1.1 Distributed and Collaborative Key Agreement Protocols with Authentication and Implementation for Dynamic Peer Groups Patrick Pak-Ching LEE.


1 1.1 Distributed and Collaborative Key Agreement Protocols with Authentication and Implementation for Dynamic Peer Groups Patrick Pak-Ching LEE

2 1.2 Presentation Outline
- To identify the motivation of group key management;
- To introduce Tree-based Group Diffie-Hellman (TGDH);
- To propose three interval-based distributed rekeying algorithms: Rebuild, Batch and Queue-batch;
- To present performance evaluation results;
- To explain the authentication mechanism incorporated into the rekeying algorithms;
- To describe an implementation library, SGCL; and
- To suggest future research directions.

3 1.3 What are the Applications?
- Many group-oriented applications demand communication confidentiality. For example:
  - chat-rooms,
  - audio/video conferencing applications,
  - file sharing tools,
  - router communication paradigms,
  - secure communication for network games in strategy planning.
- We need a secure group key management scheme so that the group can encrypt communication data with a common secret group key.

4 1.4 Desired Properties of Gp. Key Mgt.
- Distributed: there is no centralized key server, which has the following limitations:
  - A single point of failure; and
  - Not suitable for peer groups and ad hoc networks.
- Collaborative: all group members contribute their own part to generate a group key.
- Dynamic: the protocol remains efficient even when the occurrences of join/leave events are very frequent.

5 1.5 Our Work
- Focused on group key agreement schemes which do not rely on centralized key management.
- Designed three interval-based distributed rekeying algorithms that have the distributed, collaborative and dynamic features.
- Conducted performance evaluation analysis to illustrate the performance merits of the interval-based algorithms.
- Incorporated an authentication mechanism into the interval-based algorithms.
- Implemented a library for the development of secure group-oriented applications.

6 1.6 Tree-based Group Diffie-Hellman (TGDH)
- A binary key tree is formed. Each node $v$ represents a secret (private) key $K_v$ and a blinded (public) key $BK_v$.
- $BK_v = \alpha^{K_v} \bmod p$, where $\alpha$ and $p$ are public parameters.
- Every member holds the secret keys along the key path.
- For simplicity, assume each member knows all the blinded keys in the key tree.
[Figure: key tree with nodes 0 to 8, 11 and 12 and members $M_1$ to $M_6$; $K_0$ = group key]

7 1.7 TGDH: Node Relationships
- The secret key of a non-leaf node $v$ can be generated by:
  $K_v = (BK_{2v+1})^{K_{2v+2}} = (\alpha^{K_{2v+1}})^{K_{2v+2}} \bmod p$
  $K_v = (BK_{2v+2})^{K_{2v+1}} = (\alpha^{K_{2v+2}})^{K_{2v+1}} \bmod p$
  $K_v = \alpha^{K_{2v+1} K_{2v+2}} \bmod p$
- The secret key of a leaf node is randomly selected by the corresponding member.
[Figure: node $v$ with children $2v+1$ and $2v+2$ and their blinded keys $BK_{2v+1}$, $BK_{2v+2}$]

8 1.8 TGDH: Group Key Generation
- E.g., $M_1$ generates the group key via:
  $K_7, BK_8 \rightarrow K_3$
  $K_3, BK_4 \rightarrow K_1$
  $K_1, BK_2 \rightarrow K_0$ (Group Key)
[Figure: key tree with nodes 0 to 8, 11 and 12 and members $M_1$ to $M_6$; nodes 7, 3, 1, 0 and siblings 8, 4, 2 marked]
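The key-path computation from slides 6 to 8, as an added example that is not part of the original slides or of SGCL. The node numbering follows the six-member tree on the slides; the modulus `P`, the base `ALPHA` and all function names are assumptions chosen for the demonstration.

```python
import secrets

# Constructed demo parameters (assumption): the slides do not give p or alpha.
# A 127-bit Mersenne prime is far too small for real use.
P = 2**127 - 1
ALPHA = 3

# Leaf node id -> member, following the six-member key tree on the slides.
LEAVES = {7: "M1", 8: "M2", 4: "M3", 11: "M4", 12: "M5", 6: "M6"}

def blind(k):
    """BK_v = alpha^K_v mod p."""
    return pow(ALPHA, k, P)

def sibling(v):
    """Left children have odd ids (2v+1), right children even ids (2v+2)."""
    return v + 1 if v % 2 == 1 else v - 1

def build_blinded_keys(leaf_secrets):
    """Simulate the broadcasts: derive every node secret bottom-up and
    return only the blinded keys, plus K_0 for cross-checking."""
    secret = dict(leaf_secrets)

    def key(v):
        if v not in secret:
            # K_v = (BK_{2v+1})^{K_{2v+2}} mod p
            secret[v] = pow(blind(key(2 * v + 1)), key(2 * v + 2), P)
        return secret[v]

    root = key(0)
    return {v: blind(k) for v, k in secret.items()}, root

def group_key(leaf, leaf_secret, blinded):
    """What one member does: walk its key path to the root using its own
    leaf secret and the siblings' blinded keys only."""
    v, k = leaf, leaf_secret
    while v != 0:
        k = pow(blinded[sibling(v)], k, P)   # K_parent = (BK_sibling)^K_v
        v = (v - 1) // 2
    return k

def demo():
    """Every member derives K_0 independently; all results must agree."""
    leaf_secrets = {v: secrets.randbelow(P - 2) + 1 for v in LEAVES}
    blinded, k0 = build_blinded_keys(leaf_secrets)
    derived = {LEAVES[v]: group_key(v, s, blinded) for v, s in leaf_secrets.items()}
    return k0, derived

if __name__ == "__main__":
    k0, derived = demo()
    print(all(k == k0 for k in derived.values()))
```

For `M1` at node 7 the loop in `group_key` performs exactly the three steps listed on the slide: node 7 with `BK_8`, node 3 with `BK_4`, node 1 with `BK_2`.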

9 1.9 TGDH: Membership Events
- Rekeying (renewing the keys of the nodes) is performed at every single join/leave event to ensure backward and forward confidentiality. A special member called sponsor is elected to be responsible for broadcasting updated blinded keys.
[Figure: timeline with Join and Leave events and rekey operations]

10 1.10 TGDH: Single Leave Case
- $M_4$ becomes the sponsor. It rekeys the secret keys $K_2$ and $K_0$ and broadcasts the blinded key $BK_2$.
- $M_1$, $M_2$ and $M_3$ compute $K_0$ given $BK_2$.
- $M_6$ and $M_7$ compute $K_2$ and then $K_0$ given $BK_5$.
[Figure: key tree with members $M_1$ to $M_7$ before and after $M_5$ leaves; $M_4$ marked as sponsor (S)]

11 1.11 TGDH: Single Join Case
- $M_8$ broadcasts its individual blinded key $BK_{12}$ on joining.
- $M_4$ becomes the sponsor again. It rekeys $K_5$, $K_2$ and $K_0$ and broadcasts the blinded keys $BK_5$ and $BK_2$.
- Now everyone can compute the new group key.
[Figure: key tree before and after $M_8$ joins; $M_4$ marked as sponsor (S)]

12 1.12 Interval-based Distributed Rekeying Algorithms
- We can reduce one rekeying operation if we can simply replace $M_5$ by $M_8$ at node 12.
- Interval-based rekeying is proposed such that rekeying is performed on a batch of join and leave requests at regular rekeying intervals. This improves the system performance.
- We propose three interval-based rekeying algorithms, namely Rebuild, Batch and Queue-batch.
- Sponsors are elected at every rekeying event. They coordinate with each other in broadcasting new blinded keys.

13 1.13 Rebuild Algorithm
- Intuition: Minimize the height of the key tree so that every member manages fewer renewed nodes in the subsequent rekeying operations.
- Basic Idea: Reconstruct the whole key tree to form a complete tree.
- We can explore the situations where Rebuild is applicable.
[Figure: key tree before and after Rebuild; $M_2$, $M_5$, $M_7$ leave and $M_8$ joins; sponsors (S): $M_1$, $M_3$, $M_4$, $M_6$, $M_8$]

14 1.14 Batch Algorithm
- Intuition: Add the joining members to suitable positions.
- Basic Idea:
  - Replace the leaving members with the joining members.
  - Attach the joining members to the shallowest positions.
  - Keep the key tree balanced.
- Elect the sponsors who help broadcast new blinded keys.

15 1.15 Batch – Example 1: L > J > 0
- $M_8$ broadcasts its join request, including its blinded key.
- $M_1$ rekeys secret keys $K_1$ and $K_0$. $M_4$ rekeys $K_5$, $K_2$ and $K_0$.
- $M_1$ broadcasts $BK_1$. $M_4$ broadcasts $BK_5$ and $BK_2$.
[Figure: key tree before and after the batch; $M_2$, $M_5$, $M_7$ leave and $M_8$ joins; sponsors (S): $M_1$, $M_4$, $M_8$]

16 1.16 Batch – Example 2: J > L > 0
- $M_8$ and $M_9$ form a subtree $T_1'$. $M_{10}$ itself forms a subtree $T_2'$.
- $M_8$ and $M_9$ compute $K_6$, and one of them broadcasts $BK_6$.
- $M_1$ rekeys $K_3$ and $K_1$. $M_6$ rekeys $K_2$.
- $M_1$ broadcasts $BK_3$ and $BK_1$. $M_6$ broadcasts $BK_2$.
[Figure: key tree before and after the batch; $M_8$, $M_9$, $M_{10}$ join and $M_2$, $M_7$ leave; subtrees $T_1'$ and $T_2'$; $M_8$, $M_9$, $M_{10}$ marked (S)]

17 1.17 Queue-batch Algorithm
- Intuition: Pre-process the join events during the idle rekeying interval, hence reduce the processing load at the beginning of each rekeying interval.
- Basic Idea:
  - Two stages: Queue-subtree and Queue-merge
  - Queue-subtree: Within the idle rekeying interval, attach each joining member to a subtree $T'$.
  - Queue-merge: At the beginning of the next rekeying interval, add the subtree $T'$ to the existing key tree, and prune all nodes of the leaving members.

18 1.18 Queue-batch – Example of Queue-merge
- $T'$ is attached to node 6.
- $M_{10}$, the sponsor, will broadcast $BK_6$.
- $M_1$ rekeys $K_1$. $M_6$ rekeys $K_2$.
- $M_1$ broadcasts $BK_1$. $M_6$ broadcasts $BK_2$.
[Figure: key tree before and after Queue-merge; $M_8$, $M_9$, $M_{10}$ join and $M_2$, $M_7$ leave; subtree $T'$ holds $M_8$, $M_9$ and $M_{10}$; $M_1$ and $M_{10}$ marked (S)]

19 1.19 Performance Evaluation
- Methods: mathematical models + simulation experiments
- Performance Metrics:
  - Number of renewed nodes: This metric provides a measure of the communication cost.
  - Number of exponentiation operations: This metric provides a measure of the computation load.
- Settings:
  - There is only one group.
  - The population size is fixed at 1024 users.
  - Originally, 512 members are in the group.

20 1.20 Evaluation 1: Mathematical Models
- Start with a well-balanced tree with 512 members.
- Obtain the metrics at different numbers of joining and leaving members in a single rekeying interval.
- Queue-batch offers the best performance, and a significant computation/communication reduction when the group is very dynamic.

21 1.21 Evaluation 2: Simulation Experiments
- Start with a well-balanced tree with 512 members.
- Every potential member joins the group with probability $p_J$, and every existing member leaves the group with probability $p_L$.
- Evaluate the average / instantaneous metrics at different join/leave probabilities over 300 rekeying intervals.

22 1.22 Evaluation 2: Simulation Experiments
- Average number of exponentiations at different fixed join probabilities:
[Figure: three panels, $p_J = 0.25$, $p_J = 0.5$, $p_J = 0.75$]

23 1.23 Evaluation 2: Simulation Experiments
- Average number of renewed nodes at different fixed join probabilities:
[Figure: three panels, $p_J = 0.25$, $p_J = 0.5$, $p_J = 0.75$]

24 1.24 Discussion of Evaluation Results
- Queue-batch offers the best performance among the three interval-based algorithms.
- The performance of Queue-batch is even superior under frequent joins/leaves.
  - Frequent join: queue-batch gains from pre-processing
    - Batch doesn’t have the pre-processing advantage.
  - Frequent leave: queue-batch prunes departure nodes
    - Batch replaces departure nodes with joins.

25 1.25 Authenticated TGDH (A-TGDH)
- Motivation:
  - Non-authenticated TGDH is subject to the man-in-the-middle attack.
  - Simple signature is not enough.
- Basic idea:
  - Authenticate every short-term (or session) blinded key with a certified long-term (or permanent) private component.
  - The group key contains both short-term and long-term components.

26 1.26 A-TGDH: Concepts
- Each member $M_i$ holds two pairs of keys:
  - Short-term secret and blinded keys $(r_{mi}, \alpha^{r_{mi}} \bmod p)$, which remain valid from the time $M_i$ joins until it leaves.
  - Long-term private and public keys $(x_{mi}, \alpha^{x_{mi}} \bmod p)$, which remain permanent and are certified by a trusted party.
- $M_i$ generates an authenticated short-term blinded key using $M_j$’s long-term public key:
  $(\alpha^{x_{mj}})^{r_{mi}} \bmod p = (\alpha^{r_{mi}})^{x_{mj}} \bmod p$
- Physical meaning:
  - L.S.: generator $\alpha$ is authenticated, i.e., $\alpha$ becomes $\alpha^{x_{mj}}$
  - R.S.: the short-term blinded key $\alpha^{r_{mi}}$ is encrypted with a long-term private key $x_{mj}$.

27 1.27 A-TGDH: 2-Party Case
- It is based on the AK protocol (Indocrypt ’00). Assume $M_1$ and $M_2$ each hold the long-term public key of the other member. The authenticated short-term secret key is:
  $K = \alpha^{r_{m1} r_{m2} + r_{m1} x_{m2} + r_{m2} x_{m1}} \pmod p$
- $M_1$ sends $(\alpha^{x_{m2}})^{r_{m1}}$ to $M_2$; $M_2$ sends $(\alpha^{x_{m1}})^{r_{m2}}$ to $M_1$.
- $M_1$ retrieves $\alpha^{r_2}$ and gets $K$ as: $(\alpha^{r_{m2}})^{r_{m1}} (\alpha^{x_{m2}})^{r_{m1}} (\alpha^{x_{m1}})^{r_{m2}}$
- $M_2$ retrieves $\alpha^{r_1}$ and gets $K$ as: $(\alpha^{r_{m1}})^{r_{m2}} (\alpha^{x_{m2}})^{r_{m1}} (\alpha^{x_{m1}})^{r_{m2}}$
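The two-party exchange above with both sides' messages, as an added example that is not part of the original slides or of SGCL. The modulus `P`, base `ALPHA`, the function names and the way the receiver strips its long-term key (raising to the inverse of $x$ modulo $p-1$) are assumptions for this demonstration; the slides only say that each side "retrieves" the peer's blinded key.

```python
import math
import secrets

P = 2**127 - 1   # constructed demo modulus (Mersenne prime), not a production size
ALPHA = 3        # constructed demo base

def long_term_key():
    """Long-term private x, chosen invertible mod P-1 so that the owner
    can strip it from a received authenticated blinded key."""
    while True:
        x = secrets.randbelow(P - 3) + 2
        if math.gcd(x, P - 1) == 1:
            return x

def auth_blinded(r_own, pub_peer):
    """Message sent to the peer: (alpha^x_peer)^r_own mod p."""
    return pow(pub_peer, r_own, P)

def session_key(r_own, x_own, pub_peer, received):
    """Retrieve alpha^r_peer from the received value, then form
    K = (alpha^r_peer)^r_own * (own message) * (received message) mod p."""
    peer_blinded = pow(received, pow(x_own, -1, P - 1), P)
    sent = auth_blinded(r_own, pub_peer)
    return pow(peer_blinded, r_own, P) * sent * received % P

def run_exchange(tamper=False):
    x1, x2 = long_term_key(), long_term_key()
    pub1, pub2 = pow(ALPHA, x1, P), pow(ALPHA, x2, P)   # certified public keys
    r1 = secrets.randbelow(P - 2) + 1                   # short-term secrets
    r2 = secrets.randbelow(P - 2) + 1
    m1_to_m2 = auth_blinded(r1, pub2)
    m2_to_m1 = auth_blinded(r2, pub1)
    if tamper:
        # A party without x_m2 substitutes its own blinded key in transit.
        m1_to_m2 = pow(ALPHA, secrets.randbelow(P - 2) + 1, P)
    k1 = session_key(r1, x1, pub2, m2_to_m1)
    k2 = session_key(r2, x2, pub1, m1_to_m2)
    expected = pow(ALPHA, r1 * r2 + r1 * x2 + r2 * x1, P)
    return k1, k2, expected

if __name__ == "__main__":
    k1, k2, expected = run_exchange()
    print(k1 == k2 == expected)
```

With `tamper=True` the two sides end up with different keys, which is the condition a key confirmation step detects.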

28 1.28 A-TGDH: Multi-Party Case
- Idea: Encrypt the blinded key of node $v$ with the long-term private key of $M_i$: $\alpha^{K_v x_{mi}} \bmod p$.
- The authenticated short-term secret key of node $v$ is the product of:
  - Non-authenticated short-term secret key
  - Authenticated blinded keys of left child by the long-term components of right child’s descendants
  - Authenticated blinded keys of right child by the long-term components of left child’s descendants

29 1.29 A-TGDH: Multi-Party Case
- Secret key at leaf nodes: $r_{mi} \bmod p$
- Authorized secret key of $K_1$ is:
  $K_1 = \alpha^{r_{m1} r_{m2} + r_{m1} x_{m2} + r_{m2} x_{m1}} \bmod p$
- Authorized group key $K_0$ is:
  $K_0 = \alpha^{K_1 K_2 + K_1 (x_{m3} + x_{m4}) + K_2 (x_{m1} + x_{m2})} \bmod p$
- Double-protection on the group key (with $r_{mi}$ and $x_{mi}$)
[Figure: key tree with nodes 0 to 6 and members $M_1$ to $M_4$]

30 1.30 A-TGDH: Characteristics
- Key authentication: no outsiders access the keys.
- Key confirmation: every member possesses the same group key.
- Known-key secrecy: past short-term keys cannot deduce future short-term keys.
- Perfect forward secrecy: current long-term keys cannot deduce past short-term keys.

31 1.31 SGCL Implementation
- We realized our algorithms via the Secure Group Communication Library (SGCL):
  - Linux-based C language API
- SGCL helps developers build secure group-oriented applications.
- Two testing applications: Chatter and Gauger
  - Chatter: secure chat-room
  - Gauger: performance testing tool

32 1.32 SGCL: Overview
- Leader: responsible for notifying others to start a rekeying operation
[Figure labels: REKEY; the one which stays the longest]

33 1.33 SGCL: Overview
- Sponsors: responsible for broadcasting new blinded keys
[Figure labels: Leader; Blinded key]

34 1.34 SGCL: Architecture
[Figure: SGCL architecture. Labels: SGCL API; Receive thread; Process thread; verify; sign; Message queue; Packet queue; Keytree engine; Sesskey engine; Member engine; Leader engine; Certkey engine; Packet engine; Spread daemon (maintain reliable and ordered communication)]

35 1.35 SGCL: API Functions
- SGCL_init()
- SGCL_set_passwd()
- SGCL_join()
- SGCL_send()
- SGCL_recv()
- SGCL_read_membership()
- SGCL_leave()
- SGCL_destroy()
[Figure label: SGCL session object]

36 1.36 SGCL: Experiments
- Gauger: study the performance of the interval-based algorithms under real network settings.
- Metrics:
  - 1) Rekeying duration, 2) no. of exponentiations, 3) no. of blinded keys, and 4) no. of broadcasts of blinded keys
- Settings:
  - 40 Gaugers, evenly located in eight P4/2.5GHz’s
  - Inter-connected in a single LAN

37 1.37 SGCL: Result Highlights
- Highlights: Average analysis of no. of exponentiations and no. of blinded keys
- Queue-batch shows dominant performance under the high membership dynamics.

38 1.38 SGCL: Applications Chatter

39 1.39 Conclusion
- Three interval-based distributed rekeying algorithms: Rebuild, Batch and Queue-batch
- Performance evaluation: mathematical models and simulation experiments
- Authentication
- Implementation of SGCL

40 1.40 Future Directions
[Figure: LAN A, LAN B, LAN C and LAN D connected through the Internet]

41 1.41 Future Directions
- A hybrid key tree with both physical and logical properties:
[Figure: LAN A, LAN B, LAN C and LAN D connected through the Internet]

42 1.42 Future Directions
- Robustness against attacks:
  - Erroneous key confirmation
  - Forged packets/signatures
  - Leader masquerade
- Security in Spread daemons
  - Encryption between a Spread daemon and SGCL
  - Encryption among the Spread daemons
- Key tree updates:
  - Interval-based
  - Threshold-based

43 1.43 SGCL: Leader and Sponsors
- Leader:
  - Election: the one which stays the longest in the group.
- Sponsors:
  - Election: the rightmost member of the subtree whose root is not renewed but root’s parent is.
  - Coordination: the blinded key of a renewed node is broadcast by the sponsor which can broadcast a sequence of blinded keys in one round.
[Figure labels: $M_l$ (S), $M_r$ (S)]

44 1.44 SGCL: Leader Components
[Figure: leader components. Labels: Rekey poll thread; Rekey send thread; sign; Rekey queue; Keytree engine; Sesskey engine; Member engine; Leader engine; Certkey engine; Packet engine; Spread daemon]

45 1.45 Q: Related Work (Centralized Physical Hierarchical Schemes)
- Intra Domain Group Key Management Protocol
  - Domain Key Distributor + Area Key Distributor
- Iolus
  - Rekeying in subgroup level
  - Subgroup manager re-encrypts data sessions
[Figure: hierarchy of DKD, AKDs and members M]

46 1.46 Q: Related Work (Centralized Physical Hierarchical Schemes)
- Kronos
  - Periodic rekeying
- Reversible Parametric Sequences (RPS)
  - Router tree
  - Group key encryption along the tree path
[Figure: router tree with nodes a1 to a7 and Leaf 1 to Leaf 3; $S_0$ (group key), $S_1$, $S_2$, $S_3$; $H_{0,3}(S_3) = S_0$]

47 1.47 Q: Related Work (Centralized Logical Hierarchical Schemes)
- Logical Key Hierarchy
  - Key graph
- One-way Function Tree
  - The key of a node is a function of the keys of its left and right children

48 1.48 Q: Related Work (Decentralized Schemes)
- Cliques
  - A linear chain
- Tree-based Group Diffie-Hellman
- STR
  - Form a skewed tree
[Figure: members M1, M2, M3, M4]

49 1.49 Q: Instantaneous Analysis
- Instantaneous number of exponentiations at different pairs of join/leave probabilities for Batch and Queue-batch:
[Figure: three panels, $p_J = 0.25$, $p_L = 0.25$; $p_J = 0.5$, $p_L = 0.5$; $p_J = 0.75$, $p_L = 0.75$]

50 1.50 Q: Instantaneous Analysis
- Instantaneous number of renewed nodes at different pairs of join/leave probabilities for Batch and Queue-batch:
[Figure: three panels, $p_J = 0.25$, $p_L = 0.25$; $p_J = 0.5$, $p_L = 0.5$; $p_J = 0.75$, $p_L = 0.75$]

51 1.51 Q: N-ary tree
- Do we have to stick to a binary tree? Can we have a ternary tree, or an N-ary tree?
- Answer:
  - Not necessarily good for N-ary tree, though it reduces the tree height
  - Use one-round tripartite Diffie-Hellman based on Weil pairing
  - 512-bit Weil pairing ~ 3 x 1024-bit exponentiation

