distributed group key securing a dynamic peer groups

Upload: srknt-rckz

Post on 07-Apr-2018


  • 8/6/2019 distributed group key securing a dynamic peer groups

    1/33

    Efficient Group Authenticated Key Agreement Protocol for Dynamic Groups

    Kui Ren*, Hyunrok Lee*, Kwangjo Kim*, and Taewhan Yoo**

    * IRIS, Information and Communications University, Daejeon, Korea
    ** Electronics and Telecommunications Research Institute, Daejeon, Korea

    WISA 2004 (23-25, Aug)

    Contents

    Introduction

    EGAKA Overview

    Notation and Primitives

    EGAKA

    EGAKA-KE (Key Establishment)

    EGAKA-KU (Key Update)

    Complexity & Security Analysis

    Conclusion

    Q & A

    Introduction (1/3)

    Secure group communication

    A (large) group of users communicate with one another in a secure way

    Ex) Teleconferencing, collaborative work, multiple interactive games, VPN (Virtual Private Networks), wireless ad-hoc networks

    Dynamic Peer Groups

    Relatively small (~100 members)

    No hierarchy

    Frequent membership changes

    Any member can be sender and receiver

    Introduction (2/3)

    Group Key Management

    A group key

    Shared only by current group members

    Communication encrypted/decrypted by the group key

    Difficult aspect: dynamics

    Join: backward secrecy

    Allow the joining member(s) to decrypt future messages, but not previous messages

    Leave: forward secrecy

    Prevent the leaving member(s) from decrypting future messages

    Burst behavior: multiple joins and/or multiple leaves simultaneously.

    Introduction (3/3)

    Classification

    Group Key Distribution

    One party generates a secret key and distributes it to others

    Not suitable for dynamic groups

    Group Key Agreement

    Secret key is derived jointly by two or more parties

    Key is a function of information contributed by each member

    No party can pre-determine the key

    Motivation: need Group Key Agreement

    Strong security

    Dynamic membership management

    Adapt to heterogeneous environments

    Efficiency in communication and computation

    EGAKA Overview (1/2)

    EGAKA: Efficient Group Authenticated Key Agreement protocol

    Important properties

    Distributed

    Fault-tolerant

    Efficient dynamic group membership management

    Mutual authentication among group members

    Secure against both passive and active attacks

    Can be built on any two-party authenticated key exchange protocol

    E.g. Diffie-Hellman protocol, password-based protocol

    Achieves scalability and robustness in heterogeneous environments

    Provides efficient member join services

    Low communication and computation costs, and they are constant with respect to the group size.

    EGAKA Overview (2/2)

    Trust Model

    Any single current member can authenticate the new members and accept them.

    Assumption

    Do not consider insider attacks

    The secrecy of group keys and the integrity of group membership

    The size of the dynamic group < 200

    Group members in dynamic groups have different security primitives

    For generating the group key

    Use a common two-party key exchange protocol

    Notation and Primitives (1/4)

    Notation and Primitives (2/4)

    [Figure: binary key tree of depth d = 3 for members M1 to M6, with the group key GK at the root (level l = 0) and nodes labelled N11, N12, N21 to N24 and N31 to N34. Each node holds a key pair Kij & Bij, e.g. B15 = h(K15). Legend: root node, interior node, leaf node, isolated leaf node.]

    Notation and Primitives (3/4)

    [Figure: the same key tree, highlighting the node sets KP5* and CP5* for member M5.]

    KP5* = {N32, N21, N11}

    CP5* = {N31, N22, N12}
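
Added example (not from the original slides): the KP5* and CP5* sets above, computed by walking a binary key tree. The tree layout is an assumption reconstructed from the slide's node labels, KP and CP are read as key path and co-path (the slide does not expand them), and `ROOT`, `PARENT`, `LEAF` and the function names are illustrative.

```python
# Added example: key path (KP) and co-path (CP) on a binary key tree.
# ASSUMPTION: the layout below is reconstructed from the slide's node
# labels (N<level><index>, root at level 0); "ROOT" is a made-up name.
PARENT = {
    "N11": "ROOT", "N12": "ROOT",
    "N21": "N11", "N22": "N11", "N23": "N12", "N24": "N12",
    "N31": "N21", "N32": "N21", "N33": "N23", "N34": "N23",
}
# Member -> leaf node. M3 and M4 sit one level higher than the others.
LEAF = {"M1": "N31", "M5": "N32", "M3": "N22",
        "M6": "N33", "M2": "N34", "M4": "N24"}


def children(node):
    return sorted(n for n, p in PARENT.items() if p == node)


def check_binary():
    """Every interior node must have exactly two children."""
    for parent in set(PARENT.values()):
        if len(children(parent)) != 2:
            raise ValueError(f"{parent} is not a binary node")


def key_path(member):
    """Nodes from the member's leaf up to, but excluding, the root."""
    node, path = LEAF[member], []
    while node in PARENT:
        path.append(node)
        node = PARENT[node]
    return path


def co_path(member):
    """Sibling of every node on the member's key path."""
    result = []
    for node in key_path(member):
        left, right = children(PARENT[node])
        result.append(right if node == left else left)
    return result


def members_under(node):
    """Members whose leaf lies in the subtree rooted at `node`."""
    return sorted(m for m in LEAF if node in key_path(m))


def subgroups(member):
    """The member's view: one subgroup per co-path node."""
    return [members_under(n) for n in co_path(member)]


check_binary()
if __name__ == "__main__":
    for m in sorted(LEAF):
        print(m, key_path(m), co_path(m), subgroups(m))
```

Under this layout M2, a leaf at level 3, sees three subgroups, while M3, a leaf at level 2, sees two.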

    Notation and Primitives (4/4)

    [Figure: the same key tree from member M2's point of view.]

    M2's view of the group, which could be divided into l subgroups

    EGAKA

    Two basic sub-protocols

    EGAKA-KE: Key Establishment Protocol

    EGAKA-KU: Key Update Protocol

    Both sub-protocols are subtle integrations of the above-mentioned binary key tree structure, one-way functions and a two-party key agreement protocol, as well as a symmetric encryption algorithm.

    EGAKA-KE

    EGAKA-KE includes two phases:

    Phase I

    To complete group entity authentication by applying any chosen two-party authenticated key agreement protocol

    Phase II

    The group key generation process.

    EGAKA-KE: Phase I (1/6)

    Tasks to accomplish

    choose the two-party protocol in common

    generate the key tree structure

    perform mutual authentication according to the generated tree structure

    establish peer-to-peer session keys among members.

    EGAKA-KE: Phase I (2/6)

    [Figure: protocol negotiation among members M1 to M7.]

    "Hello, I want to use DH protocol, and M4 can be the one to generate the key tree structure"

    "Hello, here is the key tree structure"

    EGAKA-KE: Phase I (3/6)

    [Figure: message exchange among members M1 to M7.]

    EGAKA-KE: Phase I (4/6)

    [Figure: message exchange among members M1 to M7, continued.]

    EGAKA-KE: Phase I (5/6)

    Execution Results of EGAKA-KE: Phase I

    [Figure: the session keys held after Phase I. Key sets shown: {K12, K13, K15}, {K13, K37}, {K12, K24, K26}, {K15}, {K37}, {K26}, {K24}. Legend: session key.]

    EGAKA-KE: Phase I (6/6)

    Rounds = 2 (except for protocol negotiation step)

    Two-party key exchange protocol executes exactly n-1 times to finish the entity authentication among group members

    EGAKA-KE: Phase II (1/5)

    [Figure: Phase II message flow over three rounds (round = 1, 2, 3) in the seven-member key tree. Blinded keys such as B15, B37, B26, B4, B246 and B1357 are carried in messages of the form {...}K, and the group key KG is finally computed with h over a concatenation (||) of the values for subtrees 1357 and 246.]

    EGAKA-KE: Phase II (2/5)

    M1's view of the group, Round 1

    [Figure: key tree marking which of B15, B37, B26, B1357 and KG M1 knows, has yet to know, and needs to compute.]

    EGAKA-KE: Phase II (3/5)

    M1's view of the group, Round 2

    [Figure: key tree marking which of B15, B37, B26, B1357 and KG M1 knows, has yet to know, and needs to compute.]

    EGAKA-KE: Phase II (4/5)

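    M1's view of the group, Round 3

    [Figure: key tree marking which of B15, B37, B26 and B1357 M1 knows; M1 now computes the group key KG with h over a concatenation (||) of the values for subtrees 1357 and 26.]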

    EGAKA-KE: Phase II (5/5)

    Rounds = d, where d equals to , n is the size of the group.

    No computationally expensive operation is needed in this phase.

    EGAKA-KU: Member Join Protocol (1/5)

    [Figure: member join in two rounds. Round = 1: the joining member M6 broadcasts its join request. Round = 2: the sponsor M3 computes K36 and B36 and broadcasts {...}K messages to its subgroups; M6 and the other members Mi then compute the new group key K'G = h(B356 || B24).]

    EGAKA-KU: Member Join Protocol (2/5)

    EGAKA-KU: Member Leave Protocol (3/5)

    [Figure: member leave, panels (a) and (b), showing the leaving member, the sponsor, the subgroups and the session keys (K12, K13, K15, K36, K47, K24) held by members.]

    EGAKA-KU: Member Leave Protocol (4/5)

    EGAKA-KU (5/5)

    In the Member Join Protocol, only a fixed 6 exponential operations are needed for any member to be added to the group and update the group key. Moreover, this cost is constant with respect to group size. This property is very useful in scenarios with frequent member additions.

    The Member Leave Protocol is not as efficient as the Member Join Protocol, but it is robust and fault-tolerant.

    Complexity and Security Analysis

    Complexity Analysis

    Communication and computation costs

    Comparison between EGAKA and other well-known key establishment protocols

    A-DH is used as the underlying two-party authenticated key agreement protocol in order to provide a quantitative comparison.

    Security Analysis

    Provide informal security analysis. (Formal analysis is ongoing.)

    Secure against both passive and active attacks

    Do not consider insider attacks

    Provide forward and backward secrecy

    Comparison

    Conclusion

    In this paper, we propose the EGAKA (Efficient Group Authenticated Key Agreement) protocol

    Distributed

    Fault-tolerant

    Efficient dynamic group membership management

    Mutual authentication among group members

    Secure against both passive and active attacks

    Can be built on any two-party authenticated key exchange protocol

    E.g. Diffie-Hellman protocol, password-based protocol

    Achieves scalability and robustness in heterogeneous environments

    Provides efficient member join services

    Low communication and computation costs, and they are constant with respect to the group size.

    Supports a fault-tolerant property to achieve robustness in member leave service

    Thank you for your attention

    Q&A