Group signature revocable anonymity scheme for network monitoring

Subscribers' privacy is in constant conflict with the security and accountability controls employed by service providers and enterprises for network monitoring. This paper presents the results of the author's research in the field of distributed network security monitoring architectures and proposes such a system, one that incorporates cryptographic protocols and a group signature scheme to deliver a privacy-protecting network surveillance architecture that provides subscriber accountability together with controlled, revocable anonymity.


Introduction
The internet has grown to become the major means of communication for the economy, industry, education and politics as well as for individuals. It is very important to the contemporary world, but it also brings threats and risks that are successfully exploited by a new type of cyber criminal. Security monitoring is one of the essential means of control that allows security staff to know their enemy and to counter security threats. Network security monitoring is one of the vital elements that provides visibility and accountability for network owners and network providers.
In a nutshell, a typical network monitoring system shall satisfy the following functional requirements:
• acquiring the information necessary for operation and maintenance processes [1],
• measurement of traffic parameters for service level agreement or quality of service validation,
• controlling of communication services,
• providing security for network subscribers and network resources,
• providing input for security incident and event management systems [2].
Network traffic monitoring has, however, some serious implications on the subscriber's privacy and thus privacy-aware property is very important especially in the case of the Internet service providers and mobile incumbents. The authors of PRIsm framework [1,3] were among the first to address this problem in the professional literature and they have also put forward appropriate standardization proposals.
This paper presents a proposal for a privacy mechanism based on a group signature scheme that drives a network security monitoring system called the MANSF. The MANSF provides conditional anonymity for the monitored subjects and provides a subject's accountability in the case of a security incident.

Privacy Aware Network Monitoring Architecture
The MANSF (Multi-Agent Network Surveillance Framework) is designed for packet networks running the Internet protocol suite and performs distributed passive network traffic analysis. Passive interception ensures that no alteration is imposed on the inspected network flows. Packet interception is performed at key network locations for maximal visibility and accountability (see Fig. 1). The target audience for this platform is Internet service providers, mobile operators, enterprise security and management teams, and security incident management organizations. The proposed platform is designed to satisfy security monitoring and network measurement goals while ensuring that no network subscriber experiences a degradation of privacy or anonymity. The functional requirements with respect to subscribers' privacy have been satisfied by incorporating the following controls into the design:
• A layered communication architecture that limits the interfaces available to a potential attacker.
• Pseudonyms representing subscribers in the central repository of network events.
• A dynamic group signature scheme that allows sensor agents to send trusted messages anonymously.
• Multilayer distributed data aggregation and normalization, used to enhance privacy.
• Revocation of anonymity controlled by a cryptographic mechanism secured with a secret sharing scheme.
The key elements of the architecture are the multi-agent framework, the centralized data repository, management and monitoring, and the user interface. The multi-agent framework consists of autonomous computer agents and supporting nodes used by agents for registration (Agent Directory) and as the repository of the topology (Service Directory). Agents are divided into two classes that process network traffic at different levels of abstraction:
• Agent Collector: network probe and network topology discovery function.
• Agent Processor: data aggregation and normalization agent that is associated with a group of agent collectors.
The Central Repository is a special node that collects network security events and evidence from collector agents. It also stores knowledge in the form of a frame system that contains the network baseline profile and the calculated subscriber profile classes. This knowledge may be further used for detecting anomalies or characterizing the observed traffic. Evidence data is anonymized and privacy protected. The Management and Monitoring element is used for the system's operations management. The User Interface hosts applications for the system's end users. An important example of such an application is the Privacy Controller, the interface for subscriber anonymity control and revocation.
Most of those properties are achieved by using an efficient and dynamic group signature scheme that allows agents to revocably identify the source of a network incident. The group signature scheme used in the MANSF is based on the robust and rigorously defined BSZ05 [4] scheme, which has been extended by the author with a group member revocation procedure and with control of the group opening manager's secret key.

Revocable Anonymity Scheme
The key cryptographic primitive delivering the anonymity properties of the MANSF architecture is a dynamic group signature scheme, secure under the assumption that trapdoor permutations exist, based on the formal description and the rigorous security model BSZ05 first proposed in [4].
The set of procedures for this scheme consists of the following items: Issue, Join, Judge, Open, Remove, Sign and Verify, where Remove is an extension of BSZ05. The key requirement assumed for the group signature construct is the distribution of the group manager roles into separate modules realized by different physical servers within the MANSF. Additionally, the set of group signature scheme procedures is partitioned into public and protected classes, thus limiting the number of oracles available to a potential attacker from the internal or external perspective.
It is assumed that the Agent Collector is provisioned in a secure environment where it is not possible to retrieve the private group signature part of an agent, and that the Join and Issue procedures are executed in a trusted environment. The secrecy of the agent's internal structures, which retain sensitive subscriber information, should also be protected by hardware means. From the operations security perspective, separation of duties and restricted console functionality are used to ensure that agent collector nodes are managed securely.
The key elements of the MANSF group signature framework are the following:
Group Manager (GM): responsible for the provisioning of group members and maintenance of the secret database of member certificates. The Group Manager holds the gmsk key used for provisioning new members and implements group signature scheme procedures like Join, Judge, Revoke and Verify. It is located on the Central Repository and provides the following public services for the multi-agent framework:
• Verify, used by Agent Processors and the Central Repository to verify the authenticity of agent collectors' messages,
• Remove, used to disable a compromised or decommissioned agent collector,
• Judge, used by a user-plane application like the Privacy Controller when performing a revocation of a subscriber's anonymity.
Group Opening Manager (GOM): implemented on the Agent Directory. GOM holds the key gomk that is used to open a signature and reveal the identity of the signer. It provides the Open procedure and hosts the Group Member Revocation List (abbr. GMRL), which is used to verify whether a signature was issued by an authorized group member without disclosing the identity of the signer.
Group Controller (GC): implemented on the monitoring system of the MANSF. It is used to decommission an agent collector in the case of compromise. GC uses the Agent Directory for a reference to the list of agent collectors and uses the Remove procedure hosted on the Central Repository.
Group Member: any agent collector within the MANSF multi-agent platform; it implements the Sign procedure.
The Privacy Controller is not a part of the group signature scheme, but it plays an important role within the MANSF framework. It is an application layer module responsible for the evidence inspection and subscriber incident reporting. It may revoke the identity of a subscriber based on the decision of an operator and the authority responsible for privacy protection.
Agent collectors, the members of the group signature scheme, use the Sign procedure to authenticate messages broadcast toward their associated agent processor. In general, the signature is constructed over the digest of the exchanged message and the time stamp to record the time of sending a message.
Following the group signature construct proposed in [4], the result of the Open procedure may be verified with the second procedure Judge that is hosted on a separate system: the Central Repository. This solution is necessary to eliminate the scenario when one of the key group signature scheme members, like GM or GOM, is compromised. The Privacy Controller, aiming at revoking anonymity of a given subscriber, first follows the Open procedure and then checks the validity of results with the Judge procedure.

Scheme Details
Using the BSZ05 [4] proposal as the basis, let ρ_1 and ρ_2 be NP relations over the domain D, let (P_1, V_1) and (P_2, V_2) be the NIZK proof systems for those relations, and let k ∈ N be the security parameter. Let DS = (Sign, Ver) be a digital signature scheme, ES = (Encrypt, Decrypt) a public key encryption scheme and H_k() a k-bit message digest, as defined in BSZ05. In addition to the cryptographic primitives of the base scheme, this proposal extends it with the following items:
• a public key infrastructure certificate authority on the Agent Directory with the public key K_AD and the private key K_AD^{-1} that issues certificates cert_name; Compose is the procedure that takes k key parts out of the total n in order to derive a protected secret key value,
• the GMRL list of revoked group members, containing records (TK_i, T_r), where the token TK_i is the revocation token of the agent ag_i of index i, created during the Join procedure, and T_r is the time when the revocation happened,
• a message digest function Hash used for revocation token integrity protection and satisfying the requirements of the PKI scheme.
The setup phase of the group signature scheme is identical to that of the base scheme except for the initialization of the additional elements that extend the original scheme.

Procedure 3.1 Group Signature Scheme Setup
(… 3, pk_e, pk_s): group public key
gmsk ← (sk_s): group manager key
gomk ← SSEC(sk_e, r_e): GOM private key protected with the secret sharing scheme

The Group Manager and Group Member Revocation List certificates are issued and signed by the certificate authority that is implemented in the Agent Directory of the MANSF multi-agent framework. The public key of the Agent Directory PKI service does not belong to the group signature scheme. In detail, an agent verifying a group signature uses the Verify oracle located on the Central Repository and has to validate the integrity of gpk, or of the response from the GMRL service, by inspecting the appropriate certificate. The validity of that certificate is in turn checked against the self-signed certificate of the Certification Authority of the MANSF platform, which is also provided by the Agent Directory node.

Role             Data structures
Agent Directory  Agents[…]

The notation used in the cryptographic attribute descriptions is as follows:
• (pk_i, sk_i): public and private key of a given agent collector instance.

The exchange of messages in the Join procedure takes place only between applications during provisioning and does not traverse the multi-agent communication network. The secret key generation procedure is, according to the BSZ05 model, assumed to be trusted: the adversary cannot see the result of the generation procedure, and appropriate security controls have to be deployed to satisfy this functional requirement.
The agent collector generates a key pair (pk_i, sk_i) ← K_s(1^k) and signs it to produce sig_i ← E(sk_i : pk_i). It also creates a revocation token RT_i ← (R_3, T_a) and its signature rsig_i ← E(sk_i : R_3, T_a). Both items are sent to the Central Repository, which is the Group Manager. The Agent Directory verifies the signatures sig_i and sig_R before continuing the procedure. When the signatures match, it generates the certificate cert_i ← Sign(sk_s : (i, pk_i)) and formulates the response [4]. The response from the Central Repository agent is encrypted with the challenge K_r proposed by the agent collector (… : H(agent))). The Agent Directory receives the new agent collector's registration information and populates the Agents[…] table with the new entry. Additionally, the list of valid tokens ValidTokens[…] is appended with the digest of the revocation token; the variable TK_i is discarded after the digest has been made from it. The revocation token is protected by the key gomk and the secure secret sharing scheme in order to limit the possibility of using the token for traffic analysis by a corrupted Agent Directory.
The signature generation, the Sign procedure, is used by an agent collector instance to prove the authenticity of the anonymous message it is distributing. An agent collector also sends its revocation token R_GMRL to claim its revocation status.

Procedure 3.3 Sign procedure GSig(gpk, m)
H_k(m) is the k-bit message digest function run on the original message m being signed, and h_m denotes its output. The proof π_1 over ρ_1 is made for the statement (pk_e, pk_s, h_m, c) with the witness (i, pk_i, cert_i, s, r).

Verification of the revocation status of a group signature's owner is implemented by the GMRL procedure. The Group Member Revocation List (GMRL) is the database of all revoked agents and is used to check whether the signer had the right to sign at a given point in time. The time stamp records the time since which signatures issued by a given member are treated as untrusted. In general, the GMRL procedure is a service implemented on the Agent Directory node; the Agent Directory is also the owner of the Open procedure. The revocation check procedure takes a revocation token R_GMRL as its parameter together with the time T_s, and verifies that T_s is consistent with the time stamp embedded in the encrypted token. The token is always sent in encrypted form, protected with random nonces and a time stamp, so that a transmitted token is always fresh for a particular agent; this protects the anonymity of the group signature member and the security of the whole scheme. The procedure also verifies that the revocation token value belongs to a valid group member by consulting the ValidTokens[…] table.

Procedure 3.4 Revocation status check procedure GMRL(gpk, T_s, R_GMRL)
This procedure uses the object notation for the entries of the GMRL CRL table.

The Open procedure is hosted on the Agent Directory of the MANSF platform. It checks whether the signature is correct and then returns the set of identifiers pointing to the Agents table, along with the NIZK proof verifiable by the Judge procedure. To do so it has to retrieve the secret key sk_e, which is protected by the secure secret sharing scheme SSEC(N, K), where K out of the N part-key holders are required to commit the procedure.
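To make the SSEC(N, K) protection of sk_e and the Compose step from the primitives list concrete, the following is an added example, not the paper's code and not the MANSF implementation: Shamir's (K, N) threshold sharing over a prime field. The function names split_secret and compose_secret, the field prime P and the encoding of the key as an integer are assumptions of this illustration. compose_secret plays the role of Compose and refuses to run unless at least K part-key holders have committed their shares, which is the condition the Open procedure imposes.

```python
import secrets

# Added example (not the paper's code): Shamir (K, N) secret sharing over GF(P),
# modelling SSEC(N, K) / Compose. Names and the prime P are assumptions.
P = 2**127 - 1  # Mersenne prime; the shared secret must be an integer below P


def _eval_poly(coeffs, x):
    """Horner evaluation of the sharing polynomial at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, k: int, n: int):
    """SSEC(N, K): return N shares (x, y); any K of them reconstruct the secret.
    The constant term of a random degree-(K-1) polynomial is the secret."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= K <= N")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def compose_secret(shares, k: int) -> int:
    """Compose: Lagrange interpolation at x = 0 from at least K committed shares.
    Fewer than K shares reveal nothing about the secret, so the call is refused."""
    if len(shares) < k:
        raise ValueError("fewer than K part-key holders committed")
    shares = shares[:k]
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P       # product of (0 - x_j)
                den = den * (xi - xj) % P   # product of (x_i - x_j)
        # den is non-zero because the x's are distinct and smaller than P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


if __name__ == "__main__":
    # Constructed key value standing in for sk_e; 3 of 5 holders reconstruct it.
    sk_e = 0x1122334455667788
    parts = split_secret(sk_e, 3, 5)
    print(compose_secret([parts[0], parts[2], parts[4]], 3) == sk_e)  # True
```

Holding only the digest-protected shares on separate stakeholders is what turns a single compromised Agent Directory into a collusion requirement, as the security discussion later notes.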
The Judge procedure is used to validate the output of the opening manager. The opening manager uses a NIZK proof over ρ_2 to prove knowledge of its key material. This procedure is mandatory in case there is a possibility of a disgruntled opening manager; the concept was introduced in [5,4].
The Remove procedure is, in fact, used for disabling an agent collector instance and populating the GMRL database with the reference to the revoked agent. The agent's entry in the Agents[] table is never erased. This is the requirement that allows identifying the source of an evidence event even after the availability of historic or archived data from agent collectors. In order to provide accountability of subscribers, an appropriate data retention policy has to be in place. This entails the retention of regular backups of a given agent collector's database of subscribers and pseudonym maps. Those backups have to be stored outside the multi-agent platform and have to be encrypted with a secret key that is itself protected by additional means.
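The GMRL check (Procedure 3.4), the Join-side population of ValidTokens[…] and the Remove procedure above, as an added Python model that is not the paper's or the MANSF project's code. It keeps only token digests, as the Join description requires; models R_GMRL as an already-decrypted envelope (nonce, embedded time stamp, token), since the paper sends the token encrypted; and applies the time stamp window that the security discussion calls an implementation control. The names Gmrl, register_agent, remove_agent, gmrl_check, signing_set_size and the window size are assumptions. signing_set_size goes slightly beyond the text by computing the anonymity set a verifier is left with at a given signing time.

```python
import hashlib
from dataclasses import dataclass, field

# Added example (not the paper's code): minimal model of the GMRL machinery.
# All names below are assumptions for this illustration.
FRESHNESS_WINDOW = 300  # seconds; assumed size of the time stamp window


def token_digest(token: bytes) -> str:
    """Hash used for revocation token integrity protection (SHA-256 assumed)."""
    return hashlib.sha256(token).hexdigest()


@dataclass
class Gmrl:
    # ValidTokens[...]: digests of enrolled agents' revocation tokens; the raw
    # token TK_i is discarded after digesting, so the table alone cannot be
    # used by a corrupted Agent Directory to link traffic to an agent.
    valid_tokens: set = field(default_factory=set)
    # GMRL records: token digest -> T_r (time at which revocation happened).
    revoked: dict = field(default_factory=dict)
    # Nonces already seen, so a captured envelope cannot be replayed.
    seen_nonces: set = field(default_factory=set)


def register_agent(gmrl: Gmrl, token: bytes) -> None:
    """Join side: append the digest of the revocation token to ValidTokens."""
    gmrl.valid_tokens.add(token_digest(token))


def remove_agent(gmrl: Gmrl, token: bytes, t_r: int) -> bool:
    """Remove: record (TK_i digest, T_r). The member's entry is never erased."""
    digest = token_digest(token)
    if digest not in gmrl.valid_tokens:
        return False                       # unknown token: nothing to revoke
    gmrl.revoked.setdefault(digest, t_r)   # keep the earliest revocation time
    return True


def gmrl_check(gmrl: Gmrl, envelope: tuple, t_s: int, now: int) -> bool:
    """Procedure 3.4 GMRL(gpk, T_s, R_GMRL): True iff the token is fresh and
    its owner was an unrevoked member at signing time T_s. Returns only a
    boolean, so the caller learns membership-at-time and nothing else."""
    nonce, t_embedded, token = envelope
    if t_embedded != t_s:
        return False   # time stamp in the token inconsistent with T_s
    if abs(now - t_s) > FRESHNESS_WINDOW:
        return False   # outside the time stamp window: stale or future-dated
    if nonce in gmrl.seen_nonces:
        return False   # replayed envelope
    gmrl.seen_nonces.add(nonce)
    digest = token_digest(token)
    if digest not in gmrl.valid_tokens:
        return False   # never a group member
    t_r = gmrl.revoked.get(digest)
    if t_r is not None and t_s >= t_r:
        return False   # signed at or after the member's removal
    return True


def signing_set_size(gmrl: Gmrl, t_s: int) -> int:
    """Number of members entitled to sign at t_s: the anonymity set that a
    verifier knowing only the GMRL answer can narrow a signature down to."""
    return sum(
        1 for d in gmrl.valid_tokens
        if gmrl.revoked.get(d) is None or t_s < gmrl.revoked[d]
    )


if __name__ == "__main__":
    g = Gmrl()
    register_agent(g, b"constructed-token-a")
    register_agent(g, b"constructed-token-b")
    remove_agent(g, b"constructed-token-b", 1500)
    print(gmrl_check(g, ("n1", 1400, b"constructed-token-b"), 1400, 1410))  # True
    print(gmrl_check(g, ("n2", 1600, b"constructed-token-b"), 1600, 1610))  # False
    print(signing_set_size(g, 1600))  # 1
```

The nonce set and the window together are what make a captured token useless for replay; the revocation time T_r is compared against the signing time T_s rather than the verification time, so evidence signed before a member was removed still verifies, which is the retention requirement the Remove description states.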
The Verify procedure is used to validate the authenticity and correctness of a group signature. It is implemented on the Central Repository and on agent processor agents. The verification is implemented as the check of the zero knowledge proof issued by the group member signing the message m. If the NIZK proof verifies, it is confirmed that the message, the signing time and the revocation token were issued by a valid group member. The final check consists of verifying the revocation status of the signer using the revocation token R_GMRL.

Procedure 3.8 Verify procedure Verify(gpk, m, π_1, c, T_s, R_GMRL)
H_k(m) is the k-bit message digest function run on the original message m that has been signed by a group member, and h_m denotes its output.
If V_1(… (pk_e, pk_s, h_m, c), π_1) then return GMRL(gpk, T_s, R_GMRL) else return false

Proposal's Security
The group signature scheme relies on the BSZ05 [4] model which, under the assumption that trapdoor permutations exist, provides correctness, anonymity, non-frameability and traceability, and delivers a dynamic signature scheme. The cryptographic primitives implied by this model are very complicated and inefficient, so the scheme itself is not practical. However, it offers a rigorous and sound formal structure that is a good basis as the reference model.
The BSZ05 scheme also introduces separate roles for the group manager and the opening manager, which enhances security by reducing frameability threats. From the anonymity perspective the scheme ensures that a group signature cannot be forged, which implies accountability for the group member issuing a signature.
Group Member Cadence Security Impact. The dynamics of the BSZ05 scheme consists in flexibly expanding the number of group members with the Join procedure. The group public key does not depend on the group size, as the signature is based on non-interactive zero knowledge proofs. The BSZ05 scheme is extended with a revocation mechanism based on the GMRL list (Group Member Revocation List), which is available via the GMRL oracle to public requesters without threatening the anonymity of the group signature scheme members. The GMRL oracle returns only true or false, so the only advantage gained by the party verifying a group signature is the knowledge that it was issued by a group member during its cadence. If we assume that the GMRL oracle is available only to the Verify oracle, then we further limit the knowledge acquired by a potential adversary. In the worst case the GMRL oracle does not help in reducing the anonymity of a group member unless the attacker knows the list of revoked agents, in which case the anonymity set can be significantly reduced; if there is only one revoked member, the identity of that agent may be broken. Corruption of the Agent Directory gives the adversary access to the Agents[] table and to the GMRL[] table and lets it retrieve the group manager opening key. Since this key is protected with the secure secret sharing scheme, this type of event requires the stakeholders to collude. As an additional security control, the public key infrastructure is used to protect integrity and deliver non-repudiation for the group signature message exchange, as in the case of the GMRL procedure.
The signer cadence check has to have a minimal impact on the information that may leak during the verification process. Therefore the GMRL list contains only the date and time when an agent has been Removed. The lower bound check is realized as an implementation security control, where every message is checked against a time stamp window: when the arrival time and creation time stamps are too distant from the received time stamp, the message has to be discarded as invalid. Of course, this area may easily become a weakness if the protocol is not maintained properly.
Architectural Strengths. From the architectural point of view, the security level is further enhanced with the use of the following concepts related to the specifics of the MANSF platform:
• Communication platform layering: different procedures are invoked over separate network planes; for instance the Remove procedure can only be invoked by the management platform, whereas the Verify procedure may be invoked by any agent processor agent or the Central Repository agent.
• Protected group signature procedures: the Open and Remove oracles are not available to the attacker in the adversary model of the MANSF. The GMRL contents are also private from the Agent Directory's perspective.
The adversary model assumes that the Remove oracle is not available to the multi-agent members, and that the GMRL oracle is available only to the Agent Directory agent. If the Agent Directory were compromised then, under normal conditions where access to the group opening secret key is not protected, anonymity would be broken. In our case the secure secret sharing scheme removes this weakness.
Weaknesses. Potential weaknesses are concentrated around the corruption of individual group signature elements. First, the agent collector, which is the group signature scheme member, is a weak point if the adversary hijacks the secret keys used to generate signatures: in such a case a group member may forge messages until the corruption is detected. The second weak point is the Agent Directory, which is the group opening manager and hosts the GMRL. A potential adversary may try to obtain the number of revoked members; however, it is not possible to deanonymize them without colluding with the secure secret sharing scheme's stakeholders.
Efficiency. The original formal BSZ05 model relies on very complicated and CPU-intensive cryptographic primitives. For instance the GMR digital signature scheme, claimed to be secure under chosen ciphertext attack (CCA-secure) [4], has in its enhanced form [6] a computation cost comparable to the RSA (O(log(N))) scheme. This, however, may not be efficient for an agent analyzing intensive traffic that has to produce signatures for thousands of generated messages. Fortunately, the latest advancements in the field of pairing based cryptography allow one to compose schemes that have constant size group public keys and short group signatures. The most efficient schemes using pairing based cryptography, like [7,8,9], offer signatures as short as 6-8 group elements of a 520-bit prime order group constructed using an elliptic curve over a finite field.
Implementation. In the research work, the selection of the group signature scheme was dictated by practical application requirements such as computation cost and the size of the signature domain. The choice was a scheme using a bilinear map over an elliptic curve over a prime field. The basis for the implementation is a version of the GRO07 group signature scheme [8], which is anonymous under chosen-plaintext attack (CPA-anonymous). The implementation is reinforced with the "PBC library" and the "PBC signature" libraries, which implement the platform for bilinear map generation and are easily extensible. The core cryptographic primitive used by [8] and in the implementation of the MANSF group signature is the BB04 [10] short signature.

Conclusions
In conclusion, many existing dynamic group signature schemes may be extended with a fully dynamic option by adopting architecture-related or external techniques like public key cryptography and revocation lists maintained by one of the group managers. The scheme presented in the MANSF framework also implements this principle with success. The monitoring system is mostly concerned with maximal subscriber privacy and a verifiable evidence source. The signature cadence check of the MANSF, realized with a revocation list based on revocation tokens and protected with a secure shared secret scheme, introduces minimal impact on the privacy and anonymity of the event source. Further research is, however, needed to ensure resistance to GMRL oracle corruption and to the ability of an adversary to infer an agent's identity knowing the date and time of that agent's revocation.