Presentation is loading. Please wait.

Presentation is loading. Please wait.

Group Key Distribution Xiuzhen Cheng The George Washington University.

Published byTamsin Holland Modified over 8 years ago

Similar presentations

Presentation on theme: "Group Key Distribution Xiuzhen Cheng The George Washington University."— Presentation transcript:

1 Group Key Distribution Xiuzhen Cheng The George Washington University

2 Paper List C.K.Wong et al: Secure Group Communications Using Key Graphs M.Waldvogel et al: the VersaKey Framework D.McGrew and A.T.Sherman: Key Establishment in Large Dynamic Groups Using One-way Function Trees

3 Introduction Secure group communication Pay-per-view video streaming Video On Demand (VOD) Secure teleconferencing Online games

4 Secure Group Communication Authorization Secure Multicasting Forward confidentiality (revocation) Backward confidentiality

5 Secure Group Multicasting u u2u2 u1u1

6 Our Assumptions Each node shares one or more Key Encryption Keys (KEK) with GC to encrypt TEK updates All nodes share a Traffic Encryption Key (TEK) to encrypt communication data. There is a Group Controller (GC) When membership changes, TEK needs to be updated

7 Traffic Encryption Key u A Group of Users E TEK (msg) u sends a message encrypted with TEK

8 Key Encryption Key u

9 u KEKs are used to encrypt TEK updates

10 An Easy Re-keying Scheme : Star-shaped Each user shares a secret KEK with GC When a user joins or leaves, GC sends each node a re-keying message encrypted with its own KEK

11 Star-shaped Re-keying Scheme : Join GC u u wants to join the group

12 Star-shaped: Join (Cont ’ d) GC u GC sends encrypted TEK to other nodes

13 Star-shaped: Leave GC u U tells GC that he’s leaving

14 Star-shaped: Leave (Cont ’ d) GC u GC sends encrypted TEK to other nodes

15 Analysis of Star- shaped Scheme Pros: Easy to implement Provides both forward and backward confidentiality Cons: Doesn't scale well ~ Θ(n) Oooooops!

16 Logical Key Hierarchy Proposed by C.K.Wong, M.Gouda, and S.S.Lam It provides both forward and backward confidentiality It scales well ~ Θ(logn)

17 LKH: Key Graphs u-nodes are real users k-nodes represent keys u knows k if there ’ s a path from u to k

18 LKH: Join u 9 is about to join the group

19 LKH: Leave u 9 is about to leave the group

20 User, Key, or Group? User-oriented re-keying is nothing more than grouping re-keying messages by users ~ less but bigger messages Key-oriented re-keying is just grouping them by keys ~ more but smaller messages Group-oriented is putting all re-keying messages together to generate a big, fat message ~ only one gigantic message

21 User-Oriented Rekeying Encryption Cost Join: 1 + 2 + … + h-1 + h-1 Leave: (d-1)(1+2+ … +h-1) Rekey Messages Join: h Leave: (d-1)(h-1) k9k9 u9u9 Join rekey messages Leave rekey messages

22 Key-Oriented Rekeying Encryption Cost Join: 2(h-1) Leave: d(h-1) Rekey Messages Join: 2(h-1) Leave: (d-1)(h-1) k9k9 u9u9 Join rekey messages Leave rekey messages

23 Group-Oriented Rekeying k9k9 u9u9 Two rekey messages for join: Encryption cost for join: 2(h-1) Leave Operation: Encryption cost: d(h-1) Rekey messages: 1

24 Analysis of LKH Re-keying messages are sent in a top- down fashion Complexity depends on the tree height, h=Θ(logn)

25 An Improvement: LKH+ Proposed by M.Waldvogel et al in “ The VersaKey Framework ” They use a one-way function to update TEK when a ‘ join ’ happens

26 LKH+: Join When u 9 joins, u 1 ~ u 8 feed the KEK into a one-way hash function to do the update

27 Analysis of LKH+ GC doesn't need to send re-keying messages when a join happens When a join happens, every member can compute the new TEK locally The newly joined member cannot compute the old TEK ~ backward confidentiality

28 Centralized Flat Key Management Proposed by M.Waldvogel et al as well Another logical tree- based re-keying scheme It greatly reduces GC ’ s storage requirement

29 Flat Key Table TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1 GC maintains the following table

30 Flat Key Management TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1 Node 0110 knows highlighted KEKs

31 CFKM: Join Node #1101 is about to join the group

32 CFKM: Join GC first sends it the new TEK and highlighted KEKs (be updated first) TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

33 CFKM: Join GC then encrypts new TEK with the complementary KEKs (the highlighted ones) TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

34 CFKM: Join GC then broadcasts these message to everybody Since other nodes differ from it in at least 1 position, they can decrypt the re- keying message and get the updated TEK

35 CFKM: Leave Node 1010 is about to leave TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

36 CFKM: Leave GC sends everybody a new TEK encrypted with complementary KEKs TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

37 CFKM: Leave (Cont ’ d) Similarly, since other nodes differ from it in at least 1 position, they can decrypt the re-keying message and get the updated TEK Now, all KEKs known by the leaving node become invalid and need to be updated

38 CFKM: Leave (Cont ’ d) For each of the invalid KEKs, GC selects a new replacement encrypted with both the old KEK and the new TEK For those who are not supposed to know the replacement KEKs, they cannot decrypt the message as they don ’ t know the old value

39 CFKM: Leave (Cont ’ d) For each of the invalid KEKs, GC selects a new replacement encrypted with both the old KEK and the new TEK The evicted node cannot decrypt the message either, as it doesn't know the new TEK

40 CFKM: Pros and Cons Pros: It greatly reduces GC ’ s memory requirement ~ only one table needed It maintains the same logarithmic bound as LKH, LKH+ ~ it ’ s efficient Cons: Removal of multiple nodes

