Algorithm for a robust Message Authentication

Transcription

1 Transaction on IoT and Cloud Computing 1(1) Algorithm for a robust Message Authentication Natasa Zivic University of Siegen, Hoelderlinstrasse 3, Siegen, Germany Abstract Message Authentication Codes are constructed in such a way, that they are very sensitive to any change of the message they are appended to. This sensitivity of Message Authentication Codes is their most important property known as an avalanche effect,, which enables a good protection against forgeries. Message Authentication Codes change about 50% of their bits, making the message useless due to the avalanche effect, if one or more bits of the message change. Therefore the successful verification of Message Authentication Codes demands equality of all of bits of the received Message Authentication Code and that one recalculated from the received message. This hard condition for the successful verification of messages protected by Message Authentication Codes is known as a standard or hard verification. Unfortunately the hard verification is not suitable for some applications, like multimedia applications for example. This paper introduces an algorithm with a softer condition for the successful verification, in order to enable the correction and improvement of the successful verification of messages corrupted by the noise on a transmission channel. Simulation results confirm the efficiency of the presented algorithm for correction and verification of messages corrupted during the noisy transmission. Keywords: Message Authentication Codes, hard verification, soft verification, robustness, soft decision, reliability values, Hamming distance, authentication 1 INTRODUCTION Message Authentication Codes (MACs) [1] provide data integrity (recognition of any modification or manipulation of the message during transmission) and authentication of data origin (the confirmation that the message originates by the sender, who shares the used secret key with the receiver). They are used very often in communication systems enabling a secure message transfer. MACs are concatenated to the message they have to protect and transmitted with the message over a transmission channel to the receiver. Their main property is a protection against forgeries. Therefore MACs are constructed in such a way, that any modification of the message results in changing about 50% of bits of a MAC (avalanche effect). In case that the verification fails, the message is regarded Corresponding author: natasa.zivic@unisiegen.de 1

2 as non-authentic and useless. In many applications, like multimedia or voice transmission, the digital content is continuously modified and manipulated as a result of compression and conversion. Although these modifications of the message are a result of standard multimedia operations, they would be considered as a forgery in case of MAC verification. This implies that such applications need a different, non-standard verification: the modifications of a single message bit or a few bits should not result in any modification of a MAC. The subject of this paper is to investigate new approaches to message authentication, i.e. the possibility to make the message authentication more robust, than it is by using standard Message Authentication Codes. Number of algorithms [2 5] were developed in last years for the construction of robust Message Authentication Codes, i.e. authentication codes which are less sensitive to modifications of messages. This paper presents also an algorithm for a robust verification, but also for correction of messages, which uses standard Message Authentication Codes. The main novelty of the algorithm is that the received Message Authentication Code and the one recalculated of the received message are compared, as by regular verification, but they will not have to be equal for a successful verification. The verification is successful also, if one, two, or few bits of both compared Message Authentication Codes are different: this verification will be called a soft or robust verification. The introduced algorithm for a soft verification is based on an algorithm of Soft Input Decryption [6]and uses earlier ideas from [7, 8]. It combines channel decoding and cryptographic verification in such a way, that the message gets corrected using both channel decoding and cryptographic redundancy, i.e. MACs. 2 STATE OF THE ART Algorithms for the robust message authentication are constructed with the aim to solve the problem of the sensitivity of standard MACs, whose verification fails even if only one bit is modified. One of such algorithms are Approximate Message Authentication Codes (AMACs) [2] from This algorithm was developed for voice and image communications, where an incidental noise or lossy compression would modify the message and lead to the unsuccessful MAC verification. It has the following design principles: 1. AMACs of two messages, that are slightly different, should be the same; 2. AMACs of two messages, that have slightly larger difference, should only be slightly different; 3. by changing the key, the AMACs should be affected just like the MAC i.e., each bit of the AMAC should change in 50% of the cases. AMACs use a one-time shared key (after one usage the key has to be discarded), a cryptographically strong pseudo-random generator and a family of pseudo-random permutations. They are constructed in several operations as partitioning of the document, permutation, encryption by using the secret key, generation of pseudo-random bits and calculation of majorities of zero s and one s. An AMAC is changed only if majorities of the document 2

