A Tag Encoding Scheme against Pollution Attack to Linear Network Coding Abstract Network coding allows intermediate nodes to encode data packets to improve network throughput and robustness. However, it increases the propagation speed of polluted data packets if a malicious node injects fake data packets into the network, which degrades the bandwidth efficiency greatly and leads to incorrect decoding at sinks. In this paper, insights on new mathematical relations in linear network coding are presented and a key pre distribution-based tag encoding scheme KEPTE is proposed, which enables all intermediate nodes and sinks to detect the correctness of the received data packets. Furthermore, the security of KEPTE with regard to pollution attack and tag pollution attack is quantitatively analyzed. The performance of KEPTE is competitive in terms of: 1) low computational complexity; 2) the ability that all intermediate nodes and sinks detect pollution attack; 3) the ability that all intermediate nodes and sinks detect tag pollution attack; and 4) high fault-tolerance ability. To the best of our knowledge, the existing key pre distribution-based schemes aiming at pollution detection can only achieve at most three points as described above. Finally, discussions on the application of KEPTE to practical network coding are also presented. Introduction Network coding, where an intermediate node encodes incoming packets before forwarding, has been theoretically proven to maximize network throughput and enhance network robustness. It has received extensive attentions and been applied to various computer network systems, such as multicast networks, wireless networks, and P2P systems. However, when there is a malicious node in a network and the malicious node injects fake data packets into its downstream nodes, the fake data packets will be encoded together with correct data packets by the downstream nodes and the outputs of the downstream nodes will be polluted and fake. The pollution propagates in the network quickly with the transmission of polluted data packets, which not only leads to incorrect decoding at sinks, but also wastes network resources. So it is crucial to prevent pollution attacks in practical applications of network coding. The existing approaches against pollution attack to network coding can be categorized into three classes, error correction, malicious node localization, and pollution detection. Error correction-based approaches, only allow a small portion of packets to be polluted, and focus on correcting error only at sinks. The pollution will inevitably propagate in networks with t he error correction approaches. Some schemes are proposed to locate malicious nodes and make those nodes unable to further inject polluted data packets. Those schemes either assume that there exists a powerful controller that knows the entire topology of a network or assume a clock synchronization of all nodes in a network. Those schemes are of limited practicality when multiple malicious nodes exist. The existing schemes of pollution detection, which are mainly based on key delay distribution, public key cryptography (PKC), and key pre distribution, focus on detecting and filtering fake or polluted data packets at intermediate nodes or sinks directly and can prevent pollution propagation efficiently. The schemes based on key delay distribution require a clock synchronization of all the nodes in a network. So it is difficult to implement them in an adversarial distributed environment. The implementation of the schemes based on PKC or key pre distribution are relatively simple. However, the PKC-based schemes in require a large field, for example, the field is F397, which implies that the computational complexities of PKC-based schemes are very high. The schemes are based on key pre distribution. The computational complexities of the schemes are low, but they experience tag pollution attack that leads to numerous correct data packets being discarded. With the scheme the correctness of a data packet will be verified after several hops (usually at least 3 hops). The MacSig scheme requires a field of size 128 bits with very high computational complexity. In addition, even if the schemes in tolerate less nodes to be compromised, very large redundancy is needed to append to each data packet. For example, if the most recent MacSig scheme allows 15 nodes to be compromised with a probability 99.5 percent, the size of redundancy appended to an IP data packet of 1,400 bytes will be 5,144 bytes. This paper will present some insights on mathematical relations in linear network coding and propose a key pre distribution-based tag encoding (KEPTE) scheme to detect polluted data packets. The basic idea of KEPTE is as follows: A source s uses N keys to generate N tags for each data packet. Each node g except the source holds a unique pair of keys (Zg,Vg), where Zg,Vg, and the N keys held by s satisfy a certain relation. Literature Review Cooperative Defense Against Pollution Attacks in Network Coding Using SpaceMac A novel homomorphic MAC scheme called SpaceMac, which allows an intermediate node to verify if its received packets