41 CFKM: Multiple Leaves Node 1001 and 0110 are leaving … TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

42 One-way Function Trees Proposed by D.A.McGrew and A.T.Sherman Logical tree-based scheme as well Even it ’ s still of logarithmic bound, the coefficient is smaller than LKH

43 Structure of OFT f k left k right unblinded key gg f(g(k left ),g(k right )) G is one-way

44 Blinded & Unblinded Keys Unblinded Key: the value that hasn ’ t been passed though g Blinded Key: the value that has already been passed though g If you know the unblinded key, you can compute the blinded key The reverse is not true

45 OFT Algorithm Each member knows the blinded keys which are siblings to its path to the root Each member knows its unblinded key Each member can then compute the key of the root, which is the TEK (root maintains only one key)

46 OFT Algorithm (Cont ’ d) Node u knows the blinded keys of all green nodes u

47 OFT: Join/Leave If a blinded key changes, its new value must be communicated to all members who store it For a join/leave operation, Θ(logn) nodes need to update the blinded keys, where n is the distance to the root

48 OFT: Join/Leave (Cont ’ d) If u wants to join, all green nodes must update blinded keys u

49 Analysis of OFT OFT has the same log-bound as LKH LKH ’ s leading coefficient is 2 (binary), since updates must be sent to both children along the path to the root OFT ’ s leading coefficient is 1, since updates has only to be sent to the sibling along the path to the root

50 Why OFT is better? If u wants to leave, then only the green nodes need to be updated The blue nodes can always compute the blinded key locally u

51 Conclusion Star-shaped: most na ï ve approach, no scalability LKH: the basic of everything, good performance and functionality LKH+: a slight improvement of LKH CFKM: reducing GC ’ s storage need OFT: best of all algorithms so far

52 In-Class Exercise Design a protocol that can automatically update the group key as time evolves. Must guarantee backward and forward confidentiality Each group member joins/leaves at some specific instance of time: join at the beginning of a time slot and leave at the end of a time slot Time is discretised into slots with fixed length The time schedule (join/leave) of each node is known ahead of time Assume a GC is available to assist the job Hint: use two one-way hash chains

Download ppt "Group Key Distribution Xiuzhen Cheng The George Washington University."

Similar presentations

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
A hierarchical key management scheme for secure group communications in mobile ad hoc networks Authors: Nen-Chung Wang and Shian-Zhang Fang Sources: The.

A hierarchical key management scheme for secure group communications in mobile ad hoc networks Authors: Nen-Chung Wang and Shian-Zhang Fang Sources: The.
1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang

1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5.3 Group Key Distribution Acknowledgment: Slides on.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5.3 Group Key Distribution Acknowledgment: Slides on.
Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.

Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.
Broadcast Encryption – an overview Niv Gilboa – BGU 1.

Broadcast Encryption – an overview Niv Gilboa – BGU 1.
Presentation By: Garrett Lund Paper By: Sandro Rafaeli and David Hutchison.

Presentation By: Garrett Lund Paper By: Sandro Rafaeli and David Hutchison.
Ranveer Chandra , Kenneth P. Birman Department of Computer Science

Ranveer Chandra , Kenneth P. Birman Department of Computer Science
KAIS T Scalable Key Management for Secure Multicast Communication in the Mobile Environment Jiannong Cao, Lin Liao, Guojun Wang Pervasive and Mobile Computing.

KAIS T Scalable Key Management for Secure Multicast Communication in the Mobile Environment Jiannong Cao, Lin Liao, Guojun Wang Pervasive and Mobile Computing.
KAIS T Distributed Collaborative Key Agreement and Authentication Protocols for Dynamic Peer Groups IEEE/ACM Trans. on Netw., Vol. 14, No. 2, April 2006.

KAIS T Distributed Collaborative Key Agreement and Authentication Protocols for Dynamic Peer Groups IEEE/ACM Trans. on Netw., Vol. 14, No. 2, April 2006.
Secure and Efficient Key Management in Mobile Ad Hoc Networks Bing Wu, Jie Wu, Eduardo B. Fernandez, Mohammad Ilyas, Spyros Magliveras Department of Computer.

Secure and Efficient Key Management in Mobile Ad Hoc Networks Bing Wu, Jie Wu, Eduardo B. Fernandez, Mohammad Ilyas, Spyros Magliveras Department of Computer.
B-Trees. Motivation for B-Trees Index structures for large datasets cannot be stored in main memory Storing it on disk requires different approach to.

B-Trees. Motivation for B-Trees Index structures for large datasets cannot be stored in main memory Storing it on disk requires different approach to.
Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.

Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.

Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.
Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.

Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.
© nCode 2000 Title of Presentation goes here - go to Master Slide to edit - Slide 1 Reliable Communication for Highly Mobile Agents ECE 7995: Term Paper.

© nCode 2000 Title of Presentation goes here - go to Master Slide to edit - Slide 1 Reliable Communication for Highly Mobile Agents ECE 7995: Term Paper.
CMPE 150- Introduction to Computer Networks 1 CMPE 150 Fall 2005 Lecture 22 Introduction to Computer Networks.

CMPE 150- Introduction to Computer Networks 1 CMPE 150 Fall 2005 Lecture 22 Introduction to Computer Networks.
Secure Group Communications Using Key Graphs Chung Kei Wong, Member, IEEE, Mohamed Gouda Simon S. Lam, Fellow, IEEE Evgenia Gorelik Yuksel Ucar.

Secure Group Communications Using Key Graphs Chung Kei Wong, Member, IEEE, Mohamed Gouda Simon S. Lam, Fellow, IEEE Evgenia Gorelik Yuksel Ucar.

Similar presentations

Ads by Google