3 are changed, i.e. if modifications of the document are significant. If modifications of the message are local, i.e. have no influence to the whole document, they also won t influence the AMAC: this point introduces robustness into message authentication. Approximate Image Message Authentication Codes (IMACs) [3] from are a variation of AMACs. They are constructed for the soft image authentication, tolerating small to moderate image compression. The next algorithm for the robust authentication are Noise Tolerant Message Authentication Codes (NTMACs) [4] from NTMACs are constructed for image and other multimedia communications, as well as AMACs. They tolerate a few errors: they are less strict then the standard MAC, but they tolerate less errors than AMACs. NTMACs are designed by division of the message into partitions and partitions into blocks. The bits of the partitions are accompanied with different blocks, whereby secret sub-keys have to be used. Afterwards standard MACs are calculated and punctured for each block C they are called sub-macs. Punctured sub-macs are concatenated, forming an NTMAC. NTMACs have a nice property to detect erroneous blocks, which are then discarded, claiming the other blocks to be authentic. The security is guaranteed by using secret keys in two places: for computing MACs and for pseudo-random secret partitioning. A similar algorithm which uses CRCs instead of punctured MACs, and enciphering of concatenated CRCs, is called CRC-NTMAC [5]. Although the above named algorithms enable soft or robust verification of messages, there is no correction of the accepted messages. Accepted messages are simply, in a received form, sent to the next entity of the communication system, i.e. to the source decoder. 2.1 ALGORITHM FOR CORRECTION AND SOFT VERIFICATION OF MESSAGES The algorithm which is the subject of this paper (see Fig. 1) [9] uses the fact, that statistically 50% of the bits of CCV = CCV (M) are different from CCV = CCV (M ), if a message M is changed to a message. It is based on the idea of Soft Input Decryption [6]. Soft Input Decryption searches for a matching pair of message M and CCV = CCV (M ) by bit flipping of M and CCV. In the algorithm for soft verification a message M is searched by bit flipping only of M, whose CCV = CCV (M ) is neighbored to the received CCV. Therefore the Hamming Distance (HD) is calculated: d = HD(CCV,CCV ), which has to be smaller than a given threshold dmax for the acceptance of M. d max will be discussed in Chapter 4. The background for the success of the algorithm is the (error) avalanche effect of CCV : If M and CCV do not result in a positive verification, M or CCV or both of them are modified during the transmission. If M is correct and CCV has been modified by the noise of the channel, d = HD(CCV,CCV ) will correspond to the BER (Bit Error Rate) after the channel decoder. After d is known, the probability can be computed, that this number of bit errors happened. If M is not correct, the probability is very high, that around 50 % of the bits of CCV are different. Therefore, of course, the number d max has to be chosen much smaller than n/2. By this way, it can be assumed if M or CCV has been modified during transmission. If both M and CCV have been modified during the transmission, then the behavior is like the case of a modified M. If d is higher than 3

4 Figure 1: Algorithm for correction and soft verification of messages the threshold d max, M is tried to be corrected by knowing the least reliable bits. The successful correction is recognized, if CCV smaller than the threshold. M, CCV and the L-values of M are the input to (now called) Soft Input Trust Output after SISO channel decoding. CCV = CCV (M ) by application of the shared secret key K. If HD(CCV,CCV ) < d max, message M is assumed to be correct, i.e. equal to the sent message M. If HD(CCV,CCV ) d max, M is assumed to be wrong and the process of changing of the message bits starts: the bit or a combination of bits with the lowest L values of the message M are flipped, which results in a message M. CCV = CCF (M ) by application of the key K. If HD(CCV,CCV )< d max, message M is assumed to be correct, otherwise message M is assumed to be wrong and followed by the next round of flipping other bits of M as chosen by the bit flipping strategy. This iterative process is finished, if HD(CCV,CCV )< d max, or the provided resources are consumed. If all attempts of correction fail, the number of errors is too high as a result of the noise of the channel or of an attack. The statistical distribution of d = HD(CCV,CCV ) helps us to determine the appropriate value for the decision threshold d max. Therefore the probability mass function pmf of different values of d for BER after channel decoding with length m of the message has to be calculated: pmf(d) = pmf 1 (d) P correct + pmf 2 (d) P wrong (1) Pcorrect and Pwrong are the probabilities that M does not contain errors, i.e. that M contains errors respectively: P correct = (1 BER) m (2) P wrong = 1 (1 BER) m (3) The Hamming distance d should be small in case of successful verification, i.e. smaller than the decision threshold dmax. Then CCF (M ) is equal to the original CCV of M (because M is equal to original M) and d is equal to the number of errors in CCV only. d max has to be defined in such a way, that it is not smaller than the expected number of errors in CCV. The remaining errors after SISO channel decoder are assumed to be uniformly distributed over CCV (with the length of n bits), and the number of errors in 4