belong to a specific subspace, even if the subspace is expanding over time. Then, we use SpaceMac as a building block to design a cooperative scheme that provides complete defense against pollution attacks: (i) it can detect polluted packets early at intermediate nodes and (ii) it can identify the exact location of all, even colluding, attackers, thus making it possible to eliminate them. Our scheme is cooperative: parents and children of any node cooperate to detect any corrupted packets sent by the node, and nodes in the network cooperate with a central controller to identify the exact location of all attackers. We implement SpaceMac in both C/C++ and Java as a library, and we make the library available online. Our evaluation on both a PC and an Android device shows that (i) SpaceMac’s algorithms can be computed quickly (28s in C/C++) and efficiently (64 KB in C/C++), and (ii) our cooperative defense scheme has both low computation (190s in C/C++) and low communication (2%) overhead, significantly less than other comparable state-of-the-art schemes. The construction of SpaceMac is new and significantly more efficient than our old construction. This construction is an improvement of the homomorphic MAC construction, HomMac. The key difference between SpaceMac and HomMac is the security property that SpaceMac brings: SpaceMac allows for signing spaces that expand over time, while HomMac only allows for signing fixed spaces. This is directly reflected in the difference between the security games of SpaceMac and HomMac, and consequently the difference between the constructions. SpaceMac improves and generalizes of HomMac. Therefore, SpaceMac can also be used to sign fixed spaces as well, e.g., in the place of HomMac in the detection scheme. However, it is not possible to use HomMac to support either our detection scheme or our locating scheme because any intermediate node does not know about the entire source space (to use Sign of HomMac) at the time of tag generation. A (q,n,m) homomorphic MAC scheme is defined by three probabilistic, polynomial-time algorithms: Mac, Combine, and Verify. The Mac algorithm generates a tag for a given vector; the Combine algorithm computes a tag for a linear combination of some given vectors; and the Verify algorithm verifies whether a tag is a valid tag of a given vector. Identifying Malicious Nodes in Network-Coding-Based Peer-to-Peer Streaming Networks A novel scheme (MIS) to limit network-coding pollution attacks by identifying malicious nodes. MIS can fully satisfy the requirements of P2P live streaming systems. It has high computational efficiency, small space overhead, and the capability of handling a large number of corrupted blocks and malicious nodes, and does not require repeatedly pre-distributing verification information. MIS is block-based and can repaidly identify malicious nodes, ensuring that the system quickly recovers from pollution attacks. Researchers show that network coding can greatly improve the quality of service in P2P live streaming systems (e.g., IPTV). However, network coding is vulnerable to pollution attacks where malicious nodes inject into the network bogus data blocks that will be combined with other legitimate blocks at downstream nodes, leading to incapability of decoding the original blocks and degradation of network performance. In this paper, we propose a novel approach to limiting pollution attacks by identifying malicious nodes. In our scheme, the malicious nodes can be rapidly identified and isolated, so that the system can quickly recover from pollution attacks. Our scheme can fully satisfy the requirements of live streaming systems, and achieves much higher efficiency than previous schemes. Each node in our scheme only needs to perform several hash computations for an incoming block, incurring very small computational latency in the range of several microseconds. The space overhead added to each block is only 20 bytes. The verification information given to each node is independent of the streaming content and thus does not need to be redistributed. The simulation results based on real PPLive channel overlays show that the process of identifying malicious nodes only takes a few seconds even in the presence of a large number of malicious nodes. The correctness of MIS is based on the condition that no node can lie when reporting a suspicious node that has sent a corrupted block, and an evidence associated with the corrupted block is necessary to demonstrate to the servers that the reported node has really sent the block. We design a non-repudiation transmission protocol to achieve this. We let X be the suspicious node, and Y be the reporting node. In network-coding pollution attacks, malicious nodes send bogus blocks to their downstream neighbors. An innocent node that receives a bogus block is infected, and the blocks it produces with this bogus block are also corrupted and may further infect its downstream peers. The contaminated links and infected nodes form a connected component (or several components if multiple malicious nodes exist) in the network. Our goal is to track the origin of corrupted blocks. To achieve this, we