Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authenticating streamed data in the presence of random packet loss February 8 th, 2001 Philippe Golle Nagendra Modadugu Stanford University.

Published byJessica Hunter Modified over 8 years ago

Similar presentations

Presentation on theme: "Authenticating streamed data in the presence of random packet loss February 8 th, 2001 Philippe Golle Nagendra Modadugu Stanford University."— Presentation transcript:

1 Authenticating streamed data in the presence of random packet loss February 8 th, 2001 Philippe Golle Nagendra Modadugu Stanford University

2 Internet Radio Station 1234 =... 56

3 Signing Streams Goal: authenticity, non-repudiation Digital Signature 3 requirements for signing streams ‘On the fly’ authentication Low overhead (computation and communication) Robustness (resist packet loss)

4 Outline 1. Existing solutions Efficient signatures Amortized signatures 2. Our scheme Construction Optimally resistant to bursty packet loss Implementation

5 Sign each packet Sign each packet (RSA, DSA,…) Properties + Immediate authentication + Robust: packets individually verifiable - Computational load too high Optimization Numerous tricks (CRT, precomputations, etc…) Maximum: 100 signatures / second 1234

6 Amortization: hash function 12 Hash(2) Digital signature Collision-resistant hash function h: Given h(x), hard to find y such that h(x)=h(y) Hash 100 times faster than digital signature

7 Hash chain (Gennaro, Rohatgi) Sender processes the stream backwards Append the hash of P i+1 to P i Sign only the first packet Properties + Immediate authentication + Extremely efficient: 1 hash computation / packet Overhead: 20 bytes / packet - Vulnerable to packet loss - Offline stream only 1234 h(2) h(3)h(4) …

8 OTS chain (Gennaro, Rohatgi) Packet P i contains the public-key to verify P i+1 Faster than “sign each” for online streams Limitations: Overhead: 1000 bytes / packet (optimized: 300 bytes) Issue of packet loss 1234 K(2) K(3)K(4)

9 Packet groups (Wong & Lam) Sender: Packet 3 is sent as: Robust against worst-case packet-loss Trade-off More packets per group: buffering, communication overhead Fewer packets per group: computational overhead 134562 h(1) Sign hash 3 24561

10 Packet groups: Tree Packet 3 is sent as: Properties Robust against worst-case packet loss Traded a few more hash computations for lower communication overhead 134562 Sign 3 78

11 Recap Started with a hash chain Immediate authentication Low computation and communication overhead Vulnerable to packet loss Offline streams only Improvement: tree scheme Immediate authentication Higher computation and communication overhead (trade-off) Resists packet loss Some buffering on sender side, none on receiver side

12 Our scheme Existing solutions Resistant to worst-case packet loss Trade-off between Computation/Communication cost Communication overhead matters: Standardized packet format USER_DATA section (MPEG video and audio) Open parallel connection not a realistic solution We propose a solution which is Resistant to average loss New trade-off: computational cost and authentication speed

13 Our scheme (contd) Model of packet loss Bursts (UDP) Goal: maximize length of single worst-case burst Resists multiple bursts Authentication complete delayed 1345627891110 … XXXX

14 Construction: hash chain with redundancy 13452 Divide the stream into sequences of fixed length (say 50 or 100 packets) The last packet in each sequence is signed (and is presumed never lost) Property: the signature on the last packet ‘covers’ the hash of every packet in the sequence Generation and verification algorithm

15 Simple case: no packet buffering on sender side Chain of strength a: the hash of packet P i is appended to two other packets: P i+1 and P i+a Only the last packet is signed. 1345672 Example: chain of strength 3

16 Characteristics of a chain Sender: Buffers 1 packet Stores a hashes Receiver Buffers 2 hashes Can authenticate at the end of the sequence Resistance to loss Maximum burst length = a-1 (optimal)

17 Generic Construction (packet buffering on the sender side) If the sender can buffer a single packet: 1345672 Example: augmented chain of strength 3

18 Generalization Sender buffers: p packets h hashes Start with a chain of strength (h-p) Insert (p-1) new packets in-between 1913175 234 101112 678 141516

19 Insertion 1 Very simple to implement Optimally resistant to loss But: the maximum number of hashes appended to a packet grows linearly with p

