Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Collusion-Resistant Group Key Management Using Attribute-

Published byBaldric Chandler Modified over 8 years ago

Similar presentations

Presentation on theme: "Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Collusion-Resistant Group Key Management Using Attribute-"— Presentation transcript:

1 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Collusion-Resistant Group Key Management Using Attribute- based Encryption Presented by: Anurodh Joshi

2 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Presents a ciphertext-policy attribute-based encryption (CP-ABE) scheme to solve the collusion issue of Group Key Management  CP-ABE scheme proposed by Bethencourt, Sahai, and Waters is (BSW) used to implement collusion resistant flat-key group key management  Mechanism for refreshing the keys (for added security) are discussed 2 Overview of the Paper

3 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Setting & Motivation:  IP Multicast: an efficient way to distribute information to a large group of users  However, any host can join (access control issue)  Solution: Encrypt Data using Data Encryption Key(DEK)  DEK can be generated and distributed securely to the Group Members (GMs). However, the main challenge is efficiency of selective key distribution; this problem is called Group Key Management  Related issues: Group Backward Secrecy (new member joins) Group Forward Secrecy (old member leaves) 3 Group Key Management

4 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Existing Group Key Management approach:  Most schemes use key encryption keys (KEKs) on flat table key managment  Distribute unique set of KEK to each GM  Group controller (GC) encrypts DEK with a combination of KEKs  Problem?  Vulnerable to Collusion 4 Group Key Management

5 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Use CP-ABE instead of KEK  S = set of Attributes ; SK = secret Key  Associate GM with S, SK rather than KEK  GC computes access structure that is satisfied by SK of current members only  Advantage  SKs are computed based on S using a randomization factor  collusion resistant (follows from CP-ABE) 5 Proposed solution

6 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Background  Flat table key management  CP-ABE  Proposed scheme for Group Key Management  Results & Performance  Concluding Remarks 6 Outline of the paper

7 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Flat table key management  A way to manage group key  Each GM has a n bit unique ID: X n, X n-1,.. X 0  X i є [0,1]  So maximum size of the group is 2 n  Two KEKs corresponding to each n bit KEKs {k i,b | i є Z n, b є Z 2 }. So total 2n KEKs 7 Background X0X0 X1X1 X3X3 X2X2 k 0,1 k 0,0

8 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  The GC maintains the DEK (K) + 2n KEKs  Each GM has n KEKs + 1 DEK  Join:  Group backward secrecy: Suppose id: X n, X n-1,.. X 0 is joining N KEKs + K is refreshed Example: (3 bit group ids) |1| 1|0 | (New) KEK => k 2,1 | k 1,1 | k 1,0 8 Background Contd.

9 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Join: GC encrypts the new keys with corresponding old keys and multicasts new member is given k’ i,b | i є Z n, b є Z 2 and K’ via secure unicast  Leave:  Suppose id X n, X n-1,.. X 0 is leaving  Forward Secrecy: The n KEKs + 1 (K) held by the leaving member is refreshed The GC multicasts the new DEK encrypted once with each of the n KEKs not held by the leaving GM {K’} k n-1, x’ n-1, …, {K’} k 0,x’ 0 – leaving GM can’t decrypt any of these messages – rest of the GMs should be able to decrypt at least one of these messages hence obtaining K’ The GC multicasts the new KEKs encrypted with both the new DEK and the KEKs. Again existing GMs can decrypt and update appropriate KEK but the leaving GM can not. 9 Background Contd.

