Page 1: IIT Kanpur Hacker’s Workshop IITKHACK04 (pdfs.semanticscholar.org/6610/a294b4cd2e24f543b9de825ddf6efb446fe1.pdf)

Proceedings

IIT Kanpur Hacker’s Workshop

IITKHACK04

23 – 24 February, 2004

Department of CSE IIT Kanpur

Sponsored by

Prabhu Goel Research Centre for Computer and Internet Security

Indian Institute of Technology, Kanpur

http://www.security.iitk.ac.in/IITKHACK04/


Table of Contents: IIT Kanpur Hacker’s Workshop (IITKHACK04)

Message from Director, IIT Kanpur ........ i
Message from Programme Chair ........ ii

Contributed papers

Scout: An Improved Tool for Cracking WEP Keys
    K. Vikram ........ 1

Cryptanalysis for VarietyCash Transactions
    C. B. Pandey ........ 9

An Intelligent Text Data Encryption and Compression for High Speed and Secure Data Transmission over Internet
    V. K. Govindan and B. S. Shajee Mohan ........ 14

Steganalysis of LSB Encoding in Uncompressed Images by Close Color Pair Analysis
    S. Mitra, T. K. Roy, D. Mazumdar and A. B. Saha ........ 20

Characterization of stochastic properties of embedded message and the LSB pattern in colour and grayscale images
    C. Saha, N. Maji, A. Gupta, D. Mazumdar and A. B. Saha ........ 23

Eliminating Covert Channels in TCP/IP Using Active Wardens
    Sanjeev J. Wagh, Prashant M. Yawalkar and T. R. Sontakke ........ 28

An Experimental Analysis of Proactive Detection of Distributed Denial of Service Attacks
    Cobra Rahmani, Mohsen Sharifi and Tala Tafazzoli ........ 37

An Efficient and Secured Conference Key Agreement Protocol
    T. Purusothaman and S. Annadurai ........ 44


Post Office: I.I.T., Kanpur - 208016 (India)

Prof. Sanjay G. Dhande
Director

DIR/IITK/ /2004
February 17, 2004

MESSAGE

I am pleased to know that the Computer Science and Engineering Department is organizing a hackers' workshop (IITKHACK'04), under the sponsorship of the Prabhu Goel Research Center for Computer and Internet Security.

Security has become a serious concern in the last few years. As the use of Information Technology increases in the country and we move towards e-commerce and e-governance, we have to make sure that the IT infrastructure being created is secure and available. IIT Kanpur has been working on various aspects of security for several years now.

However, the activities got a boost when Dr. Prabhu Goel gifted one million dollars last year to set up a research center in IIT Kanpur, whose focus is computer and Internet security. This has brought together researchers from different disciplines.

I am sure that the Hackers' Workshop will bring together researchers in security to find solutions to various problems in this area.

I wish the workshop all success.

Sanjay G. Dhande



Message from the Program Chair

It is my pleasure to welcome all participants to IIT Kanpur Hackers' Workshop (IITKHACK'04). The workshop will focus on security issues, which is becoming a major concern as we move towards e-governance and e-commerce in the country. There is not sufficient appreciation of the role of ethical hackers, and through this workshop we want to encourage people to get involved in hacking responsibly.

During the workshop we have several invited talks. We have two very accomplished researchers talking about their research and the state-of-the-art in cryptanalysis. Dr. C. S. Jutla is coming all the way from IBM T J Watson Research Center in New York to give the keynote speech during the inaugural session. Prof. Bimal Roy leads one of the largest security groups in the country. He is a faculty member in ISI Kolkata. NSDL is perhaps the most security conscious organization in the country as they deal with dematerialized assets of more than a trillion rupees, and daily transactions of 10s of billions. Mr. Rajesh Doshi will tell us how they manage security in NSDL. It is said that future wars will be fought sitting in front of computer terminals. Enemies will try to break into the IT infrastructure of the opponent, and bring down all economic activity. Lt. Col. Samir Dhaga from Military College of Telecommunication and Engineering, Mhow, will give us a glimpse of what the Army is doing to defend its networks. Whenever there is a new technology, there will be people who will use it in disruptive ways. Cyber crimes are on the rise, and Mr. Manoj Agarwal from Gujarat Police will tell us how the police are fighting back, and give us a few tips on forensics.

We have technical sessions, consisting of invited papers also. We received over 60 papers. This was a large number considering that we sent the call for papers only in November, and gave only two months to people to submit papers. And also, security being an upcoming area, we expected that there would not be as many contributors. But we managed to get all the papers reviewed in time, and only eight papers could be selected for the technical program. There were many good papers, but we felt that we should only accept those papers which have a very significant contribution to make.

Finally, a hackers' workshop cannot be complete without a demonstration of hacking. We have a demonstration of hacking tools by a team from the security group in CDAC, Hyderabad.

We wish all our visitors a pleasant stay on the campus.

Dheeraj Sanghi
Technical Program Chair


SCOUT: AN IMPROVED TOOL FOR CRACKING WEP KEYS

K. Vikram

Department of Computer Science and Engineering
Indian Institute of Technology Kanpur

Kanpur 208016
Uttar Pradesh, India

Email: [email protected]

ABSTRACT

With Network Security becoming more and more important, most network protocols provide some level of security against attacks. The IEEE 802.11 protocol, designed for wireless local area networks, is no exception. In this protocol, the layer which implements this security is part of the data link layer and is called WEP, which stands for Wired Equivalent Privacy. As the name suggests, it was intended to provide as much privacy in a wireless system as in a wired one. Unfortunately, as is well known, it fell short of the claims of its designers. Although a lot has been said about the potential insecurity of WEP, few have actually implemented a direct attack on an actual system. Here we shall also describe a tool, Scout¹, which implements a particular attack and which cracks both the 5 byte and the 13 byte key of WEP with a greater probability than that of existing tools.

1. INTRODUCTION

With the advent of a large number of wireless technologies, wireless networking is becoming increasingly popular. The most popular protocol until a few years ago was Bluetooth[8], which was primarily used for short range digital communications, for instance to connect a mobile phone and a digital camera to a laptop. Towards the end of the last decade another protocol emerged, which could be used for communication over longer distances. The IEEE 802.11[11] protocol soon became a very popular standard for building wireless networks, and has also been used in applications where Bluetooth was used earlier. Even though most of the devices that implement these standards have been used indoors, there have also been attempts at using them outdoors and increasing the range at which these off-the-shelf wireless devices communicate.

As wireless devices percolate into the market and as more and more people start using them, there is an increasing demand for secure communication links. People using such devices for their businesses or other sensitive operations would sooner or later have to entrust their wireless systems with confidential data. If their networks are susceptible to malicious attacks, it would prove detrimental to them and their business. Even for home use, a user would find it highly desirable to prevent their neighbours from snooping into their networks. Security, therefore, is a prime concern for most users, more so for wireless networks, where one cannot impose a strict physical boundary on the data channel.

Communication protocol suites can be made secure at any of their layers. Introducing security features at the lowermost layers of the protocol stack would make the system more efficient, as much of the computation would then be done in the hardware. This would also reduce the load on the upper application layers, which can assume the link to be secure and not bother about security at all. The IEEE 802.11 committee probably had something of this nature in mind when they proposed the link layer security protocol, namely WEP[11]. WEP is not really what it claims to be, though. It is fraught with security loopholes which make it susceptible to attacks.

¹ A watcher who explores carefully in order to obtain information.

Highly secure protocols, though desirable in certain situations, can pose a challenge for Internet crime investigators and law enforcers. Using these protocols, criminal organizations can exchange messages that would be difficult to intercept. There have been raging philosophical debates on whether such security techniques should be made public or not, but we shall not get into that. Our primary purpose is to investigate the WEP protocol specifications and exploit its loopholes to make it possible to monitor traffic that is being sent over WEP. Of course, this is not as easy as it sounds, and if WEP is used in a very careful manner, cracking it might not be possible except with high computing power.

In what follows we shall learn in more detail about the IEEE 802.11 protocol in Section 2. In Section 3 we shall look at the security features of WEP and their shortcomings. In the section after that, we shall see how these shortcomings could be exploited to attack a system and obtain the secret key. Section 5 has more details of the actual implementation of the attack on a real 802.11 system.

2. IEEE 802.11

The IEEE 802.11b[11] standard contains the specification for the physical and media access layer of a wireless network. Since its release in 1997, it has been widely used for the formation of wireless networks and has become a de facto standard for the building of wireless LANs. The increased mobility that end users can enjoy has made the technology so attractive that it has replaced wired networks in many places. Also, with the proliferation of 802.11 compliant devices, wireless communication has become cheaper than wired communication in certain setups. There have also been successful attempts at using these devices, which were originally designed for indoor communication, for long range outdoor links. Apart from increased mobility and low cost, wireless networks are desirable also because of their flexibility. Setting up these networks takes much less effort than wired ones. On the fly ad-hoc networks have also become popular and there has been a lot of research lately in the area of mobile ad-hoc networks or MANETs. The IEEE 802.11 protocol provides almost all of the above functionalities, and therefore has two modes of operation, an infrastructure mode and an ad-hoc mode. The protocol has been designed in such a manner that to the upper layers it appears as a standard IEEE 802 LAN. Therefore the standard TCP/IP suite of protocols can be used over the MAC layer of the 802.11 standard.

The protocol, as mentioned above, can operate in one of two possible modes. In the ad-hoc mode, mobile stations form a network on the fly without any extra infrastructure. An instance of such a network could be in a meeting or a conference where people arrive with their mobile devices and share information among themselves without the need for any devices to be installed at the conference site. Such a network is known as an Independent Basic Service Set or IBSS in the terminology of the 802.11 standard.

The other mode of operation, the infrastructure mode, is more commonly used. A network in this mode consists of one or more Access Points (AP) which can optionally be connected to a backbone network. A mobile station will have to associate itself with one of these access points to be a part of this network. If more than one AP is visible to the mobile station, then it can choose to associate with any AP. The mobile node can also dissociate from an AP and re-associate with another AP when it changes its location, a handoff occurring in such a case. At any instant a station can be associated with only one AP. If the security layer is enabled then the station also has to authenticate to the AP. The security layer, known as WEP, is discussed in more detail in Section 3.

Once a station is part of the network it can send packets to any other node on the same network or even to the backbone network. All packets to and from a station are routed through the AP that it is associated with. In this mode, stations are not allowed to directly communicate with each other. Access Points have functionalities similar to those of the stations, plus some additional ones like bridging, etc. which enable them to forward packets either to other APs or to the backbone network. Further details about the protocol and the architecture of the system can be found in the IEEE 802.11 standard specifications manual.

3. WEP AND ITS INSECURITY [5, 12]

WEP, which stands for Wired Equivalent Privacy, is the security mechanism in the link layer of the 802.11 protocol. It was intended to provide as much privacy and security on a wireless medium as there is in the physical security inherent in a wired medium. The idea was, again, to make this protocol look like a standard Ethernet based LAN to the upper layers. The entire privacy hinges on a secret key which is known only to the users of the network. The knowledge of the key in the wireless domain, therefore, is analogous to physical access to the network wire on a wired local area network. A user who does not have physical access to the wire in a wired network would not be able to connect to it. Likewise, a user who does not possess the key would be unable to connect to the wireless network.

3.1. Properties of the WEP algorithm

The IEEE 802.11 standard specification mentions the following properties of WEP:

• It is reasonably strong. The security afforded by the algorithm relies on the difficulty of discovering the secret key through a brute force attack. This is in turn related to the length of the secret key and the frequency of changing keys.

• It is self-synchronizing. WEP is self-synchronizing for each message. In other words, nodes do not have to share state information in order to understand the encrypted ciphertexts sent by the other nodes, and if a couple of packets in between are missed, it does not affect the operation of the algorithm.

• It is efficient. The WEP algorithm can efficiently be implemented either in hardware or in software.

• It is optional. The WEP security can be turned off or on, as and when desired.

Most of these properties are accurate enough, except that the security provided is not as much as it should have been, primarily due to the combination of certain sound cryptographic primitives in insecure ways. We will visit the exact details of the weaknesses in the WEP algorithm in Section 3.2.

3.2. The theory of its operation [11]

Crucial to the operation of WEP is a stream cipher[10]. Stream ciphers possess certain features that sometimes make them the preferred mechanism of encryption. The stream ciphers are synchronous, since their key bit stream is completely determined by the random seed, which is the key. These ciphers are more amenable to formal and mathematical analysis and their encryption speed is much higher than that of block ciphers. In the WEP algorithm, a particular stream cipher known as RC4 is used for generating the key stream.

For discussing the cryptographic algorithm[5, 14], we start off by assuming that both the nodes which would like to communicate know the secret key, say k. Now, depending on the authentication mechanism, the station authenticates to the Access Point (AP). The standard specifies two kinds of authentication schemes, open system authentication and shared key authentication. The former is a trivial authentication algorithm that effectively does not provide any security. The latter uses the WEP algorithm and requires that WEP also be enabled when it is used. It is essentially a challenge response protocol in which the AP throws a plaintext as a challenge and the station encrypts it according to the WEP algorithm, using the secret key k, and sends it back to the AP, which checks if the challenge had been encrypted correctly. Once the station has authenticated to the AP, or if this is an instance of a communication between two APs, packet exchange can now begin.

Suppose the plaintext message that the sender wants to send is M. The sequence of steps that occur in the process are as follows.

Sender:

• First, compute the checksum C(M) of this message M and append it to the message. The checksum algorithm is independent of k.


• Choose a random number v of a fixed length and prepend it to k. Call this random number the Initialization Vector or IV.

• Compute the RC4 keystream using this combined key, <v, k>.

• Compute <M, C(M)> ⊕ RC4(<v, k>). This is the ciphertext, K. Transmit this and the IV, v, over the wireless link.

Receiver:

• Knowing v (from the message) and k (shared), compute RC4(<v, k>).

• Compute K ⊕ RC4(<v, k>) to obtain <M′, C′>.

• Check if C′ = C(M′). If it is, then accept the message M′, otherwise drop the packet.

The particular checksum algorithm used in the standard is the CRC-32 algorithm, whose output is 4 bytes. The size of v is usually 24 bits and the size of k is either 40 bits or 104 bits, depending on the mode that the system is running in.

3.3. Problems with WEP and related attacks [7, 5]

The security issues that WEP addresses can broadly be divided into three categories, namely privacy, data integrity and access control. Unfortunately, it seems, none of these issues are successfully addressed by WEP. Its loopholes are as follows.

With respect to Privacy:

• We can obtain more than one packet with the same key stream used for encryption and mount a dictionary based attack. Key Idea: (A ⊕ X) ⊕ (B ⊕ X) = A ⊕ B. Why is an IV used at all? Suppose we didn't use one; then all ciphertexts would have been produced with the same key stream. Instead of decrypting the packets, if one simply obtains the XOR of two encrypted packets, he would obtain the XOR of the plaintexts, as shown in the equation above. Then by some statistical analyses, he could infer what the plaintexts were. Quite often the IP packets contain redundant data, and predicting their headers is possible.

So the designers of WEP included this IV, so that the key streams are not generally identical for two packets. Unfortunately the IV space is typically only 24 bits, and so after 2^24 or 16 million packets we would have to repeat the IV. Thus it is practical to obtain many ciphertexts with the same IV and hence the same key stream. Moreover even if the same machine is not reusing the IV, other machines might be using it at the same time. Also the IV values are not that random. In the worst case each access point might reuse its IV after around 5 hours. So obtaining packets with the same IVs and therefore the same key streams is still easier. All this would be passive. We could even mount an active attack where we send some text that we are aware of. We then sniff the ciphertext off the air.

After statistical analysis, when we get the plaintexts, we automatically get the key stream corresponding to a particular IV as well. We can create a dictionary of IVs and key streams. This dictionary is enough for our purposes, although we do not know the key. The size of the dictionary would approximately be 2^24 × 1500 ≈ 25 GB, which is quite a manageable size.

Not only this. Armed with this information, we can according to [6] also figure out the secret key, k, used on the network. For this we actually do not need the entire key stream (practically around 1500 bytes, the maximum size of a packet), but just the first word of the key stream. The idea behind this is, as explained in [6], that there are classes of weak IVs which leak some information about the bytes of the key. This idea has been implemented in Airsnort[1] and even in Scout. The theoretical details of these weaknesses of the RC4 algorithm will be discussed in Section 4.1.

• Fool the Access Point (active): Once we authenticate ourselves to the network (authentication spoofing; refer to problems with access control mechanisms), we can change the destination IP field of an encrypted packet read off the air (by using the technique mentioned in the next section) to send it to one of our machines out on the Internet through the base station (or AP). We can also change the port number to 80, in case the firewall in between causes a problem. The access point will happily decrypt it and send it to our machine on the Internet.

• Double Encryption (active): We can do the reverse of the above. After sniffing a packet off the air, we send that packet from an Internet connection to our mobile host (which is assumed to be authenticated). The AP will encrypt the packet again, effectively decrypting it. The problem with this is the usage of the same IV. Getting the timing right is quite difficult.

• Reaction Attacks (active): We flip just two particular bits in the encrypted packet, such that the checksum is maintained, and send it to some station. By going into the details of the CRC-32 algorithm, we can convince ourselves that if the XOR of the corresponding plaintext bits was 0, then the station will drop the packet. Otherwise it will return an ACK. By observing this reaction for a whole lot of transformed packets, we can figure out which bits were flipped and therefore learn the key stream and the plaintext.

• Bad Key Management & Another Dictionary Attack: The WEP key, k, is usually required to be entered manually. So we can expect easily memorable keys to be used. Moreover, these common strings are often not even hashed to obtain a key; instead their ASCII equivalent is directly used. A dictionary of possible keys can also prove to be another method of intrusion into the network.

With respect to Integrity:

• We can change parts of the message and fix the checksum to reflect those changes. Key Idea: C(A ⊕ B) = C(A) ⊕ C(B). The problem arises because the CRC-32 algorithm is linear, as shown above. So if I decide to change some bits of a message, say A, then I will first construct a bit sequence B which has 1s in the positions which I want to flip. Then I generate C(B) and XOR it with C(A). This again means flipping some bits in C(A). The effect of flipping bits would be the same whether it is done before the encryption or after. Therefore even if we XOR C(B) with X ⊕ C(A), the effect will be the same.

This attack can be used maliciously if additional knowledge of the packets is available. For example, we can change just the command bits of a telnet session packet to make the server run whatever we want.
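As an added illustration of the integrity weakness just described (constructed example, not code from the paper or from Scout), the following checks the linearity of CRC-32 with Python's zlib and shows why a flip mask on the encrypted <M, C(M)> survives the receiver's check while a keyed MAC rejects it. The frame, the random stand-in keystream and the MAC key are constructed values.

```python
"""Why CRC-32 gives WEP no integrity (Section 3.3): the checksum is linear,
so a bit-flip mask applied to the encrypted <M, C(M)> can be paired with a
fixed correction to the encrypted checksum, with no key or keystream needed.
A keyed MAC does not have this property. Constructed example; not code from
the paper."""
import hashlib
import hmac
import os
import zlib


def crc(m: bytes) -> int:
    return zlib.crc32(m) & 0xFFFFFFFF


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_delta(mask: bytes) -> int:
    """Change in C(A) caused by flipping the bits set in `mask`.

    The paper states C(A xor B) = C(A) xor C(B). For the standard CRC-32
    (initial value 0xFFFFFFFF and final XOR) the identity is affine:
        C(A xor B) = C(A) xor C(B) xor C(0^n)     for equal length n,
    so the correction is C(B) xor C(0^n), not C(B) alone."""
    return crc(mask) ^ crc(bytes(len(mask)))


def encapsulate(m: bytes) -> bytes:
    """<M, C(M)> as WEP builds it before encryption (checksum little-endian)."""
    return m + crc(m).to_bytes(4, "little")


def checksum_ok(payload: bytes) -> bool:
    """The receiver's check C' = C(M')."""
    m, chk = payload[:-4], payload[-4:]
    return chk == crc(m).to_bytes(4, "little")


def flip_under_encryption(ciphertext: bytes, mask: bytes) -> bytes:
    """XOR `mask` into the encrypted message and crc_delta(mask) into the
    encrypted checksum. Because XOR commutes with the keystream, the
    receiver decrypts to <M xor mask, C(M xor mask)> and accepts it."""
    delta = crc_delta(mask).to_bytes(4, "little")
    return xor(ciphertext, mask + delta)


def keyed_tag(key: bytes, m: bytes) -> bytes:
    """What a link layer should use instead: a keyed MAC (HMAC-SHA256 here),
    which is not linear, so the same flip cannot be corrected without the key."""
    return hmac.new(key, m, hashlib.sha256).digest()


def demo() -> tuple:
    """Constructed frame: change 'public' to 'secret' in the path without
    touching the keystream. Returns (plaintext the receiver sees,
    CRC accepted?, HMAC accepted?)."""
    m = b"GET /public/a.txt"
    keystream = os.urandom(len(m) + 4)        # stand-in for RC4(<v, k>)
    c = xor(encapsulate(m), keystream)
    mask = b"\x00" * 5 + xor(b"public", b"secret") + b"\x00" * 6
    forged = xor(flip_under_encryption(c, mask), keystream)   # receiver side
    mac_key = os.urandom(16)                   # constructed MAC key
    mac_ok = hmac.compare_digest(keyed_tag(mac_key, m),
                                 keyed_tag(mac_key, forged[:-4]))
    return forged[:-4], checksum_ok(forged), mac_ok


if __name__ == "__main__":
    seen, crc_ok, mac_ok = demo()
    print(seen, "CRC accepts:", crc_ok, "HMAC accepts:", mac_ok)
```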

With respect to Access Control:

• The authentication mechanism is flawed. If I sniff the packets in an authentication session, then I have both the plaintext and ciphertext for a particular IV. From this I can figure out the key stream and use this key stream to authenticate myself as well.

• By building the dictionary as mentioned above, we can even construct packets. In fact for this only a single IV would be enough. Once we can construct packets and also read them, even if we have no knowledge of the key, we can use this network for our purposes. The authentication protocol itself provides us with one such plaintext/ciphertext pair.

4. THEORY BEHIND THE IMPLEMENTED ATTACK [9]

Most of the attacks given in Section 3.3 were statistical in nature. Although so much has been said about the insecurity of the WEP algorithm, it is not trivial to actually crack a WEP key in practice. There are many problems involved, some of them even theoretical in nature, due to the probabilistic nature of the attack.

One has to decide what one wants from an attack. There are two possibilities. Either you would be satisfied by obtaining the capability of reading off the plaintext data from the encrypted data and possibly injecting encrypted traffic into the network, without ever getting to know the WEP secret key. Or you wouldn't rest in peace till you get to know the secret key, after which doing anything would be possible.

As regards the former, a lot of techniques are discussed in Section 3.3, which try to get hold of ciphertext/plaintext message pairs. From these we obtain the RC4 stream's first couple of thousand bytes, which suffice for decrypting and encrypting packets with the IV used in the pair. Most of the attacks in this category were active in nature. Active attacks are more difficult than passive ones for two reasons. One is that such attacks are more traceable, and secondly they are sometimes difficult to implement, requiring fiddling with the low level driver software or even firmware on the card. For these reasons, mostly passive attacks are spoken of.

The only public domain software tools[3] for attacking WEP all use a particular passive method of procuring the secret key. All of them make use of the theoretical results given in [6]. The attack described here relies heavily on the weaknesses in the RC4 algorithm itself, and without understanding them one cannot really appreciate the details of the attack. This attack is popular for the simple reason that it is the most powerful and gets us straight to the secret key. Airsnort[1] is one such open source cracking tool which implements this attack. Our tool is an improvement over Airsnort and makes use of the same theoretical results stated in [6].

4.1. The RC4 algorithm and its weakness [11, 6]

RC4, designed by Ron Rivest in 1987, is a particular stream cipher. In other words, the RC4 algorithm takes as input a random seed of any length and outputs a pseudo-random number sequence. The random number sequence acts like a key stream for the encryption algorithm of WEP as explained in Section 3.2. RC4 consists of two parts, a key scheduling algorithm (KSA) which turns a random key (whose typical size is 40 − 256 bits) into an initial permutation S of {0, ..., N − 1}, where N is a power of 2 and is typically 256. The other part is a pseudo-random number generator (PRGA), which uses this permutation to generate a pseudo-random number sequence. The KSA and the PRGA algorithms are shown in Figure 1.

KSA(K)
  Initialization:
    For i = 0 .. N − 1
      S[i] = i
    j = 0
  Scrambling:
    For i = 0 .. N − 1
      j = j + S[i] + K[i mod l]
      Swap(S[i], S[j])

PRGA(K)
  Initialization:
    i = 0
    j = 0
  Generation loop:
    i = i + 1
    j = j + S[i]
    Swap(S[i], S[j])
    Output x = S[S[i] + S[j]]

Figure 1: The KSA and the PRGA Algorithms (all index arithmetic is modulo N; l is the key length in words)

The PRGA initializes two indices i and j to 0 and then loops over four simple operations which increment i as a counter, increment j pseudo randomly, exchange the two values of S pointed to by i and j, and output the value of S pointed to by S[i] + S[j]. The KSA consists of N loops that are similar to the PRGA round operation. It initializes S to be the identity permutation and i and j to 0, and applies the PRGA round operation N times, stepping i across S, and updating j by adding S[i] and the next word of the key (in cyclic order). Each round of the KSA is called a step.
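The KSA and PRGA of Figure 1 written out in Python, and used to carry through the WEP sender and receiver steps of Section 3.2 and the keystream-reuse identity (A ⊕ X) ⊕ (B ⊕ X) = A ⊕ B of Section 3.3. This is an added, constructed example rather than code from the paper or from Scout; the key, IV and frame contents are constructed values, and the CRC-32 comes from Python's zlib.

```python
"""RC4 (the KSA and PRGA of Figure 1) driving the WEP sender and receiver
steps of Section 3.2, plus the keystream-reuse identity of Section 3.3.
Constructed teaching example; not code from the paper or from Scout."""
from typing import List, Optional, Tuple
import zlib

N = 256  # size of the RC4 permutation S; all index arithmetic is modulo N


def rc4_ksa(key: bytes) -> List[int]:
    """KSA(K): turn the key <v, k> into the initial permutation S."""
    l = len(key)
    s = list(range(N))                       # S[i] = i
    j = 0
    for i in range(N):                       # scrambling loop
        j = (j + s[i] + key[i % l]) % N
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """PRGA: emit n keystream bytes from the permutation built by the KSA."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % N
        j = (j + s[i]) % N
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % N])
    return bytes(out)


def crc(m: bytes) -> bytes:
    """C(M): the 4-byte CRC-32 checksum, independent of the key."""
    return zlib.crc32(m).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(k: bytes, v: bytes, m: bytes) -> Tuple[bytes, bytes]:
    """Sender: append C(M), XOR with RC4(<v, k>), transmit <v, ciphertext>."""
    assert len(v) == 3 and len(k) in (5, 13)  # 24-bit IV, 40- or 104-bit key
    payload = m + crc(m)
    return v, xor(payload, rc4_keystream(v + k, len(payload)))


def wep_decrypt(k: bytes, v: bytes, c: bytes) -> Optional[bytes]:
    """Receiver: recover <M', C'> and accept only if C' = C(M')."""
    plain = xor(c, rc4_keystream(v + k, len(c)))
    m, chk = plain[:-4], plain[-4:]
    return m if chk == crc(m) else None


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two frames sent under the same IV share the keystream X, so
    (A xor X) xor (B xor X) = A xor B: the XOR of the two plaintexts leaks
    with no knowledge of k (the privacy weakness of Section 3.3)."""
    return xor(c1, c2)


if __name__ == "__main__":
    k = b"\x01\x02\x03\x04\x05"      # constructed 40-bit key
    v = b"\x0a\x0b\x0c"              # constructed 24-bit IV
    a, b = b"GET /index.html ", b"POST /login.cgi "
    _, ca = wep_encrypt(k, v, a)
    _, cb = wep_encrypt(k, v, b)     # same IV reused: same keystream
    assert wep_decrypt(k, v, ca) == a
    assert keystream_reuse_leak(ca, cb)[:len(a)] == xor(a, b)
    print("plaintext XOR recovered without the key:", xor(a, b).hex())
```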

We shall now look at a particular key attack that is mounted by most tools available for this purpose, including ours. We will assume that the same secret key is used with numerous different initialization vectors, as is done in WEP, and the attacker knows the first word of RC4 output corresponding to each initialization vector. Armed with this the attacker can reconstruct the secret part of the key.

The attack is as follows. Suppose we know the firstA words ofthe secret key (K[3], ..., K[A + 2]; with A = 0 initially) and wewould want to know the next word,K[A + 3]. We run the KSAfor IVs of the form (A+3,N −1, X) for various different valuesof X. At the first stepj is advanced byA + 3, and thenS[i] andS[j] are swapped, resulting in the key setup state shown in Figure2. The array on the top is is the secret key prepended with the IVand the array below is a window into the permutation where thepointersi andj are shown.

Then, on the next step,i is advanced, and then the advance onj iscomputed, which comes out to be0 (moduloN ). Subsequently,S[i] andS[j] are swapped, resulting in the permutation as givenin Figure 3.

Following this, at the next step,j is advanced byX + 2, whichmeans that for eachX, j is assigned a different value and forall further steps in the KSA, each IV acts differently. Since theattacker knows the value ofX and K[3], ...K[A + 2], he cancompute the exact behaviour of the key setup until he reachesstepA + 3. At this point, he knows the value ofjA+2 and theexact values of the permutationSA+2. If the value atSA+2[0] orSA+2[1] has been disturbed, the attacker discards this particularIV. Otherwise,j is advanced bySA+2[i] + K[A + 3], and thenthe swap is done, resulting in the permutation given in Figure 4.

The attacker now knows the permutationSA+2 and the value ofjA+2. In addition, if he knows the value ofSA+3[A + 3], heknows its location inSA+2, which is the value ofjA+3, and hencehe would be able to computeK[A + 3]. We also mention here,without proof, that in such a condition the attacker can obtain thecorrect value ofK[A + 3] with a confidence level of5%. By ob-serving enough IVs with the above configuration, the attacker canget to the value ofK[A] with a fair amount of confidence. Whatis given here is a brief idea of the attack and for the interestedreader, further details about the weakness of the RC4 algorithmand related attacks can be found in [6].

It is worth noting that the IVs that reveal key bytes are not just the kind that have been mentioned here. In fact, any IV of n words that, after n steps, leaves S_n[1] < n and S_n[1] + S_n[S_n[1]] = n + B will be good enough for the above attack. Here B is that byte of the secret key that we are seeking. Such IVs are more popularly known as weak IVs. IVs of the form (A + 3, N − 1, X) form a subset of the set of weak IVs. Thus if one has fewer IVs to go by but has enough computing power, then he can extract information from all such IVs.

5. IMPLEMENTATION DETAILS OF THE ATTACK

The actual implementation of the attack, from streamlining the operation of collecting the packets to arriving at the actual secret WEP key, involved a lot of effort. Though theoretically the attack seems quite feasible, there are quite a few practical difficulties. The major difficulty lies in the fact that the cracking operation is highly probabilistic and one can never be sure if he has enough packets to arrive at the key. In the following sections we shall look at the specific implementation issues that came up during the development and testing of the tool.

5.1. Sniffers

For the purpose of collecting enough packets, a packet sniffer for wireless interfaces was required. There are a host of such sniffers available, quite a lot of which are open source as well. Sniffers are nothing but programs which put the network device on which they are sniffing into what is known as promiscuous mode. In promiscuous mode, a network device will read all packets on the medium whether they are addressed to it or not. For wireless network cards, this is typically known as RF monitoring mode. Although any of these sniffers could have been used for our purposes, a sniffer customized for our needs would be more efficient and sufficiently flexible. Moreover, with the availability of a packet capture library such as pcap, writing a sniffer of our own is quite easy. An additional issue for wireless cards is that putting them into RF monitoring mode requires support from the driver. We used the Linux wlan-ng driver [15] along with a wireless card with a Prism2 chipset, as this combination was the most convenient among others.

5.2. Description of Scout

Scout, the tool we have developed for cracking WEP keys, has two components. One is the sniffer, which can be deployed on a separate machine to incessantly listen for packets on the wireless medium. The sniffer logs three pieces of information corresponding to each encrypted data packet: the Initialization Vector used to encrypt that packet, the first byte of the encrypted part of the packet and the BSSID of the AP to which this packet belongs. All packets which do not possess these pieces of information, possibly because they are not encrypted at all, are simply ignored. These three information fields add up to 10 bytes per packet. Therefore only 10 bytes of data are kept for each packet and the rest is discarded. This ensures that a considerable amount of relevant data can be collected without using too much disk space. On a 10 Mbps connection used under full load, assuming an average packet size of 1 KB, a maximum of 1 GB of disk space would be used up if the sniffer is left running for a day. Other than this information, some number of full encrypted data packets corresponding to each BSSID are also stored, so that they can later be used to verify the secret key. In our tool, we store up to 10 encrypted packets for each AP in the network.

The mechanism for verifying a secret key, once you have the packets, is quite straightforward. All that one has to do is to decrypt a packet assuming that the given key was the one actually used for encrypting it, and check whether the packet checksum is correct. If it is, then it is very likely that the given key was used for encrypting this packet. The same operation can be performed on a few more packets, and if the results concur, then we can be pretty sure that the key is correct. If indeed that was the key used for encryption, then for all the packets the checksum should match correctly. In our case, where we check against 10 different packets, the probability that an incorrect key is passed off as correct is too small to be of any significance.

The second component reads the information that the first part has dumped into a file, for its processing. It first separates out the information for each BSSID and also checks for the weak IVs. The


Figure 2: State of the permutation after the first step of KSA (i = 0, j = A + 3)

    index:   0      1      2      3      ...   A+3
    key:     A+3    N−1    X      K[3]   ...   K[A+3]
    S:       A+3    1      2      ...          0

Figure 3: State of the permutation after the second step of KSA (i = 1, j = A + 3)

    index:   0      1      2      ...   A+3
    S:       A+3    0      2      ...   1

Figure 4: State of the permutation after the (A + 3)th step of KSA (i = A + 3)

    index:   0      1      2      ...   A+3
    S:       A+3    0      S[2]   ...   S[j]

criteria for the weakness of IVs are described in detail in Section 4.1. This tool actually operates in one of two possible modes. In the faster mode, the set of IVs recognized to be weak is a subset of all the weak IVs. The testing of such IVs can be done with very little computation and is used by Airsnort [1] to check for IV weakness while sniffing packets itself. Such IVs can also be classified as to which key byte they reveal. In the other, enhanced mode, the exact criterion for weakness as given at the end of Section 4.1 is used. As the program reads the file, it builds the data structures which systematically keep track of such information as which IV would reveal information about which byte and for which AP. No information is gleaned from the packets whose IVs are not weak. After the file has been read, the structures are all ready to be used for the cracking procedure. The advantage of having two different components is that they can be run on different machines. Existing tools have both these functionalities combined into one program. This would not be appropriate when we would like to run the sniffer on a small Linux box with high speed network cards but low computational power. With our design, it would be possible to run the sniffer on a separate machine that could be placed anywhere and would dump its data into a central location. From that location, the cracker running on a high performance machine can read off this data and crack the key. In many cases, especially while cracking the 13 byte key of WEP, the time required for cracking might be very high and might run into weeks. For such instances, we can also run the cracker on a computational grid that might be geographically distant from the site where the packet data is collected. This would be possible since the rate of output of information from the sniffer is low enough that the data can be sent over the Internet. Scout, therefore, is a potentially powerful tool that can be used to crack virtually any 802.11 network secured using WEP.

The cracking procedure is the same as discussed in Section 4.1. To obtain the first word (a byte in this case) of the RC4 key stream output, we need to know the first byte of the data part of the unencrypted packet. If we XOR that with the first byte of the encrypted packet, we get the first byte of the key stream. Incidentally, all 802.11 data packets begin with the SNAP header, the first byte of which is 0xAA. So knowing this we can always infer the first byte of the RC4 output.

The cracking algorithm, which makes use of results from Section 4.1, is shown in Figure 5:

The function checkKey checks if the key is correct using the mechanism for checking keys given earlier and returns SUCCESS if the key is correct and FAILURE otherwise. The suggestForIV function takes in an IV, checks for its weakness and returns the value of the key byte it suggests, using also the first word of the corresponding RC4 key stream output. This value is correct around 5% of the time. In the enhanced mode, each IV collected is checked for weakness on the fly, whereas in the faster mode the IVs would be statically checked for weakness and classified depending on which key byte they reveal. The function sort sorts the input array using the frequency value to define an ordering among the elements. The function breadth returns the search breadth corresponding to a particular key byte and can in general depend on how much information


TryByte(whichByte, guess, keyLength):
    /* all bytes guessed: verify the candidate key against the stored packets */
    if (keyLength == whichByte)
        return checkKey(guess, keyLength);

    /* reset the vote table for this key byte */
    for i in 0..255
    begin
        bytes[i].index = i;
        bytes[i].frequency = 0;
    end

    /* every weak IV votes for the key byte it suggests */
    for each weak IV, v
    begin
        suggestedByte = suggestForIV(v);
        bytes[suggestedByte].frequency++;
    end

    /* sort using the bytes[i].frequency */
    sort(bytes);

    /* try the most frequently suggested values, as many as breadth() allows */
    for i in 0..breadth(whichByte)
    begin
        guess[3 + whichByte] = bytes[i].index;
        if (TryByte(whichByte + 1, guess, keyLength) == SUCCESS)
            return SUCCESS;
    end
    return FAILURE;

Figure 5: The Cracking Algorithm

is there to reveal that byte. TryByte is a recursive function and is initially called as TryByte(0, guess, keyLength), where keyLength would either be 5 or 13 depending on the mode that WEP is being used in. When the function returns SUCCESS, the parameter guess would contain the secret part of the key.

The above procedure is almost the same as the one used by Airsnort [1], except that the breadth parameter for each recursive call is a variable in our case, instead of a constant value as in Airsnort. This breadth parameter can be chosen intelligently for each key byte, depending on how much information has been revealed for that byte. We have used a heuristic for the breadth parameter which works well for us but which can be further tuned for other setups. If the number of IVs that reveal information about this byte is greater than 25, we let the breadth remain as it is. If it is between 8 and 25, we set the breadth equal to the number of IVs. This means that all the bytes suggested by some IV or the other are checked for correctness. If the number is below 8, then we conclude that enough information is not available for this byte and we perform a blind search only for this byte. Such an arrangement would especially be useful in cases when the packets do not seem to be enough to crack the key and a somewhat blind search has to be performed on particular key bytes only. The design of Scout is also more suited for such cases, in which the cracker, which requires high computational power, can run on a different machine than the one which is sniffing.

The tool was tested by running it on a Compaq laptop with the Linux operating system. Two wireless cards were plugged into this machine, with one of them sniffing packets from the air and the other injecting packets into the wireless network. Netperf [13], a network throughput analyzer, was used for injecting packets into the network. For the 5 byte key, packets collected over a period of 4 hours were enough to crack the key in a few seconds. For the 13 byte key, packets collected for around 15 hours were enough to crack the key in about 50 hours.

6. CONCLUSION AND FUTURE WORK

Considering the performance of our tool, it is clear that the security offered by WEP can be bypassed with little effort. WEP, therefore, is not a complete solution to protect wireless networks from attacks. Moreover, it has been noticed that most wireless networks do not even have WEP enabled, simply because it is not enabled by default. The manual key exchange and key management involved bring in a human element, and this increases the scope for a compromise in security. Nevertheless, even proper key management does not ensure complete safety against attackers. With a reasonable amount of computational power most wireless networks could be broken even if their owners are careful in configuring security using WEP. For instance, the cracker part of the tool can be comfortably parallelized and run on a cluster or a grid. Such a mode of operation would lead to a dramatic decrease in the time required to obtain the secret key of a network. Parallelizing the cracking algorithm is conceptually simple. All that has to be done is to break up the search space of keys into disjoint parts and search for the key in each of them in parallel. Since the searches in each of them are independent of each other, the communication between the parallel threads is practically zero. Parallelizing the algorithm is something that has still not actually been attempted and is a promising lead that might conclusively demonstrate the complete insecurity of the WEP algorithm.

Keeping the insecure nature of WEP in mind, a new 802.1X [4] standard has been proposed that is aimed at providing enhanced security [2]. This standard makes use of user authentication and dynamic key exchange. This is currently supported using the Extensible Authentication Protocol (EAP) [2] available in various Remote Authentication Dial-In User Service (RADIUS) [2] implementations. In this authentication method, with the help of a centralized EAP/RADIUS server, a different set of encryption keys is negotiated for each session. Therefore, if the key is at all leaked, only the data of that session is vulnerable. Other standards are also under review, but none of them have actually been approved as yet. Meanwhile, the best security solution is to encrypt at higher layers. End to End Security by using Public Key Infrastructures (PKI) or the use of Virtual Private Networks (VPN) are currently the safest approaches to protect a wireless network against attacks, and they would be so for at least a few more years.

7. REFERENCES

1. Airsnort. http://airsnort.shmoo.com/.

2. The Unofficial 802.11 Security Web Page.

3. Wireless Technology Comparison.

4. 3COM. 802.1X Security - Designing a Secure Network.

5. Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting Mobile Communications: The Insecurity of 802.11. http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html, 2001.

6. Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. Lecture Notes in Computer Science, 2259, 2001.

7. Ian Goldberg. The Insecurity of 802.11.


8. J. Haartsen, M. Naghshineh, J. Inouye, O. Joeressen, and W. Allen. Bluetooth: Vision, Goals, and Architecture. Mobile Computing and Communications Review, October 1998.

9. David Hulton. Practical Exploitation of RC4 Weaknesses in WEP Environments, February 2002.

10. Michael R. A. Huth. Secure Communicating Systems: Design, Analysis and Implementation. Cambridge University Press, 2001.

11. IEEE Computer Society LAN MAN Standards Committee. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Std. 802.11, 1997.

12. Intel Corp. Overview of IEEE 802.11b Security.

13. Rick Jones. Netperf. http://www.netperf.org/.

14. Adam Stubblefield, John Ioannidis, and Aviel D. Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP.

15. Absolute Value Systems. Linux wlan-ng. http://www.linux-wlan.com/linux-wlan/.


CRYPTANALYSIS FOR VARIETYCASH TRANSACTIONS

Chandra Bhusan Pandey

Indian Institute of Information Technology-Calcutta

ABSTRACT

Electronic Payment Systems have long since paved the pathway for Electronic Commerce and for the technologies for card-based and network-based transactions. VarietyCash is yet another multi-purpose electronic payment system which guarantees a secure incorporation of the Merchant, the Bank and the Customer while providing anonymity in e-Money transactions.

However, there exist security flaws and redundancies in the cryptographic transaction protocols of the system, which need to be analyzed and altered to achieve a robust and attack-proof message exchange. The online transactions part of the system, which is network based, is vulnerable to attacks, viruses and other adversarial effects which might infringe on the integrity of the data involved. In this paper a close analysis of the existing protocols is provided, followed by an easy implementation of a new, secure protocol which does not involve any redundancies.

1. INTRODUCTION

1.1 The VarietyCash System

The Multi-Purpose Electronic Payment system proposed by BELLARE et al. [1] ensures anonymity through some degree of trust shown by the participating parties. It integrates the Network based and the Card based systems to provide a fully functional and versatile inter-operating system. There are three major entities in this system, viz. the Issuer, the Merchant and the Customer (Card holder). The online system involves interactions among these three entities. Anonymity by trust is a major aspect of this system: the Issuer holds the Master Key and maintains a Coin database where all the spent coins are recorded. The Merchant checks with the Issuer for any coin that has not previously been spent. The coins are dispensed corresponding to the Withdrawer's ID and this data is stored in a separate database, from which the Merchant inquires about double spending. Moreover, the coins may be paid in a variety of ways (refer to [1] for more detail). The inference we are looking to exploit in this system is that the service provider is deemed to be a trusted entity. For secure transmission of data, cryptographic means are adopted which use the shared secret key, which might be (as we will see in the later sections) vulnerable to Replay attacks and/or be affected by illicit attacks, thereby increasing the Debit of the customer or having the encrypted data modified [4]. Moreover, there exist problems in handling a lot of transactions quickly and securely; thus there is a need to reduce the number of messages in the protocols and at the same time upgrade the security and robustness of the system. The protocol proposed for the two major processes in this e-Money system, viz. the Purchase and the Payment, resembles the CCITT X.509 [2] protocol with minor alterations. The BAN logic [3] justifies this protocol.

1.2 Organisation of The Paper

In this paper the main focus is on the message exchange protocols in the Network based part of the transactions, as the CardCash system is offline and is generally not in the eye of the attacker; attacks on it would involve attempts to break into the smart cards or to affect the Load/Unload Server, which transits the cash. The paper is segmented as follows: in the first section the meaning and usage of VarietyCash is explained; the second section deals with an analysis of the Purchase and Payment protocols, which are online processes; the third section deals with the new proposed protocol for the same; in the fourth section a BAN analysis of the new protocol is examined; and finally the concluding section.

2. EXISTING PROTOCOL SECURITY ANALYSIS

Our major focus in this paper is on evaluating the security flaws that could be exploited by potential attackers to break into the system by some falsified authentication, resulting in a modification of the encrypted data to their own desires. However, it is worth noting that such acts are not meant for personal gains, and the malicious intruder can go no further than to disrupt a single transaction. Having said this, we would focus only on the security primitives and pitfalls that would allow such malicious activities to be carried on. The mainframe of the processes involved abides by the legal aspects of e-money transactions and needs no subsequent change. Thus this section is built upon the proposals for VarietyCash as suggested by BELLARE et al. [1].

2.1 Coins, Keys and Cryptographic Primitives

The VarietyCash system uses an e-Coin, which is a unique cryptographic token and is considered the encoded form bearing relevance to the customer ID and the value of the transaction requested. This object bears an identifier (serial number and counter) called the Coin ID, the Amount (denomination) to be transacted, the Expiry Date of the e-Coin and an Authentication cryptographic tag computed with a MAC (message authentication code) using Triple DES on the rest of the information, under the symmetric key which is kept secret by the Issuer.


Figure 1. MAC computation over the Coin: the Triple DES MAC is computed over the fields Random, Coin ID, Amount and Expiry Date, producing the authentication TAG.

Keys:

  PK_X, SK_X   Public and Secret keys of party X
  Cert_X       Public Key Certificate of party X issued by the CA, which includes X, PK_X and the signature of the CA on PK_X

Cryptographic Primitives:

Table 1. The cryptographic primitives used in the VarietyCash transactions, specifying the encryptions and signatures used.

  H(.)       A strong one-way hash function (random value)
  E_x[P]     Plaintext (P) aware encryption under PK_x
  S_x(M)     Digital signature of the hashed message (M) with respect to SK_x
  E_k<P>     Symmetric key (K) encryption of the plaintext (P), using Triple DES
  mac_k(P)   Message authentication code of P taking key K

E is used to encrypt the plaintext, and the decryption either results in the plaintext itself or in a flag for non-validity. According to [1], all the messages are plaintext aware, which means that a correct decryption of E will result in the original plaintext, and this is how the party would know that the transmitter is aware of the original plaintext.

The ciphertext, on the other hand, cannot be altered to yield a plaintext that would be the same as the valid one (it does provide non-malleability [1]). This awareness is a robust means for fool-proof security. Moreover, the randomized function E generates a differently encrypted value for each plaintext message. Finally, this encryption provides NO non-repudiation.

Figure 2. Transactions of the Purchase process: the Withdrawer, the Issuer and the Bank exchange 1. Coin Request (Withdrawer to Issuer), 2. ACH Request (Issuer to Bank) and 3. Issuance (Issuer to Withdrawer).

2.2. Purchase Protocol Analysis

As I mentioned above, there are two generic processes involving e-monetary transactions, the Purchase and the Payment. All the details for these processes apply as in [1], but within the domain of our analysis lie certain cryptographic fields, which we shall consider prior to taking up the protocol study.

Figure 3. Message flow for the Purchase process
  1. WD --> I  : E_I[ID_WD, K_WD]
  2. I --> WD  : E_WD[ID_I, K_I, R_I]
  3. WD --> I  : E_K<W-Desc, S_WD(ID, R_I, W-Desc)>
  4. I --> B   : ACH-Request
  5. I --> WD  : E_K<coin1 ... coin n>, mac_K(ID, Enc C)
  6. WD --> I  : mac_K(ID_WD, R_I)

Table 2. Cryptographic Fields for the Purchase protocol

  W-Desc     amount, denomination, authorization info
  R_X        Random challenge generated by X
  K_X        Random number chosen by X
  K          Session key obtained by XORing K_WD and K_I
  Enc C      The encrypted coins of message 5
  Cert_X     Public key certificate of party X

In the Purchase process the steps are as follows:

• The Withdrawer (WD) encrypts his ID and a random number chosen by him with the public key of the Issuer.

• The Issuer again uses plaintext aware decryption to get the public key of WD (from his ID) and encrypts a chosen random number (K_I) and a random challenge chosen by him (R_I, which acts as a nonce to ensure freshness) along with his ID, under the public key of the WD. Note that there exists a vulnerability in the use of such a nonce, which will be analysed later in the section.

• The WD, after validating the Issuer's ID (ID_I, checking that it is not a bogus one), computes the session key (K) by XORing the random numbers chosen by the parties (K_WD, K_I). It then encrypts the digital signature and W-Desc under K. Note here that the nonce R_I is still involved in the hashed digital signature.

• The Issuer uses K to decrypt the ciphertext, obtains the W-Desc and checks the signature for validity. If correct, it sends the denomination of Coins (found in W-Desc) to the Bank in an ACH Request.

• Finally the Issuer encrypts the coins under K, computes the authentication mac under K and sends it to WD, which then checks the validity of the mac and returns an acknowledgement to the Issuer using a new mac computed on its ID and the same nonce.

Note that the nonce (R_I) is used as a single source to ensure freshness in all the messages.

2.2.3. BAN Analysis of the Purchase Protocol

We will verify the most crucial messages of the protocol, which might be exploited by an intruder and result in subsequent impersonation of any party or the disruption of the transactions, using BAN analysis of the second and third messages of the protocol. We assume that the WD knows the Issuer's public key and his own secret key and believes the nonce supplied by the Issuer to be fresh (the same applies for the Issuer too). The following assumptions hold:

I believes -------> I

WD believes ------> WD

I believes ------> WD

WD believes ------> I

I believes fresh ( R )

Although in this case the PK is being derived by the Issuer from the ID, we assume that it is correctly received. Now taking the second message: the nonce R is sent by the Issuer, but this message is not accompanied by any timestamp, which does not fully guarantee the freshness of the message. The impact might be seen in the third message.

E(W-Desc, S(ID, R, W-Desc)) : WD ---> I

I <| H(ID, R, W-Desc)

I |= WD |~ ID, R, W-Desc

I |= #(ID, R, W-Desc)

I |= WD |= ID, R, W-Desc

I |= WD |= W-Desc

Thus we can derive the following:

I believes WD believes W-Desc

WD believes I believes ID

There is however some redundancy in this message: the nonce R, which has been included in the signature, is the only means to ensure freshness. Unfortunately the VarietyCash system makes use of the same nonce for all of its transactions. In short, if there are no timestamps included we cannot perform nonce-verification for the third message, which would leave us with the weaker outcome:

I believes WD said W-Desc

WD believes I said ID

Moreover it must have been assumed that the nonce R would be able to link all the transactions. Again this leads to a fallacy, and the problem still remains as to how we would assure that the Issuer received the message from WD recently. This weakness might ease the way for an intruder (say X) who may very easily perform spoiling attacks on the MACed messages or impersonate the withdrawer (WD) totally.

The following illustrates the flow.

X --> I : E(ID, K)

X simply replays the first message (sent by WD); note that no timestamps are involved in it, so I will respond to it as though the message came from WD.

I --> X : E(ID, K, R)

X --> WD : E(ID, K, R)

WD --> X --> I : E(W-Desc, S(ID, R, W-Desc))


Now X has attained the Issuer ID and forwards it to WD as if it had been sent by the Issuer. The WD then sends the third message along with its signature, which is then forwarded by X to the Issuer; or, in a more sophisticated attack, he may decrypt the message, remove the existing signature, add his own and blindly copy the encrypted part into it. The ACH Request might take several days to respond, but during Issuance X may scramble the MAC by flipping some bits.

2.2.4. Payment Protocol Analysis

The message flows for the Payment protocol are as follows (note that the fields differ in this protocol):

Figure 4. Message flow for the Payment protocol

Table 3. Cryptographic fields for the Payment protocol

In the Payment protocol the fields enclosed in square brackets are optional, i.e. the signatures might not be included in the messages. For more details of the message exchanges refer to [1]. Here again we shall focus on the Payee-Issuer transactions taking place in the third, fourth and fifth messages.

Since there are no nonces or timestamps, it would be hard to prove that the message actually arrived from the valid party. This implies, firstly, that an intruder might change the Validation Request by simply altering the random number sent by the Payer (K), and secondly, that an attempt to flip the bits in the MACed message would result in an incorrect Issuance by the Payer. The one simple fix to such spoiling attacks is the use of timestamps and nonces. As there is no secret data involved, the use of signatures still holds some degree of relaxation. The following messages for the Payer-Issuer transactions might be effective, according to the BAN analysis, in counteracting such malicious activities.

PY --> I : E(T, N_PY, ID_PY, K_PY, TID, V-Desc, Enc C1)

I --> PY : E(T, N_PY, N_I, ID_I, K_I), mac(ID_I, TID, N_I, Enc C2)

PY --> I : mac(T + 1, ID_PY, TID)

2.2.5. BAN Analysis of the proposed Payment protocol

The following assumptions hold for the above protocol:-

I believes ------> I

PY believes ------> PY

I believes -------> PY

PY believes -------> I

I believes fresh (N )

PY believes fresh (N )

I believes fresh (T )

PY believes fresh (T )

Now we can easily derive the following result.

I believes PY believes K

PY believes I believes K

One possible fix to secure the mac secret data is to include the name of the sender or some identity in the message itself.
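The Issuer-side checks for the three proposed Payee-Issuer messages, as an added example that is not code from the paper or from VarietyCash: a timestamp window for T, a replay cache for N_PY, and MACs that bind the sender's ID and the TID, so that a replayed request, a stale request, a bit-flipped acknowledgement and an acknowledgement under another party's ID are all rejected. It assumes HMAC-SHA256 in place of the Triple DES MAC, leaves the encryption E out (messages are handled as already decrypted dicts), takes K = K_PY XOR K_I as in the purchase protocol, and uses a constructed 60 second window, IDs and coin strings.

```python
"""Issuer-side freshness and sender-binding checks for the proposed
Payee-Issuer payment exchange (messages 1 to 3).

Added example, not code from the paper or from VarietyCash. It models only
what the receiver verifies: the timestamp T against a clock window, the
nonce N_PY against a replay cache, and the MACs that bind the sender ID and
TID. HMAC-SHA256 stands in for the paper's Triple DES MAC; the encryption E
is not modelled (messages arrive as already decrypted dicts); K = K_PY XOR
K_I is assumed as in the purchase protocol; WINDOW, IDs and coin strings are
constructed values."""

import hashlib
import hmac
import secrets

WINDOW = 60  # seconds a timestamp T may deviate from the receiver's clock (chosen here)


def mac(key, *fields):
    """mac_K over the fields in order; each field is length-prefixed so that
    the boundaries between fields cannot be shifted by a forger."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        b = f if isinstance(f, bytes) else str(f).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()


def session_key(k_py, k_i):
    """K = K_PY XOR K_I (assumed, mirroring the purchase protocol)."""
    return bytes(a ^ b for a, b in zip(k_py, k_i))


class Issuer:
    def __init__(self, issuer_id, clock):
        self.id = issuer_id
        self.clock = clock          # callable returning the current time in seconds
        self.seen_nonces = set()    # payee nonces already accepted (replay cache)
        self.sessions = {}          # TID -> state awaiting the final mac (message 3)

    def validation_request(self, msg, enc_c2=b"<coins C2>"):
        """Message 1 in: E(T, N_PY, ID_PY, K_PY, TID, V-Desc, Enc C1).
        Returns ((reply, tag), "ok") carrying message 2, or (None, reason)."""
        if abs(self.clock() - msg["T"]) > WINDOW:
            return None, "stale timestamp"
        if msg["N_PY"] in self.seen_nonces:
            return None, "replayed nonce"
        if msg["TID"] in self.sessions:
            return None, "duplicate TID"
        self.seen_nonces.add(msg["N_PY"])
        n_i, k_i = secrets.token_bytes(16), secrets.token_bytes(16)
        k = session_key(msg["K_PY"], k_i)
        self.sessions[msg["TID"]] = {"K": k, "T": msg["T"], "ID_PY": msg["ID_PY"]}
        reply = {"T": msg["T"], "N_PY": msg["N_PY"], "N_I": n_i,
                 "ID_I": self.id, "K_I": k_i}
        # mac_K(ID_I, TID, N_I, Enc C2): the Issuer's own nonce ties message 2 to this run
        return (reply, mac(k, self.id, msg["TID"], n_i, enc_c2)), "ok"

    def final_ack(self, tid, tag):
        """Message 3 in: mac_K(T + 1, ID_PY, TID). T + 1 proves the payee saw
        this run's T; ID_PY inside the mac is the fix the text proposes, so a
        third party cannot pass the acknowledgement off as its own."""
        s = self.sessions.get(tid)
        if s is None:
            return False, "unknown TID"
        expected = mac(s["K"], s["T"] + 1, s["ID_PY"], tid)
        if not hmac.compare_digest(expected, tag):
            return False, "bad mac"
        del self.sessions[tid]      # exactly one acknowledgement per transaction
        return True, "ok"


def payee_ack(k, t, payee_id, tid):
    """Message 3 as the payee computes it."""
    return mac(k, t + 1, payee_id, tid)


def run_exchange(issuer, payee_id, tid, t, k_py=None, n_py=None):
    """Drive one exchange from the payee's side; returns (accepted, reason)."""
    k_py = k_py or secrets.token_bytes(16)
    n_py = n_py or secrets.token_bytes(16)
    msg1 = {"T": t, "N_PY": n_py, "ID_PY": payee_id, "K_PY": k_py, "TID": tid,
            "V-Desc": "verify and execute", "Enc C1": b"<coins C1>"}
    out, reason = issuer.validation_request(msg1)
    if out is None:
        return False, reason
    reply, tag = out
    k = session_key(k_py, reply["K_I"])
    # payee-side check of message 2 before it commits to the transaction
    if not hmac.compare_digest(tag, mac(k, reply["ID_I"], tid, reply["N_I"], b"<coins C2>")):
        return False, "issuer mac failed"
    return issuer.final_ack(tid, payee_ack(k, t, payee_id, tid))
```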

Figure 4. Message flow for the Payment protocol among the Payer (PA), the Payee (PY) and the Issuer (I), as far as it can be recovered; the Payer-Payee direction of messages 1 and 2 is inferred from the TID being generated by the Payee, and messages 3 to 5 are the Payee-Issuer exchange analysed above:

  1. PY --> PA : ID_PY, TID, (S_PY(H(Com)))
  2. PA --> PY : E_PY[PY, TID, Coin1 ... Coin n]
  3. PY --> I  : E_I[ID_PY, K_PY, TID, V-Desc, Enc C1], [S_PY(ID_PY, H(Com), Enc C1)]
  4. I --> PY  : E_PY[ID_I, K_I], E_K<Coin1 ...>, mac_K(ID_I, TID, Enc C2)
  5. PY --> I  : mac_K(ID_PY, TID)

Table 3. Cryptographic fields for the Payment protocol

  TID              A number generated by the Payee, which is uniquely associated with its transaction
  P-Desc           Amount description and method of pay
  Com              P-Desc, TID and the IDs of the Payee, the Payer and the Issuer
  V-Desc           Verification and execution request [1]
  Enc C1, Enc C2   The encrypted coin strings carried in messages 3 and 4
  K_PY, K_I        Random numbers chosen by the Payee and the Issuer (as K_X in Table 2)

3. CONCLUSION

This paper presents a security analysis of the two major protocols involved in the VarietyCash system. To summarize, there are flaws with respect to the freshness of the messages, so replay attacks could be an easy tool for malicious intruders. The use of proper timestamps and nonces guarantees the integrity of the messages involved and the preservation of the secret signed data.

However, future work remains in reducing the number of message exchanges so that more transactions can be handled in less time, while ensuring that security holes cannot be exploited by malicious intruders or attackers in any case.

4 . REFERENCES

1. M. Bellare, C. Jutla, J. Garay and M. Yung, "VarietyCash: A Multi-purpose Electronic Payment System", Proceedings of the 3rd USENIX Workshop on Electronic Commerce, 1998.

2. CCITT Draft Recommendation X.509, "The Directory Authentication Framework", Version 7, Gloucester, November 1987.

3. M. Burrows, M. Abadi and R. M. Needham, "A Logic of Authentication", Proceedings of the Royal Society of London, Series A, 426, pp. 233-271, 1989.

4. www.gi-de.de/eng/products/03/index.php4 ? product_id316/42


AN INTELLIGENT TEXT DATA ENCRYPTION AND COMPRESSION FOR

HIGH SPEED AND SECURE DATA TRANSMISSION OVER INTERNET

Dr. V. K. Govindan (1), B. S. Shajee Mohan (2)

1. Prof. & Head, CSED, NIT Calicut, Kerala. 2. Assistant Prof., CSED, L.B.S.C.E., Kasaragod, Kerala.

ABSTRACT

Compression algorithms reduce the redundancy in data representation to decrease the storage required for that data. Data compression offers an attractive approach to reducing communication costs by using available bandwidth effectively. Over the last decade there has been an unprecedented explosion in the amount of digital data transmitted via the Internet, representing text, images, video, sound, computer programs, etc. With this trend expected to continue, it makes sense to pursue research on developing algorithms that can most effectively use available network bandwidth by maximally compressing data. It is also important to consider the security of the data being transmitted while compressing it, as most of the text data transmitted over the Internet is very vulnerable to a multitude of attacks. This presentation is focused on the problem of lossless compression of text files with added security. Lossless compression researchers have developed highly sophisticated approaches, such as Huffman encoding, arithmetic encoding, the Lempel-Ziv (LZ) family, Dynamic Markov Compression (DMC), Prediction by Partial Matching (PPM), and Burrows-Wheeler Transform (BWT) based algorithms. However, none of these methods has been able to reach the theoretical best-case compression ratio consistently, which suggests that better algorithms may be possible. One approach to attaining better compression ratios is to develop new compression algorithms. An alternative approach is to develop intelligent, reversible transformations that can be applied to a source text, which improve an existing (backend) algorithm's ability to compress and also offer a sufficient level of security for the transmitted information. The latter strategy is explored here.

Michael Burrows and David Wheeler recently released the details of a transformation function that opens the door to some revolutionary new data compression techniques. The Burrows-Wheeler Transform, or BWT, transforms a block of data into a format that is extremely well suited for compression. The block sorting algorithm they developed works by applying a reversible transformation to a block of input text. The transformation does not itself compress the data, but reorders it to make it easy to compress with simple algorithms such as move-to-front encoding. The basic philosophy of our secure compression is to preprocess the text and transform it into some intermediate form which can be compressed with better efficiency and which exploits the natural redundancy of the language in making the transformation. A strategy called Intelligent Dictionary Based Encoding (IDBE) is discussed to achieve this. It has been observed that preprocessing the text prior to conventional compression improves the compression efficiency considerably. The intelligent dictionary based encryption provides the required security.

Key words: Data compression, BWT, IDBE, Star Encoding, Dictionary Based Encoding, Lossless

1. RELATED WORK AND BACKGROUND

In the last decade, we have seen an unprecedented explosion of textual information through the use of the Internet, digital libraries and information retrieval systems. It is estimated that by the year 2004 the National Service Provider backbone will carry an estimated traffic of around 30000 Gbps and that growth will continue at 100% every year. Text data accounts for 45% of the total Internet traffic. A number of sophisticated algorithms have been proposed for lossless text compression, of which BWT and PPM outperform the classical algorithms like Huffman, arithmetic coding and the LZ families of Gzip and Unix compress. The BWT is an algorithm that takes a block of data and rearranges it using a sorting algorithm. The resulting output block contains exactly the same data elements that it started with, differing only in their ordering. The transformation is reversible, meaning the original ordering of the data elements can be restored with no loss of fidelity. The BWT is performed on an entire block of data at once. Most of today's familiar lossless compression algorithms operate in streaming mode, reading a single byte or a few bytes at a time, but with this transform we want to operate on the largest chunks of data possible. Since the BWT operates on data in memory, you may encounter files too big to process in one fell swoop; in these cases the file must be split up and processed a block at a time. The output of the BWT is usually piped through a move-to-front stage, then a run-length encoder stage, and finally an entropy encoder, normally arithmetic or Huffman coding. The actual command line to perform this sequence looks like this:

BWT < input-file | MTF | RLE | ARI > output-file

The decompression is just the reverse process and looks like this:

UNARI < input-file | UNRLE | UNMTF | UNBWT > output-file

An alternative approach is to apply a lossless, reversible transformation to a source file before applying an existing compression algorithm. The transformation is designed to make the source file easier to compress. Star encoding is generally used for this type of preprocessing transformation of the source text. Star-encoding works by creating a large dictionary of commonly used words expected in the input files. The dictionary must be prepared in advance and must be known to both the compressor and the decompressor.

Each word in the dictionary has a star-encoded equivalent, in which as many letters as possible are replaced by the '*' character. For example, a commonly used word such as "the" might be replaced by the string "t**". The star-encoding transform simply replaces every occurrence of the word "the" in the input file with "t**".

Ideally, the most common words will have the highest percentage of '*' characters in their encoding. If done properly, the transformed file will have a huge number of '*' characters, which ought to make it more compressible than the original plain text. Star encoding does not provide any compression as such, but puts the input text into a form that a later-stage compressor handles better. Star encoding is also very weak and vulnerable to attack. As an example, a section of text from Project Gutenberg's version of Romeo and Juliet looks like this in the original:

But soft, what light through yonder window breaks?

It is the East, and Iuliet is the Sunne,

Arise faire Sun and kill the enuious Moone,

Who is already sicke and pale with griefe,

That thou her Maid art far more faire then she

Running this text through the star-encoder yields the following text:

B** *of*, **a* **g** *****g* ***d*r ***do* b*e***?

It *s *** E**t, **d ***i** *s *** *u**e,

A***e **i** *un **d k*** *** e****** M****,

*ho *s a****** **c*e **d **le ***h ****fe,

***t ***u *e* *ai* *r* f*r **r* **i** ***n s**

You can clearly see that the encoded data has exactly the same number of characters but is dominated by stars. It certainly looks as though it is more compressible, and at the same time it does not offer any serious challenge to the hacker!
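The star-encoding transform just described, as an added Python example (not code from the paper or from any star-encoding tool). Signature construction is an assumption of the example, since the paper only gives the "the" to "t**" instance: each word keeps its first letter and stars the rest, re-adding letters from the left only until the signature is unique among the words seen so far, so words supplied most-frequent first receive the most stars. The encoder also assumes the plain text contains no '*' characters of its own.

```python
import re

# Words (letters, or letters with '*' once encoded) alternate with separator runs.
TOKEN_RE = re.compile(r"[A-Za-z*]+|[^A-Za-z*]+")


def build_star_dictionary(words):
    """Assign each dictionary word a unique star signature.
    Assumption (not from the paper): words arrive most-frequent first."""
    table, used = {}, set()
    for word in words:
        for keep in range(1, len(word) + 1):           # keep 1 letter, then 2, ...
            sig = word[:keep] + "*" * (len(word) - keep)
            if sig not in used:
                break
        used.add(sig)
        table[word] = sig
    return table


def star_encode(text, table):
    """Replace every dictionary word by its signature; other tokens pass through."""
    return "".join(table.get(tok, tok) for tok in TOKEN_RE.findall(text))


def star_decode(encoded, table):
    """Invert the transform with the same dictionary (required on both sides)."""
    inverse = {sig: word for word, sig in table.items()}
    return "".join(inverse.get(tok, tok) for tok in TOKEN_RE.findall(encoded))


if __name__ == "__main__":
    table = build_star_dictionary(["the", "and", "that", "this", "cat"])
    sample = "the cat and the dog."                     # constructed input
    print(table)                                        # {'the': 't**', ..., 'this': 'th**', ...}
    print(star_encode(sample, table))                   # t** c** a** t** dog.
    print(star_decode(star_encode(sample, table), table) == sample)
```

The output makes the weakness the paper points out concrete: every word keeps its length, its first letter and its position, punctuation and spacing are untouched, and the dictionary is fixed and shared, so the transform hides nothing that a reader of the encoded text could not recover.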

2. AN INTELLIGENT DICTIONARY BASED ENCODING

In these circumstances we propose a better encoding strategy, which offers higher compression ratios and better security against all possible kinds of attack during transmission. The objective of this paper is to develop a better transformation yielding greater compression and added security. The basic philosophy of compression is to transform text into some intermediate form, which can be compressed with better efficiency and encoded more securely, and which exploits the natural redundancy of the language in making this transformation. We have explained the basic approach of our compression method in the previous sentence, but let us use the same sentence as an example to explain the point further. Let us rewrite it with a lot of spelling mistakes: Our philosophy of compression is to trasfom the txt into som intermedate form which can be compresed with bettr efficency and which xploits the natural redundancy of the language in making this tranformation. Most people will have no problem reading it. This is because our visual perception system recognizes each word by an approximate signature pattern rather than by an exact sequence of letters, and we have a dictionary in our brain which associates each misspelled word with the corresponding correct word. For computing machinery, the signatures for words can be arbitrary as long as they are unique. The algorithm we developed is a two-step process consisting of:

Step1: Make an intelligent dictionary

Step2: Encode the input text data

The entire process can be summarised as follows.

2.1 Encoding Algorithm

Start encode with argument input file inp

A. Read the dictionary and store all words and their codes in a table.

B. While inp is not empty:

   1. Read characters from inp and form a token.

   2. If the token is longer than 1 character, then

      1. Search for the token in the table.

      2. If it is not found,

            1. Write the token as such into the output file.

         Else

            1. Find the length of the code for the word.

            2. The actual code consists of the length concatenated with the code in the table; the length serves as a marker while decoding and is represented by the ASCII characters 251 to 254, with 251 representing a code of length 1, 252

            3. Write the actual code into the output file.

            4. Read the next character and neglect it if it is a space. If it is any other character, make it the first character of the next token and go back to B, after inserting a marker character (ASCII 255) to indicate the absence of a space.

      Else

         1. Write the 1-character token.

         2. If the character is one of the ASCII characters 251 to 255, write the character once more, so as to show that it is part of the text and not a marker.

      Endif

   End (While)

C. Stop.

2.2. Dictionary Making Algorithm

Start MakeDict with multiple source files as input

1. Extract all words from input files.

2. If a word is already in the table, increment its number of occurrences by 1; otherwise add it to the table and set its number of occurrences to 1.

3. Sort the table by frequency of occurrences in descending order.

4. Start giving codes using the following method:

i) Give the first 218 words the ASCII characters 33 to 250 as their codes.

ii) Now give each of the remaining words one permutation of two of the ASCII characters (in the range 33 to 250), taken in order. If words still remain, give each of them one permutation of three of the ASCII characters, and finally, if required, a permutation of four characters.

5. Create a new table having only words and their codes. Store this table as the Dictionary in a file.

6. Stop.
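The encoding and dictionary-making algorithms of sections 2.1 and 2.2, together with the decoder the paper leaves implicit, as an added Python implementation (this is example code, not the authors' IDBE program). It follows the paper's constants: 1-byte codes from ASCII 33 to 250 for the 218 most frequent words, then 2-, 3- and 4-byte codes; length markers 251 to 254; marker 255 for a coded word not followed by a space; and doubling of any literal byte in 251 to 255. Two details the paper does not pin down are assumptions here: a word is a run of ASCII letters (any other byte is a 1-character token), and ties in frequency are broken alphabetically so the dictionary is deterministic.

```python
import itertools
import re
from collections import Counter

CODE_CHARS = bytes(range(33, 251))                 # the 218 code characters, ASCII 33..250
LENGTH_MARKER = {1: 251, 2: 252, 3: 253, 4: 254}   # 251 = code of length 1, ..., 254 = length 4
NO_SPACE = 255                                     # marker: no space follows the coded word
# Assumption (not in the paper): a word is a run of ASCII letters; any other byte is a 1-byte token.
TOKEN_RE = re.compile(rb"[A-Za-z]+|.", re.DOTALL)


def make_dict(sources):
    """MakeDict: count words over the source files, sort by descending frequency,
    give 1-byte codes to the first 218 words, then 2-, 3- and 4-byte codes in order."""
    freq = Counter()
    for src in sources:
        freq.update(tok for tok in TOKEN_RE.findall(src) if len(tok) > 1)
    words = sorted(freq, key=lambda w: (-freq[w], w))      # ties broken alphabetically (assumption)
    codes = (bytes(c) for k in range(1, 5)
             for c in itertools.product(CODE_CHARS, repeat=k))
    return dict(zip(words, codes))


def encode(inp, table):
    """Encoding algorithm of section 2.1 over a byte string."""
    out = bytearray()
    tokens = TOKEN_RE.findall(inp)
    i = 0
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if len(tok) > 1:
            code = table.get(tok)
            if code is None:
                out += tok                          # unknown word: written as such
            else:
                out.append(LENGTH_MARKER[len(code)])
                out += code
                if i < len(tokens) and tokens[i] == b" ":
                    i += 1                          # the space after a coded word is implied ...
                else:
                    out.append(NO_SPACE)            # ... so its absence must be marked
        else:
            out += tok
            if tok[0] >= 251:
                out += tok                          # doubled: this byte is text, not a marker
    return bytes(out)


def decode(enc, table):
    """Inverse of encode(); needs the same dictionary."""
    inverse = {code: word for word, code in table.items()}
    out = bytearray()
    i = 0
    while i < len(enc):
        b = enc[i]
        if b >= 251 and i + 1 < len(enc) and enc[i + 1] == b:
            out.append(b)                           # doubled marker byte is literal text
            i += 2
        elif 251 <= b <= 254:
            n = b - 250                             # the marker gives the code length
            out += inverse[enc[i + 1:i + 1 + n]]
            i += 1 + n
            if i < len(enc) and enc[i] == NO_SPACE:
                i += 1
            else:
                out.append(0x20)                    # implied space after a coded word
        else:
            out.append(b)
            i += 1
    return bytes(out)


if __name__ == "__main__":
    # constructed sample: the first verses quoted in the paper
    text = (b"In the beginning God created the heaven and the earth. "
            b"And the earth was without form, and void; and darkness was upon the face of the deep.")
    table = make_dict([text])
    enc = encode(text, table)
    print(len(text), "->", len(enc), "bytes; round trip ok:", decode(enc, table) == text)
```

Decoding works only because marker bytes never occur as code characters (codes stop at 250) and every literal marker byte is doubled, which is the property the paper's steps B.2.4 and B.Else.2 are there to guarantee; drop either one and the stream becomes ambiguous.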

As an example, a section of text from the Canterbury corpus version of bible.txt looks like this in the original:

In the beginning God created the heaven and the earth.

And the earth was without form, and void; and darkness was upon the face of the deep. And the Spirit of God moved upon the face of the waters.

And God said, Let there be light: and there was light.

And God saw the light, that it was good: and God divided the light from the darkness.

And God called the light Day, and the darkness he called Night. And the evening and the morning were the first day.

And God said, Let there be a firmament in the midst of the waters, and let it divide the waters from the waters.

And God called the firmament Heaven. And the evening and the morning were the second day.

Running the text through the Intelligent Dictionary Based Encoder (IDBE) yields the following text:

û©û!ü%;ûNü'�û!ü"�û"û!û�ÿ. û*û!û�û5ü"8ü"}ÿ, û"ü2Óÿ; û"ü%Lû5ûYû!ü"nû#û!ü&�ÿ. û*û!ü%Ìû#ûNü&ÇûYû!ü"nû#û!ü#Éÿ.

û*ûNûAÿ, ü"¿û]û.ü"�ÿ: û"û]û5ü"�ÿ.

û*ûNü"Qû!ü"�ÿ, û'û1û5û²ÿ: û"ûNü(Rû!ü"�û;û!ü%Lÿ.

û*ûNûóû!ü"�ü%�ÿ, û"û!ü%Lû-ûóü9[ÿ. û*û!ü'·û"û!ü#¹ûSû!ûºûvÿ.

û*ûNû�û!ü6�ÿ, û"ü(Rû!ü#Éû:ûSü"2û!ü6�û;û!ü#Éû:ûSü"�û!ü6�ÿ: û"û1û5ûeÿ.

û*ûNûóû!ü6•ü#Wÿ. û*û!ü'·û"û!ü#¹ûSû!ü"ßûvÿ

It is clear from the above sample that the encoded text provides better compression and a stiff challenge to the hacker! It may look as if the encoded text can be attacked using a conventional frequency analysis of the words in the encoded text, but a detailed inspection of the dictionary making algorithm reveals that this is not so. An attacker can decode the encoded text only if he knows the dictionary. The dictionary, on the other hand, is created dynamically: it depends on the nature of the text being encoded, and the nature of the text differs between sessions of communication between a server and a client. In addition, we suggest a stronger encryption strategy for the dictionary transfer. A proper dictionary management and transfer protocol can be adopted for more secure data transfer.

2.3. Dictionary Management and Transfer Protocol


In order to make the system least vulnerable to possible attacks by hackers, a suitable dictionary management and transfer protocol can be devised. This topic is currently under our consideration, but so far we have not implemented any model for it. One suggested method for dictionary transfer between server and client follows the SSL (Secure Socket Layer) Record Protocol, which provides basic security services to various higher-level protocols such as the HyperText Transport Protocol (HTTP). A typical strategy is as follows:

The first step is to fragment the dictionary into chunks of suitable size, say 16 KB. Then an optional compression can be applied. The next step is to compute a message authentication code (MAC) over the compressed data using a secret key; a cryptographic hash algorithm such as SHA-1 or MD5 can be used for the calculation. The compressed dictionary fragment and the MAC are then encrypted using symmetric encryption such as IDEA, DES or Fortezza. The final step is to prepend the header to the encrypted dictionary fragment.

3. PERFORMANCE ANALYSIS

Performance measures, namely bits per character (BPC) and conversion time, are compared for three cases: simple BWT, BWT with star encoding and BWT with Intelligent Dictionary Based Encoding (IDBE). The results are shown graphically and show that BWT with IDBE outperforms the other techniques in compression ratio and speed of compression (conversion time), while offering a higher level of security.

Fig.1.0: BPC & Conversion time comparison of transform with BWT, BWT with *Encoding and BWT with IDBE for Calgary corpus files.

Table 1.0: BPC comparison of simple BWT, BWT with *Encode and BWT with IDBE on the Calgary corpus

File name   File size (KB)   BWT          BWT with *Encode   BWT with IDBE
                             BPC   Time   BPC   Time         BPC   Time
bib          108.7           2.11  1      1.93  6            1.69  4
book1        750.8           2.85  11     2.74  18           2.36  11
book2        596.5           2.43  9      2.33  14           2.02  10
geo          100.0           4.84  2      4.84  6            5.18  5
news         368.3           2.83  6      2.65  10           2.37  7
paper1        51.9           2.65  1      1.59  5            2.26  3
paper2        80.3           2.61  2      2.45  5            2.14  4
paper3        45.4           2.91  2      2.60  6            2.27  3
paper4        13.0           3.32  2      2.79  5            2.52  3
paper5        11.7           3.41  1      3.00  4            2.8   2
paper6        37.2           2.73  1      2.54  5            2.38  3
progc         38.7           2.67  2      2.54  5            2.44  3
progl         70.0           1.88  1      1.78  5            1.70  3
trans         91.5           1.63  2      1.53  5            1.46  4

Fig.2.0 :BPC & Conversion time comparison of transform with BWT, BWT with *Encoding and BWT with IDBE for Canterbury corpus files.


Table 2.0: BPC comparison of simple BWT, BWT with *Encode and BWT with IDBE on the Canterbury corpus

File name      File size (KB)   BWT          BWT with *Encode   BWT with IDBE
                                BPC   Time   BPC   Time         BPC   Time
alice29.txt     148.5           2.45  3      2.39  6            2.11  4
asyoulik.txt    122.2           2.72  2      2.61  7            2.32  4
cp.html          24.0           2.6   1      2.27  4            2.13  3
fields.c         10.9           2.35  0      2.20  4            2.06  3
grammar.lsp       3.60          2.88  0      2.67  4            2.44  3
kennedy.xls    1005.6           0.81  10     0.82  17           0.98  17
lcet10.txt      416.8           2.38  7      2.25  12           1.87  7
plrabn12.txt    470.6           2.80  10     2.69  13           2.30  8
ptt5            501.2           0.85  27     0.85  33           0.86  31
sum              37.3           2.80  2      2.75  4            2.89  4
xargs.1           4.1           3.51  1      3.32  4            2.93  2

4. CONCLUSION

In an ideal channel, the reduction in transmission time is directly proportional to the amount of compression. But in a typical Internet scenario with fluctuating bandwidth, congestion and packet-switching protocols, this does not hold true. Our results have shown excellent improvement in text data compression and added levels of security over the existing methods. These improvements come at the cost of additional processing on the server/nodes.

3. REFERENCES

1. M. Burrows and D. J. Wheeler, "A Block-sorting Lossless Data Compression Algorithm", SRC Research Report 124, Digital Systems Research Center.

2. H. Kruse and A. Mukherjee, "Data Compression Using Text Encryption", Proc. Data Compression Conference, 1997, IEEE Computer Society Press, 1997, p. 447.

3. H. Kruse and A. Mukherjee, "Preprocessing Text to Improve Compression Ratios", Proc. Data Compression Conference, 1998, IEEE Computer Society Press, 1997, p. 556.

4. N. J. Larsson, "The Context Trees of Block Sorting Compression", Proceedings of the IEEE Data Compression Conference, March 1998, pp. 189-198.

5. A. Moffat, "Implementing the PPM Data Compression Scheme", IEEE Transactions on Communications, COM-38, 1990, pp. 1917-1921.

6. T. Welch, "A Technique for High-Performance Data Compression", IEEE Computer, Vol. 17, No. 6, 1984.

7. R. Franceschini, H. Kruse, N. Zhang, R. Iqbal and A. Mukherjee, "Lossless, Reversible Transformations that Improve Text Compression Ratios", submitted to IEEE Transactions on Multimedia Systems (June 2000).

8. F. Awan and A. Mukherjee, "LIPT: A Lossless Text Transform to Improve Compression", Proceedings of the International Conference on Information Technology: Coding and Computing, IEEE Computer Society, Las Vegas, Nevada, April 2001.

9. N. Motgi and A. Mukherjee, "Network Conscious Text Compression Systems (NCTCSys)", Proceedings of the International Conference on Information Technology: Coding and Computing, IEEE Computer Society, Las Vegas, Nevada, April 2001.

10. F. Awan, N. Zhang, N. Motgi, R. Iqbal and A. Mukherjee, "LIPT: A Reversible Lossless Text Transformation to Improve Compression Performance", Proceedings of the Data Compression Conference, Snowbird, Utah, March 2001.

11. V. K. Govindan and B. S. Shajee Mohan, "IDBE - An Intelligent Dictionary Based Encoding Algorithm for Text Data Compression for High Speed Data Transmission Over Internet", Proceedings of the International Conference on Intelligent Signal Processing and Robotics, IIIT Allahabad, February 2004 (selected for presentation).


STEGANALYSIS OF LSB ENCODING IN UNCOMPRESSED IMAGES BY CLOSE COLOUR PAIR ANALYSIS

S. Mitra, T. Roy, D. Mazumdar and A. B. Saha. All the authors are affiliated to CDAC, Kolkata.

ABSTRACT

In this paper we describe a steganalytic tool to detect the presence of a hidden message in LSB steganography. It is a stego-only attack on LSB insertion for uncompressed colour images encoded in 24-bit BMP format. The detection theory is based on statistical analysis of pixel pairs using their RGB components. The necessity of a variable threshold to mark the stego images is explained. The threshold value depends on the correlation between pixel pairs in terms of colour components. The false detection rate and false alarm rate are determined experimentally using an image database of 200 images.

Key words: LSB insertion, Stego-image, Unique color, Close color pair.

INTRODUCTION

Steganography is the art of hiding information in an innocuous cover [1]. Its basic purpose is to make communication unintelligible to those who do not possess the right keys. The message can be hidden inside images or other digital objects and remains imperceptible to a casual observer. By embedding a secret message into a cover image, a stego-image is obtained. As the stego-image does not contain any easily detectable visual artifacts due to message embedding, techniques known as steganalysis tools [2] are required to detect the existence of hidden message bits. The common approaches to message hiding in images include Least Significant Bit (LSB) insertion methods, frequency domain techniques, spread spectrum techniques, statistical methods, cover generation methods and fractal techniques. The change in behaviour of the stego-image depends on the specific approach used for hiding information, and attacks on stego-images are likewise of different natures to deal with the different steganographic approaches. LSB insertion and noise manipulation are the simplest steganographic techniques and are widely used. The tools in this group include StegoDos, S-Tools, MandelSteg, Ezstego, Hide and Seek, Hide4PGP, Jpeg-Jsteg, Steganos [3], etc. The image formats typically used in such steganography methods are lossless, and the data can be directly inserted and recovered given the stego-key. In this paper, we introduce a particular stego-only attack on LSB insertion for colour images. A stego-only attack is applied when only the stego-image is available and the attacker has no idea about the original cover image, the stego-key or the encoding algorithm. It is probably the most feasible attack that occurs in the real world. In the current paper, the goal is to inspect a set of images for statistical artifacts due to message embedding in colour images using the LSB insertion method and to find out which of them are likely to be stego. The decision is based on a threshold value. Judicious selection of the threshold value determines the robustness of the software in terms of false detection on the positive and negative sides. A variable threshold selection scheme based on the image characteristics is proposed in the current paper, and the improvement in performance is shown using experimental data. In section 1, an algorithm utilizing statistical properties based on unique colours and close colour pairs of an uncompressed 24-bit BMP is described. The algorithm is able to detect a stego-image within tolerable limits. The conclusion of the paper is drawn in Section 2.

2. CLOSE COLOR PAIR ANALYSIS TO DETECT LSB INSERTION

Neil F. Johnson and Sushil Jajodia [4] identified a few characteristics, known as signatures, in currently used steganography software that direct the stego attacker to the existence of a hidden message. This methodology can be utilized for automatic detection and destruction of a stego-image. They pointed out that probably all the signatures (close colour pair, duplication of palette entries, etc.) are introduced when information is hidden in a palette image like an 8-bit BMP or GIF image. Of all the palette signatures identified by them, the close colour pair signature is also applicable to uncompressed high-density colour images like 24-bit BMP, PGM, etc. In this paper we have identified a steganalysis method for uncompressed high-density colour image formats using the close colour pair signature. In a natural uncompressed image (like a 24-bit BMP) each pixel is represented by three colour channels (Red, Green and Blue), each 8 bits wide. The LSB of any colour channel of a typical scanned real image or one taken with a digital camera contains the least information about the image and is the most random in nature. Hence, most of the methods for hiding information in an uncompressed natural image are based on replacing the LSBs of the colour channels by message bits. Thus, on average only half of the LSBs are changed, and it is assumed that embedding a message in this way will not disturb the statistics of the cover-image, so that no detectable signature is generated. This assumption is true if and only if the number of unique colours in the cover-image is comparable to the total number of pixels in the image. However, it is observed that in a natural uncompressed image the ratio of the number of unique colours to the total number of pixels is approximately 1:6. Hence after LSB embedding, which is equivalent to introducing noise, the randomness of the LSB pattern increases. This increase in randomness is reflected in an increase in the number of close colour pairs, which is utilized as the distinguishing signature for this type of image. The close colour pair (P) and unique colour (U) are defined as follows. Two colours (R1, G1, B1) and (R2, G2, B2) are close if

$|R_1 - R_2| \le 1,\ |G_1 - G_2| \le 1 \text{ and } |B_1 - B_2| \le 1$, or equivalently $(R_1 - R_2)^2 + (G_1 - G_2)^2 + (B_1 - B_2)^2 \le 3$ ..... (1)

Two colours (R3, G3, B3) and (R4, G4, B4) are unique (distinct) if any one of the following holds:

$|R_3 - R_4| \ge 1$ or $|G_3 - G_4| \ge 1$ or $|B_3 - B_4| \ge 1$ ..... (2)

For any uncompressed real image, the ratio R gives an idea of the relative number of close colour pairs with respect to the number of unique colours, where

$R = P / U$ ..... (3)

Now, it is observed that for an untampered image, which does not have any embedded message, the value of R is greater than for an image which already has a message embedded in it. This happens because the embedded message behaves as random noise, which increases the number of unique colours U abruptly. As an example, we have taken four 24-bit BMP images having wide variation in colour composition and have experimented with tampered versions in which message bit-streams of different lengths are embedded by LSB insertion. The ratio R for the untampered and tampered images is compared in Table 1.
Table 1: Experimental data showing the variation of the relative value of unique colours (R) with packing density.

% of message bits inserted   Value of R by class of image
                             Waterbody   Sky & Cloud   People   Land
Untampered                   4.91        1.63          0.98     0.21
10%                          2.97        1.27          0.83     0.20
20%                          2.54        1.11          0.75     0.19
30%                          2.31        1.03          0.71     0.19
40%                          2.21        1.00          0.68     0.187
50%                          2.11        0.95          0.67     0.182
60%                          2.04        0.94          0.65     0.17
70%                          1.95        0.90          0.63     0.16

It is observed that, due to the wide variation in U, the number of unique colours, between images, it is almost impossible to find a single threshold for R that distinguishes a stego-image from a non-stego one. The graphical representation of R against the percentage of data embedded for images of different nature is shown in Fig 1. An absolute threshold at R = 1 declares a tampered waterbody image untampered (false detection) and an untampered land image tampered (false alarm).

Fig 1: Variation of the relative value of unique colours with packing density. The initial value of each curve gives the cardinality of the unique colour set in the untampered image. The rate of change of the relative value of unique colours depends on the nature of the image.

After prolonged testing with different kinds of images having wide colour variation, a particular property was observed which enables us to reliably distinguish a tampered image from an untampered one. It is noticed that if a test image has already been tampered with a message, embedding it further with additional bit-streams does not modify the R value significantly. Conversely, if the test image is untampered, the ratio R decreases significantly when it is tampered with additional bit-streams. We have artificially packed the test image with data using the standard steganographic software S-Tools. If U' and P' are the number of unique colours and close colour pairs of the artificially tampered image I', then

$R' = P' / U'$ ..... (4)

gives the relative number of close colour pairs in I'. The change in the ratio R is measured in terms of m, the percentage change in R, defined as

$m = \dfrac{R - R'}{R} \times 100\,\%$ ..... (5)

m can now be properly thresholded to distinguish a tampered image from an untampered one. The rate of change of R for four images (two untampered and two 20% tampered) is tabulated in Table 2.
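The statistics of equations (1) to (5) and the re-embedding test built on them, as an added Python example (not the authors' tool). An image is a list of (R, G, B) tuples; U is the set of distinct colours, P counts pairs of colours that are within 1 in every channel, and the 13 lexicographically positive offsets make sure each unordered pair is counted once. Two things are assumptions of the example rather than statements of the paper: P is counted over the set of unique colours (the paper does not say whether colours or pixels are paired), and the artificial packing writes random bits into channel LSBs sequentially in pixel order, where the paper used S-Tools. The gradient image at the end is constructed only to exercise the code, so the sign and size of m on it need not resemble the paper's tables; the decision rule is the paper's fixed threshold of 9.00 on m.

```python
import random

# The 13 offsets with (dr, dg, db) > (0, 0, 0): one of each pair of opposite directions,
# so every unordered pair of close colours is counted exactly once.
CLOSE_OFFSETS = [(dr, dg, db)
                 for dr in (-1, 0, 1) for dg in (-1, 0, 1) for db in (-1, 0, 1)
                 if (dr, dg, db) > (0, 0, 0)]


def unique_colors(pixels):
    """U: the set of distinct (R, G, B) triples in the image (Eq. 2)."""
    return set(pixels)


def close_color_pairs(colors):
    """P: pairs of distinct colours whose channels each differ by at most 1 (Eq. 1).
    Assumption (not stated in the paper): pairs are counted over the unique colours."""
    colors = set(colors)
    return sum(1 for (r, g, b) in colors for (dr, dg, db) in CLOSE_OFFSETS
               if (r + dr, g + dg, b + db) in colors)


def ratio_r(pixels):
    """R = P / U (Eq. 3)."""
    u = unique_colors(pixels)
    return close_color_pairs(u) / len(u)


def pct_change(r, r_prime):
    """m = (R - R') / R x 100 % (Eq. 5)."""
    return (r - r_prime) / r * 100.0


def lsb_embed(pixels, bits):
    """LSB insertion: replace channel LSBs, channel by channel in pixel order, with message bits."""
    flat = [c for px in pixels for c in px]
    for i, bit in enumerate(bits[:len(flat)]):
        flat[i] = (flat[i] & ~1) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def saturation_test(pixels, fraction=0.2, seed=1):
    """Pack a further `fraction` of the capacity with random bits and return m (Eq. 5)."""
    rng = random.Random(seed)
    nbits = int(3 * len(pixels) * fraction)
    tampered = lsb_embed(pixels, [rng.getrandbits(1) for _ in range(nbits)])
    return pct_change(ratio_r(pixels), ratio_r(tampered))


def classify(m, threshold=9.0):
    """Fixed-threshold rule from the paper: a small change in R means the image was already tampered."""
    return "stego" if m < threshold else "non-stego"


def sample_image(width=64, height=64):
    """Constructed smooth gradient used only to exercise the code (not a natural image)."""
    return [(100 + (x * 3) // 4, 80 + (y * 3) // 4, 120 + ((x + y) * 3) // 8)
            for y in range(height) for x in range(width)]


if __name__ == "__main__":
    for r, r2 in ((1.63, 1.11), (0.75, 0.69)):       # R and R' rows taken from Table 2
        m = pct_change(r, r2)
        print(f"R={r} R'={r2} m={m:.2f}% -> {classify(m)}")
    img = sample_image()
    u = unique_colors(img)
    print(f"gradient: U={len(u)} P={close_color_pairs(u)} R={ratio_r(img):.3f} "
          f"m after packing 20%={saturation_test(img):.2f}%")
```

On a real 24-bit BMP the pixel list comes from the file's pixel array; everything above the sample image works unchanged on it, and the threshold is where the paper's variable-threshold refinement would plug in.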


Table 2: Experimental data showing the saturation effect in the change in the relative number of unique colours in untampered and partially tampered images. The rate of change is larger for untampered images than for partially tampered ones.

Image name          Size (pixels)   Value of R   Percentage change in R when 20% data is packed artificially   Decision
Sky&land            128 x 128       1.63         31.90                                                          non-stego
Sky&land_20         128 x 128       1.11
Hiddensky&land      128 x 128       1.11         9.90                                                           stego
Hiddensky&land_20   128 x 128       1.00
People              128 x 128       0.98         23.47                                                          non-stego
People_20           128 x 128       0.75
Hiddenpeople        128 x 128       0.75         8.00                                                           stego
Hiddenpeople_20     128 x 128       0.69

It is observed that the percentage change in R is quite small for stego images in comparison with its value for non-stego images. The algorithm is tested on an image database of 200 color images in 24-bit BMP format of 128 x 128 pixels. The images are classified into different classes, namely greenery, people, object, face, waterbody, land, sky & cloud, building and animal. A message of approximately 1228 bytes (20% of the maximal capacity) was embedded in each image to generate a new database of 200 tampered images. The algorithm was executed on both the tampered and the untampered databases. The percentage change in R for the different classes of images is shown in Fig 2. If we select the threshold at a fixed value (say 9.00), then the classification of greenery, people, object, waterbody, land and building images is quite satisfactory, while for the face, sky & cloud and animal classes the probability of erroneous detection is very high.
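As an added worked example (not code from the paper), the following Python computes U, P and R for an image, packs random bits in place of the S-Tools step, and evaluates m from equation (5) together with the fixed-threshold decision. The close-pair criterion (channels differing by at most 1, after Fridrich et al.) is an assumption since this page does not restate it; the gradient image, seeds and threshold are constructed sample inputs.

```python
"""Added example (not the paper's code): the close colour pair statistic
R = P/U of this paper and its percentage change m (equations (4) and (5))
for a 24-bit image held as a flat list of (r, g, b) tuples."""
import random

# Assumption, not restated on this page: two colours are a close pair when
# they differ by at most 1 in every channel (the criterion of Fridrich et al.).
# Only the 13 lexicographically positive offsets are used, so each unordered
# pair of close colours is found exactly once.
_HALF_OFFSETS = [(dr, dg, db)
                 for dr in (-1, 0, 1) for dg in (-1, 0, 1) for db in (-1, 0, 1)
                 if (dr, dg, db) > (0, 0, 0)]


def close_pair_stats(pixels):
    """Return (U, P, R): number of unique colours, number of close colour pairs
    among them, and R = P / U."""
    unique = set(pixels)
    pairs = 0
    for r, g, b in unique:
        for dr, dg, db in _HALF_OFFSETS:
            if (r + dr, g + dg, b + db) in unique:
                pairs += 1
    return len(unique), pairs, pairs / len(unique)


def embed_lsb_random(pixels, fraction, seed=0):
    """Stand-in for the S-Tools packing step: write random message bits into a
    'fraction' of the LSB capacity (3 bits per pixel) at random channel positions."""
    rng = random.Random(seed)
    flat = [c for px in pixels for c in px]
    for i in rng.sample(range(len(flat)), round(fraction * len(flat))):
        flat[i] = (flat[i] & ~1) | rng.getrandbits(1)
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def percent_change(r_before, r_after):
    """m = (R - R') / R * 100, equation (5)."""
    if r_before == 0:
        raise ValueError("image has no close colour pairs; R is zero and m is undefined")
    return (r_before - r_after) / r_before * 100.0


def saturation_test(pixels, fraction=0.2, seed=0):
    """Pack the image artificially and return (R, R', m); a small m means the
    image is already saturated with embedded data (the criterion of section 2)."""
    _, _, r0 = close_pair_stats(pixels)
    _, _, r1 = close_pair_stats(embed_lsb_random(pixels, fraction, seed))
    return r0, r1, percent_change(r0, r1)


def classify(pixels, threshold, fraction=0.2, seed=0):
    """Fixed-threshold decision: 'stego' if m falls below the threshold."""
    return "stego" if saturation_test(pixels, fraction, seed)[2] < threshold else "non-stego"


if __name__ == "__main__":
    # Constructed 64 x 64 gradient image with repeated colours (sample input only).
    clean = [(x // 2, y // 2, (x + y) // 4) for y in range(64) for x in range(64)]
    already_packed = embed_lsb_random(clean, 0.2, seed=7)
    for name, img in (("clean", clean), ("already packed", already_packed)):
        r0, r1, m = saturation_test(img)
        print(f"{name:15s} U,P,R = {close_pair_stats(img)}  R' = {r1:.3f}  m = {m:.2f}%")
```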

Fig 2: Detection of stego-images using fixed and variable thresholding. The red dots represent untampered images while the blue dots represent tampered images. Both the false alarm rate and the false detection rate are improved when variable thresholding is used. The result was verified over an image database of 200 images of different nature.

To mitigate this problem, we use a variable threshold selected on the initial image statistics. The false detection rate and the false alarm rate for both the fixed threshold and the variable threshold are shown in Table 3, which shows a satisfactory improvement in the performance of the algorithm.

Table 3: Experimental results showing the improvement in FAR and FDR in the case of variable thresholding.

Image Class  | FDR, Fixed Threshold | FDR, Variable Threshold | FAR, Fixed Threshold | FAR, Variable Threshold
-------------|----------------------|-------------------------|----------------------|------------------------
Face         | 88.88%               | 0%                      | 5.56%                | 5.56%
Sky & cloud  | 38.46%               | 0%                      | 0%                   | 0%
Animal       | 0%                   | 4.65%                   | 48.83%               | 16.27%

3. CONCLUSION

The experimental results suggest that it is possible to reliably detect the presence of a secret message embedded in uncompressed color images using the LSB insertion technique. The reliability of detection depends on the selection of the threshold, which is an open-ended problem. The variable threshold based on image statistics improves the correct detection rate. In this paper, we have selected the threshold heuristically based on initial image statistics. The algorithm will be much more robust if the threshold can be automatically selected based on 1st and 2nd order statistics, including the color density and pixel pair correlation. Work in this direction is in progress in our laboratory.

4. ACKNOWLEDGEMENT

The authors are grateful to Prof. S. Pal, ISI, Kolkata, Dr. S. Basu, Sr. Director, DIT, Govt. of India and Dr. P. S. Nageswara Rao, Director, DIT, Govt. of India for their constant inspiration and encouragement. This work is supported by the Department of Information Technology (DIT), Govt. of India.




CHARACTERIZATION OF STOCHASTIC PROPERTIES OF EMBEDDED MESSAGE AND THE LSB PATTERN IN COLOUR AND GRAY-SCALE IMAGES

C. Saha, N. Maji, A. Gupta, D. Mazumdar and A. B. Saha
All the authors are affiliated to CDAC, Kolkata

ABSTRACT

LSB steganography is one of the popular ways of embedding messages in different multimedia cover objects. A number of commercial steganography software tools use LSB insertion as the method of message packing. In the present work a detailed study has been made of the stochastic properties of the embedded message and the LSB pattern in colour and gray-scale images. The influence of the initial noise already existing within the LSB pattern of the cover image on the embedded bit stream has been studied experimentally. A method based on higher order statistics has been proposed to eliminate the initial noise level so that the extracted bit-stream length can be estimated robustly.

Keywords: LSB Steganalysis, Bit Stream Length, Trace Submultiset, Finite State Machine.

INTRODUCTION

The prevalence of the Internet as a means of mass communication and the proliferation of digital multimedia circulated via the web have brought the ancient art of steganography into the digital era. Recent years have seen increased interest, even in commercial software, in using digital media data such as images, audio and video files. The basic aim of the steganographer is to find room in different file formats and encoding techniques to embed a message so that the composite file does not change perceptibly. In terms of communication theory, the S/N ratio of the composite file should not differ drastically from the S/N ratio of the original cover media data. This demands a number of structured actions to select the proper room for embedding the message innocuously. More specifically, the blank areas should contain perceptibly irrelevant or redundant information. The LSB embedding technique is one of the popular ways of steganography. It takes advantage of the random noise present in the LSB pattern of the acquired media data, such as images, video and audio. Since the noise magnitude is comparable to that of the LSB, embedding message bits in the LSB plane does not cause any discernible difference from the original visual or audio signal. Sorina Dumitrescu et al. [1] have already proposed a steganalysis tool based on the characterization of pixel pairs into different multisets and the study of the state transition rules under different combinations of LSB embedding. Other works on steganalysis of LSB embedding can be found in [2]-[5], and a survey of steganalysis techniques is presented in [6]. The main effort in all these works goes into extracting the probable length of the bit stream embedded within a cover image from a measure of probability. A number of factors influence the robustness of these steganalytic techniques. The most prominent factor is the initial level of noise (i.e. the randomness) present in the cover image. The measurement of the initial noise level is important as far as the accuracy of the measurement of the bit-stream length is concerned. In this paper, a thorough investigation has been done to understand the stochastic noise properties of the LSB pattern in colour and gray-scale images. How the noise behaviour changes with different degrees of packing density has also been studied. Higher order statistics have been used to find the role of the correlation of the pixel pairs in the elimination of the initial noise. The results have been tested on an image database of 200 images of different characteristics. The relative error in detecting the length of the bit stream has been studied experimentally for a large number of images. An attempt has been made to develop a mathematical description of the error generated due to the initial imbalance in the properties of the different multisets. The paper is arranged in the following way: in section 1, we explain the composition of the basic trace multisets defined in [1]. The physical properties of the multisets and their sensitivity to LSB embedding are explained using a state transition diagram. The explanation is supported with experimental data. In section 2, we present the results of our study on the effects of noise on message length estimation. The role of the initial imbalance in the cardinalities of the multisets on the estimated message length is also explained with experimental data. The effects of the correlation present in the higher order bits on the LSB pattern are included in section 3. Section 4 includes the conclusion and discussion.

1. BASIC MULTISETS AND THEIR SENSITIVITY TO LSB EMBEDDING

Assuming that the digital signal is represented by the succession of samples $S_1, S_2, \ldots, S_N$ (the index represents the location of the sample in the discrete waveform), a sample pair means a two-tuple $(S_i, S_j)$ where $1 \le i, j \le N$. Sorina Dumitrescu et al. [1] used sample pairs as the basic unit in their steganalysis to utilize higher order statistics such as sample correlation in a run length of two. The set of all such pixel pairs $(u, v)$ is denoted by P. Depending on the difference between u and v, the set P is divided into submultisets $D_n$ and $C_m$. $D_n$ includes the pixel pairs with a difference of n units between the u and v values (colour or gray-scale), i.e. sample pairs of the form $(u, u+n)$ or $(u+n, u)$ where $0 \le n \le 2^b - 1$ and b is the number of bits used to represent each sample value. In order to analyze the effect of LSB embedding on $D_n$, they further introduced other submultisets of P that are closed under the embedding operation in terms of the pairwise difference of sample values. Since the embedding affects only the LSB, they used the most significant $(b-1)$ bits in choosing these closed submultisets. The difference between the u and v values in the first $(b-1)$ bits is denoted by a number m where $0 \le m \le 2^{b-1} - 1$. Thus $C_m$ is the submultiset of P which includes all the sample pairs whose values differ by m in the first $(b-1)$ bits. The interrelationship of the submultisets can be expressed as:

1. $D_{2m} \subseteq C_m$.
2. $D_{2m+1} \subseteq C_m$; sample pairs of the form $(2k-2m, 2k+1)$ or $(2k+1, 2k-2m)$.
3. $C_{m+1} \subseteq D_{2m+1}$; sample pairs of the form $(2k-2m-1, 2k)$ or $(2k, 2k-2m-1)$.

The sample pairs of $D_{2m+1} \cap C_m$ are designated as $Y_{2m+1}$. In the same way, $X_{2m+1}$ are the sample pairs of the submultiset $D_{2m+1} \cap C_{m+1}$. The relationship among the submultisets can be visualized using the Venn diagram shown in Fig 1 below.

Fig 1: Venn diagram showing the interrelationship between the multisets.

The subset $D_{2m}$ is again divided into two subsets $X_{2m}$ and $Y_{2m}$, where $X_{2m}$ is defined as the submultiset containing sample pairs of the form $(2k-2m, 2k)$ or $(2k+1, 2k-2m)$, and $Y_{2m}$ is defined as the subset consisting of all pairs of the form $(2k-2m+1, 2k+1)$ or $(2k, 2k-2m)$.
In natural images a balance exists in the cardinalities of the different submultisets, as expressed in the following identity:

$$E|X| = E|Y| \quad \ldots (1)$$

where

$$X = \bigcup_{m=0}^{127} X_{2m+1} \;\cup\; \bigcup_{m=0}^{127} X_{2m}, \qquad Y = \bigcup_{m=0}^{127} Y_{2m+1} \;\cup\; \bigcup_{m=0}^{127} Y_{2m}.$$

The basic physics behind this is that in natural images there is no a-priori directional bias in the gradient of the colour or gray-scale values when the sample pairs are collected in a random fashion. This identity was also obtained statistically by Sorina Dumitrescu, Wu and Memon [7] and used as the key assumption in their LSB steganalysis. To understand the effects of embedding on the behaviour of the trace multisets, we start with the definition of an operator $o \in \{00, 01, 10, 11\}$, with 1 indicating which sample(s) of the pair has (have) the LSB reversed and 0 indicating intact sample(s). With this operator we get the finite state machine whose states are trace multisets, as described in Fig 2.

Fig 2: State transition diagram. Z is the subset of P which contains sample pairs of the form (u, u). W is the subset of Y containing sample pairs of the form (u, u+1) or (u+1, u), and V = Y – X.

The significance of the finite state machine of Fig 2 is that one can statistically measure the cardinalities of each multiset before and after LSB embedding. Moreover, it is possible to show that their probabilities are functions of the length of the hidden message if the embedding is done randomly in the time domain. All of these calculations depend on the balance in the cardinalities of X and Y expressed in identity (1). In natural images any small difference (termed initial noise) in the cardinalities of X and Y will misclassify a normal image as a stego-image. The measurement of the bit-stream length of a stego-image will also be erroneous. In the next section, we describe in detail the role of the 'initial noise' in the detection and measurement of the bit-stream length for stego-images embedded with different packing densities.



2. INFLUENCE OF INITIAL NOISE LEVEL ON THE MEASUREMENT OF BIT-STREAM LENGTH

To extract the bit-stream length using the finite state machine, we define p as the length of the embedded message in bits divided by the total number of samples in the file. Then the fraction of samples modified by LSB embedding is p/2. For each modification pattern $o \in \{00, 01, 10, 11\}$ and any submultiset $A \subseteq P$, denote by $\rho(o, A)$ the probability that the sample pairs of A are modified by the pattern o as a result of the embedding. Assuming that the message bits of LSB steganography are randomly distributed in the cover object, we have the following rules:

1. $\rho(00, p) = (1 - p/2)^2$;
2. $\rho(01, p) = \rho(10, p) = (p/2)(1 - p/2)$;
3. $\rho(11, p) = (p/2)^2$.

Using the finite state machine and the above probabilistic rules, we have the following formula for the state transition involving p:

$$0.5\,\gamma p^2 + \left(2|X'| - |P|\right) p + |Y'| - |X'| = 0 \quad \ldots (2)$$

where the primed quantities denote the cardinalities after embedding and $\gamma = |W' \cup Z'|$. Physically this means that the difference in cardinality $|Y| - |X|$ should ideally be zero for any natural image. A deviation from zero by an amount ε means the existence of additional information within the cover image; ε can be measured as a function of p and the cardinalities of the different submultisets. Solving this stochastic equation for p, one can extract the bit-stream length. But the proposed LSB steganalysis technique strongly hinges on assumption (1). The accuracy of the hidden message length p estimated by equation (2) depends primarily on the actual difference $\varepsilon = |Y| - |X|$. In Table 1, we give the values of $\varepsilon = |Y| - |X|$ for different images. The result clearly shows that even for natural images a finite difference exists in many cases. This difference, termed the initial noise level, makes the measurement of p erroneous.

Table 1: The values of $\varepsilon = |Y| - |X|$ for different images.

Sl. No. | Name of the Image | ε = |Y| − |X|
--------|-------------------|--------------
1       | Land28.bmp        | 6
2       | Face11.bmp        | 11
3       | Sky15.bmp         | 20
4       | Water7.bmp        | 137
5       | Building16.bmp    | 295
6       | Animal19.bmp      | 375
7       | Sky12.bmp         | 472
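As an added example (not the paper's own code), the following Python implements the trace multisets of section 1 and solves equation (2) of section 2 for p on a constructed 1-D 8-bit signal; it also reports the initial noise ε = |Y| − |X| of Table 1 for the cover. The even/odd rule used to aggregate the page's X2m, X2m+1, Y2m, Y2m+1 forms into X and Y, the non-overlapping pairing of consecutive samples, the sinusoid-plus-noise cover and the seeds are assumptions of this example.

```python
"""Added example (not the paper's code): sample-pair steganalysis of a 1-D
8-bit signal, implementing the trace multisets of section 1 and equation (2)
of section 2. Pairs are consecutive non-overlapping samples (S_2i, S_2i+1).

Assumed aggregation of the page's X_2m/X_2m+1 and Y_2m/Y_2m+1 forms:
  X : v even and u < v, or v odd and u > v
  Y : v odd  and u < v, or v even and u > v   (W = the Y pairs {2k, 2k+1})
  Z : u == v
Under LSB flipping a pair moves X <-> Y only when v is flipped, and W <-> Z
only when exactly one sample is flipped, which is the machine of Fig 2."""
import math
import random


def classify_pair(u, v):
    """Trace multiset of the sample pair (u, v): 'X', 'V' (= Y minus W), 'W' or 'Z'."""
    if u == v:
        return "Z"
    if abs(u - v) == 1 and min(u, v) % 2 == 0:
        return "W"                      # same LSB block {2k, 2k+1}, a subset of Y
    if (u < v and v % 2 == 0) or (u > v and v % 2 == 1):
        return "X"
    return "V"


def multiset_counts(samples):
    """Cardinalities |X|, |V|, |W|, |Z| and the derived |Y| = |V| + |W| and |P|."""
    counts = {"X": 0, "V": 0, "W": 0, "Z": 0}
    for i in range(0, len(samples) - 1, 2):
        counts[classify_pair(samples[i], samples[i + 1])] += 1
    counts["Y"] = counts["V"] + counts["W"]
    counts["P"] = counts["X"] + counts["Y"] + counts["Z"]
    return counts


def initial_noise(samples):
    """epsilon = |Y| - |X| of a cover signal, the quantity listed in Table 1."""
    c = multiset_counts(samples)
    return c["Y"] - c["X"]


def estimate_rate(samples):
    """Solve equation (2), 0.5*gamma*p^2 + (2|X'| - |P|)p + (|Y'| - |X'|) = 0,
    for its smaller root; gamma = |W'| + |Z'| is unchanged by LSB embedding."""
    c = multiset_counts(samples)
    a = 0.5 * (c["W"] + c["Z"])
    b = 2 * c["X"] - c["P"]
    k = c["Y"] - c["X"]
    if a == 0:
        return 0.0
    # Sampling noise can push the discriminant slightly below zero near p = 1;
    # clamp it so the double root is returned instead of a math error.
    disc = max(b * b - 4 * a * k, 0.0)
    root = (-b - math.sqrt(disc)) / (2 * a)
    return min(1.0, max(0.0, root))


def make_cover(n, seed=1):
    """Constructed cover: slow sinusoid plus symmetric noise, so E|X| = E|Y| holds."""
    rng = random.Random(seed)
    return [128 + round(60 * math.sin(i / 2000.0)) + rng.randint(-3, 3)
            for i in range(n)]


def embed_lsb(samples, p, seed=2):
    """Write random message bits into the LSB of a random fraction p of the
    samples (about p/2 of all samples actually change), as assumed in section 2."""
    rng = random.Random(seed)
    out = list(samples)
    for i in rng.sample(range(len(out)), round(p * len(out))):
        out[i] = (out[i] & ~1) | rng.getrandbits(1)
    return out


if __name__ == "__main__":
    cover = make_cover(400000)
    print("initial noise eps = |Y| - |X| =", initial_noise(cover))
    for p in (0.0, 0.2, 0.5, 1.0):
        est = estimate_rate(embed_lsb(cover, p))
        print("inserted p =", p, " estimated p =", round(est, 3))
```

The estimate near p = 1 is the least stable, because the two roots of (2) coincide there and sampling noise in the discriminant moves the result noticeably.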

In Fig 3, we have plotted the estimated message length against the inserted message length for different images. The curves are more or less linear and increase monotonically with the packing density. Curve 1 represents an image having perfect balance in the cardinalities before tampering. In the other cases, the initial imbalance in the cardinalities causes a finite intercept on the vertical axis. The linearity of the curves shows that the noise created by the embedded message signal is additive in nature, and that the initial noise level adds to the noise generated by the embedded message. Peculiarly enough, there may be cases where the initial noise level is complemented by the noise created by the embedded message. Our study shows that the initial noise level does not always follow the simple linear additive relation with the embedded message.

Fig 3: Plot of estimated message length against inserted message length. Curve 1: for an image with no initial noise; the rest of the curves are for images with initial noise.

In those images the message bits alter the LSB patterns of the cover image in such a way that the initial difference $\varepsilon = |Y| - |X|$ tends to 0 (Fig 4).

Fig 4: Plot of estimated message length against inserted message length for images in which the message bits alter the LSB patterns of the cover image in such a way that the initial difference $\varepsilon = |Y| - |X|$ tends to 0.

The effects of the initial noise level can be eliminated using a threshold. J. Fridrich et al. [8] obtained a Gaussian distribution with a standard deviation of 0.5% for the initial noise pattern, based on which they gave an empirical formula to estimate the initial noise level. But our study shows that the initial noise level does not always follow a simple linear additive relation with the embedded message. Hence, in the next section we discuss in detail how the correlation in the higher order bit pattern can be utilized to arrest the initial noise level more accurately.

3. ELIMINATION OF INITIAL NOISE USING THE CORRELATION IN HIGHER ORDER BIT PATTERN

In section 1 we have already given the definitions and properties of the submultisets. Among them, $X_{2m}$, $X_{2m+1}$, $Y_{2m}$ and $Y_{2m+1}$ represent submultisets of pixel pairs considering only their $b-1$ higher order bits. For arbitrary $1 \le i \le j \le 2^{b-1} - 1$, the finite state machines can be obtained by combining the multisets $X_{2m-1}$, $X_{2m}$, $Y_{2m-1}$ and $Y_{2m}$ (Fig 5).

Fig 5: State transition machine for a particular m.

The four unions of trace multisets $\bigcup_{m=i}^{j} X_{2m+1}$, $\bigcup_{m=i}^{j} X_{2m}$, $\bigcup_{m=i}^{j} Y_{2m+1}$ and $\bigcup_{m=i}^{j} Y_{2m}$ have the same finite state machine structure as in Fig 5. Based on this finite-state machine structure, the following quadratic equation for estimating p can be obtained:

$$\frac{p^2}{4}\left(|C_i| - |C_{j+1}|\right) - \frac{p}{2}\left[|D'_{2i}| - |D'_{2j+2}| + 2\sum_{m=i}^{j}\left(|Y'_{2m+1}| - |X'_{2m+1}|\right)\right] + \sum_{m=i}^{j}\left(|Y'_{2m+1}| - |X'_{2m+1}|\right) = 0, \quad i \ge 0 \quad \ldots (3)$$

The relative error

$$\frac{\left|\bigcup_{m=i}^{j} X_{2m+1}\right| - \left|\bigcup_{m=i}^{j} Y_{2m+1}\right|}{\left|\bigcup_{m=i}^{j} X_{2m+1}\right| + \left|\bigcup_{m=i}^{j} Y_{2m+1}\right|}$$

is plotted in Fig 6.

Fig 6: Plot of Relative Error. Curve 1: for an image having no initial noise. Curve 2: for an image having an initial noise.

The empirical formula, which fits a wide range of images, is as follows:

$$\varepsilon_j = \alpha\left[e^{-\beta j} + \kappa\, j\, u(j - \gamma)\right] \quad \ldots (4)$$

where α, β, γ, κ are numerical constants which vary from image to image, and $u(j - \gamma)$ is the unit step function defined as $u(j - \gamma) = 1$ for $j \ge \gamma$ and $u(j - \gamma) = 0$ for $j < \gamma$.

From this curve we can draw a number of inferences, as discussed below. First of all, it is observed that for higher values of j the error is very low for an image. The reason is that the population of pixel pairs with a high j value is very low in an image. Hence,

$$E\left\{\left|\bigcup_{m=i}^{j} X_{2m+1}\right| + \left|\bigcup_{m=i}^{j} X_{2m}\right|\right\} = E\left\{\left|\bigcup_{m=i}^{j} Y_{2m+1}\right| + \left|\bigcup_{m=i}^{j} Y_{2m}\right|\right\}$$

is assured in the most robust way for higher values of j. This fact can be utilized to form combined multisets for higher values of j. Calculation of the bit-string length from the finite state machines of the combined multisets will give minimum error. In the presence of initial noise, the relative error follows curve 2 of Fig 6. The saturation level of the curve is lifted up due to the presence of initial noise.

4. CONCLUSION AND DISCUSSIONS

In the present paper, experimental verification of the stochastic behaviour of the LSB pattern of a stego-image has been discussed. The influence of the initial noise level on the estimation of the message length has been tested on a large number of images of varying composition. An experimental result has been obtained which explains the proportion of initial noise in the different multisets. An empirical formula involving the higher order bits has been given which fits the experimental results very closely. The formula involves a number of parameters which strongly depend on the image properties. Extraction of the values of these parameters from the image properties is a challenging task. Work is continuing in this direction. In contrast to other works, we propose a variable threshold scheme based on image information to eliminate the initial noise level and to make the estimation of the message bit length more robust. All the experimental results are verified on an image database of 200 images, 128 x 128 in size, coded in 24-bit BMP format. To embed messages in these images we have used S-Tools as the steganography tool.

5. ACKNOWLEDGEMENT

The authors are grateful to Prof. S. Pal, ISI, Kolkata, Dr. S. Basu, Sr. Director, DIT, Govt. of India and Dr. P. S. Nageswara Rao, Director, DIT, Govt. of India for their constant inspiration and encouragement. This work is supported by the Department of Information Technology, Govt. of India.

6. REFERENCES

[1] Sorina Dumitrescu, Xiaolin Wu and Zhe Wang, "Detection of LSB steganography via sample pair analysis", Proc. of 5th International Workshop on Information Hiding, October 2002.
[2] J. Fridrich, R. Du and L. Meng, "Steganalysis of LSB Encoding in Color Images", Proc. IEEE Int'l Conf. Multimedia and Expo, CD-ROM, IEEE Press, Piscataway, N.J., 2000.
[3] Siwei Lyu and Hany Farid, "Detecting Hidden Messages using Higher Order Statistics and Support Vector Machines", Proc. of 5th International Workshop on Information Hiding, October 2002.
[4] J. Fridrich and M. Goljan, "Practical Steganalysis: State of the Art", in SPIE Photonics West, Electronic Imaging, San Jose, CA, 2002.
[5] A. Westfeld and A. Pfitzmann, "Attacks on Steganographic Systems", in Andreas Pfitzmann (Ed.): Information Hiding, LNCS 1768, pp. 61-76, Springer-Verlag, 1999.
[6] N. F. Johnson and S. Katzenbeisser, "A Survey of Steganographic Techniques", in S. Katzenbeisser and F. Petitcolas (Eds.): Information Hiding, pp. 43-78, Artech House, Norwood, MA, 2000.
[7] Sorina Dumitrescu, Xiaolin Wu and Nasir Memon, "On Steganalysis of Random LSB Embedding in Images", Department of Computer Science, University of Western Ontario, London, ON, Canada.
[8] J. Fridrich, M. Goljan and Rui Du, "Detecting LSB Steganography in Colour and Gray Scale Images", Proc. of the ACM Workshop on Multimedia and Security, Oct-Dec 2001.


Eliminating covert channels in TCP/IP using active wardens

Sanjeev J. Wagh, M.E. (Computer Engg) [1], Asst. Prof., College of Engineering, Kopergaon, E-Mail Id: [email protected]
Prashant M.  Yawalkar, M.E. (Computer Engg) [2], Lecturer, College of Engineering, Kopergaon, E-Mail Id: [email protected]
Mobile: 9822408573

Dr. T. R. Sontakke [3], Principal & Professor, SGGS COE&T, Nanded, E-Mail Id: [email protected]

ABSTRACT

For nearly two decades active wardens have been an area of postulation in the community, but there have been no implementations that can be used to stop steganography as it transits networks. In this paper we examine the techniques and challenges of a high-bandwidth, unattended, real-time, active warden in the context of a network firewall. In particular, we concentrate on structured carriers with objectively defined semantics, such as the TCP/IP protocol suite, rather than on the subjective or unstructured carriers such as images that dominate the information hiding literature. We introduce the concept of Minimal Requisite Fidelity (MRF) as a measure of the degree of signal fidelity that is both acceptable to end-users and destructive to covert communications. For unstructured carriers, which lack objective semantics, wardens can use techniques such as adding noise to block subliminal information. However, these techniques can break the covert communications of structured carriers, which have strict semantics. We therefore use a specification-based approach to determine MRF. We use MRF to reason about opportunities for embedding covert or subliminal information in network protocols and develop both software to exploit these channels and an active warden implementation that stops them. For unstructured carriers, MRF is limited by human perception, but for structured carriers, well known semantics give us high assurance that a warden can completely eliminate certain subliminal or covert channels.

1. INTRODUCTION

Network security is one of the most pressing and difficult problems facing modern private organizations and governments. In addition to the daily barrage of unwanted traffic from network scans, viruses, worms, exploit tools, and other unauthorized attempts to gain access, sites must be concerned with malicious insiders using digital carriers to secretly disperse information through the very perimeter that is supposed to be protecting the network. The ubiquitous use of protocols and file structures laden with loose semantics and unused or marginally significant bits that can be freely used for covert communication channels only furthers those challenges.

2. THREAT MODEL

Historically, the malicious insider has been one of the greatest threats to organizations [2], but techniques to stop these insiders are often time-consuming and inadequate. In the example of the admitted FBI spy Robert Hanssen, his espionage activities were not detected and stopped for over a decade [11]. Meanwhile, he distributed some of the US government's most classified information directly into the hands of the KGB. According to his own affidavit, various forms of steganography and other undercover techniques to communicate and transfer information facilitated Hanssen's success. Secure organizations go to great lengths to secure their machines and networks from outside attackers. However, the vast number of insiders is largely trusted in order to maintain productivity. As a result, most insiders are able to gain complete control of several internal computer systems. Inevitably, there is some communication between these systems and external systems that may cooperate in the transfer of covert data. Since the insiders have access to both restricted data and machines, which they can use to covertly distribute that data, the problem of detecting and stopping this unwanted behavior is extremely challenging.

Even where personnel security is not of great concern, malicious software agents provide equivalent threats. There are many paths for viruses, worms, etc. to enter a network. Once active, these agents have all the electronic capabilities of a malicious individual. Further, network communications may be the only communications path these agents have.

Our model is designed for high-security environments where the network is not a free channel, but is instead frequently monitored or restricted against unauthorized usage. Wardens are not a form of censorship themselves, but merely enforce that all communications are overt. We recognize that our framework may not be appropriate for the Internet as a whole, but only for restricted environments where there is an infinite threat that a malicious insider could do permanent damage.

Figure 1: Partial Rule Sets for IP, TCP, UDP & ICMP

In addition to using covert channels in Internet traffic, there are a plethora of other ways that a malicious insider could extract data from a given site, such as copying the data onto a floppy disk and carrying it home. However, our research is limited to network security and not physical security, and as such, we do not address this threat.

2.1. Potential Damage

Each steganographic algorithm has a data-to-carrier ratio that defines the bandwidth of the carrier. For images, this can be very high (over 50%). Using specific embedding algorithms such as BPCS [19], a 1 MB image could contain up to 500K of hidden data. Perhaps the highest-bandwidth carrier is network traffic itself. Each packet has the potential to carry over 8 bytes of data (see Figure 1). We analyzed traffic at one large site where over 500 million packets left the site each day. Assuming a malicious insider could control the timing of packets to get 1 bit of data out per packet, the site could lose over 26 GB annually. If a malicious insider could manipulate 8 bytes in each packet, the site could lose over 4 GB daily. When combined with the potential that each e-mail attachment can have embedded data, the potential loss rates are staggering. Completely eliminating the leakage of information is very difficult. However, we are primarily concerned with relatively high-bandwidth leakage of information. While it is feasible that a malicious insider could transmit a very small amount of information per day that would not be stopped by our warden, we feel that this is a problem that is best addressed once the high-bandwidth leakage is curbed.

2.2. Deficiencies of Detection Techniques

We argue that security mechanisms must adopt proactive as well as reactive defenses. As evidenced by the need for both firewalls and intrusion detection, prevention is an equally, if not more, important problem than detection. While there are several techniques currently in use that reactively attempt to detect steganography in images, this is understandably an impossible task to complete, as there are many places to hide data, and many ways to hide the data in those places. In this section we discuss some of these detection techniques and their limitations.

Johnson has done extensive work in identifying signatures for specific steganographic techniques [12, 15]. By closely monitoring the artifacts left from several commercial products, he noticed several distinguishing traits for many commercial products. Since all of the commercial techniques modify the carrier in some way, he was able to document many of these signatures. However, his published observations were limited to commercial steganographic packages, and the majority of malicious insiders would not opt to use such public techniques in their covert transfers.

In [8], Fridrich et al. discuss a simple technique to detect hidden information in the least-significant bits of images by observing the number of close colors in images. While their technique works relatively well to detect large hidden messages, small embedded messages produce an error rate of up to 40%.

Provos attempted to find images containing steganography on the Internet. He downloaded 3 million JPEG images from eBay and Usenet, and performed several tests to attempt to determine if they had embedded data from JP-Hide [16], J-Steg [17], or Outguess [23]. Provos' detection tool Stegdetect identified over 54,000 images with these detection signatures, but was unable to find the passwords for any of these images. As such, his results were inconclusive.

While it is useful to gain intelligence about the activities of attackers, our primary goal is to provide system and information security rather than to collect attack information or spend time finding and defining steganographic signatures. This does not mean that we have abandoned the task of discovering the perpetrators. However, this potentially time-consuming task may be best done off-line after the necessary modifications have been made to prevent the covert channels, but before the original connection state is purged from our warden.

3. RELATED WORK

The terms covert channel and subliminal channel are often used interchangeably, but in this paper we use the following definitions from the literature. Lampson defines a covert channel as a channel that is not intended for information transfer [20, 9]. Simmons describes a subliminal channel as one where hidden data piggybacks on an innocuous-looking legitimate communication. By definition, steganographic carriers are subliminal channels since the communication appears to be innocent, but really has ulterior information embedded below the threshold of perception.

In [3], Anderson shows that there are methods ‘more contrived than practical’ where embedded data could survive a pass through an active warden.

In [6], Ettinger develops the idea of critical distortion in an active warden scenario between two game players, a data hider and a data attacker. Equilibrium for the game is achieved when the communication channel is distorted to a level where covert channels will not survive. Ettinger observed that due to the large number of bits that both the data hider and the data attacker could modify, this problem was extremely complex. While we don’t dispute this fact, our approach fundamentally differs from his in that Ettinger attempted to determine the critical distortion dynamically, without any prior knowledge of the steganographic carrier. Our technique implements static rule sets for a given carrier that are applied to the data as it traverses the network. By restricting the problem in this fashion, we are able to successfully eliminate steganography from certain carriers in Internet traffic.

In 1997, Petitcolas published Stirmark [26, 25], which has some of the functionality of a warden, but does not automatically change all network information as it traverses a network. Instead, Stirmark is an application program that will attempt to remove steganography in a given image. If modified, Stirmark could be used as a networked warden for certain types of unstructured carriers. In contrast, our contributions in this paper focus primarily on structured carriers such as TCP/IP.

Also in the area of unstructured carriers, Johnson [12] tested several contemporary steganographic systems for robustness. His tests involved embedding information into an image, and then testing its survivability against a myriad of techniques including format translation, bit-density translation, blurring, smoothing, adding and removing noise, edge sharpening, rotation, and dilation. Johnson noted that tools that rely on bitwise embedding methods failed all of the tests.

Digital watermarking [25, 13] uses many of the same techniques as steganography, but sometimes with an emphasis on robustness more than secrecy. Watermarks are designed to be tolerant of attempts to remove them by altering or transforming the carrier. An active warden would have a more difficult time removing a good watermark, but the detection of that watermark may also be proportionately easier.

A network intrusion detection system is a form of passive warden that observes network traffic in search of malicious attacks. However, there have been several studies of ways to subvert intrusion detection systems using techniques known as packet evasion [24], which exploit ambiguities in the semantics of network protocols and differences in perspective between intrusion detection systems and end hosts. Recently, it has been shown that this kind of attack can be defended against through the use of a protocol scrubber [21] or a traffic normalizer [10], which reduces ambiguous traffic to a canonical form that can be more reliably monitored. Similar techniques have been used to limit the amount of information leaked to a system fingerprinting mechanism such as nmap. While some of the mechanisms used to perform scrubbing and normalization are similar to those of an active warden, the problem domains differ.

4. MINIMAL REQUISITE FIDELITY

Wardens have frequently been discussed as actors in a security system, but in our model, an active warden is a network service that is architecturally similar to a firewall, but functionally quite different. Like a firewall, a warden implements a site’s security policy. To prevent attacks from the outside, inside, or both, the warden modifies all traffic to remove many, if not all, of the carriers that can be used for covert channels, subliminal channels, intrusion detection evasion, and even some forms of attacks. Because this warden is a network service, it must be concerned not only with the application data that it handles, but also with the network protocols used to exchange data.

One way to prevent the use of covert channels and subliminal channels across a network is to drastically alter all data that passes across that network and that may be used as a carrier. For example, if it is believed that data is embedded in color detail, all images can be converted to monochrome. However, this level of modification would disrupt users and is not generally acceptable.

An alternate technique for preventing the successful use of covert channels is to distort potential carriers just enough that any covert and subliminal channels in those carriers become unusable. If done carefully, the overt users of the carriers remain unaware of these modifications. We describe this modification of traffic as imposing Minimal Requisite Fidelity. This term captures the essence of both the opportunity for data embedding and a warden’s defense. The basic premise is that for any communication there is some fidelity at which the recipient interprets the data. For example, an image displayed in a web browser is intended for human consumption and need not possess any more information than is apparent to a human eye viewing a computer screen. However, the transmitted data may contain more detailed information than is perceptible to the viewer. As described in the following section, minute differences in color, textures, saturation, or other measures can be used to hide a wealth of information. The paradigm of Minimal Requisite Fidelity refers to determining the threshold of fidelity that is required for overt communications with the recipient and then limiting the fidelity of network transmissions so that no additional information is preserved.

Since MRF preserves functionality while altering the exact values seen by the receiver, it makes the job of an attacker much more difficult, if not impossible. In this regard, an active warden enforcing MRF is very much like a network proxy. Such a warden acts as a semantic proxy by relaying the semantics of the protocol while insulating each end-point from the specific syntax created by that end-point. To date, there has been no theory behind proxies, but MRF could be used to define one.

The ability to perform this fidelity modification varies with the type of carrier being used. In the next section, we break carriers into two broad classes of structured and unstructured carriers and provide examples of how the Minimal Requisite Fidelity paradigm can be applied to them. We will show that the paradigm is equally applicable, but that additional constraints present with structured carriers allow for much stronger guarantees to be made.

5. CARRIER TAXONOMY

In this section, we will examine techniques for embedding data in some common examples of unstructured carriers and structured carriers. The definition of MRF for the two different types of carriers is quite different.

5.1. Unstructured Carriers

A subliminal channel is based on modifying a carrier in imperceptible ways. For what we call unstructured carriers, fuzzy notions such as perception define the limits to what can be changed. Perception can be quantified and carriers can be subjected to statistical analysis, but there is no universal, objective bound to how much information can be altered for purposes of embedding. Below this level of perception, arbitrary changes can be made to the data in order to embed information. However, an active warden can make use of the exact same freedoms to destroy any embedded information.

Examples of techniques to embed data in unstructured carriers are Null Ciphers - hiding data in plain text [18]; Least-Significant Bit Embedding - modifying the least significant bit of specified pixels, which results in color variations that are not distinguishable to the human eye [14]; Bit-Plane Embedding - identifying noisy regions of each bit-plane in an image and replacing those regions with embedded data [19]; and Discrete Cosine Transformation - modifying and converting pixel values into frequency values using the IDCT [13].

Quantifying MRF for Unstructured Carriers: In each of these examples of unstructured carriers, Minimal Requisite Fidelity can be defined. This would be the minimum amount of purity in an unstructured carrier that is needed to convey the meaning of the carrier. In the example of an image, this MRF would be the minimal set of colors that displays the image as seen by the human eye. In a null cipher, the MRF could be achieved by slightly rewording phrases and adding spaces and tabs to the end of lines, so that the same meaning is conveyed but in a slightly different format. However, finding the correct Minimal Requisite Fidelity for unstructured carriers is challenging. Because there are no objective bounds to the carrier, a threshold of requisite fidelity must be chosen subjectively. This threshold can be based upon knowledge of human perception, or on the typical use of the data. However, there remains the possibility that a determined adversary will risk making perceptible changes for the sake of getting a signal through. For instance, a warden may thwart Bit Plane Complexity Segmentation (BPCS) steganography (BPCS uses a complexity measure to identify regions of the image that can accommodate more embedding without affecting the visual quality of the image) by modifying all noisy regions in an image, but the threshold for defining a noisy region is arbitrary. An adversary could embed data in less noisy regions at the expense of making them appear grainy. While a warden might not be able to make all images grainy, grainy images might legitimately occur and be let through. Nonetheless, a warden may be able to assume that preserving graininess is not a requirement. In this case, smoothing or randomizing of grain could be employed.
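The "randomizing of grain" defense in its simplest form, as an added example that is not code from the paper: a warden that re-randomizes the k lowest bit-planes of 8-bit grayscale samples (the freedom the text says lies below perception) and reports the distortion as PSNR, one objective way to quantify the fidelity threshold that this section says must otherwise be chosen subjectively. The gradient image, the threshold k and the seeded generator are assumptions of the example.

```python
"""Added example (not from the paper): an active warden for an unstructured carrier.
It replaces the k least-significant bit-planes of 8-bit grayscale samples with fresh
random bits, so anything embedded in those planes is destroyed while no sample moves
by more than 2**k - 1 levels. PSNR quantifies the fidelity that was given up."""
import math
import random


def lsb_warden(samples, k: int = 1, rng=None):
    """Re-randomize the k least-significant bits of every sample.
    A real warden draws the bits from an unpredictable source (SystemRandom);
    a seeded generator may be passed in only to make a run repeatable."""
    rng = rng or random.SystemRandom()
    mask = (1 << k) - 1
    return [(s & ~mask) | rng.getrandbits(k) for s in samples]


def psnr(original, modified) -> float:
    """Peak signal-to-noise ratio of 8-bit samples, in dB; infinite when identical."""
    mse = sum((a - b) ** 2 for a, b in zip(original, modified)) / len(original)
    return math.inf if mse == 0 else 10 * math.log10(255 ** 2 / mse)


def lsb_plane(samples):
    """The least-significant bit-plane, the usual hiding place for LSB embedding."""
    return [s & 1 for s in samples]


def constructed_image(width: int = 32, height: int = 32):
    """Constructed 8-bit horizontal gradient with mild noise, standing in for a photograph."""
    rng = random.Random(1)
    return [max(0, min(255, x * 255 // (width - 1) + rng.randint(-3, 3)))
            for _ in range(height) for x in range(width)]


def demo(k: int = 1, seed: int = 7) -> dict:
    """Run the warden over the constructed image and summarize what changed."""
    img = constructed_image()
    out = lsb_warden(img, k=k, rng=random.Random(seed))   # seeded only for repeatability
    return {
        "max_change": max(abs(a - b) for a, b in zip(img, out)),   # never exceeds 2**k - 1
        "psnr_db": psnr(img, out),
        "lsb_plane_changed": lsb_plane(img) != lsb_plane(out),     # the hiding place is gone
        "in_range": all(0 <= s <= 255 for s in out),
    }
```

With k = 1 the mean squared error can never exceed 1, so the PSNR stays above 48 dB whatever the image; raising k lowers the guaranteed fidelity and is exactly the threshold choice this section describes. The block only removes embedding confined to the low bit-planes; BPCS-style embedding in noisy regions needs the region-based smoothing the text describes rather than a fixed bit-plane rule.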

Clearly, there is a cycle of measure and counter-measure to this game. However, any time a warden can afford to reduce the fidelity of the carrier, the adversary’s job gets harder. While this cycle may be arduous, it at least makes forward progress towards security.

5.2. Structured Carriers

In contrast to unstructured carriers such as plain text, structured carriers are instantiations of some well-defined syntax and semantics. In this section we focus on a significant example of the structured carrier, network protocols. We first present an example of network traffic embedding and then examine how this technique exploits the syntax and semantics of the protocol. This examination leads to a formal expression of Minimal Requisite Fidelity. The ability to make such formal expressions is a unique characteristic of structured protocols and enables wardens to more thoroughly apply the concept of Minimal Requisite Fidelity.

Network protocols such as the TCP/IP family of Internet protocols define both syntax for network packets as well as the semantics used by systems exchanging packets. The syntax is the data format for packets that traverse the network. This syntax is not unlike the image-encoding format of some unstructured carriers. What makes structured carriers different is the additional specification of semantics that describe how a packet is interpreted and what actions the end host will make based upon that packet.

For example, the Covert TCP program manipulates TCP/IP header information to encode ASCII values in header fields. Covert TCP makes use of the fact that IP uses arbitrarily assigned numbers to identify packets. Each packet has an ID field containing a 16-bit number. This ID has no notion of order and is used purely to let a packet be fragmented while allowing the receiver to identify related fragments and reassemble the larger packet. Every associated fragment will contain the same ID, while fragments of different packets will contain different IDs. Covert TCP chooses IDs that contain data to be sent. As a simplified example, the string ‘STEG’ can be embedded in a series of four packets where the first packet has an ID equal to the ASCII value of ‘S’, the second has an ID equal to ‘T’ and so on.

Because the semantics of the ID field are so clearly defined, Covert TCP is able to fully exploit the protocol without the risk that its choice of ID numbers will cause changes that are perceptible to the recipients of the packet. However, an active warden can use the same fact to renumber IDs to thwart such channels. In the following sections, we provide a concrete analysis of the semantics of this example and how MRF can be absolutely applied to this type of carrier.

Quantifying MRF for Structured Carriers: Information theory provides a basis for analyzing the fidelity required to support the semantics of structured carriers. While the identifier field is not required to be a random variable, the difference between the amount of information contained in the field, 1 of 2^16 values, and the amount of information provided to the receiver is startling. The receiver need only match a fragment to 1 of the n packets, where n is the number of packets that the receiver may be reassembling at any point in time. For TCP, which accounts for the vast majority of traffic, the value of n is bounded by the receiver’s advertised window size and is typically zero since most upper-layer protocols tend to avoid fragmentation for performance reasons. Thus, in the typical case, the amount of entropy present in the identifier is much greater than the amount required by the protocol semantics.

Programs such as Covert TCP or more sophisticated steganography can use this extra entropy in order to create a covert or subliminal channel. However, our definition of the amount of entropy required by the protocol semantics also leads us to search for a bijective transformation that randomizes this extra information while preserving semantics. With such a transformation, a warden can randomly permute the identifiers chosen by untrusted end systems.

Assuming that a warden used some permutation function f(x), an attacker could potentially learn the values of the renumbered packets and attempt to engineer an inverse function so that she may transmit packets with an inverted ID, f^-1(x), that, when transformed by the warden, becomes the intended value, f(f^-1(x)) = x. However, this kind of security feature is the very problem that encryption systems address. Therefore, we can employ an encryption algorithm to perform this permutation. Thus, we can recast the problem of randomizing excess entropy as the solved problem of encrypting the packet field.

Covert TCP provides us with a second example problem with slightly different semantics. This example will exercise our reasoning and show that our method for enforcing Minimal Requisite Fidelity has promise for additional carriers. Covert TCP can also embed data in the TCP initial sequence number, which is another arbitrarily chosen number. However, the semantics of this number are somewhat different in that subsequent packets from the initial sender will contain a sequence number computed by incrementing the initial sequence number. Further, the receiver will acknowledge the receipt of these sequence numbers back to the sender. Thus, the permutation must be applied only to the initial sequence number of a connection. If the warden saves the difference between the original and modified initial sequence number, it can re-apply this offset to all subsequent packets in that connection.

6. MRF ANALYSIS OF IP

Having seen that Minimal Requisite Fidelity can be precisely identified and manipulated in structured carriers, we now perform a more complete examination of the protocol headers and semantics in IP. We choose to look at IP because it has well-defined semantics and because without addressing IP, no Internet traffic can be considered completely protected. This case study will validate the applicability of the MRF model and demonstrate how a warden can provide some assurances about entire protocol layers. This analysis differs from previous work in [10] and [21] in that we are stopping the covert flow of data rather than attacks by a malicious outsider. The MRF analysis of all IP fields is presented below as a taxonomy of field semantics. For the sake of brevity, we do not discuss the individual IP option fields, which are rarely used and in general are quite open to modification by both adversaries and wardens.

Constant: (Version, Padding) These fields are effectively constants that cannot be changed without fundamentally changing the functions of the protocol. The version field specifies which version of the protocol is being used. Any value other than 4 (IP version 4) will cause the remainder of the packet to be interpreted with a completely different set of syntax and semantics. For instance, version 6 is the latest version, and while not widely supported, has similar, but slightly different definitions for syntax and semantics. An IPv4 packet cannot be turned into a valid IPv6 packet by simply changing the version number. For the sake of brevity, we assume IPv4 and term this field a constant. However, a more holistic analysis would examine all other versions of IP.

Free: (Type of Service, Don’t Fragment Flag, Reserved Bits) These fields can hold arbitrary values while preserving the basic functionality of the protocol. Thus, wardens should modify these variables religiously. Due to nuances of these fields, we suggest that a warden not randomize them, but instead set them to safe defaults for the warden’s network environment. Note that this categorization of the type of service field may change if Differentiated Services [22] becomes widely deployed. However, the Differentiated Services architecture assumes that this field will be administered according to local network policy, and the warden may be a party to that policy.

Decreasing: (Time To Live) The time to live is a counter value that is decremented at each hop. When the time to live reaches zero, the packet is discarded. This causes packets in routing loops to eventually be dropped. The TTL can be changed, but in order to preserve the routing loop behavior, the new TTL should always be lower than the existing TTL. Note that decreasing the TTL will prevent traceroute from working properly since it depends on TTL values being decremented only once per hop.

Tokens: (Identification, Source Address) These fields, as described earlier, serve to correlate packets. The values themselves are arbitrarily chosen and can be mapped to different values, but this mapping must be stable across packets. Source address has some additional constraints in that it will be used to form reply and error messages. Thus, it must refer to the originator’s address or the address of a system willing to proxy these messages to the originator. Network Address Translation is a widely-deployed technology that rewrites source addresses on traffic passing through a gateway [5].

Derivative: (Header Length, Header Checksum) These fields are determined by other aspects of the header. The length is determined by the number of options included in the header, while the header checksum is computed from all other fields in the IP header (excluding payload). If the checksum alone is changed, the packet will be dropped in transit.

Fragmentation: (More Fragments Flag, Fragment Offset, Total Length) The maximum amount of data that can be sent is bounded by what the upper-layer protocol provides, but the IP layer has flexibility in how a payload is fragmented and sent. Fragments can be reassembled into a larger packet and then re-fragmented along different boundaries.

Dependent: (Destination Address, Protocol, Payload) These fields are determined by upper-layer protocols. In general, every value is legal, but the legality of any specific value is determined by the upper layer using the protocol. As a result, neither an adversary nor a warden can directly alter these values without altering the behavior of the protocol. However, a warden operating at a higher layer should cause these fields to be changed wherever possible. For instance, an adversary or a warden could segment the upper-layer packets differently in order to embed or remove information in packet sizes.
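One IPv4 header rewritten under the taxonomy above, as an added example that is not code from the paper. It also carries out the keyed bijection on the Identification field that section 5 argues for: the paper only says "an encryption algorithm", so the concrete construction here (a four-round Feistel network over the two bytes of the ID, with HMAC-SHA256 as the round function, tweaked by the source address so fragments from one sender keep matching) is an assumption of the example, as are the site ToS default, keeping DF set, and the per-warden secret key. Source address rewriting is left to NAT, and the fragmentation and dependent fields to the upper-layer warden, exactly as the text assigns them.

```python
"""Added example (not from the paper): an active-warden rewrite of one IPv4 header
following the Constant / Free / Decreasing / Token / Derivative taxonomy."""
import hashlib
import hmac
import struct

IPV4_FMT = "!BBHHHBBHII"          # the 20-byte fixed header


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; over a header that already carries a valid
    checksum it returns 0, which is how a header is verified."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def permute_id(key: bytes, src: int, ident: int, rounds: int = 4) -> int:
    """Keyed bijection on the 16-bit Identification field (assumed construction):
    a Feistel network over two 8-bit halves whose round function is HMAC-SHA256 of
    (round, source address, half). Same key + same source + same ID -> same output,
    so related fragments still share an ID; distinct IDs stay distinct."""
    left, right = ident >> 8, ident & 0xFF
    for r in range(rounds):
        f = hmac.new(key, struct.pack("!BIB", r, src, right), hashlib.sha256).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right


def unpermute_id(key: bytes, src: int, ident: int, rounds: int = 4) -> int:
    """Inverse of permute_id: shows the mapping really is a bijection (the warden
    itself never needs to invert it)."""
    left, right = ident >> 8, ident & 0xFF
    for r in reversed(range(rounds)):
        f = hmac.new(key, struct.pack("!BIB", r, src, left), hashlib.sha256).digest()[0]
        left, right = right ^ f, left
    return (left << 8) | right


def parse_ipv4(packet: bytes) -> dict:
    names = ("ver_ihl", "tos", "total_len", "ident", "flags_frag", "ttl", "proto", "csum", "src", "dst")
    return dict(zip(names, struct.unpack(IPV4_FMT, packet[:20])))


def warden_rewrite_ipv4(packet: bytes, key: bytes, tos_default: int = 0, keep_df: bool = True):
    """Apply MRF to one packet. Returns the rewritten packet, or None when the TTL rule
    says it must be discarded (it would reach zero at this hop)."""
    h = parse_ipv4(packet)
    if h["ver_ihl"] >> 4 != 4:
        raise ValueError("Constant field: this analysis assumes IPv4")
    ihl = (h["ver_ihl"] & 0x0F) * 4
    # Free fields: ToS and the reserved flag bit go to site defaults; DF is a site choice
    # (kept by default here so path MTU discovery keeps working, an assumption).
    tos = tos_default
    flags_frag = h["flags_frag"] & 0x3FFF              # clears reserved (0x8000) and DF (0x4000)
    if keep_df:
        flags_frag |= h["flags_frag"] & 0x4000
    # Decreasing field: TTL may only go down; never re-raise it.
    if h["ttl"] <= 1:
        return None
    ttl = h["ttl"] - 1
    # Token field: stable keyed remap of Identification (source address is left to NAT).
    ident = permute_id(key, h["src"], h["ident"])
    # Derivative fields: header length is untouched, checksum recomputed over the whole
    # header including any options; fragmentation and dependent fields pass through.
    header = struct.pack(IPV4_FMT, h["ver_ihl"], tos, h["total_len"], ident, flags_frag, ttl,
                         h["proto"], 0, h["src"], h["dst"]) + packet[20:ihl]
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + packet[ihl:]


def build_sample_packet(ttl: int = 64) -> bytes:
    """Constructed packet: ID 0x5354 (ASCII 'ST', the Covert TCP example), ToS 0x10,
    reserved flag bit and DF set, TCP, 10.0.0.1 -> 10.0.0.2, four payload bytes."""
    payload = b"data"
    hdr = struct.pack(IPV4_FMT, 0x45, 0x10, 20 + len(payload), 0x5354, 0x8000 | 0x4000, ttl, 6, 0,
                      0x0A000001, 0x0A000002)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload
```

Because the ID mapping is a keyed bijection, an adversary who observes renumbered packets cannot predict the value a chosen ID will be turned into without the key, which is the point the section makes about recasting the problem as encryption; a warden that merely subtracted a constant would be invertible after one observation.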

A warden cannot change the destination address. However, it does exhibit a property common to other fields in the dependent category. If an adversary is creating packets that do not contain legitimate data streams, arbitrary values can be chosen for these fields. For instance, a malicious party could generate traffic to incorrect or fictitious destinations knowing that the route to that address will cause the packets to traverse a link where a collaborating receiver can eavesdrop on traffic and observe the message. Additionally, an adversary could target specific machines on a subnet to send covert messages.

Figure 2: Observations based on simulation model

Although the IP header is compactly designed, it is worth noting that other protocols have additional fields that are predicated. These fields are always present, but are unused in some circumstances. In situations where the protocol does not use these fields, they are essentially reserved bits. As such, they are exceptional opportunities for embedding and should be modified by wardens.

Of the six types of fields that we have defined, the application of Minimal Requisite Fidelity is most complicated for the token category, for which we have already described a solution. We have shown that, at least for the IP layer, MRF can be precisely defined and applied to each header field. Thus an active warden can give a level of assurance that IP headers are not being used for subliminal channels. In addition, this description of semantics sheds light on what kind of semantic detail is necessary to describe a structured carrier. The previous examination of IP was based on the protocol specification. However, the specification is not necessarily indicative of real use. For example, a protocol implementation may make use of reserved bits that have not been standardized. To validate our examination and determine which fields can be safely modified, we therefore performed several feasibility studies. For analyzing network traffic, we present this information as a case study, and are not trying to make any observations about traffic composition as a whole on the Internet. The purpose of this study was to determine which fields in IP, TCP, UDP and ICMP can be safely modified by our wardens without breaking any applications. Our final rule sets for IP, TCP, UDP, and ICMP will be dependent on our observations from these studies.

In Figure 2, we list part of the results that we observed during our analysis based on a simulated model. In some instances, the results showed several discrepancies. Why, for example, is TCP’s urgent bit set in 13934 packets, but the urgent pointer is non-zero in 1479773 packets? Why are TCP’s reserved bits set in 429164 packets? While it is possible that these inconsistencies are due to faulty implementations of TCP or network errors, we must rule out the possibility that legitimate communication channels are using these fields for justifiable purposes before we modify these bits with an active warden.

In addition to determining legitimate uses of each field, we must also ensure that the correctness of the IP and TCP protocols and associated applications does not change. For example, changing the TTL without a proxy would break traceroute. Clearing the TCP reserved bits could interfere with Explicit Congestion Notification. For each rule that we define for each bit in the packet header, we will need to verify that a legitimate service will not be broken.

7. IMPLEMENTATION CONCEPTS

The purpose of this study was to determine which fields in IP, TCP, UDP, and ICMP our wardens can safely modify without breaking any applications. To implement the techniques introduced in this paper, we suggest addressing the following issues:

1. If the TCP Reset flag is set, there should be no TCP payload. Recalculate the IP packet length to make sure that the only payload is the TCP header.

2. The IP identification field can be used as a covert channel. Assign a new IP ID to packets.

3. The TCP Initial Sequence Number (ISN) can be used as a covert channel. Assign a new ISN at the beginning of a connection. Correct subsequent packets accordingly.

4. Reserved bits in TCP can be used as a covert channel. Zero out these bits.

5. If URG = 0, the urgent pointer is ignored and can be used to send covert data. Zero out the urgent pointer in this instance.

6. Bounds checking on the urgent pointer. The pointer is an offset of data in the payload. If the pointer is larger than the payload size, it is illegal and should be reset to 0 and the urgent flag removed.
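Rules 1 and 3 to 6 of the list above applied to one TCP segment, with the ISN handled by the per-connection offset that section 5 describes, as an added example that is not the paper's implementation. Rule 2 belongs to the IP layer and is not repeated here; the IP-layer rewriter is assumed to recompute Total Length and the IP checksum after this function shortens a RST segment. The reserved-bit mask keeps the ECN bits (CWR, ECE and the NS bit) because, as the text notes, clearing them would interfere with Explicit Congestion Notification; the mask, the addresses, ports and the fixed offset used in the demonstration are all constructed assumptions.

```python
"""Added example (not from the paper): TCP-layer rules of an active warden applied to
one segment, plus the per-connection ISN offset from section 5."""
import secrets
import struct

TCP_FMT = "!HHIIHHHH"                                   # the 20-byte fixed TCP header
TCP_SYN, TCP_RST, TCP_ACK, TCP_URG = 0x02, 0x04, 0x10, 0x20
# Reserved bits 11-9 of the offset/flags word. NS (bit 8), CWR and ECE are left alone
# so ECN keeps working; widen the mask only after checking local ECN use.
RESERVED_MASK = 0x0E00


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the segment as given;
    over a segment that already carries a valid checksum it returns 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def parse_segment(segment: bytes) -> dict:
    names = ("sport", "dport", "seq", "ack", "off_flags", "window", "csum", "urp")
    f = dict(zip(names, struct.unpack(TCP_FMT, segment[:20])))
    f["payload"] = segment[(f["off_flags"] >> 12) * 4:]
    return f


def make_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, urp=0, payload=b"") -> bytes:
    """Constructed option-less segment with a correct checksum (test input only)."""
    hdr = struct.pack(TCP_FMT, sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, urp)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


class TcpWarden:
    def __init__(self, offset_source=lambda: secrets.randbelow(1 << 32)):
        self.offset_source = offset_source
        # (src_ip, sport, dst_ip, dport) -> offset added to that side's sequence numbers
        self.isn_offsets = {}

    def rewrite(self, src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
        h = parse_segment(segment)
        doff = (h["off_flags"] >> 12) * 4
        options, payload, flags, urp = segment[20:doff], segment[doff:], h["off_flags"], h["urp"]
        if flags & TCP_RST:                  # rule 1: a reset carries no data
            payload = b""
        flags &= ~RESERVED_MASK              # rule 4: reserved bits are free fields, zero them
        if not flags & TCP_URG:              # rule 5: URG clear -> pointer is ignored, zero it
            urp = 0
        elif urp > len(payload):             # rule 6: pointer outside the payload is illegal
            urp, flags = 0, flags & ~TCP_URG
        # rule 3 (section 5): a SYN carries this direction's ISN. Pick a fresh offset, add it
        # to every later sequence number from this side, and subtract it from the peer's ACKs.
        fwd = (src_ip, h["sport"], dst_ip, h["dport"])
        rev = (dst_ip, h["dport"], src_ip, h["sport"])
        if flags & TCP_SYN:
            self.isn_offsets[fwd] = self.offset_source()
        seq = (h["seq"] + self.isn_offsets.get(fwd, 0)) & 0xFFFFFFFF
        ack = h["ack"]
        if flags & TCP_ACK:
            ack = (ack - self.isn_offsets.get(rev, 0)) & 0xFFFFFFFF
        hdr = struct.pack(TCP_FMT, h["sport"], h["dport"], seq, ack, flags, h["window"], 0, urp) + options
        csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
        return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def demo_handshake(offset: int = 1000) -> dict:
    """Constructed three-way handshake through the warden. The client ISN spells 'STEG'
    (0x53544547), the kind of value Covert TCP would place there. The fixed offset is
    only so the run is repeatable; a real warden keeps the secrets.randbelow default."""
    A, B = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
    warden = TcpWarden(offset_source=lambda: offset)
    isn_a, isn_b = 0x53544547, 0x1000
    syn = warden.rewrite(A, B, make_segment(A, B, 40000, 80, isn_a, 0, TCP_SYN | RESERVED_MASK, urp=0x4242))
    seen_a = parse_segment(syn)["seq"]           # the server only ever sees the rewritten ISN
    synack = warden.rewrite(B, A, make_segment(B, A, 80, 40000, isn_b, seen_a + 1, TCP_SYN | TCP_ACK))
    seen_b = parse_segment(synack)["seq"]
    ack = warden.rewrite(A, B, make_segment(A, B, 40000, 80, isn_a + 1, seen_b + 1, TCP_ACK))
    return {"segments": [parse_segment(s) for s in (syn, synack, ack)],
            "checksums_ok": tcp_checksum(A, B, syn) == 0 and tcp_checksum(B, A, synack) == 0
            and tcp_checksum(A, B, ack) == 0}
```

Each side's ISN gets its own offset, so both the client's SYN and the server's SYN-ACK are renumbered and both directions' acknowledgements are corrected on the way back. TCP options are passed through unchanged; a SACK block also carries sequence numbers and a complete warden would have to apply the offset there as well.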


Though this set of issues exercises only a few rules, we may conclude that we can minimize delay of the network traffic and eliminate the embedded data in these fields. A complete warden implementation for IP, TCP, UDP, and ICMP is in progress.

8. CONCLUSION

In this paper, we presented and discussed the paradigm of proactively preventing steganography, covert channels, and other forms of network attack. This paradigm uses a notion of Minimal Requisite Fidelity (MRF) to define the level of signal perturbation that is both acceptable to users and destructive to steganography. To develop the idea of MRF, we introduced the concepts of unstructured and structured carriers and gave several examples of how an attacker can exploit the use of anything more than the minimal fidelity that is required for overt communications. For structured carriers, we were able to take the analysis a step further and examine the feasibility of an active warden that rewrites all network packets to remove the opportunity for covert channels and steganography at the IP layer. These initial explorations show a paradigm and a model with great promise. However, much work remains to define Minimal Requisite Fidelities for other carriers, and to integrate this model with traditional layered security models. Wardens won’t stop every form of attack, but as part of a more comprehensive security model for a site they can greatly reduce the bandwidth of these attacks. In addition to the techniques that we presented, there are additional dimensions of fidelity, such as timing, that must also be examined. As we have suggested, defining an objective Minimal Requisite Fidelity for unstructured carriers is a difficult problem, but not impossible. For structured carriers such as network protocols, we believe that much more precise definitions of fidelity can be made and enforced through detailed analysis of protocol semantics. Excitingly, we have found that this paradigm transcends specific categories such as steganography, network intrusions, and covert channels. The development of this paradigm has been a stimulating synthesis of experience in each of these areas, and, as such, we believe that the deployment of active wardens is a necessary addition to site security perimeters. Technologies such as active wardens are a new opportunity to create bi-directional security perimeters that protect against the malicious insider as well as the outside attacker.

9. REFERENCES

1. R. J. Anderson, “Stretching the limits of steganography,” Springer Lecture Notes in Computer Science, pp. 39–48, 1996, Special Issue on Information Hiding.

2. R. J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, John Wiley and Sons, New York, New York, USA, 2001.

3. R. J. Anderson and F. A. P. Petitcolas, “On the limits of steganography,” IEEE Journal of Selected Areas in Communications, vol. 16, no. 4, pp. 474–481, May 1998, Special Issue on copyright and privacy protection.

4. S. Craver, “On public -key steganography in the presence of an active warden,” in Proceedings of the Second Information Hiding Workshop, Apr. 1998.

5. K. Egevang and P. Francis, “RFC 1631: The IP network address translator (NAT),” May 1994.

6. M. Ettinger, “Steganalysis and game equilibria,” in Information Hiding, 1998, pp. 319–28.

7. M. Fisk and G. Varghese, “Agile and scalable analysis of network events,” in Proceedings of the SIGCOMM Internet Measurement Workshop. ACM, Nov. 2002.

8. J. Fridrich, R. Du, and M. Long, “Steganalysis of LSB encoding in color images,” in Proceedings of the IEEE International Conference on Multimedia and Expo, Aug. 2000.

9. V. D. Gligor, “A guide to understanding covert channel analysis of trusted systems,” Tech. Rep., National Computer Security Center, U.S. Department of Defense, 1993.

10. M. Handley, C. Kreibich, and V. Paxson, “Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics,” in Proceedings of USENIX Security Symposium, 2001.

11. A. Havill, The Spy Who Stayed Out In The Cold: The Secret Life of Double Agent Robert Hanssen, St. Martin’s Press, 2001.

12. N. F. Johnson, “Steganalysis of images created using current steganographic software,” in Proceedings of the Second Information Hiding Workshop, Apr. 1998.

13. N. F. Johnson, Z. Duric, and S. Jajodia, Information Hiding: Steganography and Watermarking - Attacks and Countermeasures , Kluwer Academic Publishers, 2000.

14. N. F. Johnson and S. Jajodia, “Exploring steganography: Seeing the unseen,” IEEE Computer, pp. 26–34, Feb. 1998.

15. N. F. Johnson and S. Jajodia, “Steganalysis: The investigation of hidden information,” in Proceedings of the IEEE Information Technology Conference, Sept. 1998.

16. “JP Hide and Seek,” http://linux01.gwdg.de/alatham/stego.ht

17. “JStegShell,” http://www.tiac.net/users/korejwa/jsteg.

18. D. Kahn, The Codebreakers - The Story of Secret Writing, Scribner, New York, New York, USA, 1996.

19. E. Kawaguchi and R. O. Eason, “Principle and applications of BPCS steganography,” in Proceedings of SPIE’s International Symposium on Voice, Video, and Data Communications, Nov. 1998.

20. B. W. Lampson, “A note on the confinement problem,” Communications of the ACM, vol. 16, no. 10, pp. 613–615, 1973.


21. G. R. Malan, D. Watson, and F. Jahanian, “Transport and application protocol scrubbing,” in Proceedings of IEEE InfoCom, Mar. 2000.

22. K. Nichols, S. Blake, F. Baker, and D. Black, “RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 headers,” Dec. 1998.

23. “Outguess,” http://www.outguess.org 24. V. Paxson, “Bro: A system for detecting network intruders

in real-time,” Computer Networks, vol. 31, no. 23-24, pp. 2435–2463, Dec. 1999.

25. F. A. P. Petitcolas, “Watermarking schemes evaluation,” I.E.E.E. Signal Processing, vol. 17, pp. 58–64, 2000.

26. F. A. P. Petitcolas, R. J. Anderson, and M. G. Kuhn, “Attacks on copyright marking systems,” in Proceedings of Information Hiding, Second International Workshop, IH’98, 1998.

Page 41: IIT Kanpur Hacker’s Workshop IITKHACK04pdfs.semanticscholar.org/6610/a294b4cd2e24f543b9de825ddf6efb446fe1.pdfIndian Institute of Technology, Kanpur ... hackers' workshop (IITKHACK'

An Experimental Analysis of Proactive Detection of Distributed Denial of Service Attacks

Cobra Rahmani, Mohsen Sharifi, Tala Tafazzoli

Computer Engineering Department,

Iran University of Science and Technology {rahmani_cobra, mshar}@iust.ac.ir

Iranian Telecommunications Research Center

[email protected]

ABSTRACT

Detection methods for Distributed Denial of Service attacks try to detect attacks before the target machine is shut down. There are two major methods for attack detection at the target: anomaly-based and pattern-based. Pattern-based methods depend on attack signatures and as such cannot detect attacks when the attack patterns change even slightly. Anomaly methods, on the other hand, work on the basis of network traffic volume and measure abnormal traffic volume, so they can detect such attacks more easily. One of the best solutions for anomaly detection of attacks is proactive detection in a Network Management System (NMS), presented by Wenke Lee et al. at NCSU. This method tries to detect precursors of attacks before the traffic reaches the target. It uses Management Information Base (MIB) variables in the NMS to detect precursors of attacks. MIB variables that change at the attacker during the attack can be precursors of the attack. These MIB variables are related to some target MIB variables that change when the bogus traffic reaches the target; the relation can be extracted using statistical tests for causality. This paper presents an experimental analysis of this method. In contrast to previous work, the results of our experiments show lower computational overhead in finding the key MIB variables at the attacker. Once the key MIB variables were found at the attacker, comparison between their normal and attack runs determined the attack signatures; when these signatures are observed in the Network Management System (NMS), an attack has occurred. Furthermore, we have implemented an SNMP-based system to detect some attacks in our network test bed. Five attacks were tested and analyzed in our experiment, and MIB variables were recorded for each type of attack: Trin00, Targa3, TFN, Mstream and PingFlood.

Keywords: Distributed Denial of Service (DDoS), Auto Regressive Models, System Identification, Granger Causality Test (GCT), Network Management System (NMS), Management Information Base (MIB) Variables, Simple Network Management Protocol (SNMP), Security.

1. Introduction

Availability is defined broadly as the property of data and services being accessible to an authorized party within a reasonable time of request [15]. Each networked system must be available to its users; that is the minimum security requirement. DDoS attacks can destroy or exhaust resources by generating large amounts of bogus traffic towards the victim. They prevent permitted access to the resources of the victim. A taxonomy of DDoS attacks and their respective defensive mechanisms is given in [16].

There are basically three main approaches for defeating attacks: 1) detection, 2) prevention, and 3) response. Detection mechanisms try to detect attacks after they have happened. Preventive mechanisms try to secure systems and protocols against attacks, while response mechanisms try to find the attack sources and reduce the attack's aftereffects.

This paper focuses on a detection mechanism that detects attacks at an early stage. It analyzes the results of our experiments with the proactive detection approach in our chosen test bed. The paper starts with a brief terminology section. It then goes through the proactive detection phases and reports the results of our experiments alongside our analyses. It ends with a description of our SNMP-based implementation and the conclusion.

2. Terminology

Denial of Service (DoS) refers to any technique that is used to prevent a host or network of hosts on the Internet from either accessing the Internet or responding to requests from other hosts on the Internet. There are three or four types of machines in each DoS attack: attacker, slaves and target.

The attacker finds computers and installs the DDoS tools on them. These are the slave machines from which the disabling traffic is generated. This traffic is sent to the victim.

Distributed Denial of Service (DDoS) is a kind of DoS attack which uses thousands or more slaves across the Internet. A schema of the DDoS attack topology is depicted in Figure 1. After the attacker commands the slaves, they send disabling packets to the target. Even if the target is not shut down, the large amounts of bogus packets consume the target's bandwidth, and legitimate packets cannot pass through the artificial traffic towards the target.

Figure 1. DDoS attacks topology in proactive detection (Target and some Slaves are under NMS supervision)

A Network Management System (NMS) is a system capable of recording the activity of the system. SNMP management is often called Internet management and is the most widely used form of network management system [17].

Simple Network Management Protocol (SNMP) is a protocol defined by the Internet Engineering Task Force (IETF). SNMP defines a mechanism to monitor and manage network devices. An SNMP network management system consists of managed nodes, management stations and a management protocol. One or more managed nodes run one or more SNMP agents; an agent keeps information about its managed node in a database called a Management Information Base (MIB). One or more network management stations run network management software and display network information; the management station is called the host. A network management protocol determines how the managed node and the management station communicate with each other over the network.

A Management Information Base (MIB) defines the information that will be maintained by the associated SNMP agent. It is composed of managed objects, which are identified by object identifiers. MIB variables are used in the control and supervision of traffic in the network; their values change as packets pass. Four types of MIB variables are used in our experiments: those from the IP, ICMP, UDP and TCP groups.

3 Proactive detection scenario

The proactive detection method presented by Wenke Lee et al. [1] consists of two steps: an off-line step and an on-line step. In the off-line step, we should find some MIB variables at the attacker that change when disabling traffic is sent. These variables are called the key MIB variables at the target. By these variables it is possible to predict packet flooding before the packets reach the target.

In the on-line step we must detect attacks by the key MIB variables at the attacker. It is assumed that some of the slaves and the target are under a Network Management System. They are NMS agents and act autonomously. We have used Simple Network Management Protocol (SNMP) agents as the NMS agents.

Seven computers were chosen as the test bed for our experiments: one as master, one as target and the others as potential attackers or slaves. During the attack, normal operations were going on on the computers and all computers were logged. These computers were part of a LAN. The operating system of these machines (master, target and slaves) was Red Hat Linux 7.2, and we used ucd-snmp-4.2.1 for logging.

We needed two kinds of runs: attack runs and normal runs.

Attack runs: Five DDoS attacks were run. During each attack, two machines were slaves, one was master, one was target and the others were potential attackers. Each run lasted 2 hours and the attack was launched twice in each run. The master machine was not under NMS supervision.

Normal runs: Six computers were logged during normal operation for an hour. MIB variables in the tcp, ip, udp and icmp groups were collected at a sample rate of 5 seconds.

There were three phases for finding the key MIB variables at the attacker in off-line step (Figure 2):

Phase 1) detecting attacks,

Phase 2) detecting correlations,

Phase 3) detecting precursors to attack.

3.1 Detecting attacks

In this phase we determined the MIB variables that changed when attack packets reached the target. There were two ways of determining these variables at the target:

Using domain knowledge about the characteristics of the attack [2]. For example, we know in advance that in the Mstream attack the slaves send large amounts of TCP ACK packets to the target. Therefore, when the attack packets reach the target, the tcpInSegs MIB variable changes.

Comparing the behavior of MIB variables during attack and normal operation. Variables whose behavior changed significantly during attack were taken as key variables at the target. Time series were used to model the variables' behavior. For the case of denial of service attacks, the traffic variations at the target were high. Just by averaging the time series over properly chosen intervals, it was possible to detect the presence of the attack.

Figure 2. Off-line phases in proactive detection

3.2 Detecting correlation

After finding the MIB variables at the target, we must find the key variables at the attacker. These variables change when the slaves send packets to the target. They have causal relations with the key variables at the target, which change when the packets reach it. The causal relation between these MIB variables can be established by the Granger Causality Test (GCT).

The Granger Causality Test is used in economics for analyzing time series, and determines whether knowledge about one econometric variable helps in predicting another variable or not [9]. Causality is defined as follows:

“u causes y if knowledge of past u reduces the variance of the errors in forecasting y beyond the variance of the errors which would be made from the knowledge of past y alone” [13].

The Granger Causality Test uses statistical methods to test whether past information on a variable u provides any statistical information about a variable y. GCT compares the Mean Squared Error (MSE) of an Auto Regressive Moving Average (ARMA) model with the MSE of an Auto Regressive (AR) model. Assuming a delay of length p, we first solve equation (1), in which u is assumed not to affect y beyond a delay of p units; we say lag p instead of delay p. Also, p is the order of the model: a higher p requires more computation and a lower p less.

$$y(k+1) = \sum_{i=1}^{p} \alpha_i\, y(k-i+1) + \sum_{i=1}^{p} \beta_i\, u(k-i+1) + e_1(k) \qquad (1)$$

The null hypothesis of GCT is as follows:

$$H_0:\ \beta_i = 0, \quad i = 1, 2, \dots, p$$

Under the null hypothesis, equation (1) reduces to equation (2):

$$y(k+1) = \sum_{i=1}^{p} \alpha_i\, y(k-i+1) + e_0(k) \qquad (2)$$

We solved equations (1) and (2) with system identification techniques from control, equation (1) as an ARMA model and equation (2) as an AR model.

If R_1 and R_0 are the MSE (the sum of squared residuals) of the two models above:

$$R_1 = \sum_{t=1}^{T} \big(e_1(t)\big)^2, \qquad R_0 = \sum_{t=1}^{T} \big(e_0(t)\big)^2$$

g is the Granger value that represents the causality relation between u and y:

$$g = \frac{(R_0 - R_1)/p}{R_1/(T-2p-1)} \approx F(p,\, T-2p-1) \qquad (3)$$

If the g value is greater than a specified critical value of F(p, T-2p-1), then u has a causal relation with y. F(p, T-2p-1) is the Fisher (F) distribution with parameters p and T-2p-1. Higher values of g represent a stronger causal relation between u and y. This estimation is presented in the Granger test [13].

Another description of the ARMA model, as used in system identification, is:

$$y(t) + a_1 y(t-1) + \dots + a_{na} y(t-na) = b_1 u(t-nk) + \dots + b_{nb} u(t-nk-nb+1)$$

System identification allows building mathematical models of a dynamic system based on measured data. We solved the equations by estimating na, nb and nk in Matlab. nk is the delay and equals zero, because in high-speed networks the packets sent from slave to target reach it in a fraction of a second. In GCT, na = nb = p are the orders of the AR and ARMA models. T is the number of samples.

We have used this test to determine whether we have any variable at the attacker that detects the attack before the target is down. This happens when master commands the slave and slave sends disabling traffic to the target. We have modeled key variables at the target with the AR model. Also we have modeled an input-output system in which the output was the key variable at the target and the inputs were one of the 78 MIB variables at the attacker with the ARMA model. Then we obtained the g value for each model.
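As an added example, not the paper's Matlab code, the following Python computes the g statistic of equation (3) for a lag p by fitting models (1) and (2) with plain least squares; the two counter series are constructed, and the F critical value is left to the caller as in the text.

```python
import random


def _centred(series):
    """Subtract the sample mean. Equations (1) and (2) carry no intercept, so
    the series are centred before fitting (assumption made for this example)."""
    m = sum(series) / len(series)
    return [s - m for s in series]


def _least_squares(X, y):
    """Solve min ||X theta - y||^2 via the normal equations with Gauss-Jordan
    elimination (pure Python, so the example runs without numpy)."""
    n = len(X[0])
    A = [[sum(r[i] * r[j] for r in X) for j in range(n)]
         + [sum(r[i] * t for r, t in zip(X, y))] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        if abs(A[col][col]) < 1e-12:
            raise ValueError("singular regressors: lower the lag p or add samples")
        for r in range(n):
            if r != col:
                f = A[r][col] / A[col][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [A[i][n] / A[i][i] for i in range(n)]


def _rss(X, y):
    """Residual sum of squares of the least-squares fit (the R_0 / R_1 of the text)."""
    theta = _least_squares(X, y)
    return sum((t - sum(w * x for w, x in zip(theta, row))) ** 2
               for row, t in zip(X, y))


def granger_g(y, u, p):
    """Granger statistic g of equation (3) for lag p.
    R0: AR model (2), y(k+1) regressed on its own p lags.
    R1: model (1), y(k+1) regressed on p lags of y and p lags of u.
    Returns (g, R0, R1, T); g above the F(p, T-2p-1) critical value means
    u Granger-causes y."""
    if len(y) != len(u):
        raise ValueError("y and u must have the same length")
    y, u = _centred(y), _centred(u)
    rows_ar, rows_arx, target = [], [], []
    for k in range(p - 1, len(y) - 1):
        lags_y = [y[k - i + 1] for i in range(1, p + 1)]
        lags_u = [u[k - i + 1] for i in range(1, p + 1)]
        rows_ar.append(lags_y)
        rows_arx.append(lags_y + lags_u)
        target.append(y[k + 1])
    T = len(target)
    dof = T - 2 * p - 1
    if dof <= 0:
        raise ValueError("too few samples for lag p")
    R0, R1 = _rss(rows_ar, target), _rss(rows_arx, target)
    if R1 <= 0.0:
        return float("inf"), R0, R1, T
    g = ((R0 - R1) / p) / (R1 / dof)
    return g, R0, R1, T


def granger_causes(y, u, p, f_critical):
    """Decision of the text: u causes y when g exceeds the critical value of
    F(p, T-2p-1), which the caller takes from F tables (e.g. the 95% level)."""
    return granger_g(y, u, p)[0] > f_critical


def constructed_series(n=200, seed=7):
    """Constructed (not measured) 5-second counter-jump series.
    u: jumps of an attacker-side MIB; y: jumps of a target-side MIB driven by
    u one sample later, y(k+1) = 0.3 y(k) + 0.9 u(k) + noise; v: an unrelated
    attacker-side series that should not pass the test."""
    rng = random.Random(seed)
    u = [rng.uniform(0, 100) for _ in range(n)]
    v = [rng.uniform(0, 100) for _ in range(n)]
    y = [0.0] * n
    for k in range(n - 1):
        y[k + 1] = 0.3 * y[k] + 0.9 * u[k] + rng.gauss(0, 5)
    return y, u, v


if __name__ == "__main__":
    y, u, v = constructed_series()
    for name, series in (("u (driving)", u), ("v (unrelated)", v)):
        g, R0, R1, T = granger_g(y, series, p=2)
        print(f"{name}: T={T} R0={R0:.0f} R1={R1:.0f} g={g:.2f}")
```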

3.3 Detecting precursors to attack

After detecting causal relations between MIB variables, we had to determine the key MIB variables at the attacker that change before the attack. These MIB variables were determined in the previous step and have causal relations with the attack. Now we needed a trigger or key event in the attacker's MIB variables.

[Figure 2 panels (M, S, V: master, slaves, victim). Phase 1: Which MIBs changed at the victim at attack time? M1, M2. Phase 2: Which MIBs at the slaves are relevant to M1 and M2? M3, M4. Phase 3: What are the thresholds for M3 and M4 at attack time? M3, M4]

Once these features are determined, we can extract proactive rules. These rules were used to implement an alarm system in the NMS. We determined the jumps in these MIB variables by monitoring the values of their time series, and by building a normal profile of jumps from the normal-run MIB variables. MIB variables whose jumps during attacks were larger than the largest jumps in the normal runs were taken as the key MIB variables [1].

4 Analysis and Experimental Results

Five DDoS attacks (TFN2K pingflood [5], TFN2K targa3 [5], TFN [2], Trinoo [2] and Mstream [4]) were run in the attack runs. During each attack, two machines behaved as slaves, one as master, one as target and the others as potential attackers. Each run lasted 2 hours and the attack was performed twice in each run. The master machine was assumed not to be under NMS monitoring.

Six computers were logged at normal run for an hour. MIB variables in tcp, ip, udp and icmp groups were collected at a sample rate of five seconds. Because of network topology, the time taken for the master to command the slaves to initiate the attack, the time taken for the slaves to start sending disabling network traffic to the target, and the time disabling traffic reached the target were almost the same.

Let us now analyze the results of the previously-mentioned three phases.

4.1 Detecting attacks

We used the two methods mentioned in Section 3.1. We extracted the key variables at the target using domain knowledge. Then we analyzed the graphs of the MIB variables at the target. The MIB variables extracted for the five attacks at the target were as follows. In the following graph the horizontal axis is the timestamp (the logging interval was five seconds) and the vertical axis is the value of the MIB variable.

Mstream

Mstream sent a large number of TCP ACK packets to the target and used IP spoofing, so the value of the tcpInSegs MIB variable increased at the target. tcpInSegs shows the total number of TCP segments received by the machine (Figure 3). Furthermore, we averaged the MIB variables at the target and found that ipInReceives, ipOutRequests, tcpInSegs and tcpOutSegs could be used as key variables at the target.

Figure 3. TcpInSegs diagram in Mstream attack.

Ping Flood

From domain knowledge we know that ping flood sends a large volume of ICMP echo request packets to the target, so icmpInEchos is the key variable at the target. We averaged the time series of the MIB variables at the target and found that ipInReceives, ipOutRequests, icmpInMsgs, icmpInEchos and icmpOutEchoReps change significantly during the attack and could be candidate key variables at the target.

Targa3

In the Targa3 attack, a combination of uncommon IP packets is sent to the target. These packets have problems such as invalid fragmentation, protocol, packet size, options, offsets, TCP segments and routing flags. The MIB variables that show IP errors are the key variables. We chose ipReasmFails; this variable shows the number of IP packets that could not be reassembled [8]. By averaging the time series of all MIB variables at the target we found that ipInReceives, icmpInMsgs, icmpOutDestUnreachs and udpInErrors could be the key variables at the target.

Trinoo

In Trinoo, packets are sent to random UDP ports at the target. Because there is no process to receive these packets, udpNoPorts has a high value. The target sends ICMP destination unreachable packets in response to the received packets, so the ICMP destination-unreachable count increases. By averaging the MIB variables at the target we found that ipInReceives, ipInDelivers, icmpOutMsgs and icmpOutDestUnreachs could also be candidate MIB variables.

TFN

TFN can send four types of attacks (UDP flood, SYN flood, ICMP flood and Smurf). We used TFN only for sending a UDP flood. This attack is the same as Trinoo but weaker. It sends UDP packets to random ports at the target and increases udpNoPorts there. We analyzed the graphs of the MIB variables at the target and found that ipInReceives, icmpOutMsgs, icmpOutDestUnreachs and ipOutRequests change significantly during the attack.


4.2 Correlation Detection

To solve the statistical equations, we used system identification in Matlab [12]. MIB variables at the potential attackers whose GCT result exceeded the 95% significance level were considered to be Granger causes of the key variables at the target. We calculated p and T-2p-1 as the degrees of freedom and extracted the critical F value for each attack. MIB variables whose g was greater than the F value were good candidates for the next step. The results are shown in the following tables.

In contrast to previous work, we chose a low model order instead of a high one, because a high order yields a model that matches the data closely but has more computational overhead, while lower orders may give lower fits (higher mean squared error) for the given models. We first chose high orders, as in previous work, and then low orders, and computed the fitted values in each case. The results are shown in Table 1. Lee et al. chose high lags, but we found good fits with lower lags; in the worst case the fitted value decreased by 10%. Therefore we obtained lower lags with less computational overhead, and the GCT values for the lower lags gave the same results as for the higher lags. Tables 2 to 6 show the g values for the second (lower-order) choice.

Table 1. ARMA model orders and fitted values for the two choices of order

Attack | Order of ARMA model in GCT (Lee's paper) | Order of ARMA model in GCT (first time) | Fitted value | Order of ARMA model in GCT (second time) | Fitted value
Ping Flood | 120 | 100 | 81% | 10 | 80.35%
Targa3 | 100 | 120 | 72.15% | 10 | 60.59%
Trinoo | 100 | 80 | 59% | 10 | 57.4%
TFN | - | 120 | 91.96% | 10 | 90.59%
Mstream | - | 20 | 34% | 10 | 27.62%

Table 2. Key MIB variables at the attacker (Ping flood)

Rank | MIB | g | g [1]
1 | ipOutRequests | 5.23 | 5.26
2 | udpInErrors | 1.99 | 2.63
3 | icmpInEchos | 1.71 | -
4 | icmpOutEchoReps | 1.71 | -
5 | icmpInMsgs | 1.69 | 1.99
6 | icmpInEchoReps | 1.69 | 2.04
7 | icmpOutMsgs | 1.58 | -
8 | tcpInSegs | 1.45 | 1.31
9 | ipInDelivers | 1.44 | 2.65

Table 3. Key MIB variables at the attacker (Targa3)

Rank | MIB | g
1 | ipOutRequests | 10.05
2 | icmpInMsgs | 8.77
3 | icmpOutEchoReps | 8.77
4 | tcpInSegs | 7.11
5 | ipOutDiscards | 6.08

Table 4. Key MIB variables at the attacker (TFN)

Rank | MIB | g
1 | ipOutRequests | 17.39
2 | icmpOutEchoReps | 4.48
3 | icmpInMsgs | 4.78
4 | udpOutDatagrams | 4.35
5 | udpInDatagrams | 4.33

Table 5. Key MIB variables at the attacker (Mstream)

Rank | MIB | g
1 | ipOutRequests | 70.22
2 | icmpInMsgs | 8.22
3 | icmpInEchos | 8.22
4 | icmpOutEchos | 8.22
5 | ipInReceives | 4.78
6 | ipInDelivers | 3.09
7 | icmpOutMsgs | 1.99

Table 6. Key MIB variables at the attacker (Trinoo)

Rank | MIB | g
1 | udpOutDatagrams | 3.29
2 | ipOutRequests | 2.91
3 | icmpInDestUnreachs | 2.78
4 | icmpInMsgs | 2.73
5 | udpInDatagrams | 1.93

These g values are higher than the critical levels corresponding to F(p, T-2p-1). Therefore the MIB variables with these g values may have a causal relation to the attack.

4.3 Attack precursors detection

In this step we separated out all MIB variables at the attacker that had a causal relation with the target MIB variables. We then calculated the jumps of those MIBs and compared them with the normal jumps, for which we constructed a normal profile. If there was a great difference between the normal jumps and the attack jumps, the variables were extracted as key variables and used in detection; otherwise we did not use those MIB variables for detection. These MIB variables at the attacker machine relate to the time at which the master commands the slaves to initiate the attack and the time at which the slaves start sending disabling network traffic to the target. ipOutRequests MIB values for the five attacks and during normal runs, recorded in our test bed, are shown in Figure 4. Thresholds extracted for the other key MIB variables at the attacker are also shown.

Figure 4. MIB values at the slaves in the attack time (ip.ipOutRequests counter versus time stamp in seconds for the Mstream, Trinoo, Ping Flood, TFN and Targa3 runs and a normal run)

5. Implementation

We have implemented SNMP-based agents sensitive to abrupt changes in the key MIB variables at the attacker. ipOutRequests thresholds for the five attacks are shown in Figure 4. In the same way, thresholds for the other key MIB variables at the attacker were extracted in our test bed. Finally, we constructed the following proactive rules, which were used for attack detection in our network:

if (ipOutRequests > 3000)
{
    if (udpInErrors > 0 || icmpInEchoReps > 5)
    {
        if (icmpOutDestUnreachs > 10) then "TFN2K: PING FLOOD"
        else if (ipOutDiscards > 10) then "TFN2K: TARGA3"
        else "TFN2K"
    }
    else if (udpOutDatagrams > 1000 || icmpInDestUnreachs > 4) then "TRIN00"
}
else if (ipOutRequests > 550) then "TFN"
if (ipOutRequests > 100000) then "Mstream"
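As an added example (not the authors' SNMP agent), the rule set above in Python, applied to per-interval jumps of cumulative MIB-II counters and checked against a normal-run profile of maximum jumps as Section 3.3 describes; the sample counter values are constructed, not taken from the test bed.

```python
# Counters used by the rule set (MIB-II ip, udp and icmp groups).
FIELDS = ("ipOutRequests", "udpInErrors", "icmpInEchoReps", "icmpOutDestUnreachs",
          "ipOutDiscards", "udpOutDatagrams", "icmpInDestUnreachs")


def jumps(samples):
    """Per-interval jumps of cumulative SNMP counters polled at a fixed rate
    (5 s in the paper): sample[t] - sample[t-1] for every field."""
    return [{f: cur[f] - prev[f] for f in FIELDS}
            for prev, cur in zip(samples, samples[1:])]


def normal_profile(normal_samples):
    """Largest jump seen per counter during a normal run (Section 3.3)."""
    js = jumps(normal_samples)
    return {f: max(j[f] for j in js) for f in FIELDS}


def classify(j):
    """The paper's proactive rules applied to one interval's jumps.
    Returns a list of labels: the Mstream rule is evaluated on its own, so a
    jump above 100000 yields "Mstream" together with whatever the first rule
    block produced, exactly as the rules are written."""
    labels = []
    if j["ipOutRequests"] > 3000:
        if j["udpInErrors"] > 0 or j["icmpInEchoReps"] > 5:
            if j["icmpOutDestUnreachs"] > 10:
                labels.append("TFN2K: PING FLOOD")
            elif j["ipOutDiscards"] > 10:
                labels.append("TFN2K: TARGA3")
            else:
                labels.append("TFN2K")
        elif j["udpOutDatagrams"] > 1000 or j["icmpInDestUnreachs"] > 4:
            labels.append("TRIN00")
    elif j["ipOutRequests"] > 550:
        labels.append("TFN")
    if j["ipOutRequests"] > 100000:
        labels.append("Mstream")
    return labels


def scan(samples, profile):
    """Run the rules over a polled series; for each flagged interval report
    (interval index, labels, counters whose jump exceeded the normal profile)."""
    alarms = []
    for idx, j in enumerate(jumps(samples), start=1):
        labels = classify(j)
        above = [f for f in FIELDS if j[f] > profile[f]]
        if labels:
            alarms.append((idx, labels, above))
    return alarms


def _cumulate(deltas):
    """Turn constructed per-interval deltas into the cumulative counters an
    SNMP agent would report (helper for the sample data only)."""
    total = {f: 0 for f in FIELDS}
    out = [dict(total)]
    for d in deltas:
        for f in FIELDS:
            total[f] += d.get(f, 0)
        out.append(dict(total))
    return out


# Constructed sample data (not recorded in the paper's test bed).
NORMAL_SAMPLES = _cumulate([
    {"ipOutRequests": 40, "udpOutDatagrams": 12},
    {"ipOutRequests": 55, "udpOutDatagrams": 20, "icmpInDestUnreachs": 1},
    {"ipOutRequests": 30, "udpOutDatagrams": 9},
])
ATTACK_SAMPLES = _cumulate([
    {"ipOutRequests": 45, "udpOutDatagrams": 10},                               # quiet
    {"ipOutRequests": 600, "udpOutDatagrams": 15},                              # TFN-like burst
    {"ipOutRequests": 4200, "udpOutDatagrams": 1500, "icmpInDestUnreachs": 6},  # Trinoo-like
    {"ipOutRequests": 3500, "udpInErrors": 2, "icmpOutDestUnreachs": 15},       # TFN2K ping-flood-like
    {"ipOutRequests": 150000},                                                  # Mstream-like
])

if __name__ == "__main__":
    for alarm in scan(ATTACK_SAMPLES, normal_profile(NORMAL_SAMPLES)):
        print(alarm)
```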

6. Conclusion and Further Work

Our experiments indicated that Lee's method is a satisfactory method for proactive detection of DDoS attacks. Pattern-based methods, which try to detect attack patterns, are error-prone: they cannot detect attacks when the attack patterns change. Proactive detection methods do not suffer from this defect. Given that these attacks generate a volume of traffic much higher than normal, it proved reasonable to measure the volume of traffic in normal and attack conditions and compare them in order to detect such attacks. Although our experiments showed a high rate of success in detecting attacks with this kind of measurement, we are well aware of the shortcoming of our experiments: the use of the average traffic of our test bed. Further work is needed to train our system in high-capacity networks to see how the method performs. There is a high probability that in high-capacity networks false alarms will increase and the detection rate will decrease. TFN behaved like this in our average test bed: when intruders installed their slaves on high-capacity machines, the attacks were not easily detectable.

Acknowledgements This research was supported by the Iran Telecommunication Research Center (ITRC) and the experiments were carried out in network management group.

7. References

1. W. Lee, R. K. Prasanth, B. Ravichandran, R. K. Mehra, “Proactive Detection of Distributed Denial of Service Attacks using MIB Traffic Variables, A Feasibility Study”, Proceedings of the 7th IFIP/IEEE International Symposium on Integrated Network Management, Seattle, WA, May 14-18, 2001.

2. P. J. Criscuolo. “Distributed Denial of Service - Trin00, Tribe Flood Network, Tribe Flood Network 2000, and Stacheldraht”, Technical Report CIAC-2319, Department of Energy - CIAC (Computer Incident Advisory Capability), February 2000.

3. K. Kendall.“A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems”, Master’s Thesis, Massachusetts Institute of Technology, June 1999.

4. David Dittrich, George Weaver, Sven Dietrich, Neil Long, The "mstream" Distributed Denial of Service Attack Tool, May 2000. http://packetstorm.decepticons.org/distributed/Mstream_Analysis.txt

5. Jason Barlow, Woody Thrower, TFN2K–An Analysis, February 2000. http://packetstorm.decepticons.org/distributed/TFN2k_Analysis.htm

6. M. Thottan and C. Ji. “Proactive Anomaly Detection using Distributed Agents”, IEEE Network, pages 21–27, September 1998.

7. Christopher Chatfield, The Analysis of Time Series: An Introduction, Chapman and Christopher, 1989.


8. K. McCloghrie, M. Rose, Management Information Base for Network Management of TCP/IP-Based Internets: MIB-II, RFC 1158, March 1991.

9. Bivariate Granger Causality Test, http://www.sas.com/rnd/app/examples/ets/granger/index.htm.

10. Helmut Lütkepohl, Introduction to Multiple Time Series Analysis, Springer-Verlag, 1993.

11. Lennart Ljung, System Identification: Theory for the User, Prentice Hall, 1987.

12. System Identification Toolbox, Matlab Help.

13. G. William Schwert, “Tests of Causality, The message in innovations”, University of Rochester, 1979. http://schwert.ssb.rochester.edu/message.pdf.

14. Richard A. Johnson , Gourik K. Bhattacharyya , Statistics Principles and Methods, 1992.

15. J. Leiwo, T. Aura, P.Nikander, “Towards Network Denial of Service Resistant Protocols”, In Proc. of the 15th International Information Security Conference (IFIP/SEC), August 2000.

16. Jelena Mirkovic, Janice Martin, and Peter Reiher, “A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms”, UCLA Technical Report #020018, 2002.

17. M. Subramanian, Network Management: Principles and Practice, Addison-Wesley, 2000.


An Efficient and Secured Conference Key Agreement Protocol

T. Purusothaman, Dr. S. Annadurai

Lecturer, Dept. of Computer Science & Engg., Govt. College of Technology, Coimbatore, Tamilnadu

Professor, Dept. of Computer Science & Engg., Govt. College of Technology, Coimbatore, Tamilnadu

ABSTRACT

In many applications, including teleconferencing, collaborative work, information distribution and interactive games, secure group communication denotes a scenario in which all group members can send and receive messages destined for the group.

When a group of people want to communicate securely over an open network, they have to establish a common conference key K such that all their communications thereafter are encrypted with the key K. There are two typical categories of key management protocols for group communication: centralized key distribution and distributed key agreement. The latter is suitable for distributed environments; in it, all participants together compute a common key without a coordinator. This paper deals with the distributed environment and proposes a provably secure, fault-tolerant conference-key agreement protocol under the authenticated broadcast channel model.

This paper shows that, during communication between honest participants, an eavesdropper (passive adversary) gets zero knowledge about the conference key established by the honest participants, under the assumption of a variant of the Diffie-Hellman decision problem. It also shows that the honest participants can agree on a common conference key no matter how many participants are malicious. If a cheater sends a false message to disrupt the conference key, the model does not allow the cheater to disrupt it: the honest participants exclude the cheater from their participant sets.

1. INTRODUCTION

1.1 Problem Domain

Secure group communication can be achieved in centralized or distributed environments. For group communication, whether centralized or distributed, the members of the group must share a common group key in order to communicate within the group. In a centralized method there is a coordinator who is responsible for computing the group key, so the centralized system depends entirely on the single coordinator for group communication. In the distributed environment the case is different; it has its own main advantages over the centralized method. First, it does not depend on a single coordinator to find the group key, so a single point of failure will not cause serious damage to the whole system. Second, each member of the group is autonomous, so the group key is derived from the contributions of all the legitimate members of the group. Finally, since it does not depend on a single coordinator, the level of security is increased. In a distributed environment, the conference key can be computed as follows.

Each user U_i in a group of n members has to broadcast his subkey to the rest of the users in the group. After receiving all subkeys from the group members, each user U_i will have n subkeys, including his own. By having n subkeys, all users can easily compute a common conference key using a function which is known to all.

The main objective of this paper is to distribute the subkey (each user's contribution to the conference key) of each user securely over an open network and to verify the received subkeys of the others in the group using a digital signature method. Since in a distributed environment the group communication occurs after obtaining each member's contribution to the final conference key, there is a possibility that a malicious participant (cheater) also acts as a group member and sends a false message to disrupt the conference key. Here, the cheater's goal is to disrupt the conference key. In this case, the honest participants, who are all active members of the group, should be able to find the malicious participant, so that they can remove him and deny the cheater's contribution to the conference key.

The proposed conference key agreement protocol uses the digital signature method to find malicious participants in the existing group. During the digital signature verification process, the honest participants in the group are able to find the malicious participants. If the signature verification fails, the honest participants detect the malicious participant and reject him from the participant set. If the verification succeeds, all users in the group compute the same conference key.

Finally, every honest participant finds the malicious participant and removes him from his participant set, so that the final conference key is the same for all honest participants in the group.

1.2 Block Diagram

The block diagram in Figure 1.1 explains the function of the system with three users (U_1, U_2, U_3) in the group. The flow diagram in Figure 1.2 explains the operations performed by each user; they are described as follows.

1.2.1 Secret distribution and commitment

Using the paradigm of secure multiparty computation, each participant U_i broadcasts w_i so that any participant U_j can compute f_i(\ldots, k_i, \ldots) = k_i from w_i and his own secret x_j. Since the computation is secure, no passive adversary obtains any information about k_i. U_i also broadcasts c_i, a commitment to k_i, so that the other participants can verify the correctness of k_i.

1.2.2 Subkey computation and verification

U_i computes k'_j for every other participant U_j, j \ne i. Once U_i has k'_j, he uses c_j to check whether k'_j is correct.

1.2.3 Fault detection

If the above verification fails, U_i asks U_j to reveal the information behind the commitment c_j and the messages w_j, so that all participants can determine whether U_j is cheating. If U_i detects a cheater, he deletes the cheater from his participant set and restarts the protocol.

1.2.4 Conference-key computation

When no faults are detected, all the subkeys are added together to get the conference key.

Each participant U_i may in fact use a different method for securely computing f_i and committing to k_i, as long as the method is known to the other participants.

2.1 Design Principles

The design of the protocol is component-based, that is, the protocol uses cryptographic modules as building blocks. Component-based design has several merits. First, because of the modular design it is easy to upgrade the components of the protocol when components that are better in efficiency, cost or security become available; likewise, if a security flaw is found in a component, only that component needs to be replaced and the whole established system need not be abandoned. Second, it is easier to apply rigorous security analysis to the protocol: since each component has a single security goal, each component can be analysed for its own security property. Third, the design is flexible and suitable for large systems, so a conference may be called among participants all over the world; the flexibility of component-based design lets each user choose adequate components for each conference session. Component-based design is therefore suitable for large and heterogeneous systems.

The main design idea is to decompose the target function f of the secure multiparty computation into n sub-functions f_i, 1 \le i \le n. Each participant U_i handles one sub-function f_i independently.

If participant U_i sends out messages such that the other participants cannot evaluate f_i, then U_i is a cheater. The other participants exclude U_i from participation and restart the protocol. This process continues until all cheaters are found.

Suppose that each participant U_i holds a secret x_i, 1 \le i \le n, and that the participants need to evaluate a function f to get the conference key K = f(k_1, k_2, \ldots, k_n), where k_i is a randomly selected secret (subkey) of U_i for the conference session. In this protocol, let each participant U_i handle a function f_i, so that the conference-key function is

    f(k_1, k_2, \ldots, k_n) = \sum_{i=1}^{n} f_i(k_1, k_2, \ldots, k_n)    (2.1)

[Figure 1.1 Block diagram - group view: U_1 makes a three-degree polynomial h_1(x) and sends the 3 points (n+1, w_{11}), (n+2, w_{12}), (n+3, w_{13}) to U_2 and U_3.]

[Figure 1.2 Flow diagram - single-user view: subkey distribution & commitment, then subkey computation & verification, then fault detection; if a fault is found, delete the cheater from the participant set and return to the start (A), otherwise proceed to conference-key computation.]

where f_i(k_1, k_2, \ldots, k_n) = k_i. Since the result k_i of f_i is independent of the other parameters k_j, j \ne i, each participant U_i can broadcast messages from which the other participants evaluate f_i in a secure-computation manner.

As mentioned previously, the protocol is component-based. It contains the following components:

1. Component of secure multiparty computation for f.

2. Component of k_i commitment and verification.

2.2 Concrete Protocol

The system has the following public parameters:

- p: a large prime of the form p = 2q + 1, where q is also a large prime.

- H: a one-way permutation from Z_q to Z_q.

- g: a generator of the subgroup G_q = \{ i^2 \bmod p \mid i \in Z_p^* \} of quadratic residues modulo p, which has prime order q.

Each user U_i has two parameters:

- Private parameter x_i: a number in Z_q^*.

- Public parameter y_i = g^{x_i} \bmod p. Since q is prime, y_i is also a generator of G_q.

The protocol starts with an initiator calling for a conference among a set U of participants. Without loss of generality, let U = \{U_1, U_2, \ldots, U_n\} be the initial participant set. Each U_i, 1 \le i \le n, knows U.

2.2.1 Secret Distribution And Commitment

Each participant U_i does the following:

Step 1. Randomly select R_i, K_i \in Z_q and S_i \in Z_q^*.

Step 2. Compute the polynomial h_i(x) of degree n over Z_q that passes through the points (0, K_i) and (j, y_j^{R_i} \bmod p \bmod q), 1 \le j \le n. (The abscissae 0, 1, \ldots, 2n used here and in (2.2) must be distinct modulo q, which holds whenever 2n < q.)

Step 3. Compute and broadcast

    w_{ij} = h_i(n + j), \quad 1 \le j \le n,    (2.2)

    \gamma_i = g^{R_i} \bmod p,    (2.3)

    \alpha_i = g^{S_i} \bmod p,    (2.4)

    \beta_i = S_i^{-1} (H(K_i) - \alpha_i x_i) \bmod q.    (2.5)

Here (\alpha_i, \beta_i) is the ElGamal signature of H(K_i) under U_i's private key x_i, and \gamma_i lets every other participant recover its own private point on h_i.

2.2.2 Subkey Computation And Verification

Each participant U_i does the following for every j \ne i:

Step 1. On receiving w_{jl}, 1 \le l \le n, and \gamma_j, compute the polynomial h'_j(x) of degree n over Z_q that passes through (n + l, w_{jl}), 1 \le l \le n, and (i, \gamma_j^{x_i} \bmod p \bmod q). Since \gamma_j^{x_i} = g^{R_j x_i} = y_i^{R_j} \bmod p, this private point is exactly the point (i, y_i^{R_j} \bmod p \bmod q) that U_j built into h_j, so for an honest U_j the polynomial h'_j equals h_j.

Step 2. Let K'_j = h'_j(0).

Step 3. Check whether (\alpha_j, \beta_j) is the ElGamal signature of H(K'_j) by U_j, i.e., check whether g^{H(K'_j)} \bmod p = y_j^{\alpha_j} \alpha_j^{\beta_j} \bmod p. If so, broadcast V_{ij} = "success"; otherwise broadcast V_{ij} = "failure".

2.2.3 Fault Detection

Each participant U_i does the following for every j \ne i:

Step 1. On receiving V_{ji} = "failure" from some U_j, i.e., U_j claims that U_i itself is faulty:

  i. Output R_i, K_i, S_i.

Step 2. On receiving V_{jm} = "failure", i.e., U_j claims that U_m, m \ne i, is faulty:

  i. Wait for U_m's fault-detection messages R_m, K_m, S_m.

  ii. If U_m's fault-detection messages are not received, set U_m as a malicious participant.

  iii. On receiving R_m, K_m, S_m, check whether w_{ml}, 1 \le l \le n, \gamma_m, \alpha_m and \beta_m are consistent with them: whether \gamma_m = g^{R_m} \bmod p, whether there is an n-degree polynomial over Z_q passing through the points (0, K_m), (l, y_l^{R_m} \bmod p \bmod q) and (n + l, w_{ml}), 1 \le l \le n, and whether (\alpha_m, \beta_m) is the ElGamal signature of U_m on H(K_m). If so, set U_j as a malicious participant; otherwise, set U_m as a malicious participant.

Step 3. Restart the protocol after deleting the malicious participants from his participant set U.

2.2.4 Conference-Key Computation

If no faults are detected in the fault-detection stage, each participant U_i computes the conference key

    K = (K'_{i_1} + K'_{i_2} + \cdots + K'_{i_m}) \bmod q    (2.6)

where the current participant set is

    U' = \{U_{i_1}, U_{i_2}, \ldots, U_{i_m}\}    (2.7)

and U_i uses its own K_i in place of K'_i.

2.3 Security Analysis

The security of the protocol, in terms of correctness and fault tolerance, can be explained as follows.

2.3.1 Correctness

Correctness means that if all participants follow the protocol, they compute a common conference key. It can be proved as follows.

From the broadcast messages of participant U_j, participant U_i computes the polynomial h_j(x) passing through the points

    (n + l, w_{jl}), \quad 1 \le l \le n, \quad \text{and} \quad (i, \gamma_j^{x_i} \bmod p \bmod q)    (2.8)

U_i then computes K_j = h_j(0). With the signature (\alpha_j, \beta_j) of U_j, U_i can check whether K_j is correct. Since g has prime order q and H is a permutation of Z_q, the signature (\alpha_j, \beta_j) verifies for exactly one signed text H(K_j) \in Z_q and hence for exactly one K_j, so all participants compute the same K_j. Thus they compute the same conference key

    K = (K_1 + K_2 + \cdots + K_n) \bmod q    (2.9)
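The check in step 3 of 2.2.2, carried through with the symbols of 2.2 to show why it accepts exactly one subkey (added derivation, not from the original paper). By (2.5), S_j \beta_j \equiv H(K_j) - \alpha_j x_j \pmod q, and since g has order q,

    y_j^{\alpha_j} \alpha_j^{\beta_j} \equiv g^{x_j \alpha_j} \cdot g^{S_j \beta_j} \equiv g^{x_j \alpha_j + H(K_j) - \alpha_j x_j} \equiv g^{H(K_j)} \pmod p.

Conversely, if some K'_j satisfies g^{H(K'_j)} \equiv y_j^{\alpha_j} \alpha_j^{\beta_j} \pmod p, then g^{H(K'_j)} \equiv g^{H(K_j)} \pmod p, which forces H(K'_j) \equiv H(K_j) \pmod q because g has order q, and then K'_j = K_j because H is a permutation of Z_q. This is what makes a corrupted w_{jl} detectable: it changes h'_j(0), and any K'_j \ne K_j fails the check.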

2.3.2 Fault Tolerance

Fault tolerance follows from two claims.

1. Any malicious participant U_i who tries to cheat honest participants into accepting different values of K_i will be excluded from the participant sets of all honest participants.

2. An honest participant will not be excluded from the participant set of any other honest participant.

The first claim can be proved as follows. A malicious participant can deviate from the protocol in two ways.

First, a malicious U_i sends "wrong" w_{il}, 1 \le l \le n, \gamma_i, \alpha_i, \beta_i so that two honest participants U_j and U_m compute different values of K_i. In this case one of them, say U_j, sends V_{ji} = "failure", since (\alpha_i, \beta_i) cannot be the ElGamal signature of two different K_i's. Then U_i has to broadcast R_i, K_i and S_i for verification. All participants check whether \gamma_i = g^{R_i} \bmod p, whether (\alpha_i, \beta_i) is the signature of H(K_i), and whether the polynomial passing through (n + l, w_{il}), 1 \le l \le n, and (0, K_i) also passes through the points (j, y_j^{R_i} \bmod p \bmod q), 1 \le j \le n. If all three checks held, the honest U_j's own point (j, y_j^{R_i} \bmod p \bmod q) would lie on that polynomial, U_j would have recovered this K_i, and the signature would have verified; since the honest U_j claims that K_i is wrong, at least one of the checks fails for every participant. Therefore all participants exclude U_i from their participant sets.

Second, U_i sends V_{ij} = "failure" to claim that U_j is malicious while U_j is in fact honest. In this case U_j broadcasts R_j, S_j and K_j to prove his honesty. Since U_j is honest, all honest participants decide that U_i is malicious. Therefore the malicious U_i is excluded by all honest participants.

The second claim can be proved as follows. Since an honest participant U_i follows the protocol, his broadcast messages make all participants compute the same K_i. Even if some malicious participant U_j claims that U_i is faulty, U_i can send R_i, K_i and S_i to prove his honesty. Therefore no honest participant excludes U_i from his participant set.

From the above two proofs, all honest participants compute the same conference key even if a majority of the participants are malicious.

2.3.3 Security Against Passive Attackers

A passive attacker (eavesdropper) tries to learn information about the conference key by listening to the broadcast channel. It can be shown that an eavesdropper obtains no information about the K_i of U_i under the following variant of the decisional Diffie-Hellman assumption.

Let p = 2q + 1 and let G_q be the quadratic-residue subgroup of Z_p^*. Given any generators y_1, y_2 \in G_q \setminus \{1\}, the following two random-variable tuples are computationally indistinguishable:

    (y_1, y_2, y_1^R \bmod p \bmod q, y_2^R \bmod p \bmod q)    (2.10)

and

    (y_1, y_2, u_1, u_2)    (2.11)

where R, u_1, u_2 are chosen uniformly at random from Z_q. Tuple (2.10) is the real distribution: the private points (j, y_j^{R_i} \bmod p \bmod q) that define h_i are of this form. Tuple (2.11) is the uniformly random distribution that the attacker's view cannot be told apart from; as the eavesdropper sees only the n values w_{ij} of a polynomial whose n + 1 coefficients are fixed by K_i and these n indistinguishable-from-random points, it learns nothing about the constant term K_i.

3. EXPERIMENTAL RESULTS

The following results were obtained from the proposed model for a group of three members. The scalability of the algorithm was verified for 1024 users by simulation. The chosen primes are p = 863 and q = 431 (p = 2q + 1, both prime). Three things should be kept in mind when reading the transcripts. First, the 3 \times 4 and 4 \times 5 blocks are the augmented matrices of the linear systems solved for the polynomial coefficients (powers of the abscissa in descending order, then the right-hand side; in the secret-distribution system the constant term is the known subkey and has been moved to the right-hand side), and the interpolation is carried out in floating point over the rationals rather than in Z_q as (2.2) specifies, which is why broadcast values such as w_{12} = -341 appear unreduced and negative. Second, the "verified value" printed for each signature is the common value of the two sides of the check in step 3 of 2.2.2. Third, the conference key printed at the end is the plain sum 99 + 167 + 363 = 629, which (2.6) would reduce modulo q = 431 to 198. Note also that user 3's private key 567 lies outside Z_q^* = \{1, \ldots, 430\}; the program accepts it because g has order q, so only 567 \bmod 431 = 136 affects y_3.

3.1 User 1

ENTER A PRIVATE KEY VALUE

125

GROUP MEMBER JOINS, WAIT....

THE NUMBER OF USERS IN THE GROUP IS =3

ENTER THE SUBKEY VALUE

***********************************************

99

ENTER A RANDOM VALUE

************************************************

423

PUBLIC VALUES

************************************************

ID=1, VALUE=307

ID=2, VALUE=315

ID=3, VALUE=472

SECRET DISTRIBUTION

************************************************

1.000000 1.000000 1.000000 194.000000

8.000000 4.000000 2.000000 328.000000

27.000000 9.000000 3.000000 321.000000

THE POLYNOMIAL COEFFICIENTS ARE:

-13.500000 10.500000 197.000000 99

SUBKEY COMPUTATION

************************************************

64.000000 16.000000 4.000000 1.000000 861.000000

125.000000 25.000000 5.000000 1.000000 1997.000000

216.000000 36.000000 6.000000 1.000000 3820.000000

1.000000 1.000000 1.000000 1.000000 65.000000


SUBKEY=167

64.000000 16.000000 4.000000 1.000000 -1799.000000

125.000000 25.000000 5.000000 1.000000 -6267.000000

216.000000 36.000000 6.000000 1.000000 -14436.000000

1.000000 1.000000 1.000000 1.000000 49.000000

SUBKEY=363

ENTER A RANDOM VALUE WHICH IS RELATIVELY PRIME TO q:

3

SIGNATURE GENERATION

**********************************************

SIGNATURE PAIR: 8 418

SUBKEY VALUES

***********************************************

SUBKEY OF THE USER 1 IS 99

SUBKEY OF THE USER 2 IS 167

SUBKEY OF THE USER 3 IS 363

SIGNATURE VERIFICATION

************************************************

USER 2 SIGNATURE PAIR (512 170) VERIFIED VALUE

387

USER 3 SIGNATURE PAIR (516 144) VERIFIED VALUE

68

***********************************************

CONFERENCE KEY --------- 629

***********************************************

CONFERENCE STARTS U CAN TYPE HERE

I am member 1

USER 2 SENDS---> I am member 2

USER 3 SENDS---> I am member 3

3.2 User 2

ENTER A PRIVATE KEY VALUE

345

GROUP MEMBER JOINS, WAIT....

THE NUMBER OF USERS IN THE GROUP IS =3

ENTER THE SUBKEY VALUE

*********************************************

167

ENTER A RANDOM VALUE

*********************************************

378

PUBLIC VALUES

*********************************************

ID=1, VALUE=307

ID=2, VALUE=315

ID=3, VALUE=472

SECRET DISTRIBUTION

*********************************************

1.000000 1.000000 1.000000 -102.000000

8.000000 4.000000 2.000000 -121.000000

27.000000 9.000000 3.000000 94.000000

THE POLYNOMIAL COEFFICIENTS ARE:

25.166667 -34.000000 -93.166667 167

SUBKEY COMPUTATION

*********************************************

64.000000 16.000000 4.000000 1.000000 191.000000

125.000000 25.000000 5.000000 1.000000 -341.000000

216.000000 36.000000 6.000000 1.000000 -1257.000000

8.000000 4.000000 2.000000 1.000000 427.000000

SUBKEY=99

64.000000 16.000000 4.000000 1.000000 -1799.000000

125.000000 25.000000 5.000000 1.000000 -6267.000000

216.000000 36.000000 6.000000 1.000000 -14436.000000

8.000000 4.000000 2.000000 1.000000 294.000000

SUBKEY=363

ENTER A RANDOM VALUE WHICH IS RELATIVELY PRIME TO q: 9

SIGNATURE GENERATION

**********************************************


SIGNATURE PAIR: 512 170

SUBKEY VALUES

**********************************************

SUBKEY OF THE USER 1 IS 99

SUBKEY OF THE USER 2 IS 167

SUBKEY OF THE USER 3 IS 363

SIGNATURE VERIFICATION

************************************************

USER 1 SIGNATURE PAIR (8 418) VERIFIED VALUE

426

USER 3 SIGNATURE PAIR (516 144) VERIFIED VALUE

68

************************************************

CONFERENCE KEY ----------629

***********************************************

CONFERENCE STARTS U CAN TYPE HERE

USER 1 SENDS---> I am member 1

I am member 2

USER 3 SENDS---> I am member 3

3.3 User 3

ENTER A PRIVATE KEY VALUE 567

GROUP MEMBER JOINS, WAIT....

THE NUMBER OF USERS IN THE GROUP IS =3

ENTER THE SUBKEY VALUE

*********************************************

363

ENTER A RANDOM VALUE

*********************************************

21

PUBLIC VALUES

*********************************************

ID=1, VALUE=307

ID=2, VALUE=315

ID=3, VALUE=472

SECRET DISTRIBUTION

*********************************************

1.000000 1.000000 1.000000 -314.000000

8.000000 4.000000 2.000000 -69.000000

27.000000 9.000000 3.000000 -330.000000

THE POLYNOMIAL COEFFICIENTS ARE :

-177.500000 812.000000 -948.500000 363

SUBKEY COMPUTATION

*********************************************

64.000000 16.000000 4.000000 1.000000 191.000000

125.000000 25.000000 5.000000 1.000000 -341.000000

216.000000 36.000000 6.000000 1.000000 -1257.000000

27.000000 9.000000 3.000000 1.000000 420.000000

SUBKEY=99

64.000000 16.000000 4.000000 1.000000 861.000000

125.000000 25.000000 5.000000 1.000000 1997.000000

216.000000 36.000000 6.000000 1.000000 3820.000000

27.000000 9.000000 3.000000 1.000000 261.000000

SUBKEY=167

ENTER A RANDOM VALUE WHICH IS RELATIVELY PRIME TO q : 27

SIGNATURE GENERATION

*******************************************

SIGNATURE PAIR: 516 144

SUBKEY VALUES

**********************************************

SUBKEY OF THE USER 1 IS 99

SUBKEY OF THE USER 2 IS 167

SUBKEY OF THE USER 3 IS 363


SIGNATURE VERIFICATION

***** ****************************************

USER 1 SIGNATURE PAIR ( 8 418 ) VERIFIED VALUE

426

USER 2 SIGNATURE PAIR ( 512 170 ) VERIFIED VALUE

387

**********************************************

CONFERENCE KEY --------- 629

***********************************************

CONFERENCE STARTS U CAN TYPE HERE

USER 1 SENDS---> I am member 1

USER 2 SENDS---> I am member 2

I am member 3
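The protocol of Section 2.2, together with the fault handling of 2.2.3 and the two attacks of 2.3.2, as an added worked example in Python. It is not the authors' program; the function and variable names (run, distribute, recover_subkey, consistent, USERS) are this example's own. Its inputs are copied from the three transcripts above (p = 863, q = 431, private keys 125/345/567, subkeys 99/167/363, random values 423/378/21, signing values 3/9/27). Two things the transcripts do not state are assumed because the printed values are consistent with them: g = 2 (the pair for user 1 starts with \alpha_1 = 8 = 2^3 for S_1 = 3) and H is the identity map on Z_q (the verified value 426 is 2^99 mod 863 for K_1 = 99). Unlike the floating-point program behind the transcripts, the polynomial arithmetic here is done in Z_q as (2.2) specifies, so the broadcast values come out reduced modulo q (191, 90, 36 for U_1 instead of 191, -341, -1257) while the recovered subkeys, signature pairs and verified values match the transcripts exactly; the key is reduced modulo q as in (2.6), giving 198 rather than the printed 629.

```python
"""Conference-key agreement of Section 2.2, with the fault handling of 2.2.3/2.3.2,
over the toy parameters of Section 3 (p = 863, q = 431).  Added example, not the
authors' program.  Assumed from the transcripts: g = 2 (alpha_1 = 8 = 2^3 for
S_1 = 3) and H is the identity on Z_q (verified value 426 = 2^99 mod 863 for K_1 = 99).
Needs Python 3.8+ for pow(x, -1, m)."""
P, Q, G = 863, 431, 2   # p = 2q + 1; 863 = 7 (mod 8), so 2 is a quadratic residue and generates G_q

def H(k):
    """Assumed stand-in for the one-way permutation H : Z_q -> Z_q (identity, as in the transcripts)."""
    return k % Q

def interpolate_at(points, x0):
    """Value at x0 of the unique polynomial over Z_q of degree len(points) - 1 through
    the given (x, y) pairs, by Lagrange interpolation; x-coordinates must be distinct mod q."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def elgamal_sign(x, S, m):
    """ElGamal signature of m in Z_q under private key x: equations (2.4) and (2.5)."""
    alpha = pow(G, S, P)
    return alpha, pow(S, -1, Q) * (m - alpha * x) % Q

def elgamal_ok(y, m, alpha, beta):
    """Verification of 2.2.2 step 3: g^m == y^alpha * alpha^beta (mod p)."""
    return pow(G, m, P) == pow(y, alpha, P) * pow(alpha, beta, P) % P

def distribute(x, K, R, S, pub):
    """2.2.1: the broadcast of a participant with private key x; pub maps j -> y_j."""
    n = len(pub)
    h = [(0, K)] + [(j, pow(pub[j], R, P) % Q) for j in range(1, n + 1)]  # defines h_i(x), degree n
    alpha, beta = elgamal_sign(x, S, H(K))
    return {"w": {l: interpolate_at(h, n + l) for l in range(1, n + 1)},  # (2.2)
            "gamma": pow(G, R, P), "alpha": alpha, "beta": beta}          # (2.3), (2.4), (2.5)

def recover_subkey(i, x_i, msg, n):
    """2.2.2 steps 1-2: U_i rebuilds h_j from the n public points plus its private point
    (i, gamma_j^{x_i} mod p mod q) = (i, y_i^{R_j} mod p mod q), then reads K'_j = h_j(0)."""
    pts = [(n + l, msg["w"][l]) for l in range(1, n + 1)]
    return interpolate_at(pts + [(i, pow(msg["gamma"], x_i, P) % Q)], 0)

def consistent(msg, y_m, R, K, S, pub):
    """2.2.3 step 2(iii): is U_m's broadcast fully explained by the revealed (R_m, K_m, S_m)?"""
    n = len(pub)
    h = [(0, K)] + [(l, pow(pub[l], R, P) % Q) for l in range(1, n + 1)]
    return (msg["gamma"] == pow(G, R, P) and msg["alpha"] == pow(G, S, P)
            and elgamal_ok(y_m, H(K), msg["alpha"], msg["beta"])
            and all(msg["w"][l] == interpolate_at(h, n + l) for l in range(1, n + 1)))

# Constructed inputs copied from the Section 3 transcripts: i -> (x_i, K_i, R_i, S_i).
USERS = {1: (125, 99, 423, 3), 2: (345, 167, 378, 9), 3: (567, 363, 21, 27)}

def run(tamper=None, false_accuse=None):
    """One session.  tamper=m: U_m corrupts its public point w_{m,1} (first attack of 2.3.2).
    false_accuse=(i, j): U_i sends V_ij = "failure" against an honest U_j (second attack).
    Returns what the honest participants end up with."""
    n = len(USERS)
    pub = {i: pow(G, x, P) for i, (x, _, _, _) in USERS.items()}
    msgs = {i: distribute(x, K, R, S, pub) for i, (x, K, R, S) in USERS.items()}
    if tamper:
        msgs[tamper]["w"][1] = (msgs[tamper]["w"][1] + 1) % Q
    subkey, ok = {}, {}                       # subkey[(i, j)] = K'_j as computed by U_i; ok = V_ij
    for i, (x_i, *_) in USERS.items():
        for j, m in msgs.items():
            if j != i:
                subkey[(i, j)] = recover_subkey(i, x_i, m, n)
                ok[(i, j)] = elgamal_ok(pub[j], H(subkey[(i, j)]), m["alpha"], m["beta"])
    if false_accuse:
        ok[false_accuse] = False
    excluded = set()                          # 2.2.3: an accused U_j reveals (R_j, K_j, S_j) ...
    for (i, j), verdict in ok.items():        # ... and the honest side checks the consistency
        if not verdict:
            _, K_j, R_j, S_j = USERS[j]
            excluded.add(i if consistent(msgs[j], pub[j], R_j, K_j, S_j, pub) else j)
    honest = [i for i in USERS if i not in excluded]
    keys = {i: (USERS[i][1] + sum(subkey[(i, j)] for j in honest if j != i)) % Q
            for i in honest}                  # (2.6) over the surviving set U'
    return {"w": {i: m["w"] for i, m in msgs.items()},
            "sig": {i: (m["alpha"], m["beta"]) for i, m in msgs.items()},
            "gval": {i: pow(G, H(USERS[i][1]), P) for i in USERS},   # the transcripts' "verified value"
            "subkey": subkey, "excluded": excluded, "keys": keys}

if __name__ == "__main__":
    print(run())
    print(run(tamper=1)["excluded"], run(false_accuse=(2, 3))["excluded"])
```

Running the file prints the honest session (signature pairs (8, 418), (512, 170), (516, 144), verified values 426, 387, 68, key 198 for everyone) followed by the excluded sets {1} and {2} for the two attacks: a corrupted w_{11} makes both honest users' signature checks on U_1 fail and the revealed (R_1, K_1, S_1) cannot explain the broadcast, while a false accusation against U_3 is refuted by U_3's revealed values and costs the accuser its seat. The consistent() check needs no private data, which is what lets every participant, not just the accuser, reach the same verdict in step 2(iii).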

The next section concludes the proposed model and notes its remaining limitation.

4. CONCLUSION

The proposed model presents a conference-key agreement protocol suitable for distributed environments. The results obtained from the model show that the honest participants communicate securely in a distributed environment no matter how many participants are malicious. Under the assumption of a variant of the decisional Diffie-Hellman problem, an eavesdropper learns nothing about the conference key established by the honest participants.

The results also show that malicious participants (cheaters) cannot disrupt the conference key: the model removes a cheater through the digital-signature verification process. Since each user publishes its subkey only as n points of a polynomial of degree n whose constant term is the subkey, an eavesdropper who lacks the private (n+1)-th point cannot recover the subkey from the broadcast values, and hence learns nothing about the conference key.

Furthermore, the protocol is efficient. It uses only two rounds to compute a conference key once all malicious participants have been detected. The size of the messages that each participant sends is, however, proportional to the number of participants.