first propose an approach to detecting the existence of malicious nodes. If the decoding result matches the specific formats of video streams, and any node having an inconsistent decoding result will send an alert to the servers to trigger the process of identifying malicious nodes. From the standpoint of the whole overlay, the existence of malicious nodes can be detected with very high probability. After receiving an alert, the servers compute a checksum based on the original blocks, and disseminate it to the nodes using the streaming overlay. The checksum will help the nodes identify which neighbor has sent it a corrupted block. The checksum, node I (or K) finds out that the block received from node F (or J) is corrupted. Note that, at this point, one cannot confirm that the discovered nodes ( F, J) are malicious, since they may be innocent and receive corrupted blocks from their upstream neighbors. For instance, J is an innocent node and the corrupted block it produces is due to the bogus block it has received from F; whereas, node F discovered by I is indeed a malicious node. To this end, the discovered nodes (F, J) are temporarily treated assuspicious nodes, and are reported (by I, K) to the servers. Then, the reporting nodes (I,K) further forward the checksum to their suspected upstream neighbors (I,K). If a suspected node is truely innocent (e.g., J), then with the received checksum it will identify at least one corrupted block it has received from its upstream neighbors (i.e., F), and correspondingly it will report its suspected neighbors (F) to the servers. On the contrary, if a suspected node is malicious (e.g., F), it cannot find a suspicious neighbor that sent it a corrupted block. Therefore, we let the servers judge a suspicious node based on whether it can report another suspicious node. The correctness of the above process of identifying malicious nodes relies on the condition that no one can lie when reporting a suspicious node. To be concrete, any malicious node cannot disparage an innocent node that does not send a corrupted block, or cannot deny having sent a corrupted block (when being suspected). For example, F cannot disparate C, or deny having sent a bogus block to I. Homomorphic MACs: MAC-based Integrity for Network Coding A homomorphic MAC suitable for networks using network coding. The homomorphic MAC can be converted to a broadcast homomorphic MAC using cover free set systems. The resulting broadcast MAC is collusion resistant up to a pre-determined collusion bound c. The tag size grows quadratically with c. Network coding has been shown to improve the capacity and robustness in networks. However, since intermediate nodes modify packets en-route, integrity of data cannot be checked using traditional MACs and checksums. In addition, network coded systems are vulnerable to pollution attacks where a single malicious node can flood the network with bad packets and prevent the receiver from decoding the packets correctly. Signature schemes have been proposed to thwart such attacks, but they tend to be too slow for online perpacket integrity. They also force network coding coefficients to be picked from a large held which causes the size of the network coding header to be large. Here we propose a homomorphic MAC which allows checking the integrity of network coded data. Our homomorphic MAC is designed as a drop-in replacement for traditional MACs (such as HMAC) in systems using network coding. The tag on a vector v is a single element in F q, there is a homomorphic MAC adversary that can break the MAC (i.e. win the MAC security game) with probability 1=q. When q= 28 the MAC can be broken with probability 1=256. Security can be improved by computing multiple MACs per vector. For example, with 8 tags per vector security becomes 1=q8. The resulting tag is 8 bytes long. The proof of Theorem 2 easily extends to prove these bounds for HomMac using multiple tags. We note, however, that a homomorphic MAC with security 1=256 may be sufficient for the network coding application. The reason is that the homomorphic MAC is only used by recipients to drop malformed received vectors. The sender can, in addition, compute a regular MAC (such as HMAC) on the transmitted message prior to encoding it using network coding. Recipients, after decoding a matrix of vectors with valid homomorphic MACs, will further validate the HMAC on the decoded message and drop the message if its HMAC is invalid. Hence, success in defeating the homomorphic MAC does not mean that a rogue message is accepted by recipients. It only means that recipients may need to do a little more work to properly decode the message (by trying various m-subsets of the received vectors with a valid homomorphic MAC). As mentioned above, this issue can be avoided by increasing the security of the homomorphic MAC by computing multiple tags per vector. An Efficient Signature-based Scheme for Securing Network Coding against Pollution Attacks An efficient signature-based scheme against pollution attacks for securing linear network coding. Our scheme utilizes a novel homomorphic signature function and allows a source to delegate its signing