1.1 Distributed and Collaborative Key Agreement Protocols with Authentication and Implementation for Dynamic Peer Groups Patrick Pak-Ching LEE.

Presentation transcript:

1.1 Distributed and Collaborative Key Agreement Protocols with Authentication and Implementation for Dynamic Peer Groups Patrick Pak-Ching LEE

1.2 Presentation Outline
- To identify the motivation of group key management;
- To introduce Tree-based Group Diffie-Hellman (TGDH);
- To propose three interval-based distributed rekeying algorithms: Rebuild, Batch and Queue-batch;
- To present performance evaluation results;
- To explain the authentication mechanism incorporated into the rekeying algorithms;
- To describe an implementation library, SGCL; and
- To suggest future research directions.

1.3 What are the Applications?
- Many group-oriented applications demand communication confidentiality. For example:
  - chat-rooms,
  - audio/video conferencing applications,
  - file sharing tools,
  - router communication paradigms,
  - secure communication for network games in strategy planning.
- We need a secure group key management scheme so that the group can encrypt communication data with a common secret group key.

1.4 Desired Properties of Group Key Management
- Distributed: there is no centralized key server. A centralized key server has the following limitations:
  - A single point of failure; and
  - Not suitable for peer groups and ad hoc networks.
- Collaborative: all group members contribute their own part to generate a group key.
- Dynamic: the protocol remains efficient even when join/leave events are very frequent.

1.5 Our Work
- Focused on group key agreement schemes which do not rely on centralized key management.
- Designed three interval-based distributed rekeying algorithms that have the distributed, collaborative and dynamic features.
- Conducted performance evaluation analysis to illustrate the performance merits of the interval-based algorithms.
- Incorporated an authentication mechanism into the interval-based algorithms.
- Implemented a library for the development of secure group-oriented applications.

1.6 Tree-based Group Diffie-Hellman (TGDH)
- A binary key tree is formed. Each node $v$ represents a secret (private) key $K_v$ and a blinded (public) key $BK_v$.
- $BK_v = \alpha^{K_v} \bmod p$, where $\alpha$ and $p$ are public parameters.
- Every member holds the secret keys along the key path.
- For simplicity, assume each member knows all the blinded keys in the key tree.
[Figure: key tree with root node 0 and members $M_1$ to $M_6$ at the leaves; $K_0$ = Group Key]

1.7 TGDH: Node Relationships
The secret key of a non-leaf node $v$ can be generated by:
$$K_v = (BK_{2v+1})^{K_{2v+2}} = (\alpha^{K_{2v+1}})^{K_{2v+2}} \bmod p$$
$$K_v = (BK_{2v+2})^{K_{2v+1}} = (\alpha^{K_{2v+2}})^{K_{2v+1}} \bmod p$$
$$K_v = \alpha^{K_{2v+1} K_{2v+2}} \bmod p$$
The secret key of a leaf node is randomly selected by the corresponding member.
[Figure: node $v$ with children $2v+1$ and $2v+2$ and their blinded keys $BK_{2v+1}$ and $BK_{2v+2}$]

1.8 TGDH: Group Key Generation
- E.g., $M_1$ generates the group key via:
  - $K_7, BK_8 \rightarrow K_3$
  - $K_3, BK_4 \rightarrow K_1$
  - $K_1, BK_2 \rightarrow K_0$ (Group Key)
[Figure: key tree with root node 0 and members $M_1$ to $M_6$ at the leaves]

1.9 TGDH: Membership Events
- Rekeying (renewing the keys of the nodes) is performed at every single join/leave event to ensure backward and forward confidentiality. A special member called the sponsor is elected to be responsible for broadcasting updated blinded keys.
[Figure: timeline of join and leave events, with a rekey at each event]

1.10 TGDH: Single Leave Case
- $M_4$ becomes the sponsor. It rekeys the secret keys $K_2$ and $K_0$ and broadcasts the blinded key $BK_2$.
- $M_1$, $M_2$ and $M_3$ compute $K_0$ given $BK_2$.
- $M_6$ and $M_7$ compute $K_2$ and then $K_0$ given BK
[Figure: key tree with members $M_1$ to $M_7$ in which $M_5$ leaves; $M_4$ is the sponsor (S)]
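The group key generation of slide 1.8 and the single leave case of slide 1.10, as an added Python example (not code from the presentation or from SGCL). The modulus, the base and the leaf positions of $M_1$ to $M_7$ are assumptions made for the example; the positions are inferred from the node numbers the slides mention, and the blinded keys are computed in one place only to simulate what the sponsors would broadcast.

```python
import secrets

# Toy public parameters, assumed for this example only (not a vetted DH group).
P = 2**127 - 1      # prime modulus p
ALPHA = 3           # public base alpha

def fresh_secret():
    """Random secret key of a leaf node, selected by the member itself."""
    return secrets.randbelow(P - 2) + 1

def sibling(v):
    return v + 1 if v % 2 else v - 1

def parent(v):
    return (v - 1) // 2

def publish_blinded_keys(leaf_secrets):
    """Simulation helper: compute K_v = alpha^(K_{2v+1} * K_{2v+2}) mod p bottom-up
    and return only BK_v = alpha^K_v mod p for every node. In the protocol no
    single party holds all secrets; sponsors broadcast the blinded keys."""
    keys = dict(leaf_secrets)

    def secret(v):
        if v not in keys:
            keys[v] = pow(ALPHA, secret(2 * v + 1) * secret(2 * v + 2), P)
        return keys[v]

    secret(0)
    return {v: pow(ALPHA, k, P) for v, k in keys.items()}

def group_key(leaf, leaf_secret, blinded):
    """What one member does: climb its key path, combining the secret key it
    holds with the sibling's blinded key, K_parent = (BK_sibling)^(K_v) mod p."""
    v, k = leaf, leaf_secret
    while v != 0:
        k = pow(blinded[sibling(v)], k, P)
        v = parent(v)
    return k

def m5_leaves(leaf_secrets):
    """Single leave case: node 12 (M5) is pruned and M4's leaf moves from node 11
    up to node 5 (assumed promotion rule), so K_2 and K_0 are the renewed keys."""
    remaining = {v: k for v, k in leaf_secrets.items() if v not in (11, 12)}
    remaining[5] = leaf_secrets[11]
    return remaining

def demo():
    # Assumed leaf positions, inferred from the node numbers on the slides.
    leaves = {"M1": 7, "M2": 8, "M3": 4, "M4": 11, "M5": 12, "M6": 13, "M7": 14}
    node_secrets = {v: fresh_secret() for v in leaves.values()}
    blinded = publish_blinded_keys(node_secrets)
    before = {m: group_key(v, node_secrets[v], blinded) for m, v in leaves.items()}

    new_secrets = m5_leaves(node_secrets)
    new_blinded = publish_blinded_keys(new_secrets)
    new_leaves = {m: v for m, v in leaves.items() if m not in ("M4", "M5")}
    new_leaves["M4"] = 5
    after = {m: group_key(v, new_secrets[v], new_blinded) for m, v in new_leaves.items()}
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("7 members agree on K_0:", len(set(before.values())) == 1)
    print("6 members agree on a renewed K_0:",
          len(set(after.values())) == 1 and set(after.values()).isdisjoint(before.values()))
```

Each member calls `group_key` with only its own leaf secret and the public blinded keys, which is the $K_7, BK_8 \rightarrow K_3 \rightarrow K_1 \rightarrow K_0$ chain of slide 1.8.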

1.11 TGDH: Single Join Case
- $M_8$ broadcasts its individual blinded key $BK_{12}$ on joining.
- $M_4$ becomes the sponsor again. It rekeys $K_5$, $K_2$ and $K_0$ and broadcasts the blinded keys $BK_5$ and $BK_2$.
- Now everyone can compute the new group key.
[Figure: key tree in which $M_8$ joins; $M_4$ is the sponsor (S)]

1.12 Interval-based Distributed Rekeying Algorithms
- We can reduce one rekeying operation if we can simply replace $M_5$ by $M_8$ at node 12.
- Interval-based rekeying is proposed such that rekeying is performed on a batch of join and leave requests at regular rekeying intervals. This improves the system performance.
- We propose three interval-based rekeying algorithms, namely Rebuild, Batch and Queue-batch.
- Sponsors are elected at every rekeying event. They coordinate with each other in broadcasting new blinded keys.

1.13 Rebuild Algorithm
- Intuition: Minimize the height of the key tree so that every member manages fewer renewed nodes in the subsequent rekeying operations.
- Basic Idea: Reconstruct the whole key tree to form a complete tree.
- We can explore the situations where Rebuild is applicable.
[Figure: key tree rebuilt when $M_2$, $M_5$, $M_7$ leave and $M_8$ joins; $M_1$, $M_3$, $M_4$, $M_6$ and $M_8$ are marked as sponsors (S)]

1.14 Batch Algorithm
- Intuition: Add the joining members to suitable positions.
- Basic Idea:
  - Replace the leaving members with the joining members.
  - Attach the joining members to the shallowest positions.
  - Keep the key tree balanced.
- Elect the sponsors who help broadcast new blinded keys.

1.15 Batch – Example 1: L > J > 0
- $M_8$ broadcasts its join request, including its blinded key.
- $M_1$ rekeys secret keys $K_1$ and $K_0$. $M_4$ rekeys $K_5$, $K_2$ and $K_0$.
- $M_1$ broadcasts $BK_1$. $M_4$ broadcasts $BK_5$ and BK
[Figure: key tree in which $M_2$, $M_5$, $M_7$ leave and $M_8$ joins; $M_1$, $M_4$ and $M_8$ are marked as sponsors (S)]

1.16 Batch – Example 2: J > L > 0
- $M_8$ and $M_9$ form a subtree $T_1'$. $M_{10}$ itself forms a subtree $T_2'$.
- $M_8$ and $M_9$ compute $K_6$, and one of them broadcasts $BK_6$.
- $M_1$ rekeys $K_3$ and $K_1$. $M_6$ rekeys $K_2$.
- $M_1$ broadcasts $BK_3$ and $BK_1$. $M_6$ broadcasts BK
[Figure: key tree in which $M_8$, $M_9$, $M_{10}$ join and $M_2$, $M_7$ leave; subtrees $T_1'$ and $T_2'$; $M_8$, $M_9$ and $M_{10}$ are marked as sponsors (S)]

1.17 Queue-batch Algorithm
- Intuition: Pre-process the join events during the idle rekeying interval, hence reduce the processing load at the beginning of each rekeying interval.
- Basic Idea:
  - Two stages: Queue-subtree and Queue-merge
  - Queue-subtree: Within the idle rekeying interval, attach each joining member to a subtree $T'$.
  - Queue-merge: At the beginning of the next rekeying interval, add the subtree $T'$ to the existing key tree, and prune all nodes of the leaving members.

1.18 Queue-batch – Example of Queue-merge
- $T'$ is attached to node 6.
- $M_{10}$, the sponsor, will broadcast $BK_6$.
- $M_1$ rekeys $K_1$. $M_6$ rekeys $K_2$.
- $M_1$ broadcasts $BK_1$. $M_6$ broadcasts BK
[Figure: key tree in which $M_8$, $M_9$, $M_{10}$ join as subtree $T'$ and $M_2$, $M_7$ leave; $M_1$ and $M_{10}$ are marked as sponsors (S)]

1.19 Performance Evaluation
- Methods: mathematical models + simulation experiments
- Performance Metrics:
  - Number of renewed nodes: This metric provides a measure of the communication cost.
  - Number of exponentiation operations: This metric provides a measure of the computation load.
- Settings:
  - There is only one group.
  - The population size is fixed at 1024 users.
  - Originally, 512 members are in the group.

1.20 Evaluation 1: Mathematical Models
- Start with a well-balanced tree with 512 members.
- Obtain the metrics at different numbers of joining and leaving members in a single rekeying interval.
- Queue-batch offers the best performance, and a significant computation/communication reduction when the group is very dynamic.

1.21 Evaluation 2: Simulation Experiments
- Start with a well-balanced tree with 512 members.
- Every potential member joins the group with probability $p_J$, and every existing member leaves the group with probability $p_L$.
- Evaluate the average / instantaneous metrics at different join/leave probabilities over 300 rekeying intervals.

1.22 Evaluation 2: Simulation Experiments
- Average number of exponentiations at different fixed join probabilities:
[Figure: three plots, for $p_J = 0.25$, $p_J = 0.5$ and $p_J = 0.75$]

1.23 Evaluation 2: Simulation Experiments
- Average number of renewed nodes at different fixed join probabilities:
[Figure: three plots, for $p_J = 0.25$, $p_J = 0.5$ and $p_J = 0.75$]

1.24 Discussion of Evaluation Results
- Queue-batch offers the best performance among the three interval-based algorithms.
- The performance of Queue-batch is even superior under frequent joins/leaves.
  - Frequent join: Queue-batch gains from pre-processing
    - Batch doesn’t have the pre-processing advantage.
  - Frequent leave: Queue-batch prunes departure nodes
    - Batch replaces departure nodes with joins.

1.25 Authenticated TGDH (A-TGDH)
- Motivation:
  - Non-authenticated TGDH is subject to the man-in-the-middle attack.
  - Simple signature is not enough.
- Basic idea:
  - Authenticate every short-term (or session) blinded key with a certified long-term (or permanent) private component.
  - The group key contains both short-term and long-term components.

1.26 A-TGDH: Concepts
- Each member $M_i$ holds two pairs of keys:
  - Short-term secret and blinded keys $(r_{m_i}, \alpha^{r_{m_i}} \bmod p)$, which remain valid from the time $M_i$ joins until it leaves.
  - Long-term private and public keys $(x_{m_i}, \alpha^{x_{m_i}} \bmod p)$, which remain permanent and are certified by a trusted party.
- $M_i$ generates an authenticated short-term blinded key using $M_j$’s long-term public key:
  $$(\alpha^{x_{m_j}})^{r_{m_i}} \bmod p = (\alpha^{r_{m_i}})^{x_{m_j}} \bmod p$$
- Physical meaning:
  - Left-hand side: the generator $\alpha$ is authenticated, i.e., $\alpha$ becomes $\alpha^{x_{m_j}}$.
  - Right-hand side: the short-term blinded key $\alpha^{r_{m_i}}$ is encrypted with a long-term private key $x_{m_j}$.

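1.27 A-TGDH: 2-Party Case
- It is based on the AK protocol (Indocrypt ’00). Assume $M_1$ and $M_2$ each hold the long-term public key of the other member. The authenticated short-term secret key is:
  $$K = \alpha^{r_{m_1} r_{m_2} + r_{m_1} x_{m_2} + r_{m_2} x_{m_1}} \pmod p$$
- $M_1$ sends $(\alpha^{x_{m_2}})^{r_{m_1}}$ and $M_2$ sends $(\alpha^{x_{m_1}})^{r_{m_2}}$.
- $M_1$ retrieves $\alpha^{r_{m_2}}$ and gets $K$ as: $(\alpha^{r_{m_2}})^{r_{m_1}} (\alpha^{x_{m_2}})^{r_{m_1}} (\alpha^{x_{m_1}})^{r_{m_2}}$
- $M_2$ retrieves $\alpha^{r_{m_1}}$ and gets $K$ as: $(\alpha^{r_{m_1}})^{r_{m_2}} (\alpha^{x_{m_2}})^{r_{m_1}} (\alpha^{x_{m_1}})^{r_{m_2}}$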

1.28 A-TGDH: Multi-Party Case
- Idea: Encrypt the blinded key of node $v$ with the long-term private key of $M_i$: $\alpha^{K_v x_{m_i}} \bmod p$.
- The authenticated short-term secret key of node $v$ is the product of:
  - Non-authenticated short-term secret key
  - Authenticated blinded keys of left child by the long-term components of right child’s descendants
  - Authenticated blinded keys of right child by the long-term components of left child’s descendants

1.29 A-TGDH: Multi-Party Case
- Secret key at leaf nodes: $r_{m_i} \bmod p$
- Authorized secret key of $K_1$ is:
  $$K_1 = \alpha^{r_{m_1} r_{m_2} + r_{m_1} x_{m_2} + r_{m_2} x_{m_1}} \bmod p$$
- Authorized group key $K_0$ is:
  $$K_0 = \alpha^{K_1 K_2 + K_1 (x_{m_3} + x_{m_4}) + K_2 (x_{m_1} + x_{m_2})} \bmod p$$
- Double-protection on the group key (with $r_{m_i}$ and $x_{m_i}$)
[Figure: key tree with root node 0 and members $M_1$ to $M_4$ at the leaves]
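The 2-party exchange of slide 1.27 and the four-member group key of slide 1.29, as an added Python example (not code from the presentation or from SGCL). The toy group, the function names and the message flow in the multi-party step (each subtree sends one authenticated blinded key per member of the sibling subtree) are assumptions; the flow is one reading of slide 1.28.

```python
import secrets

# Toy group, assumed for this example only: safe prime p = 2q + 1 and a base
# alpha of prime order q, so exponents can be inverted mod q. Far too small
# for real use.
P, Q, ALPHA = 2039, 1019, 4

def keypair():
    """Return (secret s in [1, q-1], alpha^s mod p)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(ALPHA, s, P)

def authenticate(k, peer_pub):
    """Authenticated blinded key for one receiver: (alpha^x_peer)^k mod p."""
    return pow(peer_pub, k, P)

def retrieve(auth_blinded, x_own):
    """Receiver strips its long-term key: (alpha^(k*x))^(1/x mod q) = alpha^k."""
    return pow(auth_blinded, pow(x_own, -1, Q), P)

def node_key(k_own, x_own, me, sent, received):
    """Authenticated secret key of a node, as computed by member `me`.
    sent / received map each receiver's name to the authenticated blinded key
    addressed to it by our subtree / by the sibling subtree."""
    k = pow(retrieve(received[me], x_own), k_own, P)   # alpha^(K_own * K_sibling)
    for term in list(sent.values()) + list(received.values()):
        k = k * term % P                               # long-term components
    return k

def demo():
    names = ("M1", "M2", "M3", "M4")
    r = {m: keypair()[0] for m in names}               # short-term secrets r_mi
    long_term = {m: keypair() for m in names}          # (x_mi, alpha^x_mi)
    x = {m: long_term[m][0] for m in names}
    pub = {m: long_term[m][1] for m in names}

    def pair(a, b):
        """2-party case between siblings a and b; returns the key each computes."""
        a_to_b = {b: authenticate(r[a], pub[b])}
        b_to_a = {a: authenticate(r[b], pub[a])}
        return (node_key(r[a], x[a], a, a_to_b, b_to_a),
                node_key(r[b], x[b], b, b_to_a, a_to_b))

    k1_m1, k1_m2 = pair("M1", "M2")
    k2_m3, k2_m4 = pair("M3", "M4")

    # Group key: one authenticated blinded key per member of the other subtree.
    left = {m: authenticate(k1_m1, pub[m]) for m in ("M3", "M4")}
    right = {m: authenticate(k2_m3, pub[m]) for m in ("M1", "M2")}
    k0_m1 = node_key(k1_m1, x["M1"], "M1", left, right)
    k0_m4 = node_key(k2_m4, x["M4"], "M4", right, left)

    # Closed forms from the slides; computable here only because the demo
    # holds every member's secrets.
    k1 = pow(ALPHA, r["M1"] * r["M2"] + r["M1"] * x["M2"] + r["M2"] * x["M1"], P)
    k0 = pow(ALPHA, k1 * k2_m3 + k1 * (x["M3"] + x["M4"])
             + k2_m3 * (x["M1"] + x["M2"]), P)
    return {"K1": (k1_m1, k1_m2, k1), "K2": (k2_m3, k2_m4), "K0": (k0_m1, k0_m4, k0)}

if __name__ == "__main__":
    print(demo())
```

`retrieve` is the step that needs a long-term private key: a party that does not hold $x_{m_i}$ cannot recover $\alpha^{K}$ from $\alpha^{K x_{m_i}}$ this way, so it cannot form the first factor of the node key.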

1.30 A-TGDH: Characteristics
- Key authentication: no outsiders can access the keys.
- Key confirmation: every member possesses the same group key.
- Known-key secrecy: past short-term keys cannot be used to deduce future short-term keys.
- Perfect forward secrecy: current long-term keys cannot be used to deduce past short-term keys.

1.31 SGCL Implementation
- We realized our algorithms via the Secure Group Communication Library (SGCL):
  - Linux-based C language API
- SGCL helps developers build secure group-oriented applications.
- Two testing applications: Chatter and Gauger
  - Chatter: secure chat-room
  - Gauger: performance testing tool

1.32 SGCL: Overview
- Leader: responsible for notifying others to start a rekeying operation. The one which stays the longest.
[Figure: leader and REKEY notification]

1.33 SGCL: Overview
- Sponsors: responsible for broadcasting new blinded keys
[Figure: leader and sponsors, with blinded keys being broadcast]

1.34 SGCL: Architecture
[Figure: architecture diagram with the labels SGCL API; Keytree engine; Sesskey engine; Member engine; Leader engine; Certkey engine; Packet engine; Message queue; Packet queue; Receive thread; Process thread; verify; sign; Spread daemon (maintain reliable and ordered communication)]

1.35 SGCL: API Functions
[Figure: API functions around the SGCL session object: SGCL_init(), SGCL_set_passwd(), SGCL_join(), SGCL_send(), SGCL_recv(), SGCL_read_membership(), SGCL_leave(), SGCL_destroy()]

1.36 SGCL: Experiments
- Gauger: study the performance of the interval-based algorithms under real network settings.
- Metrics:
  - 1) Rekeying duration, 2) no. of exponentiations, 3) no. of blinded keys, and 4) no. of broadcasts of blinded keys
- Settings:
  - 40 Gaugers, evenly located on eight P4/2.5GHz machines
  - Inter-connected in a single LAN

1.37 SGCL: Result Highlights
- Highlights: Average analysis of no. of exponentiations and no. of blinded keys
- Queue-batch shows dominant performance under the high membership dynamics.

1.38 SGCL: Applications
- Chatter

1.39 Conclusion
- Three interval-based distributed rekeying algorithms: Rebuild, Batch and Queue-batch
- Performance evaluation: mathematical models and simulation experiments
- Authentication
- Implementation of SGCL

1.40 Future Directions
[Figure: Internet; LAN A, LAN B, LAN C, LAN D]

1.41 Future Directions
- A hybrid key tree with both physical and logical properties:
[Figure: Internet; LAN A, LAN B, LAN C, LAN D]

1.42 Future Directions
- Robustness against attacks:
  - Erroneous key confirmation
  - Forged packets/signatures
  - Leader masquerade
- Security in Spread daemons
  - Encryption between a Spread daemon and SGCL
  - Encryption among the Spread daemons
- Key tree updates:
  - Interval-based
  - Threshold-based

1.43 SGCL: Leader and Sponsors
- Leader:
  - Election: the one which stays the longest in the group.
- Sponsors:
  - Election: the rightmost member of the subtree whose root is not renewed but root’s parent is.
  - Coordination: the blinded key of a renewed node is broadcast by the sponsor which can broadcast a sequence of blinded keys in one round.
[Figure: key tree with sponsors $M_{l(s)}$ and $M_{r(s)}$]

1.44 SGCL: Leader Components
[Figure: component diagram with the labels Keytree engine; Sesskey engine; Member engine; Leader engine; Certkey engine; Packet engine; Rekey queue; Rekey poll thread; Rekey send thread; sign; Spread daemon]

1.45 Q: Related Work
Centralized Physical Hierarchical Schemes
- Intra Domain Group Key Management Protocol
  - Domain Key Distributor + Area Key Distributor
- Iolus
  - Rekeying in subgroup level
  - Subgroup manager re-encrypt data sessions
[Figure: hierarchy of a DKD, AKDs and members (M)]

1.46 Q: Related Work
Centralized Physical Hierarchical Schemes
- Kronos
  - Periodic rekeying
- Reversible Parametric Sequences (RPS)
  - Router tree
  - Group key encryption along the tree path
[Figure: router tree with nodes a1 to a7 and Leaf 1 to Leaf 3; keys $S_0$ (group key), $S_1$, $S_2$, $S_3$; $H_{0,3}(S_3) = S_0$]

1.47 Q: Related Work
Centralized Logical Hierarchical Schemes
- Logical Key Hierarchy
  - Key graph
- One-way Function Tree
  - The key of a node is a function of the keys of its left and right children

1.48 Q: Related Work
Decentralized Schemes
- Cliques
  - A linear chain
- Tree-based Group Diffie-Hellman
- STR
  - Form a skewed tree
[Figure: members M1, M2, M3, M4]

1.49 Q: Instantaneous Analysis
- Instantaneous number of exponentiations at different pairs of join/leave probabilities for Batch and Queue-batch:
[Figure: three plots, for $p_J = 0.25$, $p_L = 0.25$; $p_J = 0.5$, $p_L = 0.5$; and $p_J = 0.75$, $p_L = 0.75$]

1.50 Q: Instantaneous Analysis
- Instantaneous number of renewed nodes at different pairs of join/leave probabilities for Batch and Queue-batch:
[Figure: three plots, for $p_J = 0.25$, $p_L = 0.25$; $p_J = 0.5$, $p_L = 0.5$; and $p_J = 0.75$, $p_L = 0.75$]

1.51 Q: N-ary tree
- Do we have to stick to a binary tree? Can we have a ternary tree, or an N-ary tree?
- Answer:
  - An N-ary tree is not necessarily good, though it reduces the tree height
  - Use one-round tripartite Diffie-Hellman based on Weil pairing
  - 512-bit Weil pairing ~ 3 x 1024-bit exponentiation