pak-ching lee m.phil. oral defense june 2003
DESCRIPTION
Distributed and Collaborative Key Agreement Protocols with Authentication and Implementation for Dynamic Peer Groups. Pak-Ching LEE M.Phil. Oral Defense June 2003. Presentation Outline. To identify the motivation of group key management; To introduce Tree-based Group Diffie-Hellman (TGDH); - PowerPoint PPT PresentationTRANSCRIPT
1
Distributed and Collaborative Key Distributed and Collaborative Key Agreement Protocols with Authentication Agreement Protocols with Authentication
and Implementation for Dynamic Peer and Implementation for Dynamic Peer GroupsGroups
Pak-Ching LEE
M.Phil. Oral Defense
June 2003
2
Presentation Outline
To identify the motivation of group key management; To introduce Tree-based Group Diffie-Hellman (TGDH); To propose three interval-based distributed rekeying alg
orithms: Rebuild, Batch and Queue-batch. To present performance evaluation results; To explain the authentication mechanism incorporated i
nto the rekeying algorithms; To describe an implementation library, SGCL, and To suggest future research directions.
3
What are the Applications?
Many group-oriented applications demand communication confidentiality. For example, chat-rooms, audio/video conferencing applications, file sharing tools, router communication paradigms, secure communication for network games in
strategy planning.
We need a secure group key management scheme so that the group can encrypt communication data with a common secret group key.
4
Desired Properties of Gp. Key Mgt.
Distributed: there is no centralized key server, which has the following limitations: A single point of failure; and Not suitable for peer groups and ad hoc networks.
Collaborative: all group members contribute their own part to generate a group key.
Dynamic: the protocol remains efficient even when the occurrences of join/leave events are very frequent.
5
Our Work
Focused on group key agreement schemes which do not rely on centralized key management.
Designed three interval-based distributed rekeying algorithms that have the distributed, collaborative and dynamic features.
Conducted performance evaluation analysis to illustrate the performance merits of the interval-based algorithms.
Incorporated an authentication mechanism into the interval-based algorithms.
Implemented a library for the development of secure group-oriented applications.
6
Tree-based Group Diffie-Hellman (TGDH)
A binary key tree is formed. Each node v represents a secret (private) key Kv and a blinded (public) key BKv.
BKv = αKv mod p, where α and p are public parameters.
Every member holds the secret keys along the key path For simplicity, assume each member knows the all
blinded keys in the key tree.
0
M1 M2
2
4 6
7
1
53
8 11 12M3
M4 M5
M6
0
1
3
7
K0 = Group Key
7
TGDH: Node Relationships
Kv = (BK2v+1)K2v+2 = (αK2v+1)K2v+2 mod p
vThe secret key of a non-leaf node v can be generated by:
Kv = (BK2v+2)K2v+1 = (αK2v+2)K2v+1 mod p
2v+1 2v+2BK2v+1
BK2v+2
Kv = αK2v+1K2v+2 mod p
The secret key of a leaf node is randomly selected by the corresponding member.
8
TGDH: Group Key Generation0
M1 M2
2
4 6
7
1
53
8 11 12M3
M4 M5
M6
E.g., M1 generates the group key via: K7, BK8 K3
K3, BK4 K1
K1, BK2 K0 (Group Key)
7
3
1
0
4
2
8
9
TGDH: Membership Events
Rekeying (renewing the keys of the nodes) is performed at every single join/leave event to ensure backward and forward confidentiality.
A special member called sponsor is elected to be responsible for broadcasting updated blinded keys.
time
Join Leave Join Join Leave
rekey rekey rekey rekey rekey
10
TGDH: Single Leave Case
M4 becomes the sponsor. It rekeys the secret keys K2 and K0 and broadcasts the blinded key BK2.
M1, M2 and M3 compute K0 given BK2.
M6 and M7 compute K2 and then K0 given BK5.
5
11 12
M4 M5
0
2
M1 M2
4 6
7
1
3
8M3
M6
13 14
M7
5
12
2
0M5 leaves
5
M4(S)
11
M4
0
TGDH: Single Join Case
M8 broadcasts its individual blinded key BK12 on joining.
M4 becomes the sponsor again. It rekeys K5, K2 and K0 and broadcasts the blinded keys BK5 and BK2.