authority to forwarders, which means that the forwarders can generate the signatures for their output messages without contacting the source. This property allows the forwarders to verify received messages, but prevent them from creating the valid signatures for polluted or forged ones. Thus, the pollution attacks can be efficiently and effectively filtered out at the forwarders. Our scheme does not need any extra secure channels, and can support source authentication and batch verification. Experimental results show that our scheme can improve verification efficiency up to 10 times compared to some existing one. In addition, we presented an alternate lightweight scheme which utilizes a simpler signature function. This scheme is much faster and more suitable for resource-constrained networks such as wireless sensor networks. However, it introduces a trade-off between computation efficiency and security. Network coding provides the possibility to maximize network throughput and receives various applications in traditional computer networks, wireless sensor networks and peer-to-peer systems. However, the applications built on top of network coding are vulnerable to pollution attacks, in which the compromised forwarders can inject polluted or forged messages into networks. Existing schemes addressing pollution attacks either require an extra secure channel or incur high computation overhead. In this paper, we propose an efficient signature-based scheme to detect and filter pollution attacks for the applications adopting linear network coding techniques. Our scheme exploits a novel homomorphic signature function to enable the source to delegate its signing authority to forwarders, that is, the forwarders can generate the signatures for their output messages without contacting the source. This nice property allows the forwarders to verify the received messages, but prohibit them from creating the valid signatures for polluted or forged ones. Our scheme does not need any extra secure channels, and can provide source authentication and batch verification. Experimental results show that it can improve computation efficiency up to ten times compared to some existing one. In addition, we present an alternate lightweight scheme based on a much simpler linear signature function. This alternate scheme provides a tradeoff between computation efficiency and security. A Homomorphic Signature Scheme, the source generates the signature for each message using RSA private key and appends the signature to the corresponding message. Other nodes (including both forwarders and sinks) verify the received messages using the source’s public key. Our scheme is based on a homomorphic signature function, which guarantees that any encoded message’s signature can be composed from those of input messages (that are used to generate the encoded message). Thus, a forwarder can generate the valid signatures for its output messages even without knowing the source’s private key, as long as every node appends the signatures to its output messages. The nice property of our scheme is that the forwarders have no ability to create the valid signature for any polluted or forged message. The problem of securing network coding systems against the pollution attacks. Our goal is to design an efficient scheme for filtering pollution attacks in network coding systems, especially in those resource-constrained networks such as wireless sensor networks that adopt network coding. The scheme should enable the forwarders to detect and filter polluted messages as early as possible and must be highly efficient for the use in resource-constrained networks in terms of computation. In addition, it does not require any extra secure channels. The Framework of Hashing or Signature Schemes, e first propose a framework of the hashing or signature schemes include our scheme and existing ones that address the pollution attacks for linear network coding systems. In this framework, we roughly divide the schemes into three phases. Parameter setup phase: In this phase, the source chooses security parameters, calculates its private and public keys, and determines the hash or signature function. Hash or signature calculation phase: In this phase, the source calculates the hashes or signatures for its messages. These hashes or signatures may be securely transmitted to forwarders and sinks, or directly attached to the messages Message verification phase: In this phase, the forwarders and the sinks verify the received messages. Verification is based on the encoding vectors embedded into the messages, the hashes or signatures of the messages, and the source’s public keys. If verification succeeds, the received messages will be accepted and used for further encoding or decoding. Otherwise, they are discarded. The first phase can be done offline, but the other two must be executed online. So, the efficiency of schemes is mainly determined by the computation overhead occurring in the second and third phases. An Authentication Code against Pollution Attacks in Network Coding An unconditionally secure authentication scheme that provides multicast linear network coding with