Research On Data Origin Authentication In Secure Group Communications

With the development of computer networks, Internet has spread to every aspect of the social life. Many network applications, such as on-line multimedia conference, distributed cooperating work and transferring sea information are based on group communications, which has been one of the most important concepts in the new network architecture. However, group communications are less secure than point-to-point communications, so security problems have blocked the development of group communications, especially for the secrecy conferences, military commands and some other applications. Although point-to-point communications have the mature security models, they could not be extended to group communications and there are not mature security models in group communications now. On one hand, group communications must maintain the shared contexts of the group, but the group scalability and dynamic make it very difficult; on the other hand, the varieties of application requirements make group communications more complex. Usually, there are some demands in secure group communications as below:(1)Access Control, permit and deny some communication entities to join the group;(2)Communication Secrecy, ensure the entities outside of the group not to get the information;(3)Group Authentication, prevent the entities outside of the group from sending the information to the group;(4)Source Authentication, know the source entities who sent the information; (5)Non-repudiation, the sender could not deny the data after sending and the receiver could not deny the data after receiving, which is the senior to the source authentication.Data origin authentication is one of the most important and difficult problems in secure group communications, and it is also the foundation to implement secure group communications. Data origin authentication must consider the details of all sorts of applications, such as computation (time) overhead, communication (space) overhead, data buffer, network delay, loss probability and so on, so at present there is not an efficient way to solve it really. At present, there are some difficult problems in data origin authentication:(1)Authenticating real-time streams. Many proposed schemes keep the balance between resisting the packet loss and network bandwidth, but all of them need time delay not only at the sender's side, but also at the receiver's side. So the authentication protocols having both low buffer and low delay is difficult to realize.(2)Many-to-many communication is also a problem. Each receiver has to manage the buffer of each packet according to the proposed protocols. The public key of the sender is difficult to keep for the receivers having the limit resources. These problems are only to resolve with the development of cryptography.(3)Packet loss is diffucult to resolve. The packet loss ratio could change with the time and network, and it could not be assigned at the same time in the large networks. Hence, the packet loss ratio is important to the authentication protocols.(4)Collusion attack is a serious problem in mobile and wireless neworks. The time asymmetry is useless in mobile networks, since the packect delay changes with the topography of mobile networks.Hence, this dissertation researches on the data origin authentication in secure group communications. Since multicast and anycast are the two important technologies in group communications, this dissertation attaches more attentions to multicast authentication, and anycast authentication is also researched. The major content includes:(1)unreal-time multicast data origin authentication. More unrealtime multicast applications are distributing remote files, and the sender is powerful but the receiver is weak, so which has to be considered to authenticate unrealtime multicast data. First, both hash star and hash tree, which are two major schemes for authenticating unreal-time multicast data, is introduced. Then considering the high communication overhead of hash star, IHAP (Improved Hash-treeing Authentication Protocol) is proposed based on hash tree. Compared the computation overhead, communication overhead, resistance to the packet loss, data buffer, time delay, and authentication probability with hash tree by the performance analyses and simulation results, the computation overhead of IHAP is less than SAIDA, the communication overhead of IHAP is less than hash star and hash tree, and the authentication probability of IHAP could reach 90% if the packet loss ratio is less than 25%. So IHAP could adapt to authenticate unreal-time multicast data very well.(2)real-time multicast data stream origin authentication. Authenticating real-time multicast streams is the most difficult problem, especially for the loss channels and unreliable networks. First, forward hash chain that is the most efficient scheme for authenticating real-time multicast data streams is introduced. Then HMAM(Hybrid Multi-chaining Authentication Model)is proposed. HMAM contains the merits of both random chaining sequence and periodical chaining sequence, and authenticates the important data first of all. Compared the computation overhead, communication overhead, resistance to the packet loss, data buffer, time delay, and authentication probability with some other similar schemes by the performance analyses and simulation results, HMAM could adapt to authenticate real-time multicast data very well, especially for the loss channels and unreliable networks.(3)Multicast data origin authentication in Wireless Sensor Network(WSN). Secure group communications is efficient to WSN, so multicast authentication is also the important and difficult problem. However, digitial signature is not efficient in WSN for the high computation and communication overheads. TESLA and the simililar protocols based on MAC require the time sychronization in the group, but it is difficult to realize in WSN. So LAMA (Lightweight Approach to Multicast Authentication) is proposed based on Hashing Message Authentication Code (HMAC). LAMA has the low computation overhead and does not require the time synchronization in the group. Furthermore, every receiver could authenticate each data packet at once, and ensure the high authentication probability.(4)Anycast data origin authentication. Both AH and ESP, the two extension headers of IPv6 packets, are the most security components in IPv6. An approach to authenticate anycast data is proposed base on symmetrical key. It makes the sender's router could control anycast, and the receiver's router could manage the group. Besides, the shared keys are not required in the group members and they could join and leave the group dynamically. At the same time, each anycast client could connect the anycast group with the anycast router, which resolves the limitation that anycast address could not be assigned to IPv6 clients. This approach has the low computation and communication overheads since it is based on symmetrical key. Moreover, it could also improve the performance to authenticate multicast data and make the nodes of shared trees amotize the computation and communication overheads.