Now everyone can compute the new group key.
1211
M4(S)
M8 joins
2
5
M8M1 M2
4 6
7
1
3
8M3
M6
13 14
M7
5
2
0
12
Interval-based Distributed Rekeying Algorithms
We can reduce one rekeying operation if we can simply replace M5 by M8 at node 12.
Interval-based rekeying is proposed such that rekeying is performed on a batch of join and leave requests at regular rekeying intervals. This improves the system performance.
We propose three interval-based rekeying algorithms, namely Rebuild, Batch and Queue-batch.
Sponsors are elected at every rekeying event. They coordinate with each other in broadcasting new blinded keys.
13
0
M1 M2
2
4 6
7
1
53
8 11 12M3
M4 M5
M6
23 24
M7
Rebuild Algorithm
Intuition: Minimize the height of the key tree so that every member manages fewer renewed nodes in the subsequent rekeying operations.
Basic Idea: Reconstruct the whole key tree to form a complete tree.
0
M1(s) M3(S)
2
4 6
7
1
53
8M4(S) M6(S) M8(S)
0
21
3
M2, M5, M7 leaveM8 joins
We can explore the situations where Rebuild is applicable.
14
Batch Algorithm
Intuition: Add the joining members to suitable positions.
Basic Idea: Replace the leaving members with the joining
members. Attach the joining members to the shallowest
positions. Keep the key tree balanced.
Elect the sponsors who help broadcast new blinded keys.
15
0
M1 M2
2
4 6
7
1
53
8 11 12M3
M4 M5
M6
23 24
M7
11
24
Batch – Example 1: L > J > 0
M8 broadcasts its join request, including its blinded key.
M1 rekeys secret keys K1 and K0. M4 rekeys K5, K2 and K0.
M1 broadcasts BK1. M4 broadcasts BK5 and BK2.
63
8
M2, M5, M7 leaveM8 joins
0
21
5
M1(S)
3
M8(S)
6
M4(S)
11
16
0
M1 M2
2
4 6
7
1
53
8 11 12M3
M4 M5
M6
23 24
M7
Batch – Example 2: J > L > 0
M8 and M9 form a subtree T1’. M10 itself forms a subtree T2’.
M8 and M9 compute K6, and one of them broadcasts BK6.
M1 rekeys K3 and K1. M6 rekeys K2.
M1 broadcasts BK3 and BK1. M6 broadcasts BK2.
0
21
3 6
8
6
13 14
M8(S) M9(S)
T1’
M8, M9, M10 joinM2, M7 leave
M10(S)
8
T2’
17
Queue-batch Algorithm
Intuition: Pre-process the join events during the idle rekeying interval, hence reduce the processing load at the beginning of each rekeying interval.
Basic Idea: Two stages: Queue-subtree and Queue-merge Queue-subtree: Within the idle rekeying interval, atta
ch each joining member to a subtree T’. Queue-merge: At the beginning of the next rekeying in
terval, add the subtree T’ to the existing key tree, and prune all nodes of the leaving members.
18
Queue-batch – Example of Queue-merge
T’ is attached to node 6.
M10, the sponsor, will broadcast BK6.
M1 rekeys K1. M6 rekeys K2.
M1 broadcasts BK1. M6 broadcasts BK2.
0
21
0
M1 M2
2
4 6
7
1
53
8 11 12M3
M4 M5
M6
23 24
M7
M8, M9, M10 joinM2, M7 leave
3 6
8M1(S)
3 6
13 14
M8 M9
T’
27 28M10(S)
19
Performance Evaluation
Methods: mathematical models + simulation experiments
Performance Metrics: Number of renewed nodes: This metric provides a measure of
the communication cost. Number of exponentiation operations: This metric provides a
measure of the computation load.
Settings: There is only one group. The population size is fixed at 1024 users. Originally, 512 members are in the group.
20
Evaluation 1: Mathematical Models
Start with a well-balanced tree with 512 members. Obtain the metrics at different numbers of joining and le
aving member in a single rekeying interval. Queue-batch offers the best performance, and a signific
ant computation/communication reduction when the group is very dynamic.