message integrity protection and source authentication. The resulting scheme offers robustness against pollution attacks from outsiders and from k−1 insiders. Our solution allows the source to generate authentication tags for up to M messages with the same key and the intermediate nodes to verify the authentication tags of the packets received an d thus to detect and discard the malicious packets that fail the verification. The performance analysis showed that our scheme offers good put gains that tend towards 1 with increasing corrupted packets in the network. Our scheme can be used to authenticate with the same key a file download of at most 18 N2 MBytes when one tagged message is carried over N IP packets. Systems exploiting network coding to increase their throughput suffer greatly from pollution attacks which consist of injecting malicious packets in the network. The pollution attacks are amplified by the network coding process, resulting in a greater damage than under traditional routing. It we address this issue by designing an unconditionally secure authentication code suitable for multicast network coding. The proposed scheme is robust against pollution attacks from outsiders, as well as coalitions of malicious insiders. Intermediate nodes can verify the integrity and origin of the packets received without having to decode, and thus detect and discard the malicious messages in-transit that fail the verification. This way, the pollution is canceled out before reaching the destinations. We analyze the performance of the scheme in terms of both multicast throughput and good put, and show the good put gains. We also discuss applications to file distribution network coding authentication codes, let us start by recalling the setting for classical authentication schemes model for unconditionally secure authentication where one transmitter communicates to multiple receivers who cannot all be trusted. In this scenario, the transmitter first appends a tag to a common message which is then broadcasted to all the receivers, who can separately verify the authenticity of the tagged message using their own private secret key. There is among the receivers a group of malicious receivers, who use their secret key and all the previous messages to construct fake messages. A (k, V) multi-receiver authentication system refers to a scheme where V receivers are present, among which at most k−1 can cheat. The malicious nodes can perform either an impersonation attack, if they try to construct a valid tagged message without having seen any transmitted message before, or a substitution attack, if they first listen to at least one tagged message before trying to fake a tag in such a way that the receiver will accept the tagged message. Perfect protection is obtained if the best chance of success in the attack is 1/|T| where |T| is the size of tag space, namely, the attacker cannot do better than make a guess, and pick randomly one tag. The scheme has been generalized to the case where the same key can be used to authenticate up to M messages. The network coding scenario that we consider a multicast setting, where one source wants to send a set of messages to T destinations. In order to propose a definition of network coding authentication scheme, let us first understand the main differences with respect to the classical multi-receiver scenario: 1. The source does not broadcast the same message on all its outgoing edges, but sends different linear combinations of the n messages x1, . . . ,xn, which means that the key used by the source to sign the messages will be used more than once, actually at least as many times as there are outgoing edges from the source. 2. We are interested in a more general network scenario, where intermediate nodes play a role. In particular, it is relevant in the context of pollution attacks that not only destination nodes but also intermediate nodes may check the authenticity of the packets. We call such nodes in the network verifying nodes. This set may include part or all of the destination nodes D1, . . . , DT. This makes a big difference in network coding, since while the destination nodes do have a transfer matrix to recover the message sent, this is not the case of regular intermediate nodes, which must perform the authentication check without being able a priori to decode. A Source S, which wants to multicast n messages to T destinations D1, . . . , DT. We will denote the set of messages by s1, . . . ,sn to refer to the actual data to be sent, while we keep the notation x1, . . . ,xn∈FNq for the whole packets, including the authentication tag. Each message s I is of length l,si= (si,1, . . . , si,l), so that while each symbols i,j belongs to Fq, we can see the whole message as part of Flq≃Fql. We also assume a set of nodes R1, . . . , RV which can verify the authentication. A priori, this set can include the destinations, but can also be larger . Typically we will assume that V >> T, in the context of pollution attacks. RIPPLE Authentication for Network Coding An efficient in-network authentication scheme that is well-matched to distributed random linear network codes. Operating in