1264 IEICE TRANS. COMMUN., VOL.E88–B, NO.3 MARCH 2005

LETTER

Security Analysis of DoS Vulnerability in Stream Authentication Schemes Using Hash Chaining

Namhi KANG†a) and Christoph RULAND†, Nonmembers

SUMMARY In this letter, we show that some stream authentication schemes using hash chaining are highly vulnerable to denial of service (DoS) attacks. An adversary can disrupt all receivers of a group by modifying a few packets in those schemes.

key words: stream authentication schemes, hash chaining, denial of service (DoS) attack

1. Introduction

Hash chaining provides a cost-effective means for a real-time streaming application that needs to support data origin authentication and integrity protection in multicast. To reduce the cost of digital signatures, including both the computation and the communication overhead, in some stream authentication schemes [1]–[4] the source generates an amortizing signature over a set of packets called a block. As a result, a signature, which contains the hash value of the first or the last packet in a block, is generated and transmitted once per block, at the beginning or at the end of the block. In addition, each packet, which contains only a few hash values of its previous or succeeding packets as an authentication tag, is transmitted continuously; this is called hash chaining.

From the viewpoint of efficiency, previous work using hash chaining may be appropriate, but it can suffer from denial of service attacks. In particular, a DoS attack on the receiver side is a much more serious problem in multicast than in unicast, since a single adversary can disrupt thousands of receivers at a time. In this letter, we show that modifying just one or a few packets can cause verification to fail for all packets in the block.

1.1 Notations

We use the following notations throughout this letter: $H(\cdot)$ denotes a collision-resistant hash function.
$\sigma$ is a signature generated by a signing function denoted $\mathrm{Sig}(sk, h_k)$, where $sk$ is the private key of the source and $h_k$ denotes the hash value of the $k$th packet, namely $h_k = H(P_k)$. The verification function is denoted by $\mathrm{Ver}(pk, \sigma, h_k)$, where $pk$ is the public key of the source. $\alpha \| \beta$ denotes the concatenation of data $\alpha$ and $\beta$. $Adv$ and $GR$ stand for an adversary and a receiver group, respectively. Finally, we refer to $modF(\exists\{\cdot\})$ and $modF(\forall\{\cdot\})$ as the modifying processing of an $Adv$, where $\forall\{\cdot\}$ and $\exists\{\cdot\}$ denote all and some elements of the set given to an $Adv$, respectively.

Manuscript received June 8, 2004.
† The authors are with Institute for Data Communications Systems, University of Siegen, Hoelderlin str. 3, 57068 Siegen, Germany.
a) E-mail: kang@nue.e-technik.uni-siegen.de
DOI: 10.1093/ietcom/e88–b.3.1264

2. Review of Authentication Schemes Using Hash Chaining

In order to reduce the cost of digital signatures on streaming data, several researchers have proposed authentication schemes employing hash chaining [1]–[4]. In 1997, Gennaro and Rohatgi proposed the off-line solution, where only the first packet is digitally signed [1]. The source generates the first packet, $P_0 = [\sigma \| h_1]$, where $\sigma = \mathrm{Sig}(sk, h_1)$, and then continuously sends packets, each of which contains the hash value of its next packet. The $k$th packet, for example, contains the message and the hash value of the next packet, namely $P_k = [M_k \| h_{k+1}]$. Therefore, if the receiver is able to verify the first signature, namely $\mathrm{Ver}(pk, \sigma, h_1)$ is true, then all packets in the stream are verifiable. That is, the receiver calculates the hash value of the arriving packet and compares it with the stored hash value extracted from the previous packet. If both are equal, the receiver accepts the packet. Otherwise, he/she rejects it. The shortcomings of the off-line solution are that it is not loss tolerant and that the source must know the entire stream in advance.
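The off-line chain described above, as an added example (not code from the letter or from [1]): the source builds $P_0$ and $P_k$ as defined, and the receiver's check shows that one modified or lost packet leaves every later packet unverifiable. SHA-256 for $H$, an HMAC under a constructed key standing in for Sig/Ver, and the zero padding in the last packet are assumptions of this example.

```python
import hashlib
import hmac

HLEN = 32                            # SHA-256 digest length (assumed choice for H)
DEMO_KEY = b"constructed-demo-key"   # constructed value

def H(data):
    return hashlib.sha256(data).digest()

# Stand-in for Sig(sk, h) / Ver(pk, sigma, h). The scheme uses a public-key
# signature; an HMAC is swapped in only to stay within the standard library.
def sig(h):
    return hmac.new(DEMO_KEY, h, hashlib.sha256).digest()

def ver(sigma, h):
    return hmac.compare_digest(sigma, sig(h))

def build_stream(messages):
    """Return [P_0, ..., P_n]: P_0 = sigma || h_1 and P_k = M_k || h_{k+1}."""
    packets, next_hash = [], b"\x00" * HLEN   # P_n has no successor (assumed padding)
    for m in reversed(messages):              # the whole stream must be known up front
        p = m + next_hash
        packets.append(p)
        next_hash = H(p)
    packets.append(sig(next_hash) + next_hash)
    return packets[::-1]

def receive(packets):
    """Accept/reject decision for P_1..P_n; None marks a packet lost in transit."""
    sigma, expected = packets[0][:HLEN], packets[0][HLEN:]
    chain_ok = ver(sigma, expected)
    results = []
    for p in packets[1:]:
        chain_ok = chain_ok and p is not None and hmac.compare_digest(H(p), expected)
        results.append(chain_ok)
        if chain_ok:
            expected = p[-HLEN:]              # trusted h_{k+1} for the next packet
    return results

def tamper(packet):
    """Flip one bit of the first byte (constructed in-transit modification)."""
    return bytes([packet[0] ^ 1]) + packet[1:]

if __name__ == "__main__":
    stream = build_stream([b"m1", b"m2", b"m3", b"m4", b"m5"])
    print(receive(stream))
    print(receive(stream[:2] + [tamper(stream[2])] + stream[3:]))
    print(receive(stream[:3] + [None] + stream[4:]))
```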
Thus, the off-line solution is impractical for an application that wishes to send a real-time stream over an unreliable channel such as the Internet. To overcome these shortcomings, the schemes in [2]–[4] have been proposed recently. The main differences between [1] and these schemes are as follows. On the one hand, each packet contains several hash values of previous packets, and a signature is also generated with several hash values, to achieve robustness against packet loss. On the other hand, the source transmits a signature packet periodically to support real-time streaming.

The authors of those schemes have commonly used a graph representation to explain their hash chaining authentication schemes simply. A packet in a stream is regarded as a node, and each hash link from node to node is regarded as an edge in the graph representation, as described in Fig. 1. The receiver is able to verify a packet if there exists at least one unbroken path from the packet node to the signature node. Any node that is regarded as a lost packet is removed from the graph.

Copyright © 2005 The Institute of Electronics, Information and Communication Engineers
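The verifiability rule of the graph representation, as an added example (not code from the letter or the cited schemes): packets are nodes, an edge i → j means $H(P_i)$ is carried in $P_j$, lost packets are removed, and a packet is verifiable if some path reaches the signature node. The link offsets, the block size and the number of hashes covered by the signature are constructed values, not the topology of Fig. 1 or of any scheme in [2]–[4].

```python
from collections import deque

def build_edges(n, offsets=(1, 3), signed=2):
    """Hash-link graph for a block of packets 0..n-1 plus signature node n.

    Edge i -> j means H(P_i) is carried in P_j. The offsets and the number
    of packet hashes placed in the signature packet are constructed values.
    """
    edges = {i: [] for i in range(n + 1)}
    for i in range(n):
        for d in offsets:
            if i + d < n:
                edges[i].append(i + d)
    for i in range(n - signed, n):
        edges[i].append(n)            # signature packet carries these hashes
    return edges

def verifiable(n, edges, lost):
    """Packets that keep at least one unbroken path to signature node n."""
    if n in lost:
        return set()                  # no signature packet, nothing verifies
    # Reverse the edges, then walk back from the signature node through
    # received packets only; lost packets are treated as removed nodes.
    rev = {j: [] for j in edges}
    for i, outs in edges.items():
        for j in outs:
            rev[j].append(i)
    seen, queue = {n}, deque([n])
    while queue:
        j = queue.popleft()
        for i in rev[j]:
            if i not in lost and i not in seen:
                seen.add(i)
                queue.append(i)
    return seen - {n}

if __name__ == "__main__":
    block = build_edges(8)
    print(sorted(verifiable(8, block, {5})))      # redundancy absorbs one loss
    print(sorted(verifiable(8, block, {6, 7})))   # every path to the signature is cut
    chain = build_edges(5, offsets=(1,), signed=1)
    print(sorted(verifiable(5, chain, {2})))      # single-link chain, one loss
```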