10 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Multiple Leaves:  Leave procedure can be repeated to remove multiple members from the group  More efficient approaches such as using Boolean function minimization (m) has been proposed m(X n, X n-1,.. X 0 ) = 0 if it is leaving id m(X n, X n-1,.. X 0 ) = 1 if it is existing id  The GC runs the Quine-McCluskey algorithm which returns sum of products expression (SOPE)  Example: 011 and 101 are to be removed from the group. The membership function `m’ can be reduced to m(X 2, X 1, X 0 ) = X 2 X 1 + X’ 2 X’ 1 + X’ 0 m(0, 1, 1) = 0(1) + (1)(0) + 0 = 0 m(1, 0, 1) = 1(0) + 0(1) + 0 = 0  To Update the DEK three messages are multicast by GC {K’} k2,1, k1,1, {K’} k2,0, k1,0 and {K’} k0,0 10 Multiple Leaves

11 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Collusion  Leaving group members can collude to possibly figure out the new DEK and KEKs  Example: If leaving ids are |0|1|1| and |1|0|1| Can start to collectively figure out rekey messages {K’} k 2,1, k 1,1 and {K’} k 2,0, k 1,0 11 Multiple Leaves Contd.

12 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Use a simplified version of BSW scheme (CP-ABE scheme)  Use SKs instead of KEKs  GM with id X n, X n-1,.. X 0 has SK associated with S := { A iX i | i є Z n }  Can decrypt a message only if S / SK satisfies the access structure  Advantage:  Leaving group members can not collude to breach the system 12 CP-ABE

13 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Algorithms in CP-ABE scheme:  Setup  Encrypt  KeyGen  Decrypt  Delegate (optional)  Setup:  Generates the public key PK := 13 CP -ABE

14 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Encrypt  Input: PK, M, T (access tree)  output: CT (cipher text)  KeyGen  Input: set S of attributes  output: SK associated with S  Decrypt  Input: CT, SK  Output: Message if S satisfies T (access structure)  Delegate  Used by Sub group controller (SGC) for decentralized management 14 CP-ABE (BSW)

15 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Concept:  Use flat table key management  Use CP-ABE for rekey operations in order to achieve collusion resistance instead of KEK  Group Initialization  GC plays the role of central authority (CP-ABE)  To initialize GC runs the setup algorithm and gets the PK (public key) and MK (master key)  Selects random DEK (K) є G  No KEKs needed 15 New Scheme for Group Key Management

16 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Group Members  n bit id: X n, X n-1,.. X 0 with attribute set: S:= {A i,b | i є Z n, b є Z 2 }  Join  Joining GM establishes a secure unicast with the GC  GC selects new DEK (K’) є G at random  Multicasts {K’} K. Current members can decrypt and update the DEK  GC runs KeyGen with attribute set S := {A i,b | i є Z n, b є Z 2 } to get SK  The joining member receives the secret key SK and K’ via secure unicast 16 New Scheme for Group Key Management Contd.

17 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Leave  Single leave and multiple leaves work exactly the same way  Let C’ be the set of active members in the group after some GMs leave  GC runs the Quine-McCluskey algorithm to obtain the SOPE, E = E 0 + E 1 + …. + E L  The GC selects a random K’ є G.  For each l, GC runs Encrypt on K’ and T l to obtain the CT l and multicasts CT 0,CT 1,…CT L.  Each active GM should be able to decrypt at least one message to recover K’  Inherits collusion resistance from CP-ABE. This ensures leaving GMs can not collude to decrypt K’ 17 New Scheme for Group Key Management Contd.

18 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  GC chooses random K’ є G and α є Z p  PK and MK are updated  PK’ =  MK’ =  GC broadcasts two messages  {K’} K – GMs know K so they can decrypt and update K’ and {g (α – β / β) } K – this is called the conversion factor and used to update the SKs by the GMs  SK’ =  K’ and α are random so do not reveal anything about older versions of the same 18 Periodic Refresh for perfect forward secrecy

19 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Current Scheme:  GC manages the whole group  Responsible for storage, KeyGen and overall communication  Workload can be distributed by assigning responsibilities to subgroup of trusted members who act as Subgroup Controllers (SGCs)  Number of SGCs is small so communication between SGC and GC is done via secure unicast (multicast for other direction) 19 Decentralized Management

20 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  SGCs maintain membership of their own subgroups using the delegate algorithm  GC generates DEK and α parameters when they are requested or periodic refresh  BFM computations are done by SGC and leave operations are also handled within a subgroup  Notations:  Given a subgroup identified by gid, every member of the subgroup possesses the attribute B gid and only SGC possesses attribute C gid  GC encrypts messages to SGC only and SGC encrypts messages to subgroup members 20 Decentralized Management Contd.