tandem, they provide a practical and low-complexity scheme for achieving rate- optimal throughput even in the presence of a disruptive adversary in the network. The low complexity of RIPPLE’s authentication scheme arises from using symmetric key authentication together with time-asymmetry, i.e., keys are transmitted after their corresponding messages. Hence we achieve security akin to that of public-key verification schemes, without their undesirable properties (prohibitive computational complexity for moderate key sizes). We show that RIPPLE is robust to arbitrary collusion among adversaries. It is also resilient against the subtle tag pollution attack discussed in this work, where in an adversary injected packet with a single corrupted tag may cause nodes in prior schemes to drop numerous packets allowing routers to randomly mix the information content in packets before forwarding them, network coding can maximize network throughput in a distributed manner with low complexity. However, such mixing also renders the transmission vulnerable to pollution attacks, where a malicious node injects corrupted packets into the information flow. In a worst case scenario, a single corrupted packet can end up corrupting all the information reaching a destination. It use RIPPLE, a symmetric key based in-network scheme for network coding authentication. RIPPLE allows a node to efficiently detect corrupted packets and encode only the authenticated ones. Despite using symmetric key based homomorphic Message Authentication Code (MAC) algorithms, RIPPLE achieves asymmetry by delayed disclosure of the MAC keys. Our work is the first symmetric key based solution to allow arbitrary collusion among adversaries. It is also the first to consider tag pollution attacks, where a single corrupted MAC tag can cause numerous packets to fail authentication farther down the stream, effectively emulating a successful pollution attack. Under our settings, the goals of in-network authentication of network coding are as follows: In-network source authentication. Any node in the network can verify that the received data originates from the source and was not modified enroute. Arbitrary collusion resistant. An honest node can verify the authenticity of the received data even in the presence of arbitrary colluding adversaries. Light-weight operation. Forwarders need little extra power to process message authentication. With these goals in mind, we present our RIPPLE scheme for network coding authentication in the next two sections. The main set of ideas behind our scheme are: 1) designing homomorphic MACs to allow in-network tag regeneration for coded messages, 2) utilizing symmetric key cryptography for light-weight innetwork message authentication, and 3) using time to create asymmetry in message authentication; RIPPLE has two main components. The first is a homomorphic MAC for broadcast authentication. The second is the RIPPLE transmission protocol for message distribution and authentication. Our homomorphic MAC is information theoretically secure, whereas the security of the RIPPLE transmission protocol relies on computational hardness A homomorphic MAC allows to linearly combine any sequence of given (vector, tag) pairs. That is, given a sequence of pairs {(Mi,ti)}mi=1, where M1,M2,...,Mm∈Fn+mq, anyone can create a valid tag t for the vector y=Pmi=1αiMi for any α1,α2,...,αm∈Fq. Loosely speaking, the security requirement is that, even under an adaptively chosen message attack, creating a valid tag t for a vector outside the linear span of the original messages is only possible with negligible probability. Syntax. We define a (q,n,m) homomorphic MAC via fourprobabilistic, polynomial time (PPT) algorithms, (Generate,MAC,Verify,Combine): Generate is a PPT algorithm that randomly samples a key K from a key space K. MAC is a PPT algorithm that takes as input a secret key K, a vector M and outputs a tag t for M. The MAC algorithm authenticates a vector space spanned by M1,M2,...,Mm∈Fn+mq by running MAC(K,Mi) for i=1,...,m. This produces a tag for each of the basis vectors. To authenticate a message (whose packets form the subspace spanned by M1,M2,...,Mm) the sender transmits the pairs (Mi,ti). In RIPPLE Transmission Protocol, a sender S schedules packet transmission based on two coordinates, space and time. The network space is hierarchically organized. A node is called a level j node if it is at most j hops away from S. We define the children of S to be level-1 nodes and assume a maximum of L levels in a network. Time is divided into uniform intervals. S sends zero or multiple packets during an interval. We refer to packets sent during interval I as interval-I packets. We name our network coding authentication scheme RIPPLE for packets moving in the network from level to level, in a wavelike fashion. A batch of packets reaches the nodes at a level, pauses for key disclosure, verification, coding, and finally flows to the next level. For ease of understanding, we first describe the RIPPLE scheme at a high level, and then break it into four stages and elaborate on each of them. S broadcasts a batch of packets in each time interval and