Key Management Schemes for Stateless Receivers Based on Time Varying Heterogeneous Logical Key Hierarchy Miodrag Mihaljevic ASIACRYPT 2003 December 1,

Presentation transcript:

Key Management Schemes for Stateless Receivers Based on Time Varying Heterogeneous Logical Key Hierarchy Miodrag Mihaljevic ASIACRYPT 2003 December 1, 2003

Reconfigurable Key Management for Broadcast Encryption or Secret Bits with Multiple Roles: A Novel Paradigm for Broadcast Encryption Schemes - two alternative titles of this talk -

Broadcast Encryption – A Brief Introduction Broadcast encryption (BE) schemes define methods for encrypting content so that only privileged users are able to recover the content from the broadcast which is a ciphertext obtained based on a Session Encryption Key (SEK). Ensuring that only the valid members of the selected group have SEK at any given time instance is the key management problem in BE. On the other hand, for the SEK updating, a system needs another set of keys called the Key-Encrypting Keys (KEKs) that can be used to encrypt and transmit the updated SEK to the valid members of the group. Hence, the key management problem reduces to the problem of distributing the KEKs to the members such that at any given time instant all the valid members can be securely reached and updated with the new SEK.

Abstract of the Talk
Scenario under consideration:
- broadcast encryption with stateless receivers
- each receiver has a sequence of secret bits to be used during its entire life
Main characteristics of the proposed key management:
- it is a re-configurable (time varying) key management scheme: it is based on a collection of underlying structures, and at each instant of time a structure from the collection is employed for updating the session key
- segments of the secret bits sequence play different roles depending on the employed key management scheme

Roadmap of the presentation
I. Re-configurable Key Management
II. Secret Key Bits Play Different Roles: Re-using of the Keys
III. Illustrative examples

I. Reconfigurable Key Management Main Characteristics

Reconfigurable Key Management
[Figure: a collection of Key Management (KM) schemes KM 1, KM 2, ..., KM n; the most appropriate KM for the given revocation scenario is selected as the currently employed KM]

Reconfigurable Key Management
“Jumping” from one underlying structure to another to achieve the best fit to different revocation scenarios in a highly dynamic group of users.

Novel Scheme Versus Existing Ones
Novel Scheme:
- Multiple underlying structures
- Multiple roles of the secret bits
- Time varying
- Local heterogeneous key management
- Adjustable to the revocation dynamics
Existing Ones:
- Single underlying structure
- Single role of the secret bits
- Static
- Global homogeneous key management
- Non-adjustable to the revocation dynamics

Main Characteristics of Novel Approach Novel and Flexible Generic Paradigm for developing Broadcast Encryption Key Management schemes for Stateless Receivers. Novel technology is based on the reconfigurability concept (time varying heterogeneous logical tree hierarchy), and it yields the improved overall characteristics in comparison with the previously reported techniques.

Required Cryptographic Primitives
Reconfigurable key management requires a number of underlying structures for assigning KEKs to the receivers, and in a general case it requires the following two cryptographic primitives:
- cryptographic pseudo-random number generator (keystream generator)
- hash functions

Illustrative Underlying Structures for Reconfigurable Key Management

A general form of the sectioned heterogeneous logical key hierarchy (SH-LKH). The triangles play the roles of certain substructures, and in a particular case they are sub-trees, with the root at the top of the triangle and the leaves at the bottom.

An illustration of the sectioned key tree (SKT). As usual, the center is associated with the tree root, a receiver is at a leaf, and the keys are related to the tree nodes.

Reconfigurable Key Management: Main Implementation Issues
- Decision on and
- According to the above decision and the expected revocation scenarios, design of a suitable collection of underlying structures which minimizes the communication overload. (Note that the collection could be established in a non-optimized (ad hoc) or an optimized manner.)

Certain Implementation Issues of Reconfigurable Key Management – RKM (I)
At the center side, RKM implementation includes establishing the RKM system. During the establishing phase the center selects the component key management schemes so that each of them is suitable for a certain class of revocation patterns. Accordingly, during the establishing phase the center forms a list of the following pairs: (revocation pattern class; key management scheme). Storage requirements for this list of pairs and related information on the component schemes are usually negligible in comparison with the number of keys which should be stored at the center. So, for each SEK update, the current revocation pattern directly determines the component key management scheme which will be employed.

Certain Implementation Issues of Reconfigurable Key Management – RKM (II)
One-to-one correspondence between the revocation pattern and the component scheme implies that RKM employment does not require any additional processing for selecting a particular key management scheme at any time instance. At the receiver side, RKM operates in a manner very similar to a static key management scheme. During SEK updating, a legitimate (non-revoked) receiver will be able to extract information about the KEK it possesses which was employed for obtaining one of the encrypted forms of the SEK delivered via broadcasting. This information tells the receiver which of its KEKs should be employed and how: in a general case, according to the extracted information, a mapping of a KEK should be performed. Note that the mapping itself is not a secret operation, and usually it is cryptographic one-way hashing.

Certain Implementation Issues of Reconfigurable Key Management – RKM (III)
Accordingly, employment of RKM requires just a slight (almost negligible) increase of required processing at both sides, at the center and at the receiver. On the other hand, it is true that RKM requires moderate processing at the center side in order to establish the system, but this operation should be done just once.

II. Secret Key Bits Play Different Roles Re-using of the Keys

Reconfigurable Key Management and Secret Key Bits
Reconfigurable key management includes reusing of the same secret bits segments in different modes.
An important implementation issue: methodology for reusing of the secret key bits so that they can play different roles.

Shared Mail Box Problem
- Each user U_i holds just one secret key K_i.
- For each i = 1, 2, …, k, the mail box B_i can only be opened by the user U_i who possesses the secret key K_i.
- The shared mail box SB can be opened by every user in the group, but not by any outsider.
- Even when k-1 users conspire together, it is computationally difficult for the k-1 users to open the other user's private mail box.
Important Note: The shared mail box problem can be solved by employment of appropriate one-way hash functions.

Reusing of the Secret Bits main issues

Reusing of the Secret Key Bits
- reusing of the independent keys
- reusing of the dependent keys
  - direct reusing
  - indirect reusing
- employment of appropriate mappings of the (dependent) keys

[Figure: block for secret bits processing. Labels: rules for secret bits processing; secret key bits; specification of the secret bits subsets; subset-by-subset mapping; collection of the keys; selected instance of re-configurable key management]

[Figure: Mapping of the Keys. Labels: Subset of Stored Secret Key Bits; One-Way Hash; Desired KEK]
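The receiver-side mapping described in the RKM implementation slides and in the "Mapping of the Keys" figure, as an added Python example (not code from the talk): a segment of the stored secret bits is hashed together with the scheme and node it serves, so the same bits give unrelated KEKs under different component schemes. SHA-256, SHAKE-256 as the keystream generator, the header fields (`scheme`, `node`, `offset`, `length`) and all sample values are assumptions made for the illustration.

```python
import hashlib, hmac, os

def derive_kek(secret_bits, scheme, node, offset, length):
    """Public (non-secret) mapping: one-way hash of a stored segment, bound to its role."""
    segment = secret_bits[offset:offset + length]
    if length <= 0 or len(segment) != length:
        raise ValueError("segment lies outside the stored secret bits")
    h = hashlib.sha256()
    for part in (scheme.encode(), node.encode(), segment):
        h.update(len(part).to_bytes(2, "big") + part)  # length prefix: unambiguous encoding
    return h.digest()

def _keystream(kek, nonce, n):
    # SHAKE-256 stands in for the keystream generator primitive (assumption).
    return hashlib.shake_256(b"enc" + kek + nonce).digest(n)

def _tag(kek, nonce, ct):
    # Separate MAC key so the KEK is not used directly in two roles.
    mac_key = hashlib.sha256(b"mac" + kek).digest()
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def wrap_sek(kek, sek):
    """Center side: encrypt the new SEK under one KEK for broadcast."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(sek, _keystream(kek, nonce, len(sek))))
    return nonce, ct, _tag(kek, nonce, ct)

def unwrap_sek(kek, nonce, ct, tag):
    """Receiver side: return the SEK, or None if this KEK did not produce the message."""
    if not hmac.compare_digest(tag, _tag(kek, nonce, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

# Constructed sample data: 64 stored bytes per receiver, one SEK, two component schemes.
RECEIVER_BITS = bytes(range(64))
REVOKED_BITS = bytes(range(100, 164))
SEK = b"constructed-sek-0123456789abcdef"
HEADERS = [  # hypothetical broadcast headers: same segment, different role per scheme
    {"scheme": "KM1", "node": "section-3/root", "offset": 16, "length": 16},
    {"scheme": "KM2", "node": "layer-1/node-5", "offset": 16, "length": 16},
]

def run_updates():
    """Reuse the same segment under both schemes; report what each receiver recovers."""
    out = {}
    for hdr in HEADERS:
        msg = wrap_sek(derive_kek(RECEIVER_BITS, **hdr), SEK)
        out[hdr["scheme"]] = (
            unwrap_sek(derive_kek(RECEIVER_BITS, **hdr), *msg),
            unwrap_sek(derive_kek(REVOKED_BITS, **hdr), *msg),
        )
    return out

if __name__ == "__main__":
    print(run_updates())
```

The receiver stores nothing per scheme: the header is public, and only the stored bits are secret.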

Sharing of the Secret Bits NOTE: Appropriate processing – mapping of the secret key bits yields a possibility for the shared use of the same secret bits even within joint framework of secret key and public key encryption techniques.

III: Illustrative Example Reconfigurable Key Management Based on Sectioned Key Tree

An illustration of the sectioned key tree (SKT). As usual, the center is associated with the tree root, a receiver is at a leaf, and the keys are related to the tree nodes.

Two Particular Key Management Schemes SKT-A and SKT-B

SKT-A CST LSD

SKT-B CST LSD

Analysis of the Proposed Schemes Storage, Communications and Processing Overheads

Characteristics of SKT-A
Proposition 1. SKT-A key management requires the following overhead for R revocations in total which affect R_0 different sections:
- dimension of the overhead: O(H H 0 + log 2 N)
- dimension of the communications overhead: O(R + R_0((log_2 N) - H_0) - R_0 log_2 R_0)
- dimension of the overhead: O(H_0)

Characteristics of SKT-B
Proposition 2. SKT-B key management requires the following overhead for R revocations in total which affect R_0 and R_1 different sections in the lower two layers, the bottom (0-th) and the middle (1-st) ones, respectively:
- dimension of the overhead: O(H H – H 0 – H 1 + log 2 N)
- dimension of the communications overhead: O(R + R_0 + R_1((log_2 N) - H_1 - H_0) - R_1 log_2 R_1)
- dimension of the overhead: O(max{H_0, H_1})

Comparison

| technique | storage | processing |
|---|---|---|
| CST (Crypto 2001) | O(log N) | O(log (log N)) |
| SD (Crypto 2001) | (O(log N))^2 | O(log N) |
| Basic LSD (Crypto 2002) | (O(log N))^1.5 | O(log N) |
| SKT-A, H_0 < log N | O(H – H 0 + log N) | O(H_0) |
| SKT-B, H_0 + H_1 < log N | O(H – H H 0 – H 1 + log N) | O(max{H_0, H_1}) |

Advantages of the Novel Approach (Discussion of the previous Illustrative Example)
- Storage: In a system with a million users the novel technology based key management requires only 35 keys at the receiver in comparison with 400 and 90 keys required by SD and LSD methods, respectively.
- Processing: The novel technology based key management yields more than three times lower processing overhead at a receiver in comparison with SD and LSD methods.
- Communication Overhead: In a large number of the revocation scenarios the novel technology based key management implies the same communications overhead as SD and LSD methods.

Instead of Conclusions (1)
A novel framework for key management schemes based on a reconfigurable logical key hierarchy is proposed, which has a number of differences and advantages over the previously reported approaches. Recall that the main characteristics of the key management schemes reported up to now include employment of a static underlying structure for the key management, and addressing the subset covering problem over the entire underlying structure. In contrast, the main underlying ideas for developing reconfigurable key management (RKM) include the following: (i) employment of a reconfigurable underlying structure; and (ii) in a general case, employment of a divide-and-conquer approach over the underlying structure.

Instead of Conclusions (2)
RKM appears to be a very suitable approach for highly dynamic revocation scenarios. Employment of RKM for a SEK update requires just a slight (almost negligible) increase of required processing at both sides, at the center and at the receiver. On the other hand, RKM requires moderate processing at the center side in order to establish the system, but this operation should be done just once.

Thank You Very Much for the Attention, and QUESTIONS Please!