20 Insertion 2 Constant m Recursive embedding AB21 AB21

21 Characteristics Sender Buffers p packets Hash buffer of size h = a+p Receiver Buffers (p+3)/2 hashes Resistance to loss: maximum burst length =p(a-1) (optimal) fast recovery

22 Comparison with other schemes SchemeSignaturehashOverhead (bytes) lossverification WL star 117340anyimmediate WL tree 121160anyimmediate LW tree full 131120anyimmediate Chains 11643burstsdelayed

23 Implementation

24

25 Conclusion Efficient stream authentication scheme. Strength: resistance to random loss (bursts) New trade-off: between computational complexity and time to authentication Implemented as plug-in to Real Audio Player

Download ppt "Authenticating streamed data in the presence of random packet loss February 8 th, 2001 Philippe Golle Nagendra Modadugu Stanford University."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
CprE 458/558: Real-Time Systems

CprE 458/558: Real-Time Systems
1 The Pollution Attack in P2P Live Video Streaming: Measurement Results and Defenses Prithula Dhungel Xiaojun Hei Keith W. Ross Nitesh Saxena Polytechnic.

1 The Pollution Attack in P2P Live Video Streaming: Measurement Results and Defenses Prithula Dhungel Xiaojun Hei Keith W. Ross Nitesh Saxena Polytechnic.
Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees.

Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees.
Introduction to Algorithms

Introduction to Algorithms
Advanced Security Constructions and Key Management Class 16.

Advanced Security Constructions and Key Management Class 16.
Lecture 11-12 Implementations. The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number.

Lecture Implementations. The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Chapter 6 outline r 6.1 Multimedia Networking Applications r 6.2 Streaming stored audio and video m RTSP r 6.3 Real-time, Interactive Multimedia: Internet.

Chapter 6 outline r 6.1 Multimedia Networking Applications r 6.2 Streaming stored audio and video m RTSP r 6.3 Real-time, Interactive Multimedia: Internet.
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.

Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada Analysis of Multimedia Authentication Schemes Mohamed Hefeeda (Joint work.

Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada Analysis of Multimedia Authentication Schemes Mohamed Hefeeda (Joint work.
Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada End-to-End Secure Delivery of Scalable Video Streams Mohamed Hefeeda (Joint.

Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada End-to-End Secure Delivery of Scalable Video Streams Mohamed Hefeeda (Joint.
Dynamic Internet Congestion with Bursts Stefan Schmid Roger Wattenhofer Distributed Computing Group, ETH Zurich 13th International Conference On High Performance.

Dynamic Internet Congestion with Bursts Stefan Schmid Roger Wattenhofer Distributed Computing Group, ETH Zurich 13th International Conference On High Performance.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
An Error-Resilient GOP Structure for Robust Video Transmission Tao Fang, Lap-Pui Chau Electrical and Electronic Engineering, Nanyan Techonological University.

An Error-Resilient GOP Structure for Robust Video Transmission Tao Fang, Lap-Pui Chau Electrical and Electronic Engineering, Nanyan Techonological University.
Distributed Video Streaming Over Internet Thinh PQ Nguyen and Avideh Zakhor Berkeley, CA, USA Presented By Sam.

Distributed Video Streaming Over Internet Thinh PQ Nguyen and Avideh Zakhor Berkeley, CA, USA Presented By Sam.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Multiple Sender Distributed Video Streaming Thinh Nguyen, Avideh Zakhor appears on “IEEE Transactions On Multimedia, vol. 6, no. 2, April, 2004”

Multiple Sender Distributed Video Streaming Thinh Nguyen, Avideh Zakhor appears on “IEEE Transactions On Multimedia, vol. 6, no. 2, April, 2004”
KIANOOSH MOKHTARIAN SCHOOL OF COMPUTING SCIENCE SIMON FRASER UNIVERSITY 3/24/2008 Secure Multimedia Streaming.

KIANOOSH MOKHTARIAN SCHOOL OF COMPUTING SCIENCE SIMON FRASER UNIVERSITY 3/24/2008 Secure Multimedia Streaming.

Similar presentations

Ads by Google