a batch moves from level to level driven by delayed key disclosures. Specifically, assume that S transmits a batch of packets to its children during interval I. Each packet carries L tags, each for verification by nodes at a different level. A tag is produced with a key generated specifically for a particular interval and level. S reveals the key for interval I and level 1 after a fixed amount of delay to ensure that all level-1 nodes have received the interval-I packets. Upon receiving the key, a level-1 node verifies all the buffered interval-I packets by checking their level-1 tags and encodes only the authenticated packets. Due to the homomorphic property of our MAC, the level-1 nodes are able to produce new tags for the encoded packets for the remaining levels. Driven by one key disclosure, this batch of packets moves to level-2 nodes. Based on a predetermined key disclosure schedule, S distributes the keys for levels 2 through L in an increasing order of levels. Every key disclosure drives the batch one level forward. Eventually, this batch of packets reaches all the receivers. A. Sender Setup We now describe our RIPPLE transmission protocol in four stages. Recall that time is divided into intervals of a uniform length. We use the following notations: T0 denotes the starting time of a multicast transmission, N the maximum number of intervals in a multicast session, W the maximum number of packets sent in an interval, Ti the starting time of interval i, and δ the interval length. For the last three variables, we have the following equation Ti = T0+iδ,∀1≤i≤N. In the setup stage, S determines the network level L and network delay D. 1) Determining Network Level L: For each node v∈V−{S}, its level Lv(v) on a coding graph G=(V,E) is defined as the length (i.e., hop count) of the longest path from S to v. Network level L is thus defined as L, max v∈V−{S}Lv(v). For example, the level of node d on the butterfly coding graph, and the network level is 5. Given a coding graph 4, finding the length of the longest path from S to a node v∈V can be transformed to finding the shortest path between S and v by changing the signs of the weights on the edges. Hence, by using existing shortest path algorithms such as the Dijkstra’s algorithm, the length of the longest path can be computed in O(|V|log|V|+|E|) time when no adversary exists. In the presence of adversaries, the length of the longest path can be computed by using recently proposed passive network tomography schemes for network coding based multicast. Bounding Network Delay D: We define network delay D as the sum of these two terms: RTT(S,v), the maximum round trip time between S and a node v∈V−{S}, and Tp, the bound on a node’s processing time to authenticate up to W messages of an interval, encode authenticated messages, calculate new tags for the encoded messages, and forward the newly generated packets to the next level. More precisely D is thus an upper bound on the maximum time for messages of an interval to move one level forward. We emphasize that RIPPLE only requires S to know the upper bounds of L and D to operate. However, knowledge of accurate values of L and D reduces both the communication and computational overhead. 3) One-way Key Chain: For each level of nodes, we generate a different sequence of random values and use them in reverse order to derive the MAC keys each for a different time interval. We use a pseudo-random function F to generate the sequences. For each sequence, we choose a different random number r0 as the base value and generate the sequence recursively as ri=F(ri−1) where 1≤i≤N(recall that N is the maximal number of intervals in a broadcast session). We refer to the sequence as the one-way key chain. To authenticate the values in a one-way key chain, S signs the last value r N with a common public key signature scheme such as RSA or DSA. We refer to the signed r N a commitment to the key chain. Anyone can verify the authenticity of rN with S ’s public key. Given an authenticated rN and an index i, anyone can check if a value r is the ith value in the one-way key chain by checking if r N=FN−i(r), where Fn(x) denotes n consecutive applications of F. By convention, F0(x)=x. Existing System The existing approaches against pollution attack to network coding can be categorized into three classes, error correction, malicious node localization, and pollution detection. Error correction-based approaches only allow a small portion of packets to be polluted, and focus on correcting error only at sinks. The pollution will inevitably propagate in networks with the error correction approaches. Some schemes are proposed to locate malicious nodes and make those nodes unable to further inject polluted data packets. The existing schemes of pollution detection, which are mainly based on key delay distribution, public key cryptography (PKC), and key pre distribution, focus on detecting and filtering fake or polluted data packets at intermediate nodes or sinks directly and can prevent pollution propagation efficiently. Disadvantages: The schemes in based on key delay distribution require a clock synchronization of all the nodes in a