Platforms, Application Security Activities, Vulnerability Analysis Technique
Distributed Open Proxy Honeypots / (none)
Web Security Glossary / Glossary
Web Security Threat Classification / Type of Article, Vulnerability Analysis Technique, Threat Agent
Web Application Firewall Evaluation Criteria / Countermeasure (Web Application Firewall)
Web Application Security Statistics / (none)
As a result, the WASC and the OWASP have been working most actively in the field of web application security, even though they conduct their projects differently in range and depth. To maximize the effect of recovering from the vulnerabilities, they need to work cooperatively, especially emphasizing their related areas. After examining their commonalities and differences, this study suggests some possible guidelines for how the WASC and the OWASP could work collaboratively in the future.
4 Further Directions in OWASP Top 10

The OWASP Top 10 deals with the vulnerabilities that are representative on the web. It is considered very useful for protecting against web hacking. Most consulting companies diagnose the degree of security of web applications in practice based on the list of vulnerable items in the OWASP Top 10. Comparatively, in Korea, the KISA (Korea Information Security Agency) has released the '4 Types of Web Security Guide'; however, the OWASP has provided much more information. Specifically, the OWASP cooperatively develops information on code review techniques, security testing methods, and different tools (vulnerability scanners or code review tools). But, to prevent any particular company from profiting from it, the OWASP Top 10 should be considered a guideline, not an international standard. Some companies may misunderstand that a web server is completely 100% safe if the vulnerabilities presented in the OWASP Top 10 are removed. In reality, web vulnerabilities are constantly studied and exploited by hackers. Therefore, the OWASP Top 10 should only be considered as the ten classified vulnerabilities that are most common on the web. In Korea, diverse papers suggest new techniques to prevent the vulnerabilities presented in the OWASP Top 10. For example, Kim [3] recommended a new method to address the lack of validation of user input values by installing a structural database of the web application in advance, and verifying and detecting attacks against illegal requests by using the profiling identifier of the database. Moreover, Chang and Oh [4] proposed techniques to analyse web application attack patterns from abnormal traffic based on the weak points discussed in the OWASP, to design a system which can detect and isolate attacks in real time, and to increase the efficiency of preventing attacks.

Internationally, developers and students currently use the various guidelines recommended by the OWASP as educational materials [5]. Meanwhile, based on the criteria for classifying the security vulnerabilities represented in the OWASP Top 10, new techniques responding to specific web services, or new analysis methods to detect the vulnerabilities, are clearly being developed [6], [7]. As discussed in Chapter 4 of this study, KISA published a book titled 4 Types of Web Security Guide in September 2007. In this book, the current trends of web application vulnerabilities and hacking techniques, together with security methods, are described. More specifically, the book consists of security considerations for developing a homepage, its vulnerabilities and their recovery schemes; the vulnerabilities and safe web programming techniques for installing a web server; the testing methods for a server, network, database, and applications; and lastly a guide CD.
However, in the OWASP the comprehensively diverse information about code review and testing guides in the web application security software field is consistently updated, as shown by the Current Status Projects (March 24, 2009) in Table 1. Thus, further research in Korea is needed so that security developers and administrators can actively utilize the results of the constant analysis of the latest trends by professionals in industrial as well as academic fields, including KISA.
5 Concluding Remarks

This work gave an overall introduction to the OWASP and the WASC and examined the major features of the projects each is currently conducting. After analysing the similarities and differences between the OWASP and the WASC, the study recommended synergetic effects that could be maximized through their cooperative work. However, due to the large amount of information about the recent projects of the OWASP and the WASC, this paper has some inevitable limitations in terms of the data analysis. Therefore, further studies need to examine and analyse the main characteristics of the individual projects conducted by the OWASP and the WASC more specifically, so as to discuss the results that could not be presented in this research.
References

1. OWASP (Open Web Application Security Project), http://www.owasp.org
2. WASC (Web Application Security Consortium), http://webappsec.org
3. Kim, S.: A Study of Web Application Attack Detection extended ESM Agent. J. Korea Society Computer & Information 12(1), 161–168 (2008)
4. Chang, M., Oh, C.: Web Application Attack Prevention by Traffic Analysis. J. Korea Society Computer & Information 13(3), 139–146 (2008)
5. Jacobs, F., Joosen, B.: Software Security: Experiments on the .NET Common Language Run-time and the Shared Source Common Language Infrastructure. Software: IEE Proceedings 150(5), 303–307 (2003)
6. Vanden-Berghe, C., Piessens, F., Riordan, J.: A Vulnerability Taxonomy Methodology applied to the Web Services. In: Proc. the 10th Nordic Workshop on Secure IT Systems (2005)
7. Benjamin-Livshits, V., Monica, S.: Finding Security Vulnerabilities in Java Applications with Static Analysis. Technical Report, Dept. Computer Science, Stanford University (2005)
Cryptanalysis of Secure Key Exchange Protocol between STB and Smart Card in IPTV Broadcasting

Song-Hee Lee1, Nam-Sup Park2, Soo-Kyun Kim3, and Jin-Young Choi1

1 Dept. of Computer Science and Engineering, Korea University, Korea, {shlee,choi}@formal.korea.ac.kr
2 LG Electronics Inc., Korea, [email protected]
3 Dept. of Game Engineering, PaiChai University, Korea, [email protected]
Abstract. In 2006, Yoon et al. [1] proposed a new secure key exchange protocol based on a one-way hash function and the Diffie-Hellman key exchange algorithm for secure communication between the STB and the smart card in IPTV broadcasting. In this paper, we show that Yoon et al.'s protocol is vulnerable to an impersonation attack and cannot achieve mutual authentication. Further, we recommend some modifications to the protocol to correct these security problems.

Keywords: IPTV broadcasting, Diffie-Hellman key exchange, Security analysis.
1 Introduction

In internet protocol television (IPTV) broadcasting, service providers charge a subscription fee by scrambling the program with a conditional access system (CAS). This also prevents non-subscribers from receiving the program [2,3,4,6,7]. A smart card is used to decrypt the control words (CWs) and transfer them back to the set-top box (STB) to descramble the scrambled program [2,3]. Hence, secure key exchange between the STB and the smart card is needed. Moreover, without mutual authentication in the communication between the STB and the smart card, one smart card can be used in different STBs of the same type. This causes the McCormac Hack [5] problem: the McCormac Hack occurs when the data line from the smart card to the STB is tapped and directed to another STB that acts as if it has the same smart card inside. Therefore, secure key exchange with mutual authentication is an essential part of secure communication and will significantly improve the security of the system. In [2], Jiang et al. first proposed a key exchange protocol with mutual authentication between STB and smart card based on a one-way hash function and Schnorr's digital signature protocol. However, Jiang et al.'s protocol is vulnerable to an impersonation attack and does not provide perfect forward secrecy [1].

J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 797–803, 2009. © Springer-Verlag Berlin Heidelberg 2009
Yoon et al. suggested a new key exchange protocol for secure communication in [1]. In [4], Hou et al. proposed a more efficient protocol for the communication between smart card and STB. Unfortunately, the message transmitted in its mutual authentication phase can be forged by the adversary [8]. Hyo suggested a countermeasure to the attacks on that scheme in [8]. In this paper, we show that Yoon et al.'s protocol [1], which is based on the Diffie-Hellman key agreement protocol, is vulnerable to an impersonation attack. We also present an improved protocol that addresses the security problems of Yoon et al.'s protocol. The remainder of this paper is arranged as follows. Section 2 reviews and discusses the work of Yoon et al. The cryptanalysis is given in Section 3 and the improved protocol in Section 4. Finally, we conclude in Section 5.
2 Review of Yoon et al.'s Protocol

Yoon et al.'s protocol consists of five phases: registration, login, mutual authentication, key agreement, and CW transmission. The detailed description of the protocol is shown in Figure 1. The notation used throughout this paper is shown in Table 1.

Registration phase. When a new user (U) applies to subscribe to a program with his/her smart card identity $ID_c$ and password $PW$, U sends $ID_c$ and $PW$ to the subscriber management system (SMS). The SMS computes R as follows:

$R = h(ID_c \oplus x_s) \oplus h(PW)$

It stores $\{R, g, ID_s, h(\cdot), E_K(\cdot)/E_K^{-1}(\cdot), MPK\}$ together with other account information in the smart card and issues it to the user.

Login phase. When U wants to receive the subscribed program, he/she must attach the smart card to his/her STB and input $ID_c$ and $PW$. The smart card generates a random number a in $Z_q^*$, computes A, X, Y as follows, and sends $\{ID_c, Y, A\}$ to the STB.

$A = g^a \bmod p$
$X = R \oplus h(PW) = h(ID_c \oplus x_s) \oplus h(PW) \oplus h(PW) = h(ID_c \oplus x_s)$
$Y = h(X, A, ID_c, ID_s)$

Table 1. Notation

$ID_c$: Identity of the smart card.
$ID_s$: Identity of the STB.
$x_s$: Secret key of the STB.
$h(\cdot)$: One-way hash function whose output length is 128 bits.
$E_K(\cdot)/E_K^{-1}(\cdot)$: Symmetric encryption/decryption algorithm using key K.
$\oplus$: Bitwise exclusive-or operation.
Mutual authentication phase. Upon receiving the login request, the STB and the smart card need to complete the following steps to realize mutual authentication:
– Step 1: The STB first checks the validity of $ID_c$. If it is invalid, the STB rejects this request.
– Step 2: The STB computes $h(ID_c \oplus x_s)$ and checks whether $Y = h(h(ID_c \oplus x_s), A, ID_c, ID_s)$. If so, the STB accepts the login request and takes the next step; otherwise, it rejects this login request.
– Step 3: The STB generates a random number b in $Z_q^*$, computes B, K, M as follows, and sends $\{B, M\}$ to the smart card for identification.
$B = g^b \bmod p$, $K = A^b = g^{ab} \bmod p$, $M = h(K, A, ID_c, ID_s)$
– Step 4: The smart card computes $K' = B^a = g^{ab} \bmod p$ and $M' = h(K', A, ID_c, ID_s)$, and checks whether $M' = M$; if so, it accepts the STB's identity and takes the next step, otherwise it denies this communication.
– Step 5: The smart card computes $D = h(K, B, ID_c, ID_s)$ and sends it to the STB. The STB checks whether $D' = h(K, B, ID_c, ID_s) = D$. If so, the STB accepts the smart card; otherwise, the STB rejects the smart card.

Key agreement phase. If the mutual authentication succeeds for both the STB and the smart card, they use the following equation to compute a common session key: $SK = h(K, ID_c, ID_s)$. It includes both the random number chosen by the STB and the one chosen by the smart card.

CW transmission phase. After decrypting the CW, the smart card uses SK to encrypt it as $CW_e = E_{SK}(CW)$ and sends $CW_e$ back to the STB to descramble the program. The STB can decrypt the CW as $CW = E_{SK}^{-1}(CW_e)$.
Fig. 1. Yoon et al.’s protocol
3 The Cryptanalysis
In this section we show that Yoon et al.'s Diffie-Hellman based secure key exchange protocol is not secure against an impersonation attack, in which an adversary can easily impersonate other legal users (or the STB) to obtain useful information, as shown in Figure 2. It is well known that the Diffie-Hellman key agreement scheme is resistant against eavesdropping attacks but not against man-in-the-middle attacks, in which the adversary sits between the legal parties and takes the role of the other party towards each of them. In the mutual authentication phase, an impersonation attack is possible. Assume that an adversary has intercepted and blocked the message transmitted in Step 3, i.e., $\{B, M\}$. If the adversary attempts to impersonate the STB in order to authenticate mutually with the smart card, the impersonation attack proceeds as follows:
– Step 3': The adversary generates a random number m in $Z_q^*$, computes $B_{Ad}, K_{Ad}, M_{Ad}$ as follows, and sends $\{B_{Ad}, M_{Ad}\}$ to the smart card for identification.
$B_{Ad} = g^m \bmod p$, $K_{Ad} = A^m = g^{am} \bmod p$, $M_{Ad} = h(K_{Ad}, A, ID_c, ID_s)$
– Step 4': Upon receiving the messages, the smart card computes $K'_{Ad} = B_{Ad}^a = g^{am} \bmod p$ and $M'_{Ad} = h(K'_{Ad}, A, ID_c, ID_s)$, and checks whether $M'_{Ad} = M_{Ad}$; if so, it accepts the adversary's identity and takes the next step; otherwise, it denies this communication.
– Step 5': The smart card computes $D_{Ad} = h(K_{Ad}, B_{Ad}, ID_c, ID_s)$ and sends it to the adversary. The adversary checks whether $D'_{Ad} = h(K_{Ad}, B_{Ad}, ID_c, ID_s) = D_{Ad}$. If so, the adversary accepts the smart card, and the adversary now shares the key $K_{Ad}$ with the smart card.

In the key agreement phase, the smart card computes a common session key using the shared key $K_{Ad}$ as follows: $SK_{Ad} = h(K_{Ad}, ID_c, ID_s)$. In the CW transmission phase, the smart card encrypts the CW using $SK_{Ad}$ as $CW_e = E_{SK_{Ad}}(CW)$ and sends $CW_e$ to the adversary. The adversary can decrypt the CW as $CW = E_{SK_{Ad}}^{-1}(CW_e)$.

Therefore, the adversary can successfully impersonate the STB and fool the smart card into believing that it is communicating with the STB. Hence, Yoon et al.'s protocol fails to achieve mutual authentication. Moreover, without mutual authentication in the communication between the STB and the smart card, one smart card can be used in different STBs of the same type. This gives rise to the McCormac Hack problem [5].
Cryptanalysis of Secure Key Exchange Protocol
Fig. 2. Impersonation attack in Yoon et al.'s protocol
4 Improved Protocol
In Yoon et al.'s protocol, the smart card and the STB cannot verify whether the other party is authentic. Therefore, the adversary can subject any legitimate party to an impersonation attack. Clearly, the weakness of Yoon et al.'s protocol mainly arises because Diffie-Hellman key agreement is not resistant against man-in-the-middle attacks and the message transmitted in Step 3 of the mutual authentication phase is independent of the secret shared between the STB and the smart card. Therefore, our improved protocol modifies the Diffie-Hellman key agreement and the messages in the login phase and mutual authentication phase as follows:
Login phase. When U wants to receive the subscribed program, he/she must attach his/her smart card to the STB and input IDc and PW. The smart card generates a random number a in Zq*, computes A, X, Y as follows, and transmits {IDc, Y} to the STB.
A = g^a mod p
X = R ⊕ h(PW) = h(IDc ⊕ xs)
Y = h(X, IDc, IDs) · A
Mutual authentication phase. Upon receiving the login request, the STB and smart card must do the following steps to realize mutual authentication:
– Step 1: STB first checks the validity of IDc. If it is invalid, STB rejects this request.
– Step 2: STB generates a random number b in Zq* and computes B, K, M as follows (the STB recomputes X = h(IDc ⊕ xs) from its secret xs), and sends {B, M} to the smart card for identification.
B = g^b mod p
K = (Y / h(h(IDc ⊕ xs), IDc, IDs))^b = (h(h(IDc ⊕ xs), IDc, IDs) · A / h(h(IDc ⊕ xs), IDc, IDs))^b = A^b = g^ab
M = h(K, X, B, IDc, IDs)
– Step 3: Smart card computes K' = B^a = g^ab mod p and M' = h(K', X, B, IDc, IDs), and checks if M' = M; if true, it accepts STB's identity and takes the next step; otherwise, it denies this communication.
– Step 4: Smart card computes D = h(K', A, B, IDc, IDs) and sends it to STB. STB checks if D' = h(K, A, B, IDc, IDs) = D. If it is true, STB accepts the smart card; otherwise, STB rejects the smart card.
Fig. 3. Improved protocol
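The improved login and mutual authentication phases above, as an added Python example that is not part of the paper: it runs Steps 1 to 4 with toy Diffie-Hellman parameters and a SHA-256 model of h(·), then checks that an STB which does not hold xs cannot produce a {B, M} the smart card accepts. The toy prime, the byte encoding inside h(·), the storage of R on the card, and the reduction of Y modulo p are assumptions.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption: the paper uses a large prime p,
# a prime-order subgroup q and generator g; these values only keep the
# demonstration fast and are not a usable choice in practice).
P = 2**127 - 1
G = 3


def h(*parts):
    """The one-way hash h(.) of the paper, modelled as SHA-256 over the
    length-prefixed encoding of every argument (assumption), as an integer."""
    hasher = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        hasher.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(hasher.digest(), "big")


def rand_exponent():
    """Random element of Z_q^* (here: a nonzero exponent below p - 1)."""
    return secrets.randbelow(P - 2) + 1


def register(idc, xs, pw):
    """Value R stored on the card so that X = R xor h(PW) = h(IDc xor xs),
    as the login phase requires (xs is the STB-side secret)."""
    return h(idc ^ xs) ^ h(pw)


def card_login(idc, ids, r, pw):
    """Login phase: the card computes A, X, Y and transmits {IDc, Y}."""
    a = rand_exponent()
    big_a = pow(G, a, P)
    x = r ^ h(pw)
    y = (h(x, idc, ids) % P * big_a) % P   # Y = h(X, IDc, IDs) . A (mod p)
    return a, big_a, x, y


def stb_step2(idc, ids, y, xs):
    """Mutual authentication Step 2: the STB recovers A from Y using its
    secret xs, then forms K = A^b and M = h(K, X, B, IDc, IDs)."""
    x = h(idc ^ xs)
    hx = h(x, idc, ids) % P
    if hx == 0:
        raise ValueError("h(X, IDc, IDs) is zero mod p; cannot divide")
    big_a = (y * pow(hx, -1, P)) % P       # Y / h(X, IDc, IDs) = A
    b = rand_exponent()
    big_b = pow(G, b, P)
    k = pow(big_a, b, P)                    # K = A^b = g^ab
    m = h(k, x, big_b, idc, ids)
    return b, big_b, big_a, k, m


def card_step3_4(idc, ids, a, big_a, x, big_b, m):
    """Steps 3 and 4 on the card: verify M, then answer with D.
    Returns (accepted, K', D)."""
    k = pow(big_b, a, P)                    # K' = B^a = g^ab
    if h(k, x, big_b, idc, ids) != m:
        return False, None, None            # STB's identity is denied
    d = h(k, big_a, big_b, idc, ids)
    return True, k, d


def stb_step4(idc, ids, k, big_a, big_b, d):
    """STB side of Step 4: accept the card only if D matches."""
    return h(k, big_a, big_b, idc, ids) == d


def run_protocol(idc, ids, pw, xs_at_registration, xs_held_by_stb):
    """Run login + mutual authentication. Returns (card_accepts_stb,
    stb_accepts_card, session_keys_match), with SK = h(K, IDc, IDs) as in
    the key agreement phase."""
    r = register(idc, xs_at_registration, pw)
    a, big_a, x, y = card_login(idc, ids, r, pw)
    _b, big_b, big_a_stb, k_stb, m = stb_step2(idc, ids, y, xs_held_by_stb)
    ok_card, k_card, d = card_step3_4(idc, ids, a, big_a, x, big_b, m)
    if not ok_card:
        return False, False, False
    ok_stb = stb_step4(idc, ids, k_stb, big_a_stb, big_b, d)
    keys_match = h(k_stb, idc, ids) == h(k_card, idc, ids)
    return ok_card, ok_stb, keys_match


# Constructed sample identities and secrets.
IDC, IDS, PW, XS = 0x12345678, "STB-model-A", "user-pin-2468", 0x5EC7E7F0


def demo_honest():
    return run_protocol(IDC, IDS, PW, XS, XS)


def demo_without_secret():
    # A party that does not hold xs recovers a wrong A and a wrong X, so its
    # M fails the card's check in Step 3: the gap the improved protocol closes.
    return run_protocol(IDC, IDS, PW, XS, XS ^ 0xFF)


if __name__ == "__main__":
    print("honest STB:", demo_honest())
    print("STB without xs:", demo_without_secret())
```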
5 Conclusions
In this paper, we have shown that Yoon et al.'s protocol is vulnerable to an impersonation attack. This weakness arises because Diffie-Hellman key agreement is not resistant against man-in-the-middle attacks and the message transmitted in Step 3 of the mutual authentication phase is independent of the secret shared between the STB and the smart card. To correct the security problems of Yoon et al.'s protocol, we have suggested a countermeasure to resist the attacks described. The merits of the original protocol are not changed.
References
1. Yoon, E.J., Yoo, K.Y.: A new secure key exchange protocol between STB and smart card in DTV broadcasting. In: Chen, H., Wang, F.-Y., Yang, C.C., Zeng, D., Chau, M., Chang, K. (eds.) WISI 2006. LNCS, vol. 3917, pp. 165–166. Springer, Heidelberg (2006)
2. Jiang, T., Hou, Y., Zheng, S.: Secure communication between set-top box and smart card in DTV broadcasting. IEEE Trans. on Consumer Electronics 50, 882–886 (2004)
3. Jiang, T., Hou, Y., Zheng, S.: Key distribution based on hierarchical access control for conditional access system in DTV broadcast. IEEE Trans. on Consumer Electronics 50, 225–230 (2004)
4. Hou, T.W., Lai, J.T., Yeh, C.L.: Based on cryptosystem secure communication between set-top box and smart card in DTV broadcasting. In: TENCON 2007, IEEE Region 10 Conference, pp. 1–5 (2007)
5. Kanjanarin, W., Amornraksa, T.: Scrambling and key distribution scheme for digital television. In: IEEE International Conference on Networks, pp. 140–145 (2001)
6. Tu, R.: On key distribution management for conditional access system on Pay-TV system. IEEE Trans. on Consumer Electronics 45, 151–158 (1999)
7. Huang, Y.L., Shieh, S., Ho, F.S., Wang, J.C.: Efficient key distribution schemes for secure media delivery in Pay-TV systems. IEEE Trans. on Multimedia 6(5), 760–769 (2004)
8. Kim, H.: Secure communication in digital TV broadcasting. IJCSNS 8(9) (2008)
Free-Form Deformation Axis Aligned Bounding Box
Sunhwa Jung1, Min Hong2, and Min-Hyung Choi1
1 Department of Computer Science and Engineering, University of Colorado Denver, Campus Box 109, PO Box 173364, Denver, CO 80217, USA
[email protected], [email protected]
2 Division of Computer Science and Engineering, Soonchunhyang University, 646 Eupnae-ri Shinchang-myeon Asan-si, Chungcheongnam-do, 336-745, Korea
[email protected]
Abstract. We present a new efficient collision-handling technique of free-form deformation (FFD) of an embedded surface. By adapting FFD, modeling deformation has been substantially simplified to make possible interactive rate animation of a deformable object even for a complex embedded mesh. However, the lack of effective collision detection and resolution schemes for an FFD-embedded surface hinders the overall performance and often becomes a bottleneck. Most existing collision handling techniques can be directly applied to an FFD grid for fast computation, but surface approximation error would be apparent and it could cause noticeable visual artifacts. On the other hand, applying collision detection and resolution techniques directly to the embedded surface is extremely expensive and can obliterate the viability of real-time FFD simulation because the embedded surface has a high resolution in most cases. We present a fast collision detection and resolution method for the embedded surface in an FFD-enhanced simulation maintaining the approximation error of the embedded surface. Our techniques for detection and resolution provide an ability to balance speed and quality.
Keywords: Free-Form Deformation, Collision Detection and Resolution.
1 Introduction
Recent advances in real-time deformable object simulation have led to interactive animation of high resolution meshes becoming a viable solution for many applications. Fast deformation computation was done using reduced deformable models [4], but the degrees of freedom of a deformable object are limited, and modeling such a structure is still not trivial. A promising direction for fast deformable object animation is based on a free-form deformation (FFD) grid placed over a complex embedded surface [7], providing efficiency and flexibility without placing any limitation on the underlying geometric mesh. However, one of the most prominent downsides of the FFD grid approach is that it lacks a proper collision and contact resolution scheme pertinent to the deformation solution method. Applying a conventional collision handling method to the FFD grid generates severe surface approximation error, resulting in significant visual artifacts such as floating. On the other hand, performing a primitive level of exact collision detection for complex objects is not practical and can eliminate the benefits of having FFD-based simulation in terms of computational cost. We present an efficient collision detection and resolution method based on a free-form deformation axis aligned bounding box (FFD AABB) to support fast collision detection and resolution for FFD grid-based simulation. Our specific contributions are:
• new FFD AABB techniques for efficient collision detection and resolution that can be tightly integrated into an FFD embedded surface simulation, and
• fast culling in broad-phase collision detection using spatial hashing of deforming AABBs that does not require any modification of structure in topological changes such as fracturing and cutting.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 804–813, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Related Work
Free-form deformation-based simulation is well known for its ease of modeling and fast real-time performance. Free-form deformation has already been employed for real-time deformation of complex geometry based on the mass-spring system, the finite element method [1], [2], [3], [8] and lattice shape matching [6]. Although it limits the degrees of deformation freedom, uncomplicated adaptation to physically-based simulations makes the overall modeling process simple. Especially for applications that do not require accuracy (e.g., animation and gaming), it is a sensible choice over sophisticated yet slower methods. Collision detection and resolution of deformable objects has been intensively studied and significant progress has been made in accuracy and speed [10], [11], [12]. But no collision handling technique for the FFD-embedded surface has been proposed yet to our knowledge. Lately, fast collision detection methods using bounding sphere trees with deformation-bounded update techniques have been proposed. The Bounded Deformation Tree (BD-tree) [5] updates bounding spheres according to functions of the reduced coordinates, independently from the geometry, for reduced deformable objects. An efficient bounding sphere hierarchy update technique [9] is proposed for matrix-based deformation. These approaches are appropriate for their target deformation techniques, but it is not trivial to use them for FFD-based simulation because FFD-based deformation is not represented by a matrix or reduced coordinates. In addition, a bounding sphere can easily overestimate an FFD-embedded surface without re-estimating the radius for all the primitives. In contrast to the previous methods, our method tightly estimates the embedded surface and similarly handles massive collision detection efficiently without any expensive hierarchy update costs.
3 Free-Form Deformation Axis Aligned Bounding Box
3.1 FFD AABB for Embedded Objects
An axis aligned bounding box (AABB) consists of six boundary float variables (maximum x, minimum x, maximum y, minimum y, maximum z, and minimum z) that are updated at each time step by traversing the primitives in the AABB. In general the cost of an AABB update is at least O(N). Unlike an AABB, an FFD AABB consists of a set of eight boundary nodes (BN) with local coordinates (s, t, and u) and a set of outside surfaces (OS) that represent the surface of the AABB (see Eq. 1).
Fig. 1. FFD AABB building process: voxelizing (a), building the AABB of voxels (b), and calculating the FFD local coordinates of boundary nodes for BN and setting OS (c)
Fig. 1 illustrates the FFD AABB building process. Each BN is updated at each time step through FFD. Since six surfaces exist for one FFD cell and the orientation of the AABB is fixed (see Fig. 2), six Boolean variables can represent an OS set. Inner FFD AABBs are equivalent to their grid cells and can be excluded from the collision handling process. A BN is updated at each time step using the FFD formulation along with the embedded surface nodes. As a result, the FFD AABB contains the embedded surfaces of an FFD cell while the cell undergoes dynamic deformation.
FFD AABB = {BN, OS} (1)
Fig. 2. FFD AABB components: eight BNs and six OSs are indexed matching the FFD cell nodes (left) and FFD cell surfaces (middle), respectively. The index is preset according to the axes x, y, and z (right).
3.2 FFD AABB for Deformed Embedded Objects
According to the movements of control points in the FFD grid, the embedded objects may go through various deformations. Since FFD frequently involves scaling and shearing, bounding spheres do not approximate the FFD embedded surfaces well, but the FFD AABB represents the embedded surfaces efficiently. Compared to the conventional FFD algorithm, the cost of an FFD AABB update is only the addition of an eight-node update to the embedded surface node updates. Figure 3 shows the relationship between the embedded surfaces, the FFD AABB, and the FFD grid.
Fig. 3. The embedded surface of letters (first and fourth lines), FFD AABB (second and fifth lines), and FFD grid (third and sixth lines), under free-form deformation: the FFD AABB is used for collision detection and resolution and the FFD grid is used to simulate objects. The FFD AABB tightly holds the embedded surface.
4 Collision Detection and Resolution
Our method consists of two phases. In the first phase, spatial hashing is applied to determine the potential collision pairs of FFD AABBs. In the second phase, FFD AABBs in the same voxels undergo collision checking and collision correction at the same time. Typically collision detection is separate from collision response. Collision detection returns the collision result, such as a list of the collided primitive pairs (e.g., bounding sphere/bounding sphere). Then the collision response is calculated and applied to the pair. In this process, one of the most time-consuming steps is removing duplicated collision results in order to avoid applying multiple collision corrections. The key idea of our method is to apply the collision correction and update the FFD AABBs of the corrected cells at collision detection time. Instead of returning a list of potential collision pairs (PCP) after performing collision detection, the collision response is applied and the state of the FFD AABB is updated immediately. Removing redundant pairs from the list of PCPs is expensive when the number of collisions is relatively large. To avoid repeating collision detection and resolution for the same pair, collision-involved FFD AABBs are updated after the collision correction has been applied. This guarantees that the state of the FFD AABB is synchronized throughout the whole collision detection process.
4.1 Spatial Hashing of Deforming AABB
In the broad phase of collision detection, a bounding volume hierarchy or spatial subdivision can be used, and we chose spatial subdivision similar to the optimized spatial hashing [11] that supports topological changes efficiently. The axis aligned bounding box of the FFD AABB (the deforming AABB) is used for spatial hashing. The deforming AABB is easily calculated at each time step for the FFD AABB, and spatial hashing is performed on the deforming AABBs. After voxelization of the deforming AABBs, the PCP is determined. For optimal performance of spatial hashing, the size of the spatial hashing cell should be close to the largest edge length, as in optimized hashing. In our case, the FFD cell size is appropriate for the size of the spatial hashing cell because the FFD cell is the spatial hashing primitive. We used 4,000 for the hash table size because it gives the optimal performance. Spatial hashing time is constant (4 ms) throughout the simulation when the number of objects is the same, even if the number of collisions increases.
4.2 FFD AABB Collision Detection
In narrow phase collision detection, the FFD AABBs of each PCP are checked for collision. We performed point to FFD AABB and surface to FFD AABB collision checks. Let A and B be the FFD AABBs in the same PCP. If one of the BNs of A is inside all OSs of B, or vice versa, the possibility of a collision is determined by evaluating the plane equations of the OSs. In the case of a collision, the result is the set of BNs inside the other FFD AABB. For a surface to FFD AABB collision check, the center of mass point of the surface is calculated and a point/FFD AABB collision check is performed on it. The collision detection can be made more accurate by adding more points from the surface into the point to FFD AABB collision check. This scheme can be used as another level of culling for exact collision detection between embedded surfaces, but we applied the response based on the collision detection result between point and FFD AABB.
If the number of FFD AABBs for a simulated object is large, the approximation by the FFD AABB is accurate.
Fig. 4. Calculating the collision normal: the collision normal is the average of the surface normal vectors of OS
4.3 Impulse Response
For collision response, we use impulse-based collision correction and geometric corrections. The collision normal (N) is the average of the surface normal vectors of OS weighted with the penetration depth (Eq. 2). The velocity of the cell node i ($V_{i\in A}$, $V_{i\in B}$) of A and B is corrected according to N. The response velocity ($V'_{i\in A}$, $V'_{i\in B}$) is calculated using Eq. 3 and applied to the cell nodes in case the relative velocity between A and B is negative (getting closer).
$$N = \frac{\sum_{S \in OS} D_S N_S}{\left\| \sum_{S \in OS} D_S N_S \right\|} \quad (2)$$
where $D_S$ is the penetration depth and $N_S$ is the surface normal of S.
$$V'_{i\in A} = \alpha (V_{i\in A} \cdot (-N))(-N) + \beta \left( V_{i\in A} - (V_{i\in A} \cdot (-N))(-N) \right) \quad (3)$$
$$V'_{i\in B} = \alpha (V_{i\in B} \cdot N) N + \beta \left( V_{i\in B} - (V_{i\in B} \cdot N) N \right)$$
4.4 Geometric Correction for Embedded Surface
Geometric correction ($C_A$ and $C_B$) is half of the minimum penetration depth (Eq. 4) among OS in the opposite direction (see Fig. 5). To correct an embedded surface, the correction is applied to the nodes of the cells (A and B) matching the penetrated FFD AABB. After applying geometric correction, the FFD AABB must be updated so that the next collision correction will be calculated correctly.
Fig. 5. Geometric correction: the surface normal vectors of OS are compared to get the minimum penetration depth
$$C_A = \frac{1}{2} \min(N_S, S \in OS_A), \qquad C_B = -\frac{1}{2} \min(N_S, S \in OS_A) \quad (4)$$
5 Results
We checked the accuracy of surface proximity of the FFD AABB and the performance of overall collision detection through simulation of many different shapes of objects using fast lattice shape matching. The example simulations were run on a PC with a Pentium D 3.0 CPU at 2.99 GHz and 2 GB RAM.
Fig. 6. Stacking two teapots: snapshots (before collision, after collision, in contact) of collision handling with the FFD AABB (left), and snapshots of collision handling with an FFD grid (right). The surface estimation of the FFD AABB is more accurate than the FFD grid. The teapots are stacked without visual artifacts such as penetration or a gap between objects.
Teapot simulation: To test whether our method produces close proximity of the embedded surface between complex curved and non-convex surfaces, we simulated teapots. Each teapot in Fig. 6 has 3,644 nodes, 6,320 triangles, and 602 FFD grid cells used for simulation. The FFD AABB deforms with the FFD grid and contains the embedded surface mesh more tightly than the FFD grid. The proximity of the FFD grid to the embedded surface is too rough. Results of collision detection by the FFD grid show a large gap between the embedded surface meshes and between the embedded surface mesh and the floor. On the other hand, the proximity between contact surfaces is tightly maintained by our method and doesn't show floating artifacts. Still, both the collision handling by the FFD grid and the collision handling by the FFD AABB manage 1.7 ms for collision detection and response altogether.
Fig. 7. Alphabet letters simulation: snapshots of the simulation of 1,014 alphabet letters at 165 (top left), 825 (top right), 1605 (middle left), 2280 (middle right), and 3225 (bottom)
Alphabet simulation: To verify whether our method can handle massive collisions, where exact contact is not called for, we simulated 1,014 alphabet letters. The deforming shapes of the 26 letters vary, and the FFD AABB efficiently holds the embedded objects. Each alphabet model is dropped as a group toward a confined area to create a large number of sustained collisions and contacts. Initial conditions for velocity and orientation or torque of the objects are randomly generated. Figure 7 shows a series of time-stamped snapshots of the simulation as it progresses. The typical FFD grid for each alphabet model has between 8 and 16 cells, depending on the shape and topology of the model. The number of objects in Fig. 7 is 1,014 and the number of triangles is roughly three million. Initially the number of collisions is relatively small, but as the letters pile up the total number of collisions/contacts grows accordingly. Processing time per collision/response is kept relatively constant. Our method scales up reasonably as the number of collision handling instances increases. Our procedure manages the collision handling process within an interactive rate of 30 FPS up to 300 collisions (see Fig. 8). The average number of nodes in the embedded surface mesh of the letters is 1,118, ranging from 766 to 1,434. The average number of triangles is 2,234, ranging from 1,528 to 2,872. The average collision handling time is 279 ms throughout the whole simulation.
Fig. 8. Collision handling performance and the number of collisions for the alphabet simulation
6 Conclusion
Free-form-deformation-based simulation can be utilized in many areas, but collision detection and resolution can be a bottleneck of the simulation. We propose the FFD AABB, which deforms along with the embedded surface, and its collision detection and resolution method, which performs fast and efficiently with FFD-based simulation techniques. Our technique has a few limitations. Our method is meant for FFD-based simulation and only node/FFD AABB and center of mass/FFD AABB collision checks are performed, so edges can penetrate each other. But this does not produce a serious artifact in our example simulations. Adaptively adding more nodes on the edges for the collision check will treat the slight artifacts without changing the algorithm, at a little additional computational cost. Self-collision, excluded in this paper, will be the future direction of this project.
References
1. Capell, S., Green, S., Curless, B., Duchamp, T., Popović, Z.: Interactive Skeleton-Driven Dynamic Deformations. In: Proc. ACM SIGGRAPH 2002, pp. 586–593. ACM, New York (2002)
2. Capell, S., Green, S., Curless, B., Duchamp, T., Popović, Z.: A Multiresolution Framework for Dynamic Deformations. In: Proc. the 2002 ACM SIGGRAPH/Eurographics Symposium on Computer Animation (SCA 2002), pp. 41–47. ACM, New York (2002)
3. Frisch, N., Ertl, T.: Deformation of Finite Element Meshes Using Directly Manipulated Free-Form Deformation. In: Proc. the Seventh ACM Symposium on Solid Modeling and Applications (SMA 2002), pp. 249–256. ACM, New York (2002)
4. James, D.L., Pai, D.K.: Dyrt: Dynamic Response Textures for Real Time Deformation Simulation with Graphics Hardware. In: Proc. ACM SIGGRAPH 2002, pp. 582–585. ACM, New York (2002)
5. James, D.L., Pai, D.K.: BD-Tree: Output-Sensitive Collision Detection for Reduced Deformable Models. ACM Trans. Graph. (SIGGRAPH 2004) 23(3) (2004)
6. Rivers, A.R., James, D.L.: FastLSM: Fast Lattice Shape Matching for Robust Real-Time Deformation. In: Proc. ACM SIGGRAPH 2007, p. 82. ACM, New York (2007)
7. Spillmann, J., Becker, M., Teschner, M.: Efficient Updates of Bounding Sphere Hierarchies for Geometrically Deformable Models. J. Vis. Comun. Image Represent. 18(2), 101–108 (2007)
8. Sederberg, T.W., Parry, S.R.: Free-Form Deformation of Solid Geometric Models. SIGGRAPH Computer Graphics 20(4), 151–160 (1986)
9. Sela, G., Subag, J., Lindblad, A., Albocher, D., Schein, S., Elber, G.: Real-Time Haptic Incision Simulation Using FEM-Based Discontinuous Free Form Deformation. In: Proc. the 2006 ACM Symposium on Solid and Physical Modeling (SPM 2006), pp. 75–84. ACM, New York (2006)
10. Sud, A., Govindaraju, N., Gayle, R., Kabul, I., Manocha, D.: Fast Proximity Computation among Deformable Models Using Discrete Voronoi Diagrams. ACM Trans. Graph. 25(3), 1144–1153 (2006)
11. Teschner, M., Heidelberger, B., Müller, M., Pomeranets, D., Gross, M.: Optimized Spatial Hashing for Collision Detection of Deformable Objects. In: Proc. the 8th Int'l Fall Workshop Vision, Modeling, and Visualization (VMV 2003), pp. 47–54 (2003)
12. Teschner, M., Kimmerle, S., Zachmann, G., Heidelberger, B., Raghupathi, L., Fuhrmann, A., Cani, M.-P., Faure, F., Magnetat-Thalmann, N., Strasser, W.: Collision Detection for Deformable Objects. Computer Graphics Forum 24(1), 61–81 (2005)
A Study on Mosaic Based CCTV System Using Localization*
Jong-Min Kim1 and Myung-A Kang2,*
1 Computer Science and Statistic Graduate School, Chosun University, Korea
[email protected]
2 Dept. of Computer Engineering, GwangJu University, Korea
[email protected]
Abstract. This paper proposes a combined recognition method related to frames based on a combined CCTV system using local partial images. The goal of the proposed algorithm is to reduce the combining time and increase the overall recognition rate compared to existing methods. Since the SIFT algorithm, an existing method, has the disadvantages of being patented and slow, this paper raises the speed to match the actual processing speed of CCTV by using an improved local image regeneration method. This paper consists of an introduction to the algorithm and a description of the overall system that was built, based on the recognition rate, the speed and the use of localized images. Performance was comparatively evaluated through actual tests. By applying this method to CCTV operating in real time, a low cost inline system which reduces monitoring fatigue, since each individual screen need not be observed, was built. In addition to being economically effective, it can also be used by regular users.
1 Introduction
It is well known that a mosaic of images is a panorama. Panorama refers to a mechanism that provides a sense of watching a real view. These are mainly techniques that synthesize low resolution images into high resolution images [1]. They have been widely used in space and aviation photograph analysis, computer vision and photo-consistent graphics systems. As examples of actual application such as robots have increased recently, the research value of this area has also increased. Image synthesis is an area that is especially widespread in everyday life. In synthesis, finding the overlapping area of an image is difficult. In general, algorithms for finding distinguishing points are essential, and the fast processing speed required for the analysis and recognition of the images that are found is also a factor that needs to be considered. There are many instances of existing research that use the SIFT [2] library. The major disadvantage of this method is the slow speed due to the massive amount of computation that is required. Much research is being conducted to improve this problem. Representative examples include the technique in which PCA [3] is used with SIFT and the method that uses the Levenberg Marquardt algorithm [4]. Unlike these methods that make recognition decisions based on vector values, this paper proposes a domain based recognition technique that uses distinguishing features of an image. By applying this method to CCTV operating in real time, a low cost inline system which reduces monitoring fatigue, since each individual screen need not be observed, was built. In addition to being economically effective, it can also be used by regular users.
* Corresponding Author.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 814–822, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Existing Recognition Method between Frames
Existing interframe recognition methods include techniques based on the RANSAC algorithm, on the SIFT library, and on the Levenberg Marquardt algorithm.
2.1 SIFT
The SIFT method first determines the size and position of the distinguishing feature. The points that are not useful for distinguishing are then removed through DOG by discriminating on the ratio of the long and short axes. Then directional components are determined by a histogram and the distinguishing feature is expressed again in this method.
2.2 Levenberg Marquardt
This method first calculates the vertical and horizontal motion components through Phase Correlation, first proposed by Reddy and Chatterji, and synthesizes after applying the Levenberg Marquardt algorithm.
3 Algorithm Flowchart
The algorithm for the proposed inter frame recognition system extracts only frames from the CCTV camera and produces video again by carrying out the recognition in real time. Figure 1 shows the flowchart for the algorithm proposed in this paper. To extract the distinguishing feature of a frame, preprocessing of the image is needed. The preprocessing step is used to remove noise and as a condition to find the optimum distinguishing feature point. In the recognition part, a partial frame of 41*41 pixels around each extracted point is generated. Then the optimum point is found from the critical value obtained through difference calculation. If the input image is recognized, the recognized part is combined optimally into one screen.
Fig. 1. Algorithm flowchart
4 Recognition of Distinguishing Features Using Critical Value from Difference Calculation
4.1 Size Transformation of an Image
The image size was set to 256*256 to facilitate the calculation in the frequency domain. The cubic convolution interpolation method was used to reduce the stair-case phenomenon, with a user defined equation to execute 2^. The cubic convolution interpolation method is an interpolation using higher-order polynomials. After the weight function is defined, the pixel value is calculated by multiplying the values of the surrounding pixels of the original image by the weights and summing them. Figure 2 shows the original pixels used in cubic convolution interpolation.
Fig. 2. 16 Point original pixel
The resultant image pixel value is calculated by referencing a total of 16 pixels. If the center point is the real number coordinate in the original image that must be referenced for the resultant image, the surrounding 16 circular points are the pixels used for cubic convolution interpolation. A total of five interpolations are used in this method. From the 16 points, 4 triangle locations are used to carry out a cubic convolution interpolation. Then an interpolation is carried out for the 4 triangles to estimate the location of the center point. Therefore, a total of 4+1 = 5 interpolations are carried out. Figure 3 shows how Equation 1 is derived from 4 points.
Fig. 3. 4 Point original pixel
$v_1, v_2, v_3, v_4$ are the four coordinates and $d$, a real number with a value between 0 and 1, is the distance between the second pixel and the real number coordinate. In this case, the value of the weight for the pixel corresponding to $v_1$ is determined by $f(1+d)$. The value of the weight for the pixel corresponding to $v_2$ is determined by $f(d)$. Continuing this line of reasoning leads to Equation 1, shown below.
$$f(x) = \begin{cases} (a+2)|x|^3 - (a+3)|x|^2 + 1 & 0 \le |x| \le 1 \\ -|x|^3 + 5|x|^2 + 8a|x| - 4a & 1 \le |x| \le 2 \\ 0 & 2 \le |x| \end{cases} \quad (1)$$
If this equation is rewritten with -1 substituted for a, Equation 2 results.
$$f(x) = \begin{cases} |x|^3 - 2|x|^2 + 1 & 0 \le |x| \le 1 \\ -|x|^3 + 5|x|^2 - 8|x| + 4 & 1 \le |x| \le 2 \\ 0 & 2 \le |x| \end{cases} \quad (2)$$
If the value v interpolated with this function is calculated and the equation is expanded, Equation 3 results. This equation is used to transform the size.
$$v = (-v_1 + v_2 - v_3 + v_4) d^3 + (2v_1 - 2v_2 + v_3 - v_4) d^2 - (v_1 - v_3) d + v_2 \quad (3)$$
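The interpolation of Equations 2 and 3 carried out in code, as an added Python example that is not part of the paper: it evaluates the four-point weighted sum with the a = -1 kernel, checks it against the expanded polynomial of Equation 3, and applies the 4 + 1 row/column scheme of the text to resample an image. The border clamping and the pixel-centre mapping in resize are assumptions.

```python
# Cubic convolution interpolation of Eqs. 2 and 3 (a = -1), written as an
# added example that is not part of the paper. Images are plain lists of
# rows; sample points are real-valued (x, y) in pixel coordinates.


def kernel(x):
    """Weight f(x) of Eq. 2: the cubic convolution kernel with a = -1."""
    x = abs(x)
    if x <= 1.0:
        return x**3 - 2 * x**2 + 1
    if x <= 2.0:
        return -x**3 + 5 * x**2 - 8 * x + 4
    return 0.0


def interp_by_weights(v1, v2, v3, v4, d):
    """Four-point interpolation as a weighted sum: the sample lies a
    distance d (0 <= d <= 1) to the right of the pixel v2."""
    return (v1 * kernel(1 + d) + v2 * kernel(d)
            + v3 * kernel(1 - d) + v4 * kernel(2 - d))


def interp_eq3(v1, v2, v3, v4, d):
    """The same value by the expanded polynomial of Eq. 3."""
    return ((-v1 + v2 - v3 + v4) * d**3
            + (2 * v1 - 2 * v2 + v3 - v4) * d**2
            - (v1 - v3) * d + v2)


def sample_2d(img, x, y):
    """Sixteen-point cubic convolution at real coordinates (x, y): four
    row interpolations along x, then one interpolation of those results
    along y (the 4 + 1 = 5 interpolations of the text). Indices outside
    the image are clamped to the border (assumption)."""
    height, width = len(img), len(img[0])

    def px(row, col):
        row = min(max(row, 0), height - 1)
        col = min(max(col, 0), width - 1)
        return img[row][col]

    ix, iy = int(x // 1), int(y // 1)
    dx, dy = x - ix, y - iy
    rows = [interp_eq3(px(r, ix - 1), px(r, ix), px(r, ix + 1), px(r, ix + 2), dx)
            for r in range(iy - 1, iy + 3)]
    return interp_eq3(rows[0], rows[1], rows[2], rows[3], dy)


def resize(img, new_w, new_h):
    """Size transformation: resample img onto a new_w x new_h grid, mapping
    each output pixel centre back to source coordinates (assumption)."""
    sx = len(img[0]) / new_w
    sy = len(img) / new_h
    return [[sample_2d(img, (c + 0.5) * sx - 0.5, (r + 0.5) * sy - 0.5)
             for c in range(new_w)] for r in range(new_h)]


if __name__ == "__main__":
    # Constructed 5x5 ramp image: pixel value = 10*row + col.
    RAMP = [[10 * r + c for c in range(5)] for r in range(5)]
    print(interp_by_weights(1, 2, 4, 8, 0.5), interp_eq3(1, 2, 4, 8, 0.5))
    print(sample_2d(RAMP, 1.5, 1.0))
    print(resize(RAMP, 3, 3))
```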
4.2 Gaussian High Pass Filter
All signals created in nature can be expressed as a combination of specific functions. The Fourier Transform refers to a method which expresses a signal with sine and cosine functions as the basis functions. The FFT, a popular method, was used in this paper to improve the speed. Figure 4 is a display of the Fourier Transform domain. In the Fourier Transform, parts in which pixel values change suddenly are referred to as high frequency components. They are distributed in the middle, and low frequency components are distributed on both sides. Equation 4 is the high pass filter that is applied.
Fig. 4. Fourier transform domain
$H(u, v) = 1 - e^{-D^2(u, v) / 2D_0^2}$   (4)
In Equation 4, D(u, v) represents the (u, v) coordinate measured from the center coordinate of the filter and D_0 is the cutoff frequency. The cutoff frequency is a value that determines the amount of frequency components filtered out by the high pass filter.
4.3 Harris Corner Point Detection
Corner points of an image are widely used to analyze images. The Harris corner point is basically determined by analyzing the change in pixel values due to window movement. In Figure 5, the first figure shows window movement in a flat domain: the pixel value is always constant even if the window moves. The second figure shows the case for a boundary: while there is a change in value for horizontal movement, there is no change for vertical movement. The last figure shows the Harris corner point; for this case, there is a change in value for the vertical movement as well. Harris corner points are found with this method.
Fig. 5. Point location for each domain: (a) flat domain, (b) boundary, (c) corner point
If this is expressed with Equation 5, Δx and Δy represent a small change in the x and y directions and w represents the window.
$c(x, y) = \sum_{w} [I(x, y) - I(x + \Delta x, y + \Delta y)]^2$
$M = \sum_{\Delta x, \Delta y} w(\Delta x, \Delta y) \begin{bmatrix} I_x^2 & I_x I_y \\ I_x I_y & I_y^2 \end{bmatrix}$   (5)
c(x, y), the function that expresses the amount of change, has a small value in flat areas and large values at corners, as shown in Figure 5. This relation can be expressed as Equation 6 using a Taylor series. If the eigenvalues of matrix M are expressed as λ_1 and λ_2, it is possible to tell whether a point is a boundary or a corner point, as shown in Figure 6.
$R = \mathrm{Det}(M) - K \cdot \mathrm{Tr}(M)^2, \quad \mathrm{Det}(M) = \lambda_1 \lambda_2, \quad \mathrm{Tr}(M) = \lambda_1 + \lambda_2$   (6)
If the values for λ1 , λ2 are both small, it is flat. If one is small and the other is large, it is a boundary. If both are large, it is a corner point.
Fig. 6. Distribution according to the R value
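An added Python example, not from the paper, of the Harris response of Equations 5 and 6 evaluated on a constructed image with one bright square: the central-difference gradient, the uniform 3x3 window (w = 1) and K = 0.04 are assumptions.

```python
from typing import List, Tuple

Image = List[List[float]]


def gradients(img: Image) -> Tuple[Image, Image]:
    """Central-difference estimates of I_x and I_y (zero on the border)."""
    h, w = len(img), len(img[0])
    ix = [[0.0] * w for _ in range(h)]
    iy = [[0.0] * w for _ in range(h)]
    for r in range(1, h - 1):
        for c in range(1, w - 1):
            ix[r][c] = (img[r][c + 1] - img[r][c - 1]) / 2.0
            iy[r][c] = (img[r + 1][c] - img[r - 1][c]) / 2.0
    return ix, iy


def harris_response(img: Image, k: float = 0.04, radius: int = 1) -> Image:
    """R = Det(M) - k * Tr(M)^2 (Eq. 6), with M summed over a uniform window
    (w(dx, dy) = 1 for every offset within `radius`, as in Eq. 5)."""
    h, w = len(img), len(img[0])
    ix, iy = gradients(img)
    resp = [[0.0] * w for _ in range(h)]
    for r in range(radius, h - radius):
        for c in range(radius, w - radius):
            sxx = sxy = syy = 0.0
            for dy in range(-radius, radius + 1):
                for dx in range(-radius, radius + 1):
                    gx, gy = ix[r + dy][c + dx], iy[r + dy][c + dx]
                    sxx += gx * gx
                    sxy += gx * gy
                    syy += gy * gy
            det = sxx * syy - sxy * sxy   # lambda_1 * lambda_2
            tr = sxx + syy                # lambda_1 + lambda_2
            resp[r][c] = det - k * tr * tr
    return resp


def classify(r_value: float, threshold: float) -> str:
    """Both eigenvalues small: flat; one large: boundary (R < 0); both large: corner."""
    if r_value > threshold:
        return "corner"
    if r_value < -threshold:
        return "boundary"
    return "flat"


def strongest_corner(resp: Image) -> Tuple[int, int]:
    """(row, col) of the largest response."""
    best = max((resp[r][c], r, c) for r in range(len(resp)) for c in range(len(resp[0])))
    return best[1], best[2]


def sample_image(size: int = 12) -> Image:
    """Constructed test image: dark background, bright square with its
    top-left corner at (row 6, col 6)."""
    return [[1.0 if r >= 6 and c >= 6 else 0.0 for c in range(size)] for r in range(size)]
```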
4.4 Recognition after Recreating a Localized
Recognition was carried out by recreating an image of 41*41 size around each corner point detected in the image and finding a fixed ratio from the difference calculation between the two images. Figure 7 is the reproduced image. The difference calculation of Equation 7, widely used to detect intruders, was used. Only those points that display a difference of 92.16% or higher were extracted. Then points with a change period at the Max point were selected again by applying the Max&Min algorithm to the extracted points. A domain was created from 70% or more of these points having two points or more. Finally, a union based on the domains was carried out.
Fig. 7. 41*41 Image generation
$h(x, y) = f(x, y) - g(x, y)$   (7)
5 Experiment Result
Tests were carried out for combination accuracy from still images and synthesis speed. The test environment is shown in Figure 8.
Fig. 8. Experiment Environment
Tests were carried out with two types of images. The recognition rate is discussed first. It can be seen that the recognition rate for a 640*480 sample is slightly lower than SIFT or Levenberg. However, for a 768*1024 sample, the result is almost identical, as shown in Figure 9. This phenomenon occurred because the image size adjustment had an effect. Second is the speed issue. Since there is a clear difference in time with respect to SIFT, only the comparison with Levenberg was made. Table 1 shows that the proposed method is faster than Levenberg by about 1 second. It is possible to conclude that while the recognition rate for domain recognition without using vectors is slightly lower, the speed is faster than the other methods. Raising the recognition rate is the future research goal.
Fig. 9. Graph for the two sample test
Table 1. Experiment Result
Size       | Levenberg (Sec) | InlineCCTV (Sec)
640 * 480  | 1.56749         | 2.395820
1024 * 768 | 2.12447         | 3.681138
6 Conclusion
The inline CCTV proposed by this paper has a high recognition rate even in complex backgrounds and demonstrated a stable recognition rate by recognizing a certain level of direction change. Today, efforts to make CCTV utilization more efficient, like controlling the CCTV directly and even finding the overlapping domains of the CCTVs and expressing them efficiently in one line by using inline CCTV techniques, are being pursued. Physically, these new methods will be able to reduce monitor fatigue. Economically, they will reduce costs and offer practical advantages in CCTV location selection as well. However, improvements are still needed in selecting the principal factors required during recognition. Problems that occur when the image rotates must also be solved. Continued research is needed to tackle these issues.
Selecting the Wireless Communication Methods for Establishing Ubiquitous City-Gas Facilities in Korea∗
Jeong Seok Oh, Jang Sik Park, and Jeong Rock Kwon
Institute of Gas Safety R&D, Korea Gas Safety Corporation, Shihung-Shi, Gyounggi-Do, Korea
{dbstar,pjsik,jrkwon}@kgs.or.kr
Abstract. Ubiquitous technologies differ from previous technologies in that they construct an intelligent network over all objects. In order to apply ubiquitous technologies to city-gas facilities, it is necessary to analyze the characteristics of the surrounding environment, design the applicable infrastructure for each facility, and enhance safety and reliability. This paper investigates the status of city-gas safety management using IT technologies in Korea, analyzes the characteristics of context-awareness in city-gas facilities, and experiments with the applicable wireless communication method for each city-gas facility. The aim of this paper is to lay the cornerstone for constructing the framework of intelligent infrastructure and services for autonomically managing the related facilities.
Keywords: Ubiquitous, safety management, intelligent infrastructure.
1 Introduction
Ubiquitous technologies are capable of innovating public services, increasing the quality of life, and enhancing business productivity by constructing an intelligent network over all objects [8]. However, in order to apply ubiquitous technologies to legacy industries, it is necessary to develop network infrastructures based on ubiquitous technologies that take the particular characteristics of the industry into account, and intelligent services that analyze the collected context-aware information [1,2,3]. Although a few industries might have introduced ubiquitous technologies, there are few convergence cases between the ubiquitous and gas fields, such as GASNET [5]. GASNET (Gasline Network Sensor System) was developed by NETL. This system could provide an increased understanding of the distribution network, leading to cost benefits estimated at over $10 million annually, nationwide. However, this system is only applicable to natural gas lines in the USA. Furthermore, applying ubiquitous technologies to city gas facilities requires designing the applicable infrastructure by analyzing the characteristics of the surrounding environment, and essentially requires an information architecture service for enhancing safety and reliability.
∗ This work was supported by MIKE (Ministry of Knowledge Economy) under the program of ETI (Energy Technology Innovation). This paper is a result of “Research Group of Energy Safety for Next Generation” (Project No. 2007-M-CC23-P-03-1-000).
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 823–828, 2009. © Springer-Verlag Berlin Heidelberg 2009
This paper investigates the status of city-gas safety management using IT technologies in Korea, analyzes the characteristics of the thirteen city-gas facilities, derives parameters of context-aware information in the target facilities, and executes tests for selecting the applicable wireless communication methods for the target facilities. The aim of this paper is to lay the cornerstone for constructing the framework of intelligent infrastructure and services for autonomically managing the related facilities in Korea.
2 The Current Status of City Gas Safety Management Systems Using IT in Korea
City gas safety management in Korea may be divided into status, facility, and operation systems. The status management system aims to manage optimal maintenance beforehand and emergency restoration afterwards, e.g. SCADA, the total control center, and the facility real-time management system. The facility management system aims to correctly estimate safety by collecting and accumulating a huge facility resource database, as follows: geographical information system, SPC/QRA, and pipeline network analysis. The operating management system aims to increase business efficiency through the estimation and improvement of operation, including the basic design of the system, safety diagnosis of the facility status, status simulation, and facility control.
Fig. 1. Arguments in Legacy System.
The city gas safety management systems in Korea have made an effort to control context-aware information, and are mostly based on wired communication systems using IT. Furthermore, a few systems have partly introduced remote AMR (Automatic Meter Reading) systems using mobile communication (CDMA). The architecture of these systems is as follows: first, end utilities send data packets to a WAP server using the commercial mobile network. Next, the WAP server translates the mobile data into internet data and sends it to the management server through the internet. Finally, the management server calculates and analyzes the received data and raises an alert when the target is abnormal. Therefore, these systems are not able to control end utilities or collect the surrounding status, because they only monitor the values of remote meters.
However, the arguments shown in Fig. 1 are resolved by introducing ubiquitous technologies that can provide controllable wireless infrastructures and intelligent service platforms for city gas safety management in Korea. First of all, using ubiquitous technologies requires protocols and data types based on international standards, because the legacy systems provide neither dynamic wireless network infrastructures nor consistent software platforms.
3 Analyzing Characteristics on City-Gas Facilities in Korea
Principal city gas facilities are broadly divided into pipeline, governor, test box, gas meter, and others. Context-aware parameters in these facilities are classified into environmental parameters (earthquake, ground subsidence, etc.) and maintenance parameters (pressure, vibration, leakage gas, etc.). Table 1 shows the monitorable context-aware parameters obtained by analyzing the characteristics of city gas facilities.
Table 1. Parameters in City-gas Facilities
Target               | Parameter
Underground pipeline | Corrosion, stress, earthquake, ground subsidence
Open pipeline        | Pressure, leakage gas, stress, ground subsidence, earthquake
Governor             | Temperature, stress, vibration, earthquake, AC/DC
Valve box            | Pressure, leakage gas, stress, gas subsidence, earthquake, water level, leakage current
Test box             | Corrosion
Meter                | Pressure, leakage gas, temperature
Rectifier            | Corrosion, AC/DC
RTU                  | Communication status, AC/DC
CNG station          | Vibration, stress, ground subsidence
We selected four facilities which require ubiquitous technologies most urgently, through negotiation with two city gas corporations in Korea. We also defined corrosion in the underground pipeline, stress/vibration in the open pipeline, leakage gas/water level/leakage current in the gas valve box, and pressure at special pressure monitoring places as the target context-aware parameters, as in Table 2.
Table 2. Target Measurement Parameters
Target facilities       | Parameters                                | Unit
Underground pipeline    | Corrosion                                 | V
Open pipeline           | Stress, vibration                         | Pa (kg/cm^2), cm/s
Valve box               | Leakage gas, water level, leakage current | ppm, level, V
Special pressure places | Pressure                                  | MPa (kg/cm^2)
4 Applicable Wireless Communication Analysis and Experiment on City Gas Facilities in Korea
Various methods may be used to send context-aware information from city gas facilities. Although existing methods used wired communication such as PLC, wireless communication methods are being introduced with several benefits. Based on the analysis of measurable parameters and characteristics of city gas facilities, the facilities differ from one another in their data characteristics, and the applicable wireless communication method should be selected by analyzing field status information. In addition, when considering the cost of establishing a wireless short-distance network for city gas facilities, the distance between the target facility and the gas governor matters, because the governor is already equipped with a wired communication unit. According to our investigation, gas governors are generally installed about every 1 km in Korean city gas networks. Therefore, if the distance between the target facility and the gas governor is less than 1 km, a wireless short-distance network may be applicable; otherwise a wireless medium/long-distance network is needed in city gas environments. Table 3 shows the field characteristics and the applicable communication method for the target facilities in Korea. The underground pipeline and the third-party damage pipeline allow a wireless short-distance network, while the open pipeline and valve box can use either a short-distance or a medium/long-distance network, depending on the location of the exclusive communication facility. Based on our investigation, we regard RF, Bluetooth, Zigbee and UWB as wireless short-distance communication, and CDMA, Wibro, 6LoWPAN, and TRS as wireless medium/long-distance communication in Korea [6,7,9].
Table 3. The Applicable Communication Method and Characteristics on the Facility
Target                        | Characteristics                                                                                                        | Method
Underground pipeline          | Middle/high pressure; difficulty of supplying power; only communication on the ground; average pipeline length of 50 m | Short distance network
Open pipeline                 | An open environment; difficulty of supplying power                                                                     | Short or long distance network
The 3rd-party damage pipeline | A half-closed environment; possibility of supplying power                                                              | Short distance network
Valve box                     | A closed environment; difficulty of supplying power                                                                    | Long distance network
Special pressure places       | Concrete/steel cover                                                                                                   | Short distance network
A test-bed for the wireless short-distance network was set up to monitor and control pressure and corrosion in the underground pipeline and s. This test-bed consisted of ten pressure monitoring areas and three gas governor rooms. The distances between monitoring areas are shown in Fig. 2; the maximum is 495 meters and the minimum 43 meters.
Fig. 2. Test-bed for Wireless short distance infrastructures
The maximum transmission length in open environments was about 1 km for Zigbee and Bluetooth, while it was about 100 m for RF after optimizing the antenna and amplifier power. The maximum transmission length between closed and open environments was about 35 m for Zigbee, 10 m for Bluetooth, and 70 m for RF. Although various wireless short-distance technologies will progress in the future, Zigbee was better than the others in the open environment, and a low frequency band is preferable in the closed environment in our test-bed. In addition, Zigbee showed a longer transmission length and lower transmission output power, and can set up a self-organizing network. However, Zigbee is not applicable in the closed environment, because a high frequency band method such as 2.4 GHz did not get through the concrete or steel environment in our test-bed. In other words, as the closed environment generally lies under the ground and is blocked in every direction, communication from the closed to the open environment goes together with a low frequency band. The low frequency band unit was not yet optimized, and for that reason its transmission length can become longer.
A test-bed for the wireless medium/long-distance network was set up to monitor and control leakage gas, water level and leakage current in the thirteen valve boxes. The gas valve box environment generally had an outer steel cover combined with an inner steel cover, and an average depth of 2 m. We tested the communication success rate using CDMA and Wibro. Both are commercially usable as wireless long-distance networks in Korea. From the viewpoint of safety and commercial services, TRS and 6LoWPAN will be tested. All experiments measured at the bottom, the middle and the top of the thirteen gas valve boxes, and the results are shown in Table 4. Tests in the middle and at the top were able to communicate in the open, inner cover closed and inner/outer cover closed states, and only one valve box did not communicate at the bottom.
Nevertheless, CDMA is applicable because the valve box is deeper than 2 m. On the other hand, Wibro is not applicable.
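As an added example (not the authors' code), a Python planner that applies the 1 km governor rule and the measured ranges above to a constructed layout: the coordinates, the preference orders (Zigbee first for open points, the low-frequency RF unit first for closed ones) and the use of multi-hop relaying are assumptions.

```python
import math
from collections import deque
from typing import Dict, List, Set

# Maximum transmission lengths measured in the test-bed (metres).
OPEN_RANGE_M = {"Zigbee": 1000, "Bluetooth": 1000, "RF": 100}       # open to open
CLOSED_TO_OPEN_RANGE_M = {"Zigbee": 35, "Bluetooth": 10, "RF": 70}  # closed to open
GOVERNOR_SPACING_M = 1000      # governors sit about 1 km apart and carry a wired unit
LONG_DISTANCE_METHOD = "CDMA"  # the long-distance method that worked in the valve boxes


class Node:
    """A monitoring point or governor room; `closed` marks an underground or
    concrete/steel-covered environment such as a valve box."""

    def __init__(self, name: str, x: float, y: float,
                 closed: bool = False, governor: bool = False) -> None:
        self.name, self.x, self.y = name, x, y
        self.closed, self.governor = closed, governor


def distance_m(a: Node, b: Node) -> float:
    return math.hypot(a.x - b.x, a.y - b.y)


def link_range_m(tech: str, a: Node, b: Node) -> float:
    """Measured range that applies to a link, given the two environments."""
    if a.closed or b.closed:
        return CLOSED_TO_OPEN_RANGE_M[tech]
    return OPEN_RANGE_M[tech]


def reachable_from_governors(nodes: List[Node], tech: str) -> Set[str]:
    """Names of nodes that can reach some governor with `tech`, allowing
    multi-hop relaying through other nodes (a self-organizing network)."""
    seen = {n.name for n in nodes if n.governor}
    queue = deque(n for n in nodes if n.governor)
    while queue:
        cur = queue.popleft()
        for other in nodes:
            if other.name in seen:
                continue
            if distance_m(cur, other) <= link_range_m(tech, cur, other):
                seen.add(other.name)
                queue.append(other)
    return seen


def select_method(nodes: List[Node]) -> Dict[str, str]:
    """Short-distance network when a governor is within 1 km and a short-range
    path can actually be formed; otherwise the medium/long-distance method."""
    governors = [n for n in nodes if n.governor]
    choice: Dict[str, str] = {}
    for n in nodes:
        if n.governor:
            continue
        nearest = min(distance_m(n, g) for g in governors)
        if nearest >= GOVERNOR_SPACING_M:
            choice[n.name] = LONG_DISTANCE_METHOD
            continue
        # open points: Zigbee first; closed points: the low-frequency RF unit first
        order = ["RF", "Zigbee", "Bluetooth"] if n.closed else ["Zigbee", "RF", "Bluetooth"]
        tech = next((t for t in order if n.name in reachable_from_governors(nodes, t)), None)
        choice[n.name] = tech or LONG_DISTANCE_METHOD
    return choice


def sample_testbed() -> List[Node]:
    """Constructed sample layout (not the paper's Fig. 2)."""
    return [
        Node("G1", 0, 0, governor=True),
        Node("P1", 300, 0),                # open pipeline point
        Node("P2", 800, 0),                # open pipeline point
        Node("V1", 40, 30, closed=True),   # valve box close to the governor
        Node("V2", 350, 30, closed=True),  # valve box with no short-range path
        Node("P3", 1500, 0),               # more than 1 km from any governor
    ]


if __name__ == "__main__":
    for name, method in select_method(sample_testbed()).items():
        print(f"{name}: {method}")
```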
Table 4. Transmission Test Results (CDMA)
Valve status      | CDMA                | Wibro
Open              | Possible except one |
Inner cover close |                     |
Outer cover close |                     |
5 Conclusions
Ubiquitous technologies differ from legacy technologies in constructing an intelligent network over all objects. Furthermore, ubiquitous services in city gas facilities must design the applicable infrastructure by analyzing the characteristics of the surrounding environment owing to its particular conditions, and essentially require an information architecture service for enhancing safety and reliability. This paper investigated the status of city gas management using IT in Korea, analyzed the characteristics of the city gas facilities, derived parameters of context-aware information in the target facilities, and tested various wireless communications for selecting the applicable wireless communication for the target facilities. As a result, our study derived four city gas facilities which require ubiquitous technologies most urgently, and their environmental characteristics. If the distance between a facility and the gas governor room is more than 1 km, a wireless short-distance network is applicable; otherwise a wireless medium/long-distance network is applicable. Also, among short-distance networks Zigbee is preferable for the underground pipeline and special pressure places, while among long-distance networks CDMA is better for the valve box.
References
1. Srisathapornphat, C., Jaikaeo, C., Shen, C.: Sensor Information Networking Architecture and Applications. IEEE Personal Communications 8(4), 52–59 (2001)
2. Culler, D.E., Hong, W.: Wireless Sensor Networks. Communications of the ACM 47(6), 30–33 (2004)
3. Akyildiz, F., Su, W., Sankara, Y.: A Survey on Sensor Network. IEEE Communication Magazine 40(8), 102–114 (2002)
4. Llays, D.: Handbook of Sensor Networks: Concept Wireless and Wired Sensing System. CRC Press, Boca Raton (2005)
5. Oil and Natural Gas Projects: Transmission, Distribution and Refining. NETL (2005)
6. Kohvakka, M., Kuorilehto, M., Hannikainen, M., Hamalainen, T.D.: Performance Analysis of IEEE 802.15.4 and ZigBee for Large-Scale Wireless Sensor Network Applications. In: IEEE PE-WASUN, Spain, pp. 48–57 (2006)
7. Held, G.: Data Over Wireless Networks: Bluetooth, WAP, and Wireless LANs. McGraw-Hill, New York (2001)
8. Wang, H., Zhang, Y., Cao, J.: Ubiquitous Computing Environments and Its Usage Access Control. In: Proceedings of the First International Conference on Scalable Information Systems, Hong Kong, pp. 1–10 (2006)
Safety High Accuracy Context-Aware Matrix (CAM) Making Based on X.509 Proxy Certificate
Hoon Ko, Ning Chen, Goreti Marreiros, and Carlos Ramos
GECAD – Knowledge Engineering and Decision Support Group, Institute of Engineering – Polytechnic of Porto, Portugal
{hko,goreti}@isep.ipp.pt, [email protected], [email protected]
Abstract. Human Computer Interaction (HCI) is the interaction between computers and each person, and context-awareness (CA) is a very important component of HCI. In particular, if there are sequential or continuous tasks between users and devices, among users, and among devices, it is important to decide the next action using the right CA. To take a perfect decision we have to gather all CA into one structure; we define that structure as the Context-Aware Matrix (CAM) in this article. However, making an exact decision is hard because of problems like low accuracy, overhead and bad context injected by an attacker. Many researchers have been studying how to solve these problems. Moreover, HCI still has a weak point in safe use. In this article, we propose CAM making, including selecting the best server in each area. As a result, moving users can be given the best way.
1 Introduction
Usually, we define 4G as improved multimedia service, ubiquitous service, and global service [4]. Above all, the focus of 4G is to provide connectivity to moving things like cars, robots, pets, and others. However, there may be situations where these objects must communicate among themselves according to 4G's features. Because features are shared with many people, the owners need to protect their equipment with an access control function, or their access grant has to guarantee data integrity for the shared devices. In addition, there is a payment risk according to the service's features. In payment, the responsibility originally belongs to the owners; however, it should change depending on who is using the goods and services. Although many articles have studied this issue, problems such as the flexibility problem in security still remain. Also, Human Computer Interaction (HCI) is for interaction between computers and humans. Context-awareness (CA) is one component of HCI that enables active computing in the extended ubiquitous computing environment of the future. If there is a security problem for users, it may lead to a reliability problem. In particular, if the tasks are sequential and continuous, it is important to decide the next action using exact CA without pollution. We suggest making the needed certificate using X.509 Proxy Certificate. This article consists of five chapters. Chapter 2 analyzes the problems so far, and our proposal is put in Chapter 3. In Chapter 4, we explain the analysis of the proposed idea; finally, the conclusion, including future work, is in Chapter 5.
J.H. Park et al. (Eds.): ISA 2009, LNCS 5576, pp. 829–837, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Related Work
Context-awareness was introduced in 1994 by Schilit and Theimer [8], and was defined as software that adapts according to its location, the collection of nearby people and objects, and changes to those objects over time. A more recent definition is by Dey [9], who defines context-aware software as systems that use context to provide relevant information and/or services to the user, where relevancy depends on the user's task. Chen and Kotz [10] classified context into four categories: physical context, computing context, user context, and time context. [1] pointed out some problems of identification and management in resource sharing of distributed subscriptions. The authors worked on the design and implementation of a system that could control a remote network based on subscriptions through browsers. A third-party authentication protocol was designed and employed to exchange security assertions among the involved parties. Therefore, in that article, they suggested how to obtain the subscribed resource with only one ID/password. However, it was only IP based, and there are many problems such as flexibility and forcing off-campus use for some mobile people who are using a proxy server. In addition, it has an accountability problem since it is vulnerable to spoofing attacks. In [2], access delegation was the issue. However, the structure of the certificate was not directly accessed; therefore, it presents resistance in a dynamic environment. In [3], the result was that, even in a physically isolated place, access interfaces in general used the flexibility of ACLs in ubiquitous environments, but there is still a flexibility problem. In [4], the authors tried to solve the privacy and security issues. For example, user A registers music in the Smart Office for user B, while user B keeps an old access permission that user B had used before (user A forgot to delete it). Then user B can access user A's music as well as user A's other contents (of course, user A should only give the listen permission to user B). Finally, user B can see all contents, although user A may not want to share them. The authors stated that this problem may lead to potential security and privacy problems.
3 Making Context-Aware Matrix on X.509 Proxy Certificate
An X.509 proxy certificate defines the authorized list when an entity allows another entity to use its grant temporarily in a security system.
Fig. 1. X.509 proxy certificate. X.509v3 Certificate fields: Version, Serial Number, Signature Algorithm, Issuer Name, Validity period, Subject Name, Subject Public Key, Issuer unique ID, Subject unique ID, X.509v3 extensions, PC extensions. PC extensions: Version, Depth of Certificate Chain, Policy Restrictions.
Fig. 1 shows the X.509 proxy certificate, from which the proxy certificate extension can be understood in detail. All certificate information for most devices is held in the id-pe-proxyCertInfo extension. Moreover, we propose how pCPathLenConstraint will be defined. To capture the user's status exactly, various information near the user is necessary; that is, a variety of variables is required.
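An added Python example, not from the article, that encodes and decodes the id-pe-proxyCertInfo extension (RFC 3820) in DER and checks pCPathLenConstraint along a chain; the chain model (a subject name plus the extension bytes, no signature verification) is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ID_PE_PROXYCERTINFO = "1.3.6.1.5.5.7.1.14"  # RFC 3820: OID of the extension itself
ID_PPL_INHERIT_ALL = "1.3.6.1.5.5.7.21.1"   # RFC 3820 policyLanguage: inherit all rights
ID_PPL_INDEPENDENT = "1.3.6.1.5.5.7.21.2"   # RFC 3820 policyLanguage: inherit no rights

@dataclass
class ProxyCertInfo:
    policy_language: str
    path_len_constraint: Optional[int] = None  # pCPathLenConstraint
    policy: Optional[bytes] = None

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 groups, most significant first
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def encode_proxy_cert_info(info: ProxyCertInfo) -> bytes:
    """ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL,
    proxyPolicy SEQUENCE { policyLanguage OID, policy OCTET STRING OPTIONAL } }"""
    body = b""
    if info.path_len_constraint is not None:
        n = info.path_len_constraint
        body += _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))
    policy = _tlv(0x06, _encode_oid(info.policy_language))
    if info.policy is not None:
        policy += _tlv(0x04, info.policy)
    return _tlv(0x30, body + _tlv(0x30, policy))

def decode_proxy_cert_info(der: bytes) -> ProxyCertInfo:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ProxyCertInfo must be a single SEQUENCE")
    path_len, (tag, inner, pos) = None, _read_tlv(body, 0)
    if tag == 0x02:  # optional pCPathLenConstraint
        path_len = int.from_bytes(inner, "big")
        tag, inner, pos = _read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("proxyPolicy SEQUENCE expected")
    tag, oid_body, p = _read_tlv(inner, 0)
    if tag != 0x06:
        raise ValueError("policyLanguage OID expected")
    policy = None
    if p < len(inner):  # optional policy
        tag, policy, p = _read_tlv(inner, p)
        if tag != 0x04:
            raise ValueError("policy OCTET STRING expected")
    return ProxyCertInfo(_decode_oid(oid_body), path_len, policy)

@dataclass
class ChainCert:
    subject: str
    proxy_cert_info_der: Optional[bytes]  # None for the end-entity certificate

def check_proxy_depth(chain: List[ChainCert]) -> List[str]:
    """chain[0] is the end-entity certificate, each later entry a proxy signed by
    the one before it; a proxy with pCPathLenConstraint n allows at most n more."""
    problems = []
    for idx in range(1, len(chain)):
        cert = chain[idx]
        if cert.proxy_cert_info_der is None:
            problems.append(f"{cert.subject}: missing id-pe-proxyCertInfo")
            continue
        info = decode_proxy_cert_info(cert.proxy_cert_info_der)
        below = len(chain) - idx - 1  # proxies signed below this one
        if info.path_len_constraint is not None and below > info.path_len_constraint:
            problems.append(f"{cert.subject}: {below} proxies below, limit {info.path_len_constraint}")
    return problems
```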
Fig. 2. User’s moving
Fig. 2 shows the user's plan for today. First, the user goes to the hospital for an examination in the morning and then to the pharmacy to get his medicine. Next, he goes to a coffee shop, and the next destination is his company. Last, he has to visit a restaurant to meet his customer. Each sensor should notify the user of his next step using various information. Fig. 3 explains the user's status at each location.
Fig. 3. Each states
3.1 Hospital (h) / Pharmacy (ph)
First, he has to make a reservation at the hospital in the morning. The hospital has to provide the reservation quickly, without any traffic jam for him [Fig. 4]. There are factors like traffic, arrival time (or waiting time), distance to the hospital and so on for choosing a good route for the user. After that, he will go to the pharmacy near the hospital that is optimal for him, using the gathered pharmacy information. As soon as he has chosen the pharmacy, he sends his prescription there from his device.
Fig. 4. Hospital / Pharmacy
3.2 Coffee Shop (cs)
The user wants to go to the coffee shop for a coffee before going to his company. Usually, he goes there every morning. Therefore, the coffee shop has his information, such as the kind of coffee he takes according to the weather, the time he takes it, etc. That means the shop can recommend or guess his order today before he arrives, together with a good seat [Fig. 5].
Fig. 5. In coffee shop
3.3 Restaurant (r)
For the meeting with his customer, he is supposed to make a reservation at a restaurant. Before the reservation, since he keeps the customer's information, such as what kind of food the customer likes and what restaurants they visited before, he can reserve a good restaurant for the customer [Fig. 6].
Fig. 6. In restaurant
4 Discussion
Let us discuss the optimized situation for the hospital reservation this morning. We can define distance (d), arrival time (t), and waiting time (wt) as factors for the hospital (h). Based on Figure 1, we define the Context-Aware Matrix (CAM) as below.
$h = [h_1, h_2, \ldots, h_h] \times w_h$
$ph = [ph_1, ph_2, \ldots, ph_p] \times w_p$
$cs = [cs_1, cs_2, \ldots, cs_{cs}] \times w_{cs}$
$c = [c_1, c_2, \ldots, c_c] \times w_c$
$n = [n_1, n_2, \ldots, n_n] \times w_n$
$r = [r_1, r_2, \ldots, r_r] \times w_r$
$CAM = \{h, ph, cs, c, n, r\}$
First, d is the distance from his home to the hospital, including delay time. In addition, the estimated t can be computed depending on the distance d. After the user gets information about other patients at time t through the hospital's server, for example the arrival time of other patients and their staying time, the user can choose a good time according to his analysis results. During this computation, the user usually uses information from the AP that was authenticated most recently; of course, we decided that the AP authenticated most recently is the safest of all APs. Therefore, according to this result, the CAM can be computed.
The maximum one of the computed values will be the optimized status. In this article, we define w as the recency of authentication; therefore, the most recently authenticated device gets the highest weight (w). In the same way, they can get the results of each step. Of course, for the coffee shop's information they can use a w which was already used before. Following these steps, the user can get the optimized plan for today [Table 1. Best Selection]. To adapt to dynamic changes, all changed data will be computed and then used to update the user. Therefore, the already decided route may be changed immediately depending on the updated results. For example, if n1 in the path (n) cannot be used for an unknown reason, they have to notify the user about this situation in real time in order to make a new path [Fig. 7].
Fig. 7. User's steps
Fig. 8. User's new steps
Table 1. The best selection (no considering with other environments)
User Location  | Cost Low (Best) <-------------> High (Worst) | Selection
Hospital       | H1 -> H3 -> H4 -> H2                         | H1
Pharmacy       | PH3 -> PH1 -> PH2 -> PH4                     | PH3
Coffee Shop    | CS3 -> CS2 -> CS1 -> CS4                     | CS3
Company        | C4 -> C1 -> C2 -> C3                         | C4
Restaurant     | R1 -> R3 -> R4 -> R2                         | R1
Best Selection | H1 -> PH3 -> CS3 -> C4 -> R1                 | -
Table 2. Analysis Results
Classification                | [1] Mingchao Ma's | [2] Tuomas Aura's | [3] David W. Chadwick's | [4] Heeyoul Kim's | Proposed Method
Flexibility                   | -                 | -                 | ∆                       | ∆                 | ∆
Adaptable in dynamic changing | ∆                 | -                 | ∆                       | ∆                 | O
Restric. / Temp. of Author.   | -                 | ∆                 | ∆                       | ∆                 | O
Context-Aware                 | -                 | -                 | -                       | -                 | ∆
Mobility                      | -                 | O                 | ∆                       | O                 | ∆
Fig. 8 is the updated result for the user. That is, if there is some problem in n1, then they try to handle that problem. After making a new path, they send it to the user (n2 -> r2). Table 1 shows us the best status (best cost) for the user. The user can select the route 'H1 -> PH3 -> CS3 -> C4 -> R1'. We put the analysis results in Table 2, which shows the comparison with the previous works according to important factors. As Table 2 shows, there are some advantages in adaptability to dynamic changes and restriction/temporariness of authorization, and our proposed article can detect context-awareness. Therefore, during moving or a meeting, if a device is added to the meeting room or any place at some time, it can be run automatically, involving LA / PKI (Public Key Infrastructure). However, this article still has a weak attribute in mobility because it is based on PKI, not WPKI (Wireless Public Key Infrastructure) [Table 2].
5 Conclusion
We studied how to make an optimized path from the analysis of the gathered data, including the user's request. We also described user / device authentication for the safe use of each device in that environment. In addition, to capture the user's request accurately, we proposed the CAM including a weight for each element. The advantage of context-awareness is that it acts on the user's request without the user's intervention, and its accuracy is important for providing the exact service to the user. However, wrong results are possible when an attacker supplies wrong data. The advantage of the hierarchy of distributed servers is that the server nearest to the user can be used, so users get the service efficiently. In this article we propose only user authentication; if attackers attack unauthorized devices in order to take the user's information, this article provides no protecting module. Such a module is needed to avoid this danger.
Acknowledgments This work is partially supported under the support of the Portuguese Foundation for Science and Technology (FCT) in the aims of Ciência 2007 program for the hiring of Post-PhD researchers.
References
1. Ma, M., Woodhead, S.: Authentication delegation for subscription-based remote network services. Computers & Security 25, 371–378 (2006)
2. Aura, T.: Distributed Access Rights Management with Delegation Certificates. In: Secure Internet Programming: Security Issues for Mobile and Distributed Objects, pp. 211–235 (2001)
3. Chadwick, D.W., Otenko, A., Ball, E.: Role-Based Access Control With X.509 Attribute Certificates. IEEE Internet Computing 7, 62–69 (2003)
4. Kim, H., Lee, Y., Chung, B., Yoon, H., Lee, J., Jung, K.: Digital Right Management with Right Delegation for Home Networks. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 233–245. Springer, Heidelberg (2006)
5. Ramos, C., Augusto, J.C., Shapiro, D.: Ambient Intelligence: the Next Step for Artificial Intelligence. IEEE Intelligent Systems 23(2), 15–18 (2008)
6. Vu, T.H.N., Ryu, K.H., Park, N.: A Method for Predicting Future Location of Mobile User for Location-Based Services System. Computers & Industrial Engineering (2008)
7. Zhuang, X., Serrano, M.J., Cain, H.W., Choi, J.-D.: Accurate, Efficient, and Adaptive Calling Context Profiling. In: PLDI 2006, June 10–16, pp. 263–271 (2006)
8. Schilit, B., Adams, N., Want, R.: Context-Aware Computing Applications. In: 1st International Workshop on Mobile Computing Systems and Applications, pp. 85–90 (1994)
9. Dey, A.: Providing Architectural Support for Building Context-Aware Applications. PhD thesis, Georgia Institute of Technology, Georgia (November 2000)
10. Chen, G., Kotz, D.: A Survey of Context-Aware Mobile Computing Research. Technical Report TR2000-381, Dartmouth College, Hanover, NH, USA (2000)
11. Lee, W.-P.: Deploying Personalized Mobile Services in an Agent-Based Environment. Expert Systems with Applications, pp. 1194–1207 (2007)
12. Lee, B.-H., Kim, H.-N., Jung, J.-G., Jo, G.S.: Location-Based Service with Context Data for a Restaurant Recommendation. In: Bressan, S., Küng, J., Wagner, R. (eds.) DEXA 2006. LNCS, vol. 4080, pp. 430–438. Springer, Heidelberg (2006)
13. Ramos, C.: Ambient Intelligence – A State of the Art from Artificial Intelligence Perspective. In: Neves, J., Santos, M.F., Machado, J.M. (eds.) EPIA 2007. LNCS, vol. 4874, pp. 285–295. Springer, Heidelberg (2007)
14. Yang, S.J.H.: Context-Aware Ubiquitous Learning Environments for Peer-to-Peer Collaborative Learning. Educational Technology & Society, pp. 188–201 (2006)
15. Vieira, M.S., Rosa, N.S.: A Reconfigurable Group Management Middleware Service for Wireless Sensor Networks. In: MPAC 2005, pp. 1–8 (November 2005)
16. IST Advisory Group: Scenarios for Ambient Intelligence in 2010. European Commission (2001)