21
Evaluation 2: Simulation Experiments
Start with a well-balanced tree with 512 members. Every potential member joins the group with probability
pJ, and every existing member leaves the group with probability pL.
Evaluate the average / instantaneous metrics at different join/leave probabilities over 300 rekeying intervals.
22
Evaluation 2: Simulation Experiments
Average number of exponentiations at different fixed join probabilities:
pJ=0.25 pJ=0.5
pJ=0.75
23
Evaluation 2: Simulation Experiments
Average number of renewed nodes at different fixed join probabilities:
pJ=0.25 pJ=0.5
pJ=0.75
24
Discussion of Evaluation Results
Queue-batch offers the best performance among the three interval-based algorithms.
The performance of Queue-batch is even superior under frequent joins/leaves. Frequent join: queue-batch gains from pre-
processing Batch doesn’t have the pre-processing advantage.
Frequent leave: queue-batch prunes departure nodes
Batch replaces departure nodes with joins.
25
Authenticated TGDH (A-TGDH)
Motivation: Non-authenticated TGDH is subject to the man-
in-the-middle attack. Simple signature is not enough.
Basic idea: Authenticate every short-term (or session)
blinded key with a certified long-term (or permanent) private component.
The group key contains both short-term and long-term components.
26
A-TGDH: Concepts Each member Mi holds two pairs of keys:
Short-term secret and blinded keys (rmi, αrmi mod p), which remain valid from the time Mi joins until it leaves.
Long-term private and public keys (xmi, αxmi mod p), which remain permanent and are certified by a trusted party.
Mi generates an authenticated short-term blinded key using Mj’s long-term public key:
(αxmj)rmi mod p = (αrmi)xmj mod p Physical meaning:
L.S.: generator α is authenticated, i.e., α becomes αxmj
R.S.: the short-term blinded key αrmi is encrypted with a long-term private key xmj.
27
A-TGDH: 2-Party Case It is based on the AK protocol (Indocrypt ’00). Assume
M1 and M2 occupy the long-term public key of the other member.
The authenticated short-term secret key is:
K = αrm1rm2 + rm1xm2 + rm2xm1 (mod p)
M1 M2
(αxm2)rm1
(αxm1)rm2
Retrieves αr2.Gets K as:
(αrm2)rm1 (αxm2)rm1 (αxm1)rm2
Retrieves αr1.Gets K as:
(αrm1)rm2 (αxm2)rm1 (αxm1)rm2
28
A-TGDH: Multi-Party Case
Idea: Encrypt the blinded key of node v with long-term private key of Mi: α
Kvxmi mod p.
The authenticated short term secret key of node v is the product of: Non-authenticated short-term secret key Authenticated blinded keys of left child by the
long-term components of right child’s descendants
Authenticated blinded keys of right child by the long-term components of left child’s descendants
29
A-TGDH: Multi-Party Case
Secret key at leaf nodes: rmi mod p Authorized secret key of K1 is:
K1 =αrm1rm2 + rm1xm2 + rm2xm1 mod p Authorized group key K0 is:
K0 = αK1K2 + K1(xm3+xm4) + K2(xm1+xm2) mod p Double-protection on the group key (with rmi and xmi)
0
M1 M2
2
4 6
1
53
M3 M4
30
A-TGDH: Characteristics
Key authentication: no outsiders access the keys.
Key confirmation: every member possesses the same group key.
Known-key secrecy: past short-term keys cannot deduce future short-term keys.
Perfect forward secrecy: current long-term keys cannot deduce past short-term keys.
31
SGCL Implementation
We realized our algorithms via the Secure Group Communication Library (SGCL): Linux-based C language API
SGCL facilitates developers to build secure group-oriented applications.