21 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  GC assigns a subgroup id gid and gives the SGC a secret key SK with the attribute set {A i,b | i є Z n, b є Z 2 } U {B gid, C gid }  gid is added to the list of active subgroups  SGC also receives instruction on who may join the group and how IDs for subgroup members are obtained (may be assigned from some ID space) 21 Add SGC

22 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  GM who wants to join contacts the SGC  SGC verifies the request and sends a secure unicast message to GC to signal a join  GC multicasts {K’} K to the whole group  SGC uses delegate algorithm with attribute set {A i,b | i є Z n, b є Z 2 } U {B gid } to get SK  SGC uses secure unicast to give the SK and K’ to the joining GM 22 Join

23 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  The leaving GM contacts the SGC from who he got his SK  SGC sends a leave signal to the GC  GC multicasts K’ to SGCs only by encrypting the new DEK with the C attributes  SGC performs the BFM computation within the subgroup and multicasts rekey messages with the additional attribute B gid 23 Leave

24 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Occurs when the GC makes a revocation decision based on malicious behavior from a GM  GC multicasts K’ to SGC  Works same way as a leave (Only difference is it is instigated by GC) 24 Global Revoke

25 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Periodic Refresh  Same as before. Still done by GC  Remove  Suppose GC decides to remove SGC with subgroup ID gid 0 or SGC decides to leave  GC multicasts K’ encrypted with CP-ABE with attributes C other than the SGC who is leaving  Each SGC does BFM computation and multicasts rekey messages within subgroup  Note:  The GMs that were in the gid 0 are effectively removed from the group because they can’t decrypt any rekey messages  They must contact another SGC to join the group again (downside) 25 Periodic Refresh and Remove

26 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  The number of messages do not go up a lot even for large number of members leaving 26 Results/Performance/Evaluation

27 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Simple Concept:  KEK is vulnerable to collusion attack  CP-ABE is collusion resistant  So replace KEK with CP-ABE in Flat Table Group Key Management Scheme  Use Decentralized System to distribute load of GC  Disadvantage: If SGC is removed, all GMs in that group loose membership and have to rejoin a different group 27 Concluding Remarks

Download ppt "Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Collusion-Resistant Group Key Management Using Attribute-"

Similar presentations

A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
A hierarchical key management scheme for secure group communications in mobile ad hoc networks Authors: Nen-Chung Wang and Shian-Zhang Fang Sources: The.

A hierarchical key management scheme for secure group communications in mobile ad hoc networks Authors: Nen-Chung Wang and Shian-Zhang Fang Sources: The.
1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang

1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang
Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.

Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.
Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.

Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.
Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Russell Martin August 9th, Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Presentation By: Garrett Lund Paper By: Sandro Rafaeli and David Hutchison.

Presentation By: Garrett Lund Paper By: Sandro Rafaeli and David Hutchison.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style A Survey on Decentralized Group Key Management Schemes.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style A Survey on Decentralized Group Key Management Schemes.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
KAIS T Scalable Key Management for Secure Multicast Communication in the Mobile Environment Jiannong Cao, Lin Liao, Guojun Wang Pervasive and Mobile Computing.

KAIS T Scalable Key Management for Secure Multicast Communication in the Mobile Environment Jiannong Cao, Lin Liao, Guojun Wang Pervasive and Mobile Computing.
Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.

Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.

Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.
Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.

Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.
1 Key Management in Mobile Ad Hoc Networks Presented by Edith Ngai Spring 2003.

1 Key Management in Mobile Ad Hoc Networks Presented by Edith Ngai Spring 2003.
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.

Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science.

Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science.
Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.

Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.

Similar presentations

Ads by Google