Efficient Security Mechanisms for Multicast and Group Communication

V. Zorkadis
Computer Science, Hellenic Open University, Data Protection Authority
Omirou 8 (6th floor), 105 64 Athens, GREECE

Abstract: Properties such as security, performance and robustness characterize the quality of services provided by distributed systems. However, security mechanisms may degrade system performance because of the security-related processing and the communication of security-related data. In this paper, we try to compensate the tradeoff between security and performance requirements in multicast and group communication. We present optimization concepts for authentication and integrity, digital signatures and confidentiality mechanisms. These concepts are mainly based on precomputation capabilities, which become feasible through appropriately chosen security functions. The efficient security mechanisms examined in this paper may eliminate the performance degradation caused by security mechanisms, which is particularly important for secure high-performance or real-time applications.

Key words: Secure Group Communication, Secure Multicast Communication, High-Performance Security Mechanisms, Quality of Service, Performance Optimization

1 Introduction

Authentication of interacting entities, data confidentiality and integrity, prevention of unauthorized transmissions and receptions, and utilization of system resources according to the security policy may be required by application management in a distributed systems environment [1]. These security services rely on mechanisms such as encryption and checksum exchange, which may degrade system performance because of the processing and transmission of security-related data. This paper refers to mechanisms that may be employed to secure the communication among processes in a distributed system environment, and aims to reduce the resulting performance degradation. The paper is organized as follows.
In this section we present communication mechanisms in distributed systems and the mechanisms required to secure that communication. In the second section we discuss optimization concepts that offer the security functionality and efficiency required in a distributed systems environment. In the third section we evaluate the performance behavior of the proposed secure communication mechanisms and assess the performance benefit that may be achieved by means of the concepts presented in the second section. Finally, we summarize the paper with conclusions and future research directions.

Various forms of communication, such as group communication and remote procedure call (RPC), may be supported in distributed systems. As an example of such a communication form we consider the reliable broadcast or multicast protocol for group communication in Amoeba [2]. Reliable multicast or broadcast means that when a user process sends a message to the group, this message is correctly delivered to all members of the group, even though the transmission components may lose packets [2]. Fig. 1 shows the hardware/software configuration required for reliable group communication [2]. The machine elected as sequencer has a special role. One of the methods that may be employed to achieve reliable group communication can be briefly described as follows (see [2] and the references therein). When an application, for instance on machine C (Fig. 1), wants to send a message to the group, its kernel first sends the message to machine A, which is elected as the sequencer. After the sequencer gets the message, it allocates the next available sequence number to it, puts the sequence number in the protocol header, and broadcasts or multicasts the message to the group. By means of the sequence numbers and further parameters, such as unique message identifiers, the kernels can check whether they received all the messages sent to the applications they act for.

Fig. 1 System structure for group communication in Amoeba [2].

Processes in a distributed systems environment may require for their communication various security services, which according to ISO/OSI 7498-2 [3] fall into five classes: authentication, access control, confidentiality, integrity, and non-repudiation. Authentication services assure entities that their peer entities and/or the source of received data are as claimed. Access control protects against unauthorized use of system resources, e.g., files, processing nodes, communication channels, etc. Confidentiality services protect against unauthorized disclosure of application-related and/or traffic-related data. Data integrity protects against active threats such as data modification. In the literature, authentication is often used with the meaning of both ISO/OSI definitions, authentication and integrity. Finally, non-repudiation provides the recipient and/or the sender of data with proof of the origin and/or delivery and of the integrity of the data.

2 Optimization Concepts

Encryption is the basic security mechanism by means of which almost all security services may be implemented, either on its own (e.g., confidentiality) or in combination with further mechanisms (e.g., non-repudiation). The key elements of the optimization concepts we propose in this paper are encryption and decryption functions that rely, in some way, on strong (pseudo) random number sequences. Strong pseudorandom numbers may be computed with generators such as ANSI X9.17, which makes use of triple DES for encryption [4, 5, 6, 7, 8], or with the output feedback mode of a symmetric cryptosystem, for instance IDEA [9] or AES, in combination with an initialization value and a key.
2.1 Optimization concepts for data confidentiality mechanisms

Group communication protocols [10, 11, 12] such as the multicast or broadcast communication in AMOEBA [2], or communication based on the connection-oriented transport protocol (ISO 8073, [13]), are highly reliable. In a highly reliable environment the problem of resynchronization is eliminated, since data loss is handled by the underlying communication mechanisms. The communication mechanisms deliver the messages correctly to all members of the group, even though the transmission components may lose packets [2]. The communicating peers, or the members of a group, have to agree, at connection setup or at registration of a group communication, upon which strong (pseudo) random bit generator algorithm to use, how to calculate the initialization variables, and how often to change them.

In the case of reliable group communication in AMOEBA, the elected sequencer adds a sequence number to each message and maintains a history buffer with the most recently sent messages and their corresponding sequence numbers. This sequence number $N_i$, which is unique for each message, together with the secret key $K$, may be exploited by the security mechanism to compute the initialization variable $V_i$ and the random bit string $R_i$ required for the encipherment of the message $M_i$ and the decipherment of the corresponding cipher $C_i$. For instance, one could set $V_i = N_i$ when using IDEA or AES in an OFB-like mode of operation to compute $R_i$ under the secret key $K$.

The sender and the receiver proceed as follows. Since the pseudorandom bit sequences must not depend on the message to be enciphered, they may be generated in advance, i.e., before the 'send message' service is called. For instance, when we use IDEA in OFB mode [9], we can calculate a random bit string by means of an initial variable and the cryptographic key. The message is then XOR-ed with this random bit string, which yields the message cipher. The receiver recovers the message in clear from the cipher by XOR-ing it with the same random bit string. We may formally describe the encryption and decryption functions as follows:

Encipherment: The sender generates asynchronously the random bit strings $R_i = G_K(V_i)$. Upon arrival of a 'send message $M_i$' request, and after the corresponding $R_i$ has been calculated, the message $M_i$ and the $R_i$ are tied by the XOR operation. The result of the XOR operation is the cipher $C_i = M_i \oplus R_i$, which is sent to the receiver.

Decipherment: The receiver generates asynchronously the random bit strings $R_i = G_K(V_i)$. Upon arrival of a 'receive enciphered message $C_i$' request, and after the corresponding $R_i$ has been calculated, the cipher $C_i$ and the $R_i$ are tied by the XOR operation. The result of the XOR operation is the message $M_i = C_i \oplus R_i$.

Furthermore, asymmetric algorithms may be used for confidentiality purposes, although the computation of the required powers introduces a significant delay. In this case, too, the time for encipherment and decipherment experienced by a message can be significantly reduced if we modify the cryptographic functions appropriately, so that they only provide functionality comparable to that of symmetric cryptosystems. At the beginning of the communication session the sequencer sends securely to all members of the group (or the group members exchange) a large prime $p$, a generator $g$ of $\mathbb{Z}_p^*$, an encryption key $k_E$, a decryption key $k_D$ and the identifier of a strong random bit generator $G()$. The decryption key is calculated as $k_D = g^{-k_E} \bmod p$. An effective confidentiality scheme using asymmetric algorithms is then as follows:

Encipherment: The sender calculates in advance $x = g^{k_E} \bmod p$ and $r_i$. Upon arrival of a 'send $m_i$' request for a message block $m_i$, he computes $c_i = r_i \oplus (x \cdot m_i \bmod p)$ and sends it to the group members.

Decipherment: The receiver, upon arrival of a 'receive enciphered message block $c_i$' request, calculates $c_i \oplus r_i$, which is the quantity $x \cdot m_i \bmod p$. The receiver obtains $m_i$ by computing $(x \cdot m_i) \cdot k_D \bmod p$, since $k_D = g^{-k_E} \bmod p$ and thus $(x \cdot m_i) \cdot k_D = g^{k_E} \cdot m_i \cdot g^{-k_E} \bmod p = m_i \bmod p$.

According to this confidentiality scheme, only one modular multiplication and one XOR operation are required for the encipherment and for the decipherment of each message block. The above cryptographic functions for encipherment and decipherment allow exploiting the stochastic nature of 'send and receive message' requests in distributed systems. Therefore, the precomputation of the random sequences required for encipherment and decipherment of messages becomes possible, so that the messages experience as delay only the time required for the XOR operation and/or the time for the modular multiplication. Data origin authentication or integrity mechanisms based on similar cryptographic functions can also be constructed in order to improve the performance behavior of secure group communication. In the following we describe such security mechanisms for data authentication and integrity.

2.2 Concept for data integrity and data origin authentication

We refer to data authentication or integrity mechanisms that employ hash functions to compute a message digest [15, 16], which is signed by the sender to protect against the relevant attacks. The computation of the signature is time-consuming compared with the computation of the hash value, which can be performed very fast. In reliable group communication, the sender can compute in advance the signature, $D_i$, of the sequence number $S_i$ or the unique message identifier, concatenated with a random number $R_i$ and a timestamp $T_i$; the latter may be valid for the whole duration of the session if the sequence numbers are monotonically increasing. When the application process passes the message $M_i$ to be sent to the group communication mechanism, the communication mechanism can compute, by means of a hash function $H()$, a digest $H_i$ of the message concatenated with the sequence number, the timestamp and the random number.
1. The sender precomputes $D_i = E_{K_S}(S_i \| T_i \| R_i)$, where $E_{K_S}()$ is the encipherment function with the secret key $K_S$ of the sender. By combining timestamps and random numbers we may strengthen the mechanism and prevent future replay attacks.

2. When the message to be sent is ready, the sender computes $H_i = H(R_i \| T_i \| M_i \| S_i \| R_i)$ and $U_i = D_i \oplus H_i$, and sends to the receiver the message $M_i$, possibly enciphered, appended by $U_i$ and by $T_i$, if the latter was not negotiated at the beginning of the session. The $R_i$ must be sent enciphered at least the first time if it is used for the communication of several messages, unless the communicating entities have negotiated a rule for its generation.

3. The receiver, upon receipt of the message $M_i$, $U_i$ and $T_i$ and the enciphered $R_i$, computes $H_i' = H(R_i \| T_i \| M_i \| S_i \| R_i)$, derives $D_i' = U_i \oplus H_i'$ and deciphers it with the public key $K_P$ of the sender: $D_{K_P}(D_i') = S_i' \| T_i' \| R_i'$. If $S_i' = S_i$, $T_i' = T_i$ and $R_i' = R_i$, the receiver accepts the message as authentic, since only the member who possesses the secret key $K_S$ can compute $D_i$.

The digest of the message is tied to a sequence number, a timestamp and a random number, which are possibly unique for each message, so replacement of the message by a bogus one is not possible without detection. We think that uniqueness of the timestamps and the random numbers may not be required for each message. In this case, each sender needs to send the enciphered value of the random number only once. The use of random numbers alone does not help detect replay attacks in a future session, since an attacker could store the $D_i$ and try to use them in future group sessions by impersonating the group member who possesses the secret key with which the $D_i$ were computed. Therefore, timestamps should be used along with random numbers, unless the use of random numbers is combined with challenge/response mechanisms.
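The two confidentiality schemes of Section 2.1 as an added Python example (this is not code from the paper): $R_i$ is precomputed per sequence number $N_i$ while the sender is idle and then tied to the message by XOR, and the asymmetric variant precomputes $x = g^{k_E}$ and $k_D = g^{-k_E}$ so that each block costs one modular multiplication and one XOR. The key K, the prime p, the generator g and the HMAC-SHA256 chain standing in for IDEA/AES in OFB mode are assumptions of the example.

```python
import hashlib
import hmac

# Constructed toy parameters for this example (not taken from the paper).
K = b"group-session-key-K"   # secret key K agreed at group registration
P = 2**127 - 1               # large prime p (a Mersenne prime, for the toy)
G = 3                        # assumed generator g of Z_p^*
BLOCK = 15                   # bytes per block: a 15-byte block read as an integer is < p

def keystream(key: bytes, seq: int, nbytes: int = BLOCK) -> bytes:
    """Strong PRG G_K(V_i) with V_i = N_i, the sequencer's sequence number.
    An HMAC-SHA256 feedback chain stands in for IDEA/AES in OFB mode."""
    out, v = b"", seq.to_bytes(8, "big")
    while len(out) < nbytes:
        v = hmac.new(key, v, hashlib.sha256).digest()   # output fed back as next IV
        out += v
    return out[:nbytes]

class Precomputer:
    """R_i for upcoming sequence numbers, generated while the server would
    otherwise be idle, so a 'send message' request only pays for the XOR."""
    def __init__(self, key: bytes, first_seq: int = 1, depth: int = 4):
        self.key, self.next_seq, self.depth, self.pool = key, first_seq, depth, {}
        self.refill()

    def refill(self) -> None:
        # Called in idle periods; work is banked for up to `depth` future messages.
        while len(self.pool) < self.depth:
            self.pool[self.next_seq] = keystream(self.key, self.next_seq)
            self.next_seq += 1

    def take(self, seq: int) -> bytes:
        # Sender and receiver derive the same R_i because both know K and N_i;
        # a number not yet in the pool (reordering, late join) is derived on demand.
        return self.pool.pop(seq, None) or keystream(self.key, seq)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stream scheme: C_i = M_i xor R_i on send, M_i = C_i xor R_i on receive.
def sym_encipher(pre: Precomputer, seq: int, m: bytes) -> bytes:
    return xor(m, pre.take(seq))

def sym_decipher(pre: Precomputer, seq: int, c: bytes) -> bytes:
    return xor(c, pre.take(seq))

# Asymmetric variant: one modular multiplication plus one XOR per block.
def asym_setup(k_e: int):
    x = pow(G, k_e, P)       # x = g^{k_E} mod p, computed once in advance
    k_d = pow(G, -k_e, P)    # k_D = g^{-k_E} mod p, hence x * k_D = 1 mod p
    return x, k_d

def asym_encipher(x: int, r_i: bytes, m_i: int) -> int:
    # c_i = r_i xor (x * m_i mod p); r_i is the precomputed R_i read as an integer
    return int.from_bytes(r_i, "big") ^ (x * m_i % P)

def asym_decipher(k_d: int, r_i: bytes, c_i: int) -> int:
    # c_i xor r_i gives x * m_i mod p; multiplying by k_D recovers m_i
    return ((c_i ^ int.from_bytes(r_i, "big")) * k_d) % P
```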
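The three steps of the Section 2.2 mechanism as an added Python example (not the paper's code): $D_i$ is precomputed, $U_i = D_i \oplus H_i$ is attached at send time, and the receiver recovers $D_i$ and checks it under $K_P$. The RSA-style key pair built from two Mersenne primes, SHA-256 as $H()$, and the session-wide values $T_i$ and $R_i$ are assumptions of the example.

```python
import hashlib

# Constructed toy values for this example (not from the paper).  The sender's
# RSA-style key pair (K_S secret, K_P public) uses two Mersenne primes; the
# session timestamp T_i and random number R_i are negotiated once and reused,
# as the paper allows, while the sequence number S_i is per message.
P1, P2 = 2**61 - 1, 2**89 - 1
N = P1 * P2                                  # modulus, about 150 bits
K_P = 65537                                  # public exponent
K_S = pow(K_P, -1, (P1 - 1) * (P2 - 1))      # secret exponent
SIG_BYTES = 32                               # D_i padded to the digest size for the XOR

def encode_str(s_i: int, t_i: int, r_i: bytes) -> int:
    """S_i || T_i || R_i as a 16-byte integer (4 + 4 + 8 bytes), which is below N."""
    return int.from_bytes(s_i.to_bytes(4, "big") + t_i.to_bytes(4, "big") + r_i, "big")

def precompute_d(s_i: int, t_i: int, r_i: bytes) -> bytes:
    """Step 1, done in advance: D_i = E_{K_S}(S_i || T_i || R_i)."""
    return pow(encode_str(s_i, t_i, r_i), K_S, N).to_bytes(SIG_BYTES, "big")

def digest_h(s_i: int, t_i: int, r_i: bytes, m_i: bytes) -> bytes:
    """H_i = H(R_i || T_i || M_i || S_i || R_i), with SHA-256 as H()."""
    data = r_i + t_i.to_bytes(4, "big") + m_i + s_i.to_bytes(4, "big") + r_i
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def send(d_i: bytes, s_i: int, t_i: int, r_i: bytes, m_i: bytes) -> bytes:
    """Step 2, at send time: U_i = D_i xor H_i, appended to the message M_i."""
    return xor(d_i, digest_h(s_i, t_i, r_i, m_i))

def verify(s_i: int, t_i: int, r_i: bytes, m_i: bytes, u_i: bytes) -> bool:
    """Step 3, receiver: D_i' = U_i xor H_i'; accept iff
    D_{K_P}(D_i') equals S_i || T_i || R_i."""
    d_i = int.from_bytes(xor(u_i, digest_h(s_i, t_i, r_i, m_i)), "big")
    if d_i >= N:                  # cannot be a value enciphered under K_S: reject
        return False
    return pow(d_i, K_P, N) == encode_str(s_i, t_i, r_i)
```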
In the case of data origin authentication and integrity, the time for encipherment experienced by a message can also be significantly reduced if we exploit Schnorr's preprocessing technique for digital signatures [9], taking into consideration the attacks it enables [10]. In the following we first describe this technique and then modify it for data authentication and signature mechanisms.

The communicating users have exchanged a large prime $p$, a prime $q$ that divides $p - 1$, a primitive $q$-th root of unity $g \in \mathbb{Z}_p^*$, and a security parameter $t$ [10]. It is suggested that $p$ and $q$ are of the order of 512 and 140 bits, respectively, and $t = 72$ [9]. Each user has a secret key $k_S$ and a public key $k_P = g^{-k_S} \bmod p$. The identification protocol is as follows: the sender computes $x = g^r \bmod p$, where $r \in \mathbb{Z}_p^*$ is a random number, and sends it to the receiver. The receiver returns a random number $e \in \{0, \ldots, 2^t - 1\}$. Next, the sender computes $y = r + k_S \cdot e \bmod q$ and sends it to the receiver. Finally, the receiver calculates $x' = g^y \cdot k_P^e \bmod p$ and accepts if $x' = x$ [10].

This mechanism is extended to a message authentication mechanism. If $h()$ denotes a hash function, $x$ is as above, $e = h(x \| m)$ and $y = r + k_S \cdot e \bmod q$, then the signature consists of $(e, y)$. The message will be accepted as authentic by the receiver if $e' = e$, where $x' = g^y \cdot k_P^e \bmod p$ and $e' = h(x' \| m)$.

According to the preprocessing algorithm, a set of random numbers $r_i \in \mathbb{Z}_p^*$ is chosen and the corresponding $x_i = g^{r_i} \bmod p$ are precomputed. Each user stores $n$ pairs $(r_i, x_i)$, where $n$ is a security parameter, and for each signature the pair $(r, x)$ is chosen as a combination of the $n$ stored $(r_i, x_i)$ [9, 10]. In [10] an attack on signature schemes employing this type of preprocessing is described, and its complexity in terms of the security parameter $n$ is expressed. An obvious way to cope with this attack would be a significantly greater value for the security parameter $n$.
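Schnorr's identification protocol, the derived signature and the preprocessing of $(r_i, x_i)$ pairs described above, as an added Python example (not the paper's code); here each precomputed pair is popped from the pool and used for exactly one signature instead of being combined, which is the simple modification the paper proposes. The toy parameters p = 2039, q = 1019, g = 4 and SHA-256 as $h()$ are assumptions of the example.

```python
import hashlib
import secrets

# Constructed toy domain parameters (not from the paper): q divides p - 1 and
# g has order q in Z_p^*.  The paper suggests p and q of about 512 and 140 bits.
P, Q, G = 2039, 1019, 4
T_CHALLENGE = 72                      # security parameter t: challenge e < 2^t

def params_ok() -> bool:
    return (P - 1) % Q == 0 and pow(G, Q, P) == 1 and G != 1

def keygen(rng=secrets.randbelow):
    k_s = 1 + rng(Q - 1)              # secret key k_S
    k_p = pow(G, -k_s, P)             # public key k_P = g^{-k_S} mod p
    return k_s, k_p

def precompute_pairs(n: int, rng=secrets.randbelow) -> list:
    """Preprocessing: n pairs (r_i, x_i = g^{r_i} mod p), computed while idle."""
    pairs = []
    for _ in range(n):
        r = 1 + rng(Q - 1)
        pairs.append((r, pow(G, r, P)))
    return pairs

# Identification protocol: the prover holds k_S, the verifier holds k_P.
def ident_commit(pair) -> int:                     # x = g^r mod p
    return pair[1]

def ident_challenge(rng=secrets.randbelow) -> int:  # e in {0, ..., 2^t - 1}
    return rng(2 ** T_CHALLENGE)

def ident_respond(pair, k_s: int, e: int) -> int:  # y = r + k_S * e mod q
    return (pair[0] + k_s * e) % Q

def ident_verify(k_p: int, x: int, e: int, y: int) -> bool:
    return pow(G, y, P) * pow(k_p, e, P) % P == x  # x' = g^y * k_P^e mod p

# Signature: e = h(x || m), y = r + k_S * e mod q.  Each precomputed pair is
# popped from the pool and used for exactly one signature.
def hash_e(x: int, m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(x.to_bytes(2, "big") + m).digest(), "big")

def sign(k_s: int, pool: list, m: bytes):
    r, x = pool.pop()
    e = hash_e(x, m)
    return e, (r + k_s * e) % Q

def verify(k_p: int, m: bytes, sig) -> bool:
    e, y = sig
    x2 = pow(G, y, P) * pow(k_p, e, P) % P         # recomputed x'
    return hash_e(x2, m) == e                       # accept iff e' == e
```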
We may simply modify this signature scheme by requiring that the sender (or signer/prover) precompute pairs $(r_i, x_i)$ in advance. Then, when a message digest is to be signed, the sending process computes $e_i = h(x_i \| m_i)$ and $y_i = r_i + k_S \cdot e_i \bmod q$ and sends the signature $(e_i, y_i)$ along with the message and the quantity $x_i$. The receiver (or verifier) can check the validity of the signature as above. Each $i$-th pair is used only once, for the computation of the $i$-th signature.

3 Performance Analysis Results

We model a security mechanism facility as a single-server queueing system, and messages to be protected by confidentiality, integrity and data origin authentication mechanisms as jobs. The precomputing possibility of the described mechanisms is modeled by a preprocessing property that we introduce to a queueing system [18, 19, 20, 21, 22, 23]. Therefore, we consider an M/G/1 [18, 20, 22, 23] queueing system that has the additional capability of carrying out work for a job prior to its arrival, when the server would otherwise be idle. When the server completes the part of a job's work that can be accomplished prior to its arrival, it enters an idle period. For instance, the generation of the strong (pseudo) random bit sequences or the computation of modular exponentiations and encryption operations can be performed in advance. The restriction that work may be accomplished in advance for only one job will be removed in the simulation experiments.

For the analysis of the M/G/1 system with the preprocessing property we can use results obtained in [21] for the M/G/1 queue with exceptional first service. The system with the preprocessing property acts exactly like a classical queueing system as long as there are jobs present in the system [22]. At the instant the last job in the system leaves, the system begins to accomplish work for the next job to arrive. When the whole work of a job is accomplished prior to its arrival (regarding constant service times), the system becomes idle.
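A small simulation of the queueing model just described, added here as an example and not taken from the paper: a single FIFO server with constant service time x = 20 msec, of which x_np = 2 msec cannot be done in advance, banks precomputable work for up to a chosen number of future jobs while it is idle (a simplified fluid model of the preprocessing property). max_pre_jobs = 0 gives the ordinary M/D/1 system, whose closed-form mean delay is included for comparison; the arrival stream and seed are constructed.

```python
import random

X_SERVICE = 20.0   # service time x of the ordinary system, msec (as in Fig. 2)
X_NP = 2.0         # part x_np that cannot be done before the job arrives, msec

def poisson_arrivals(rate: float, n: int, seed: int = 7) -> list:
    """Constructed arrival stream: n exponential interarrival times, fixed seed."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += rng.expovariate(rate)
        out.append(t)
    return out

def mean_delay(arrivals: list, max_pre_jobs: int,
               x: float = X_SERVICE, x_np: float = X_NP) -> float:
    """FIFO single-server queue with the preprocessing property (fluid model).

    While idle, the server banks precomputable work (x - x_np per job) for up
    to max_pre_jobs future jobs; a job whose precomputable part is banked only
    needs x_np of service after it arrives.  max_pre_jobs = 0 is the ordinary
    M/D/1 system.  Returns the mean delay (waiting plus service) in msec.
    """
    x_pre = x - x_np
    cap = max_pre_jobs * x_pre
    bank = t_free = total = 0.0
    for arr in arrivals:
        idle = arr - t_free
        if idle > 0:                        # idle period: precompute for future jobs
            bank = min(cap, bank + idle)
        used = min(bank, x_pre)             # banked work this job need not repeat
        bank -= used
        start = max(arr, t_free)
        t_free = start + x_np + (x_pre - used)
        total += t_free - arr
    return total / len(arrivals)

def delays_for(rho: float, pre_jobs: list, n_jobs: int = 40000) -> dict:
    """Mean delay for each number of preprocessable jobs at utilization rho."""
    arrivals = poisson_arrivals(rho / X_SERVICE, n_jobs)   # same stream for all
    return {k: mean_delay(arrivals, k) for k in pre_jobs}

def md1_mean_delay(rho: float, x: float = X_SERVICE) -> float:
    """Closed form for the ordinary M/D/1 system: T = x + rho * x / (2 (1 - rho))."""
    return x + rho * x / (2.0 * (1.0 - rho))

if __name__ == "__main__":
    for rho in (0.6, 0.7, 0.8):          # the three utilizations of Fig. 3
        print(rho, delays_for(rho, [0, 1, 2, 3, 4, 5, 6]))
```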
We further partially assume that the time for the XOR operation can be neglected compared with the time required for the generation of the random bit sequences, the computation of the hash values, or the computation of modular exponentiations or multiplications. However, the analysis we present does not require this restriction. Let the probability density functions (pdf) be given of the random variables describing the interarrival times, the ordinary service time of the conventional system, the service time of the system with the precomputing property, and the service time conditioned on the case that the server is idle or busy serving a job, respectively. The analysis of this model leads to the following results [22]:

T x W x x2 21 - x x2 x np x np . 21 21

Here $T$ is the mean delay and $W$ the mean waiting time, $\bar{x}$ and $\overline{x^2}$ are the first and the second moment of the service time in the system with the precomputing property, and $\bar{x}_{np}$ is the part of $\bar{x}$ which cannot be accomplished prior to the arrival of a job.

Next, we present numerical examples based on the formulas above, and simulation results obtained by removing the restriction that work may be accomplished in advance for only one job when there is no job in the system. Additionally, the simulation results serve as validation of the preceding mathematical analysis.

Fig. 2 shows the performance behavior of the ordinary system and of the system with the preprocessing property for various utilization values and for $\bar{x} = 20$ msec, in the case of an M/D/1 system with $\bar{x}_{np} = 2$ msec. As expected, for a lightly utilized system the average delay in the system with the precomputing property is near 2 msec, whereas for high utilization values we have almost no performance benefit compared with the ordinary system, since the benefit remains constant while the delays increase exponentially.

[Fig. 2: average delay (msec) versus utilization of the ordinary system (0.2 to 0.8); one curve for the ordinary system and one for the optimized system]

Fig. 2 The average delay in the ordinary system and in the system with the precomputing property, as a function of the utilization of the ordinary system.

Besides the mathematical analysis carried out above, we also studied the performance behavior of the system with the precomputing property by simulation, where we examined the impact of a different number of jobs for which work can be accomplished prior to their arrival (Fig. 3). We can see that the performance impact of the security mechanisms can be eliminated if we choose a suitable number of messages for which the strong pseudorandom bit strings are generated, or the modular exponentiations calculated, in advance.

[Fig. 3: mean delay (msec) versus number of preprocessable jobs (0 to 6); curves for ρ = 0.6, 0.7 and 0.8]

Fig. 3 The mean delay in the system with the precomputing property (M/D/1) as a function of the number of jobs for which work can be accomplished in advance, for three different utilization values of the ordinary system.

4 Conclusion

In this paper we tried to compensate the tradeoff between security and performance requirements in distributed systems. We showed that this becomes feasible when employing appropriate security mechanisms. We presented optimization concepts for confidentiality, data integrity and origin authentication, and digital signatures, which are mainly based on precomputing capabilities. These allow exploiting the stochastic nature of communication requests in a distributed systems environment. We proposed the use of stream ciphers based on strong pseudorandom bit generators, taking into account the changing environment for security protocols, especially the availability of reliable underlying communication protocols and the affordability of large memory capacities. We showed how asymmetric algorithms might be used for confidentiality in a way functionally comparable with that of symmetric systems, so that precomputing is possible.
Similarly, we proposed a concept for a data integrity and origin authentication mechanism which permits the sender to precompute a signature of a sequence number, a timestamp and a pseudorandom bit sequence, to which the message is tied by a hash value. Further, we proposed a scheme for data integrity and origin authentication that exploits Schnorr's preprocessing technique for digital signatures. We studied the performance behavior of the proposed optimization schemes by means of queueing theory and simulation. We showed that the performance degradation caused by the security mechanisms is avoided if the sender, the sequencer and the receivers compute the strong pseudorandom bit sequences or the modular exponentiations in advance. In addition, the performance degradation may be eliminated if the preprocessing is extended to an appropriate number of messages, which is of great importance at least for high-performance and real-time applications.

References:

[1] L. Gong and N. Shacham, Multicast security and its extension to a mobile environment, Wireless Networks, Vol. 1, 1995, pp. 281-295.
[2] A. S. Tanenbaum, The Amoeba Microkernel, in: Distributed Open Systems, F. M. T. Brazier and D. Johansen (eds.), IEEE Computer Society Press, 1994, pp. 11-30.
[3] ISO 7498-2: Security Architecture.
[4] W. Stallings, Network and Internetwork Security: Principles and Practice, Prentice Hall, 1995.
[5] Data Encryption Standard, National Bureau of Standards, Federal Information Processing Standards Publication (U.S.), FIPS PUB 46, 1977.
[6] R. R. Jueneman, Analysis of Certain Aspects of Output Feedback Mode, Proc. of CRYPTO 1982, Advances in Cryptology, Plenum Press, 1983, pp. 99-127.
[7] W. Diffie, M. E. Hellman, Exhaustive Cryptanalysis of the NBS Data Encryption Standard, Computer, Vol. 10, No. 6, 1977, pp. 74-84.
[8] D. Chaum, J.-H. Evertse, Cryptanalysis of DES with a Reduced Number of Rounds, Proc. of CRYPTO 1985, Advances in Cryptology, Springer-Verlag, Lecture Notes in Computer Science 218, 1986, pp. 192-211.
[9] C. P. Schnorr, Efficient Signature Generation by Smart Cards, Journal of Cryptology, Vol. 4, 1991, pp. 161-174.
[10] P. de Rooij, On Schnorr's Preprocessing for Digital Signature Schemes, Journal of Cryptology, Vol. 10, 1997, pp. 1-16.
[11] J. Gait, A New Nonlinear Pseudorandom Number Generator, IEEE Transactions on Software Engineering, No. 5, 1977, pp. 359-363.
[12] J. Chang and N. F. Maxemchuk, Reliable Broadcast Protocols, ACM Transactions on Computer Systems, Vol. 2, Feb. 1984, pp. 251-273.
[13] H. Garcia-Molina, Elections in a Distributed Computing System, IEEE Transactions on Computers, Vol. 31, 1982, pp. 48-59.
[14] L. N. Tseung, Guaranteed, Reliable, Secure Broadcast Networks, IEEE Network Magazine, Vol. 3, Nov. 1989, pp. 33-37.
[15] ISO 8073: Connection Oriented Transport Protocol Specification.
[16] B. Preneel, Cryptographic Hash Functions, European Transactions on Telecommunications, Vol. 5, 1994, pp. 431-448.
[17] R. Rivest, The MD4 Message Digest Algorithm, Proc. of CRYPTO 90, Springer-Verlag, 1991, pp. 303-311.
[18] L. Kleinrock, Queueing Systems, Volume I: Theory, John Wiley and Sons, New York, 1975.
[19] A. Papoulis, Probability, Random Variables and Stochastic Processes, McGraw-Hill, 1991.
[20] D. Bertsekas, R. Gallager, Data Networks, Prentice-Hall, Englewood Cliffs, NJ, 1987.
[21] R. W. Wolff, Stochastic Modeling and the Theory of Queues, Prentice Hall, 1989.
[22] V. Zorkadis, Leistungsanalyse und Optimierung sicherer Rechnernetze, Shaker-Verlag, 1995.
[23] V. Zorkadis, Security versus Performance Requirements in Data Communication Systems, Proc. ESORICS 94, Springer-Verlag, 1994, pp. 19-30.