Digital Signatures for Flows and Multicasts by Chung Kei Wong and - PowerPoint PPT Presentation

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM Transactions on Networking , August 1999 Digital Signatures (Simon S. Lam) 1 3/8/2017 1

Digital Signature  Examples: RSA, DSA  Provide authenticity integrity and non  Provide authenticity, integrity and non- repudiation  How to sign and verify?  signing key k s , verification key k v , message digest h ( m ) d h ( )  signature = sign ( h ( m ), k s )  verify ( signature h ( m ) k ) = True/False  verify ( signature , h ( m ), k v ) = True/False  Signing & verification operations are slow g g p compared to symmetric key operations Digital Signatures (Simon S. Lam) 2 2

Motivation  Traditional network applications (circa 1998) d l k l ( 1998)  message-oriented unicast, e.g., email, file transfer, client-server e g email file transfer client server  Emerging network applications  flow-oriented e g  flow-oriented, e.g., audio, video, stock quotes audio video stock quotes  multicast, e.g., teleconference, software distribution  Problem: How to sign/verify efficiently for high-speed transmissions?  real-time generated flows  delay-sensitive packet flows Digital Signatures (Simon S. Lam) 3 3

All-or-nothing flows All or noth ng flows  The signer generates a message digest of  The signer generates a message digest of the entire flow (file) and signs the message digest  But many Internet applications do not y pp create all-or-nothing flows  a flow is sent as a sequence of packets – also, a subsequence may be usable b b bl  each packet is used as soon as it is received Digital Signatures (Simon S. Lam) 4 4

Sign-each Approach  A flow is a sequence of data packets  Sign each packet individually  Inefficient: one signing/verification operation per packet  Rates on a Pentium-II 300 MHz using 100% processing time (with 512-bit modulus) Packet Rate (packets/sec) size Signing Verification (bytes) RSA DSA RSA DSA 512 78.8 176 2180 128 1024 78.7 175 1960 127 Update: today s processor speed is much higher but Cisco s recommended Update: today’s processor speed is much higher but Cisco’s recommended RSA modulus size is 2048 bits to 4096 bits Digital Signatures (Simon S. Lam) 5 5

Prior work on signing digital streams  [Gennaro and Rohatgi 1997]  One signing/verification op for an entire flow—only the first packet is signed  Each packet contains authentication info for n xt next  Verification of each packet depends on previous ones previous ones  Reliable delivery required P 1 P 2 P 3 P 4 message digest of message digest of digital signature following packet Digital Signatures (Simon S. Lam) 6 6

Flow Signing Problem  Each packet may be used as soon as it is received received  Subsequences of a flow are received and used  best-effort delivery, e.g., UDP, IP multicast best effort del very, e.g., UDP, IP mult cast  different needs/capabilities, e.g., layered video  How to efficiently sign flows with each packet being individually verifiable ?  Actually, packets do not have to belong to the same flow to reduce signing cost! E.g. in a multicast Digital Signatures (Simon S. Lam) 7 7

Our Approach: Chaining  Partition a flow into blocks of packets  Sign the digest of each block instead of each packet individually  Each packet carries its own authentication i f information to prove it is in the block ti t it i i th bl k  Authentication info provided by chaining . . . P 1 P 2 P 3 P 4 P 5 P 6 P 7 Block Block signature Block signature Chaining info Chaining info Digital Signatures (Simon S. Lam) 8 8

Star Chaining – Signing Block digest D 1-8 = h ( D 1 , …, D 8 ) Packet digests D 1 D 2 D 3 D 4 D 5 D 6 D 7 D 8  Block signature = sign ( D  Block signature = sign ( D 1-8 ) )  Packet signature for packet P 3 : sign ( D 1 ) D 1 D sign ( D 1-8 ), D 1 , D 2 , D 4 , …, D 8 D 4 D  Chaining overhead is O (block size) Digital Signatures (Simon S. Lam) 9 9

Star Chaining – Verification  Verifying first received packet (say P 3 ) Block digest D 1-8 = h ( D 1 , D 2 , D 3 , D 4 , …, D 8 ) Block digest D' = h ( D D ) D D' D  verify ( D 1-8 , sign ( D 1-8 ))  verify ( D' 1 8 , sign ( D 1 8 )) D 1 D 2 D' 3 D 4 D 5 D 6 D 7 D 8 Packet digests  Caching of verified nodes  Caching of verified nodes  no verification op for other packets in the block Digital Signatures (Simon S. Lam) 10 10

