Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science."— Presentation transcript:

1 Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny http://www.cs.berkeley.edu/~duan Berkeley Institute of Design Computer Science Division University of California, Berkeley

2 Outline Secure bidirection group communication Model, security definitions, etc. The Duan-Canny (DC) multicast encryption construction Extension of DC and the new SBGC scheme Construction, complexity, security, GDI, etc.

3 Group Communication Center Members n members, up to t < n may need to be evicted

4 Multicast Center Members

5 Aggregation Center Members

6 Security Challenges Confidentiality and authenticity Different challenges for the two modes Multicast: single sender, authenticity easy Aggregation: single receiver, confidentiality easy So we will focus on confidentiality for multicast and authenticity for aggregation

7 Security Properties: Multicast Non-group Confidentiality: non-group members can’t access Forward Confidentiality: deleted members can’t have access after deletion Collusion Freedom: no subset of deleted users should be able to decrypt future group communication Backward Confidentiality: new members can’t access old data

8 Security Properties: Aggregation Non-group Authenticity: non-group members can’t generate group messages Forward Authenticity: deleted member can’t generate group messages Collusion Freedom: no subset of t or less active members, nor any subset of deleted members, should be able to forge messages that the center accepts as originated from another member not in the colluding subset Backward Authenticity: a user added at time τ should not have the ability to forge messages that the center accepts as coming from a member who was in the group before τ.

9 Secure Multicast LKH:[Wallner et al., Wong et al.] Asymmetric key based schemes Traitor tracing [CFN94] Broadcast encryption [FN93, BGW05, etc] Duan-Canny: construstion O(1) member key, O(t) center key, O(t) message Members don ’ t have to participate in every re-key operation K 3.8 K 3.1 K 3.2 K 3.3 K 3.4 K 3.5 K 3.6 K 3.7 K 2.1 K 2.2 K 2.3 K 2.4 K 1.1 K 1.2 K0K0 M1M1 M2M2 M5M5 M4M4 M3M3 M6M6 M7M7 M8M8 Keys Assigned to M 1 Member Leaf Node Root Node + Use symmetric key crypto + O(logn) storage, message - Members stateful

10 Aggregation Authentication: What don’t Work Well Pair-wise secret between center and each of the members Works but not scalable Using the traffic encryption key (TEK) Global Authenticate using PRGN(ID i ) IDs are public information Identity Based Signature Complex setting: trusted KGC Message authentication separate from membership authentication: Center has to store list of legitimate users. O(n) storage overhead

11 Our Results Extended a new multicast enc. to support temporal security in both multicast and aggregation Membership authentication is embedded in message authentication. Aggregation message authentication also serves as membership authentication. Center doesn’t need keep a list of legal members O(t) center storage, O(t) message, O(1) member storage The scheme can be made to protect group dynamics information (GDI)

12 Duan-Canny Construction [DC06] Center Members x1x1 x2x2 x3x3 xnxn... x n+1, x n+2, …, x n+t (y, x)  y, x 1, …, x n, x n+1, …, x n+t

13 Duan-Canny Construction c = E y ( m ) φ = { c, D( x n+1, c ), D( x n+2, c ), …, D( x n+t, c )} m = η (D( x i, c ), D( x n+1, c ), D( x n+2, c ), …, D( x n+t, c )) Encryption: Decryption: DC construction preserves or improves the security of the underlying threshold cryptosystem (e.g. IND-CCA) Decrypting t times using revoked users keys

14 Extensions Alternating Bit DC (ABDC) to evict more than t members In-place update for backward confidentiality Novel use of its key structure for authenticating aggregation messages Protecting GDI

15 In-place Update ξ x f(ξ) 123 n

16 In-place Update ξ x f(ξ) 123 n δ n+1

17 DC Construction: Key Structure Center Members x1x1 x2x2 x3x3 xnxn... x n+1, x n+2, …, x n+t

18 DC Construction: Key Structure Center Members x1x1 x2x2 x3x3 xnxn... x n+1, x n+2, …, x n+t, x n+t+1

19 DC Construction: Key Structure Center Members x1x1 x2x2 x3x3 xnxn... x n+1, x n+2, …, x n+t, x n+t+1

20 Authenticating Aggregation Messages and Group Membership

21 Protecting Group Dynamics Information (GDI) An issue raised by [Sun et al 04] Info about group size, join, departure rate, etc., leaked by multicast rekey messages – a problem for almost all existing multicast schemes Batch rekeying and phantom users to fix – don’t really work well

22 Protecting GDI Why is it hard? Size of rekey message dependent on group size Insider can separate rekey messages for member join from those for member departure Our scheme Message size O(t) So we only need to mix join and departure Members are given random indexes. Use a mixing pool to mix join and departure Center storage becomes O(n) – all other schemes same even w/o protecting GDI

23 Summary Defined models and security for bidirectional group communication Extended the DC multicast cryptosystem for backward and authentication security O(t) center storage, message size, O(1) member storage Protecting GDI

24 More Info duan@cs.berkeley.edu http://www.cs.berkeley.edu/~duan Thank You!

Download ppt "Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science."

Similar presentations

Keiji Maekawa Graduate School of Informatics, Kyoto University Yasuo Okabe Academic Center for Computing and Media Studies, Kyoto University.

Keiji Maekawa Graduate School of Informatics, Kyoto University Yasuo Okabe Academic Center for Computing and Media Studies, Kyoto University.
Chris Karlof and David Wagner

Chris Karlof and David Wagner
Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang

1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang
Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.

Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.
Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.

Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.
Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Russell Martin August 9th, Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.
Broadcast Encryption – an overview Niv Gilboa – BGU 1.

Broadcast Encryption – an overview Niv Gilboa – BGU 1.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.

1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.
Broadcast Encryption and Traitor Tracing 2001. 12. 2001507 Jin Kim.

Broadcast Encryption and Traitor Tracing Jin Kim.
Computer Science 1 Efficient Self-healing Group Key Distribution With Revocation Capability Archana Rajagopal CSC 774 Presentation Based on Original Slides.

Computer Science 1 Efficient Self-healing Group Key Distribution With Revocation Capability Archana Rajagopal CSC 774 Presentation Based on Original Slides.
Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.

Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Cashmere: Resilient Anonymous Routing CS290F March 7, 2005.

Cashmere: Resilient Anonymous Routing CS290F March 7, 2005.
Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.

Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.

Similar presentations

Ads by Google