secure multicast (ii) xun kang. content batch update of key trees reliable group rekeying tree-based...
Post on 19-Dec-2015
217 views
TRANSCRIPT
Secure Multicast (II)
Xun Kang
Content
• Batch Update of Key Trees
• Reliable Group Rekeying
• Tree-based Group Diffie-Hellman
• Recent progress in Wired and Wireless Network
Batch Updates of Key Trees
• Any problem in previous solution?– Synchronization problems among rekey msgs
and between rekey and data msgs; How?– Individual rekeying can be inefficient;
especially when join/leave happens frequently, there will be a huge burden on server for signing keys;
Periodic Batch Rekeying• Rekey subtree;• Collect requests during a rekey interval and
rekey them in a batch;
• Advantage:– For a J join and L leave, only needs 1 signing;– Less number of encrypted keys;
• Disadvantage:– Delayed group access control;
• A balance between rekeying overhead and group access control, the degree of forward access control vulnerability.
Three Ways of Batch Rekeying
• Periodic batch rekeying;
• Periodic bath leave rekeying;
• Periodic bath join rekeying;
• Question:– What’s the advantage and disadvantage of each
one? Which one is better?
Batch Rekeying Algorithm (1)
• Strategy 1: always keep a balanced tree
Adv: reduce the encrypted key numberDis: key server needs to provide new IDs to new join users as well as existing users?
Batch Rekeying Algorithm (2)• Strategy 2
– New nodes form a subtree – Grafted to a departed node with smallest height?
• Advantage – only one existing node needs to modify ID
• Disadvantage– Balance problem
Batch Rekeying Algorithm (3)• Strategy 3
– K789’s null children will be first replaced with new users– If still new users, let user nodes at next level be split– If still new users after that, use next user nodes
• “next” means sequential number, for example root is 0, then at tree level 1, the three key nodes will be 1, 2, 3
What is the advantage? ID automatically discovered.
Reliable rekey protocol
• Eventual reliability– A receiver should receive all needed keys;
• Soft real-time requirement– A rekey msg is finished before the start of the
next rekey interval
• Solution– Send re-synchronization requests when cannot
recover a rekey msg in time;– Proactive FEC for reducing recovery latency;
Proactive FEC• Partition rekey msgs into blocks• Generate (p-1)k PARITY packets (FEC) for
each block
Contributory GKM
• Application environment– Many to many applications
• Tele conferencing
• Application supporting collaborative work
– Small size group
– Group Splitting problem
• Centralized GKM has some problems– Key generator (TTP) must be always available
– TTP must exist in every possible subset of a group
• Contributory GKM
Tree-based Group Diffie-Hellman
• TGDH– Key trees to efficiently compute and update
group keys;– Diffie-Hellman key exchange to achieve
provably secure and fully distributed protocols;
• A problem? What’s difference, effect?– EVS: extended virtual synchrony– VS: view synchrony
Cryptographic Properties
• For the security requirement of group key– Suppose a successive group key changes form
K0 to Km
• Group key secrecy
• Forward secrecy
• Backward secrecy
• Key independence
– More strong than typical ones, for example• New member can not know past keys
• New keys must keep secret from leaved guys
Some Definitions for TGDH• Mi: i-th group members
• <l,v>: v-th node at level l in a tree
• Ti: Mi’s view of the key tree
• T<i,j>: a subtree rooted at node <i,j>
• Ki: node Mi’s individual key
• BKi*: set of Mi’s blinded keys
– BK<l,v> = f(K<l,v>)
– ie. f(k) = a k mod p --- p is a large prime number
A TDGH Key Tree Example
* Calculate the group key
* Replicated on each node* Only BK are transmitted
TGDH Membership Events• Join
– a new member is added to the group
• Leave– a member is removed from the group
• Merge– a group is merged with the current group
• Partition– a subset of members are split from the group
• Key refresh– the group key is updated
TGDH - Join Protocol
•How to choose the insert point?o Full balanced or not
•How to choose sponsor? o A guy for computing new intermediate keys and broadcasting to the group
Join Protocol
TGDH - Leave Protocol
TGDH - Partition Protocol
TGDH - Merge Protocol
Multiple Subgroups Merging
• First, the trees are ordered by height in decreasing order; if same height, list them in lexicographic order of the first member in each tree
• Let T1 the original tree T
• For i = 2 to k, merge_trees(T, Ti)
Cascaded Events
All membership events are delivered in sequence after all outstanding messages are delivered ---- underlying group communication system.
Self-clustering
Performance
Please refer to the paper
Recent Progress of SM
• Classification of KM for wired networks
• Some hard problems
• A wireless network multicast security example
• Open issues in this area
Classification of KM Schemes
Some Hard Parts
• Synchronization
• Balanced key tree maintaining
• Watermarking – copyright protection problem
If we assume that no one will deliver illegal copy to unauthorized users, is there any difference between these two?
–Using individual secret key–Using shared group key to protect content
SM in Wireless Network
DKD generates DEK
DEK is protected by KEK
Rekeying algorithms:
1. Baseline rekeying
2. Immediate rekeying
3. Delayed rekeying
Open Issues
• Leave for your guys!