Two testing applications: Chatter and Gauger Chatter: secure chat-room Gauger: performance testing tool
32
SGCL: Overview
Leader: responsible for notifying others to start
a rekeying operation
REKEYREKEYREKEYREKEYREKEYREKEYREKEY
REKEY
The one which stays the longest
33
SGCL: Overview
Leader
Blinded keyBlinded keyBlinded keyBlinded keyBlinded keyBlinded keyBlinded keyBlinded key
Sponsors: responsible forbroadcasting new
blinded keys Blinded key
Blinded key
Blinded key
34
SGCL: Architecture
Keytreeengine
Sesskeyengine
Memberengine
Leaderengine
Certkeyengine
Packetengine
Message queue
Packet queue
Spread daemonMaintain reliable
and ordered communication
SGCLAPI
Receivethread
Processthread
verify verify
sign sign
35
SGCL: API Functions
SGCL_init() SGCL_set_passwd()
SGCL_join()SGCL_send()SGCL_recv()
SGCL_read_membership()
SGCL_send()SGCL_recv()
SGCL_read_membership()SGCL_leave()SGCL_leave()
SGCL_destroy()
SGCL sessionobject
36
SGCL: Experiments
Gauger: study the performance of the interval-based algorithms under real network settings.
Metrics: 1) Rekeying duration, 2) no. of exponentiations, 3) no.
of blinded keys, and 4) no. of broadcasts of blinded keys
Settings: 40 Gaugers, even located in eight P4/2.5GHz’s Inter-connected in a single LAN
37
SGCL: Result Highlights
Highlights: Average analysis of no. of exponentiations and no. of blinded keys
Queue-batch shows dominant performance under the high membership dynamics.
38
SGCL: Applications
Chatter
39
Conclusion
Three interval-based distributed rekeying algorithms: Rebuild, Batch and Queue-batch
Performance evaluation: mathematical models and simulation experiments
Authentication Implementation of SGCL
40
Internet
Future Directions
LAN B
LAN C
LAN DLAN A
41
Internet
Future Directions
A hybrid key tree with both physical and logical properties:
LAN B
LAN C
LAN DLAN A
42
Future Directions Robustness against attacks:
Erroneous key confirmation Forged packets/signatures Leader masquerade
Security in Spread daemons Encryption between a Spread daemon and SGCL Encryption among the Spread daemons
Key tree updates: Interval-based Threshold-based
43
SGCL: Leader and Sponsors
Leader: Election: the one which stays the longest in the group.
Sponsors: Election: the rightmost member
of the subtree whose root is not renewed but root’s parent is.
Coordination: the blinded key of a renewed node is broadcast by the sponsor which can broadcast a sequence of blinded keys in one round. Ml(s) Mr(s)
44
SGCL: Leader Components
Keytreeengine
Sesskeyengine
Memberengine
Leaderengine
Certkeyengine
Packetengine
Rekey queue
Spread daemon
Rekeypoll
thread
Rekeysend
threadsign sign
45
Q: Related Work
Intra Domain Group Key Management Protocol Domain Key Distributor + Area Key Distributor
Iolus Rekeying in subgroup level Subgroup manager re-encrypt data sessions
Centralized Physical Hierarchical Schemes
DKD
AKD
AKD
AKD
M
M
M
MM
M
M
M
M
46
Q: Related Work
Kronos Periodic rekeying
Reversible Parametric Sequences (RPS) Router tree Group key encryption along the tree path
Centralized Physical Hierarchical Schemes
a1
a6 a7
a3
a2a4 a5
Leaf 1
Leaf 2
Leaf 3
S0 (group key)
S1S2
S3 H0,3(S3) = S0
47
Q: Related Work
Logical Key Hierarchy Key graph
One-way Function Tree The key of a node is a function of the keys of its
left and right children
Centralized Logical Hierarchical Schemes
48
Q: Related Work
Cliques A linear chain
Tree-based Group Diffie-Hellman STR
Form a skewed tree
Decentralized Schemes
M1 M2 M3 M4
49
Q: Instantaneous Analysis Instantaneous number of exponentiations at different pairs of
join/leave probabilities for Batch and Queue-batch:
pJ=0.25pL=0.25
pJ=0.5pL=0.5
pJ=0.75pL=0.75
50
Q: Instantaneous Analysis Instantaneous number of renewed nodes at different pairs of join/leave
probabilities for Batch and Queue-batch:
pJ=0.25pL=0.25
pJ=0.5pL=0.5
pJ=0.75pL=0.75
51
Q: N-ary tree
Do we have to stick to binary tree? Can we have ternary tree, or N-ary tree?
Answer: Not necessary good for N-ary tree, though it reduces t
he tree height Use one-round tripartite Diffie-Hellman based on Weil
pairing 512-bit Weil pairing ~ 3 x 1024-bit exponentiation