network. So it is difficult to implement them in an adversarial distributed environment. Proposed System This paper proposed a key pre distribution-based tag encoding scheme KEPTE, which enables all intermediate nodes and sinks to detect the correctness of the received data packets. Furthermore, the security of KEPTE with regard to pollution attack and tag pollution attack is quantitatively analyzed. Before presenting KEPTE, this paper define three basic algorithms, namely Sign, Combine, and Verify. The algorithm Sign computes N tags for each of the n data packets P1,P2,... ,Pn, where N is a security parameter. Given multiple data packets, each with N tags, Combine produces N tags for a linear combination of those multiple data packets. Verify checks the correctness of a data packet with its N tags. Advantages: The advantage of KEPTE is 1) low computational complexity; 2) the ability that all intermediate nodes and sinks detect pollution attack; 3) the ability that all intermediate nodes and sinks detect tag pollution attack; and 4) high fault-tolerance ability. Hardware Requirements Processor Type : Pentium IV Speed : 2.4 GHZ RAM : 256 MB Hard disk : 20 GB Keyboard : 101/102 Standard Keys Mouse : Scroll Mouse Software Requirements • Operating System : Windows 7 • Programming Package : Net Beans IDE 7.3.1 • Coding Language : JDK 1.7 System Architecture: KDC Key Distribution 2 Secret Vector N Secret Vectors Source Tag Generation Intermediate node or Sink Packet Transmission Encoding Verification Attack Detection Modules 1. Network Formation 2. Key Distribution 3. Tag Generation & Encoding 4. Verification 5. Attack Detection Network Formation This network has one sink node and many sensor node. Source node send a file to sink through many intermediate nodes. Network coding, where an intermediate node encodes incoming packets before forwarding, has been theoretically proven to maximize network throughput and enhance network robustness. Key Distribution KDC is a common tool for key distribution. If KDC is not available, key distribution based on PKC can replace the function of KDC. By PKC, the source distributes secret information, which is also secret keys, to each node g except the source in a network. KDC generate private and public key pairs for each file blocks and announce the public key, both source and intermediate node g. It generate secret vector from private keys. This secret vector used for tag generation. Tag Generation & Encoding The source s is to multicast a file of n data blocks B1,B2,...,Bn. These data blocks are encoding by using secret vectors. The source uses the algorithm Sign(X1,...,XN,Pi) to generate N tags tPi,1,...,tPi,N. The algorithm Sign computes N tags for each of the n data packets P1,P2,... ,Pn, where N is a security parameter. Verification An intermediate node g receives a data packet W with its N tags tW,1,...,tW,N, a node g checks the correctness of W with algorithm Verify and its secret vectors Zg, Vg. If its output is true, g judges W being correct; otherwise, g judges W being fake or polluted, and discards W. Attack Detection Here KEPTE detect two types of attacks. One is Pollution Attack. Another one is Tag Pollution Attack. A Malicious node can inject fake data packets into its output links. The objective of pollution attack is to make intermediate nodes or sinks unable to detect error data packets, which not only leads to incorrect decoding at sinks but also makes polluted data packets be transmitted in a network, leading to bandwidth waste. But KEPTE Detect Pollution Attack. A malicious node can modify the verification tags of a correct data packet, and injects the correct data packet with modified tags to its output links, which is called tag pollution attack. The objective of tag pollution attack is to get correct data packets be judged as wrong and be discarded by intermediate nodes or sinks, which wastes bandwidth greatly. But all intermediate nodes and sinks detect tag pollution attack using KEPTE. Data Flow Diagram Tag Generation Attack Detection Verification Encoding Key Distribution Tag Generation Verification Attack Detection References A. Le and A. Markopoulou, “ Cooperative Defense against Pollution Attacks in Network Coding Using SpaceMac,” IEEE J. Selected Areas in Comm. on Cooperative Networking Challenges and Applications, vol. 30, no. 2, pp. 442-449, Feb. 2012. Q. Wang, L. Vu, K. Nahrstedt, and H. Khurana, “Identifying Malicious Nodes in Network-Coding-Based Peer-to-Peer Streaming Networks,” Proc. IEEE INFOCOM, Mar. 2010. S. Agrawal and D. Boneh, “Homomorphic MACs: MAC-Based Integrity for Network Coding,” Proc. Int’l Conf. Applied Cryptography and Network Security, June 2009. Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, “An Efficient Scheme for Securing XOR Network Coding against Pollution Attacks,” Proc. IEEE INFOCOM, Apr. 2009. F. Oggier and H. Fat hi, “ An Authentication Code against Pollution Attacks in Network Coding,” IEEE/ACM Trans. Networking, vol. 19, no. 6, pp. 1587-1596, Mar. 2011. Y. Li, H. Yao, M. Chen , S. Jaggi, and A. Rosen, “RIPPLE Authentication for Network Coding,” Proc. IEEE INFOCOM, Mar. 2010.
© Copyright 2024 Paperzz