Tree Chaining – Signing  Merkle tree (hash tree) [1989] Block digest D 1-8 = h ( D 1-4 , D 5-8 )  Block signature = sign ( D 1-8 ) D 1-4 D 5-8 1-4 5-8  Packet signature for packet P 3 : D 1-2 D 3-4 D 5-6 D 7-8 sign ( D 1-8 ), D 4 , D 1-2 , D 5-8 ( D ) D D D D 1 D 2 D 3 D 4 D 5 D 6 D 7 D 8 Packet digests Packet digests  Chaining overhead is O ( log (block size)) Digital Signatures (Simon S. Lam) 11 11

Tree Chaining – Verification  Verifying first received packet (say P 3 )  verify ( D' 1 8 , sign ( D 1 8 )) ver fy ( D 1-8 , s gn ( D 1-8 )) Block digest D' 1-8 = h ( D' 1-4 , D 5-8 )  Caching of verified nodes g  no verification op for other packets in the block D' 1-4 D 5-8 D 1-2 D' 3-4 D 5-6 D 7-8 D 1 D 2 D' 3 D 4 D 5 D 6 D 7 D 8 Packet digests P k t di t Digital Signatures (Simon S. Lam) 12 12

Chaining Technique: Signer Overhead Compute packet digests Compute packet digests Digest comp time Digest comp time Build authentication tree Tree build time Sign block digest Signature comp time Build packet signatures Packet signature build time Chaining time = Tree build time + Packet signature build time Digital Signatures (Simon S. Lam) 13 13

Chaining Technique: Verifier Overhead Build authentication tree Tree build time Compute packet digests Di Digest comp time t ti Verify chaining information Verify chaining information Chaining verification time Chaining verification time Verify block signature Signature verifying time Chaining time = Tree build time + Chaining verification time time Digital Signatures (Simon S. Lam) 14 14

Chaining Time Overheads 10.00 10.00 iver (ms) der (ms) tree deg 2 tree deg 2 tree deg 4 tree deg 4 tree deg 8 tree deg 8 tree deg 8 tree deg 8 ng time at send 1 00 1.00 1.00 ng time at rece star star 0.10 0.10 chaini chaini 0.01 0.01 2 4 8 16 32 64 128 2 4 8 16 32 64 128 block size (no. of packets) block size (no. of packets) at receiver at sender  Overheads increases with block size (both  Overheads increases with block size (both axes in log scale)  Much smaller than signing/verification  Much smaller than signing/verification times Digital Signatures (Simon S. Lam) 15 15

Chaining Overhead Size 300 erhead star 200 haining ove ) tree deg 8 (bytes tree deg 4 100 tree deg 2 g ch 0 2 4 8 16 32 64 128 block size (no. of packets) ( p )  Smallest when tree degree is 2  Increases linearly with logarithm of block  Increases linearly with logarithm of block size  Packet signature block signature  Packet signature = block signature + chaining overhead Digital Signatures (Simon S. Lam) 16 16

Flow Signing/Verification Rates 5000 10000 star n rate 4000 8000 tree deg 8 rate /sec) /sec) tree deg 4 g 3000 3000 verification 6000 6000 signing r (packets/ (packets/ tree deg 2 4000 2000 sign-each 2000 1000 0 0 2 4 8 16 32 64 128 2 4 8 16 32 64 128 block size (no. of packets) block size (no. of packets)  1024-byte packets, RSA with 512-bit modulus  Increases with block size  Varies only slightly with tree degree y g y g  we recommend degree 2 tree chaining Digital Signatures (Simon S. Lam) 17 17

Real-time Generated Flows  Fixed block size for non-real-time generated flows  Fixed time period T for real time generated  Fixed time period T for real-time generated flows o Bounded delay signing since for any packet: y g g y p delay ≤ T + T chain + T sign T chain ( m 1 ) + T sign T chain ( m 2 ) + T sign period T period T time m 1 packets m packets m packets m 2 packets  T should be larger than T chain + T sign  delay cannot be smaller than 2( T chain + T sign )  delay cannot be smaller than 2( T + T ) Digital Signatures (Simon S. Lam) 18 18

Selecting a Signature Scheme  RSA: signing rate not high enough  DSA: both rates not high and verification rate < signing rate  In a group, receivers may have widely different resources, e.g., sensors, phones, notebooks, desktops desktops  We proposed several extensions to FFS  We proposed several extensions to FFS [Feige, Fiat and Shamir 1986] Digital Signatures (Simon S. Lam) 19 19

FFS Signer FFS S gner  choose two large primes p and q  choose two large primes p and q  compute modulus n = pq  choose integers  choose integers v 1 , …, v k v 1 v k s 1 , …, s k such that s 2 = v –1 mod n 2 = v i 1 mod n such that s i  signing key is { s 1 , …, s k , n }  verification key is { v  verification key is { v 1 , …, v k , n } v n } Digital Signatures (Simon S. Lam) 20 20