5 CCV has a binomial or Bernoulli distribution: pmf 1 (d) = ( n d) BER d (1 BER) n d (4) HD(CCV,CCV ) is large in the case of unsuccessful verification, i.e. it is above the decision threshold d max. Namely, if the message is wrongly decoded (M is incorrect, i.e. contains one or more errors) the number of errors in CCF (M ) is expected to be around n/2 due to the avalanche criterion and CCF (M ) can take any of 2n values of the same probability. Therefore pmf 2 (d) has also a binomial distribution with BER = 1/2 since every bit in CCV is expected to be 0 or 1 with the same probability: ( ) d n 1 pmf 2 (d) = (5) d 2 n Two areas can be clearly distinguished: D 1 for 0 d d 1 - if M is correct (M = M ) and D 2 for d 2 d n - if M is wrong (M M ). d 1 and d 2 are Hamming distances which define boundaries of areas D 1 and D 2. The threshold d max can get any value between areas D 1 and D 2, i.e. d 1 < d max < d 2. In that case, d 1 and d 2 can be considered as a lower and an upper limit of the threshold d max. 3 DEFINITION OF THE THRESHOLD The acceptance rate of messages by the verification process will be greater, if d max is set to a greater value. Non detection of a message means, that the correct decoded or by bit flipping iterations corrected message could not been verified because the value of d max is set to a low value, so that the condition for the successful verification is not fulfilled. For that reason the value of d 1 should not be too low, so that the threshold value d max is also not too low and non detection is avoided. The lower limit d 1 can be calculated in such a way, that the probability of non detection is less than 10 k 1. d 1 = min {d 1 0 d 1 n n d=d 1 +1 P correct pmf 1 (d) 10 k 1 } (6) The parameter k 1 can be chosen by the system designer, as he can define the accuracy of the used algorithm for correction and soft verification of messages. The greater d max causes a higher acceptance rate of messages and speeds up the verification process, as the number of bit-flipping for the successful verification is smaller. In the same time, a greater d max increases the probability of miscorrections: the verification algorithm can decide, that the wrongly decoded message or not corrected message is correct after bit-flipping iterations. The probability of miscorrection increases with increase of d max. For that reason, the upper limit d 2 should be set to a value, which reduces the probability of miscorrections. The upper limit d 2 of the threshold can be calculated from the probability of miscorrection which can be tolerated. This probability is defined by the use of parameter k 2, while d 2 will be the maximal integer that satisfies the following condition: d 2 = max 0 d 2 n {d 2 n P wrong pmf 2 (d) 10 k 2 } (7) d=0 5

6 Figure 2: Coding gain of the communication system using the algorithm for correction and soft verification of messages (b) in comparison to the standard communication system (a) 4 SIMULATION RESULTS In simulations a length of 192 bit has been chosen for the message and the length of. 160 bit of CCV was calculated using RIPEMD160. Simulations have been performed using a convolutional encoder of code rate r = 1/2 and constraint length m = 2. As usual BPSK modulation and an Additional White Gaussian Noise (AWGN) channel are used together with a SISO decoder based on the Maximum A-Posteriori (MAP) algorithm [10]. For each point of the resulting graphs, simulations have been performed, programmed in C/The results of simulations are presented in Fig. 2, showing the coding gain in comparison to the same communications scheme using standard MAC verification. As the measure of the correction and verification efficiency a parameter named Cryptographic Check Error Rate (CCER) is defined: CCER = Number of non verified messages N umber of received messages (8) 5 CONCLUSION The presented paper researches robustness of (secure) communication. There are two approaches for message authentication over noisy channels: 1. Usage of special error tolerant message authentication codes 2. Usage of error tolerant verification of standard message authentication codes by the receiver. The presented algorithm for correction and soft verification of messages uses cryptographic check values i.e. MACs for the correction of messages modified due to the channel noise. 6

7 The threshold in the verification process has a very important role and has to be determined under consideration of the probability of non detection and miscorrection. Simulations show that a significant coding gain can be achieved by the use of the introduced algorithm. References [1] ISO/IEC : 2nd edition waiting for publication Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher, [2] Graveman R. F., Fu K. E.: Approximate message authentication codes, in Proc. 3rd Annual Fedlab Symp. Advanced Telecommunications/Information Distribution, vol.1, College Park, MD, [3] Xie L, Arce G. R., Graveman R. F.: Approximate Image Message Authentication Codes, IEEE Trans. On Multimedia, vol.3, no.2, [4] Boncelet C. G. Jr.: The NTMAC for Authentication of Noisy Messages, IEEE Trans. On Information Forensics and Security, vol.1, no.1., [5] Liu Y, Boncelet C. G. Jr.: The CRC-NTMAC for Noisy Message Authentication. IEEE Military Communication Conference, MILCOM, [6] Ruland C., Živić N.: Soft Input Decryption, 4th Turbocode Conference, 6th Source and Channel Code Conference, VDE/IEEE, Munich, [7] Chase D.: A Class of Algorithms for Decoding Block Codes with Channel Measurement Information, IEEE Trans. Inform. Theory, IT- 18, pp , [8] Forney G. D. Jr.: Generalized Minimum Distance Decoding, IEEE Trans. Inform. Theory, IT-12, pp , [9] Bahl L, Jelinek J, Raviv J, Raviv F.: Optimal decoding of linear codes for minimizing symbol error rate, IEEE Transactions on Information Theory, IT-20, pp , [10] Zivic N.: Soft correction and verification of the messages protected by cryptographic check values, 45th Annual Conference on Information Sciences and Systems, March 2011, Baltimore USA. 7