1 Membership Control in P2P and MANETs Nitesh Saxena, Gene Tsudik, Jeong H. Yi Computer Science Department University of California at Irvine {nitesh,

Presentation transcript:

1 Membership Control in P2P and MANETs Nitesh Saxena, Gene Tsudik, Jeong H. Yi Computer Science Department University of California at Irvine {nitesh, gts,

2 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

3 Peer Group Settings Decentralized P2P Common in MANETs and Internet At many protocol layers Many applications No centralized control No hierarchy Fault-tolerant Dynamic membership MANETs Distributed and scalable security services required

4 P2P Security: Prior Work Secure communication: Key management Authentication Anonymity Secure routing

5 Key Management [Figure: nodes A, B, C, D, E, F]

6 Sybil attack, Douceur [IPTPS’02]. An adversary may create multiple identities. Lesson: Verify identities. [Figure: nodes B, C, D, E, F, G, H, I, J and identities A1, A2, A3]

7 Motivation Secure group communication does not address membership eligibility Without secure admission control, secure communication (e.g., key management) is useless

8 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

9 Group Membership Issues Naming: Name → ownership? Location? Presence: on-line: e.g., replicated servers, MANETs off-line: e.g., Gnutella, MANETs Membership: Static, ad hoc: reflected where? Enumerated Dynamic: admission rules/policies? Longevity: Long-term Transient

10 What does a prospective member know? Group name, at least… Group location? Group membership? Group charter/policy? Group member(s)’ name(s)/address(es)?

11 Terminology Group Charter defines admission policies Group Membership Certificate (GMC) proves membership Group Authority (GAUTH) Bootstrapping entity Threshold Sig. Algo Dealer etc.

12 Admission Control Models Admission via Public ACL: Not suitable for dynamic peer groups. Admission by Centralized Authority: Not suitable for dynamic peer groups; single point of failure. Admission by Members ← our focus

13 Admission Control New member ($M_{new}$) wants to join the group. Step 1: Join request. Step 2: Join commit (Vote). Step 3: GMC issuance & share acquisition. A quorum of t current members needs to issue $M_{new}$ a group membership certificate (GMC). If no quorum, membership is denied. [Figure: $M_{new}$, Vote 1, Vote 2]

14 Threshold Types Fixed Threshold: Expressed as minimum # of votes (e.g., 5). What if group size < threshold? Dynamic Threshold: Expressed as percentage of # of current members (e.g., 30%). Threshold = percentage * group size. Need to keep accurate state of up-to-date group size → Group Authority (GAUTH), as bootstrapping node, is only trusted to keep account of group size.

15 Relevant crypto techniques Plain signatures ASMs Aggregated Signatures Threshold Signatures Static Dynamic Group signatures

16 Plain Signatures Inefficient in bw/space Efficient in generation/verification Can be gathered asynchronously Can be used to prove membership No membership awareness Accountability Limited anonymity Linkable Lineage problem!

17 Accountable sub-Group Multi-Signatures Due to Ohta, et al. (CCS’01) Based on aggregating Schnorr signatures Efficient (but still linear in size) Synchronous (on-line protocol) Membership awareness Can be used to prove membership Accountability Limited anonymity Linkable Lineage Problem!

18 Threshold Signatures Desmedt/Frankel (1989) and many others Usually fixed t Function sharing to avoid reconstruction Inefficient Synchronous (on-line protocol) Membership awareness (partial) No Accountability Limited anonymity Linkable? (Usually) need trusted dealer to set up No lineage problem!

19 Dynamic Threshold Signatures Frankel, et al. (FOCS’97) Shrinkable t Very inefficient Synchronous (on-line protocol) Membership awareness (partial) No Accountability Limited anonymity Linkable? Still need trusted dealer

20 Dynamic Threshold Signatures Kong, et al. (ICNP’01) Supports growing t Efficiency unclear Synchronous (on-line protocol) Membership awareness (partial) No Accountability Limited anonymity Linkable? Still need trusted dealer to set up

21 Group Signatures Chaum & Van Heijst (1991) and many others Inefficient Asynchronous No membership awareness Can be used to prove membership Accountability (off-line, by Gr. Mgr) Anonymity Unlinkable (except by Gr. Mgr)

22 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

23 Shamir's Secret Sharing
Dealing Secret Shares: Dealer randomly selects polynomial $f(x)$ of degree $t-1$ and distributes secret shares to users.
$f(x) = S + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \pmod q$ (Note: $f(0) = S$)
$ss_i = f(id_i) \pmod q$
Secret Recovery
Distributed Share Computation
What if users are malicious?

24 Verifiable Secret Sharing (VSS) P. Feldman [FOCS ’87]
Select $f(x)$ over $\mathbb{Z}_q$ as in Shamir's: $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \pmod q$
Setup: $p$, $q$ ($q$ divides $p-1$), $b \in \mathbb{Z}_p^*$,
Witness generation (publicly known): $W_i = g^{a_i \pmod q} \pmod p$
Secret share verification: (mod q) (mod p)
- Exponent is in mod q
- q, p: large primes
- q | p-1

25 Threshold RSA (TS-RSA) J. Kong, et al. [ICNP ’01, ISCC ’02, WCMC ’02]
Setup: Generate RSA key pairs: d, e, N. Dealer randomly selects polynomial $f(x)$ of degree $t-1$.
$f(x) = d + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \pmod N$
Signature generation: [Figure: $m$; $m^{SK_3}$, $m^{SK_2}$, $m^{SK_5}$; $m^{SK_2 + SK_3 + SK_5}$]
$SK_2 + SK_3 + SK_5 \equiv d \pmod N$
- d is never reconstructed.
- mod N (composite)

26 TS-RSA: t-bounded offsetting
[Figure: $m$; $m^{SK_3}$, $m^{SK_2}$, $m^{SK_5}$; $m^{SK_2 + SK_3 + SK_5}$]
$SK_2 + SK_3 + SK_5 \equiv d \pmod N$
$SK_2 + SK_3 + SK_5 = tN + d$
$m^{SK_2 + SK_3 + SK_5} = m^{tN + d} = m^{tN} m^{d}$
    Y = m^(tN+d);
    for (i = 0; i <= t; i++) {
        Y = Y * m^(-N) mod N;
        if (Y^e = m mod N) break;
    }
    return Y (= m^d mod N)
22 msec
- CRT not applicable
- Prime factors of N are known only to the dealer
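
Added example (not from the original slides): the t-bounded offsetting step worked through with constructed toy parameters N = 7 * 17 = 119, e = 5, d = 77, t = 3 and signers 2, 3, 5. Unlike the slide's loop it tests the candidate before the first multiplication by m^(-N), so an offset of zero is also handled; all function names are illustrative.

```python
# Added example (not from the deck): TS-RSA signing with t-bounded offsetting.
# Toy parameters are constructed: N = 7 * 17 = 119, e = 5, d = 77, t = 3.
N, E, D, T = 119, 5, 77, 3
COEFFS = [D, 2, 5]            # dealer's f(x) = d + 2x + 5x^2 (mod N)
SIGNERS = [2, 3, 5]           # ids of the t cooperating members


def share(ident):
    """Dealer side: ss_i = f(id_i) mod N."""
    return sum(a * ident ** k for k, a in enumerate(COEFFS)) % N


def lagrange_at_zero(i, ids):
    """l_i(0) mod N; needs every id difference to be invertible mod N."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N


def partial_signature(m, ident, ids):
    """Signer side: SK_i = ss_i * l_i(0) mod N, partial = m^SK_i mod N."""
    sk = share(ident) * lagrange_at_zero(ident, ids) % N
    return sk, pow(m, sk, N)


def combine(m, partials):
    """Multiply partials, then strip the unknown multiple of N from the exponent.

    sum(SK_i) = d + k*N over the integers with 0 <= k < t, so at most t-1
    multiplications by m^-N are needed; each candidate is checked with e.
    """
    y = 1
    for p in partials:
        y = y * p % N
    m_inv_n = pow(pow(m, -1, N), N, N)       # m^-N mod N (m must be a unit)
    for k in range(T):
        if pow(y, E, N) == m % N:
            return y, k
        y = y * m_inv_n % N
    raise ValueError("no offset below t verifies; some partial is invalid")


def sign(m, tamper=None):
    """Run the exchange; `tamper` replaces one signer's partial with 1."""
    pairs = [partial_signature(m, i, SIGNERS) for i in SIGNERS]
    partials = [1 if i == tamper else p for i, (_, p) in zip(SIGNERS, pairs)]
    exponent_sum = sum(sk for sk, _ in pairs)
    return combine(m, partials) + (exponent_sum,)


if __name__ == "__main__":
    print(sign(2))            # (signature, offsets removed, integer sum of SK_i)
```

When one partial is replaced, `combine` raises after t candidates without indicating which signer misbehaved, which is the missing robustness the next slides discuss.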

27 TS-RSA: VSS failure
Example: $f(x) = 77 + 2x + 5x^2 \pmod{119}$, $g = 3$
Witnesses: $w_0 = 3^{77} = 12$, $w_1 = 3^{2} = 9$, $w_2 = 3^{5} = 5 \pmod{119}$
$pss_3(7) = 74$, $pss_2(7) = 71$, $pss_5(7) = 72$, with $pss_i(id_j) = ss_i \, l_i(id_j) \bmod N$
$ss_7 = pss_2(7) + pss_3(7) + pss_5(7) = 98$
Impossible to verify if $ss_i$ is correct. (mod 119) mod $\phi(N)$
Impossible to detect malicious members, i.e., no robustness provided!

28 TS-RSA: Summary No verifiability of secret shares. Gennaro [Crypto ’96] and Shoup [Eurocrypt ’00] proposed schemes to provide verifiability → require trusted dealer to generate a key-pair. Boneh & Franklin [Crypto ’97] distributed RSA key generation → very high communication and/or computation overhead → impractical in many group settings such as MANETs. Trusted dealer involved at initialization phase

29 Threshold DSA (TS-DSA) Extension of threshold DSS scheme by Jarecki, et al. [Eurocrypt ’96]. Group size (n) can be increased. Threshold (t) can be changed. No dealer involved. VSS holds

30 TS-DSA: Setup Self-initialization by founding members uses Joint Secret Sharing (JSS), Pedersen [Eurocrypt ’91]. [Figure: User 1, User 2, ..., User n] Each user computes $f_i(j)$ ($j = 1..n$, $j \ne i$), and sends it to others. Each user computes his own secret share. No one knows S.

31 TS-DSA: Signature Generation [Figure: signers 3, 2 and 5 with $(u_3, v_3)$, $(u_2, v_2)$, $(u_5, v_5)$; $r$, $m$; $s_3$, $s_2$, $s_5$] DSA signature: $(r, s)$; extra exp.; $(t+1)/2$-secure; $O(t^2)$ comm.

32 TS-DSA: VSS holds
Example: $f(x) = 7 + 2x + 5x^2 \pmod{11}$, $g = 9$, $q = 11$, $p = 23$
Witnesses: $w_0 = 9^{7} = 4$, $w_1 = 9^{2} = 12$, $w_2 = 9^{5} = 8 \pmod{23}$
$pss_3(7) = 7$, $pss_2(7) = 2$, $pss_5(7) = 4$, with $pss_i(j) = ss_i \, l_i(j) \bmod p$
$ss_7 = pss_2(7) + pss_3(7) + pss_5(7) = 2 \pmod{11}$
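
Added example (not part of the original slides): the Feldman share check from slide 24 run on the deck's two toy parameter sets, the prime-order TS-DSA setting of slide 32 and the RSA-modulus setting of slide 27. The function names are illustrative, and slide 27's polynomial is taken as $77 + 2x + 5x^2$, the one its witnesses $3^{77}, 3^{2}, 3^{5}$ and $ss_7 = 98$ correspond to.

```python
# Added example, not from the deck: Feldman VSS share verification.

def poly_eval(coeffs, x, modulus):
    """f(x) = a0 + a1*x + ... evaluated by Horner's rule, reduced mod `modulus`."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % modulus
    return acc


def witnesses(coeffs, g, group_mod):
    """Public commitments w_k = g^(a_k) mod group_mod."""
    return [pow(g, a, group_mod) for a in coeffs]


def feldman_verify(share, ident, wits, g, group_mod):
    """Accept iff g^share == prod_k w_k^(ident^k)  (mod group_mod)."""
    rhs = 1
    for k, w in enumerate(wits):
        rhs = rhs * pow(w, ident ** k, group_mod) % group_mod
    return pow(g, share, group_mod) == rhs


def order_of(g, modulus):
    """Multiplicative order of g; g must be coprime to modulus."""
    k, acc = 1, g % modulus
    while acc != 1:
        acc = acc * g % modulus
        k += 1
    return k


def check_setting(coeffs, g, share_mod, group_mod, ident=7):
    """Deal a share to member `ident`, then list every value the check accepts."""
    share = poly_eval(coeffs, ident, share_mod)
    wits = witnesses(coeffs, g, group_mod)
    accepted = [s for s in range(share_mod)
                if feldman_verify(s, ident, wits, g, group_mod)]
    return {"share": share, "witnesses": wits,
            "accepted": accepted, "order_of_g": order_of(g, group_mod)}


# Slide 32 (TS-DSA): shares mod q = 11, commitments mod p = 23, g of order q.
TS_DSA = check_setting([7, 2, 5], g=9, share_mod=11, group_mod=23)
# Slide 27 (TS-RSA): shares AND commitments mod N = 119; g has order 48,
# a divisor of phi(N) = 96 that members cannot compute without factoring N.
TS_RSA = check_setting([77, 2, 5], g=3, share_mod=119, group_mod=119)

if __name__ == "__main__":
    print("TS-DSA:", TS_DSA)   # only the dealt share is accepted
    print("TS-RSA:", TS_RSA)   # the dealt share is rejected, other values pass
```

In the RSA-modulus setting the honestly dealt share 98 fails the check while 0, 48 and 96 pass, because shares are reduced mod N whereas exponents of g only matter modulo its order.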

33 TS-DSA: Summary Pros: VSS guaranteed; key generation fully distributed. Cons: Robust only if fewer than $\lfloor (t+1)/2 \rfloor$ malicious users; extra $O(t^2)$ communications between signers to jointly generate random secret k

34 Feature Summary [Table: columns RSA, ASM, TS-RSA, TS-DSA; rows Dealer involved, Simultaneous on-line presence, Accountability, Unlinkability, Verifiable Secret Sharing (with an NA entry)]

35 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

36 System Design - “Bouncer” toolkit [Figure: layers as listed] Peer Group Applications (Gnutella, Secure Spread, etc.); GAC APIs; Certificate Management Module, Policy Management Module, Data Encoding Module, Protocol Handling Module; Distributed Cryptography: ASM, TS-RSA, TS-DSA; General Crypto. Functions: SHA-1, AES, RSA, DSA, etc.; Crypto Primitives: OpenSSL; Linux

37 Dynamic Threshold Update

38 GAC APIs
Plain RSA APIs
    GAC_PACKET *PS_Join_Reqest();
    GAC_PACKET *PS_Join_Commit();
    GAC_PACKET *PS_GMC_Request(); /* optional */
    GAC_PACKET *PS_GMC_Reply(); /* optional */
TS-DSA APIs
    GAC_PACKET *TSD_Join_Request();
    GAC_PACKET *TSD_Join_Commit();
    GAC_PACKET *TSD_Chal_Req();
    GAC_PACKET *TSD_Chal_Rly();
    GAC_PACKET *TSD_Rnd_Req();
    GAC_PACKET *TSD_Rnd_Rly();
    GAC_PACKET *TSD_Sign_Request();
    GAC_PACKET *TSD_Part_Sign();
    GAC_PACKET *TSD_GMC_Request(); /* optional */
    GAC_PACKET *TSD_GMC_Reply(); /* optional */
TS-RSA APIs
    GAC_PACKET *TSS_Join_Request();
    GAC_PACKET *TSS_Join_Commit();
    GAC_PACKET *TSS_Sign_Request();
    GAC_PACKET *TSS_Part_Sign();
    GAC_PACKET *TSS_GMC_Request(); /* optional */
    GAC_PACKET *TSS_GMC_Reply(); /* optional */
ASM APIs
    GAC_PACKET *ASM_Join_Request();
    GAC_PACKET *ASM_Join_Commit();
    GAC_PACKET *ASM_Sign_Request();
    GAC_PACKET *ASM_Part_Sign();
    GAC_PACKET *ASM_GMC_Request(); /* optional */
    GAC_PACKET *ASM_GMC_Reply(); /* optional */

39 Integration with Gnutella [Figure: messages between New Member and Current Members, labels as listed] Ping, Pong, SPing, SPong, Query, QueryHit, Push (Download by http); Gnutella Protocol; Join, Commit, SigReq, SigRly; Admission Protocol; Secure Gnutella

40 Integration with Secure Spread
Spread: A wide area reliable group communication system
Secure Spread: Integrates security services with Spread. Supports only static access control; daemon level ACLs; flush mechanism. No notion of secure, dynamic, distributed admission.
Modified Spread APIs
    SP_GAC_Join(); /* new */
    SP_receive(); /* modified */
[Figure: Application; Secure Spread; GKA_API; Encryption; Access control; Crypto Library; Engine; Bouncer]

41 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

42 Performance Evaluation Gnutella Experiment: Integrated decentralized protocol with Gnut Tested on a high-speed LAN Secure Spread Experiment: Integrated centralized protocol with Secure SPREAD Spread daemons on 10 machines at Johns Hopkins Univ. A client at UCI Measurements Fixed threshold Dynamic threshold Source code available at

43 Computation Cost Signature generation Signature verification

44 Signature Size
Signature length:
    RSA:    t * ( |K| + |id| )
    ASM:    |q| + |E| + t * |id|
    TS-RSA: |K|
    TS-DSA: 2 * |q|
t: threshold; K: private key; id: signer’s id; q: modulus q; E: challenge (hash size)

45 Fixed Threshold Experiments Secure Spread Gnutella

46 Dynamic Threshold Experiments Secure Spread Gnutella

47 Conclusions Designed several P2P admission control mechanisms Assessed practicality of distributed cryptography for dynamic peer groups. Threshold signatures are currently NOT PRACTICAL in MANETs and sensor networks Reasonable for Internet-based P2P systems that operate in (at least partially) synchronous mode Difficult to identify one scheme best-suited for all peer group admission scenarios. If admission is difficult, distributed membership revocation is even harder!

48 Future Work TS-RSA: Efficient RSA distributed modulus generation; VSS in dynamic setting. TS-DSA: Better communication efficiency? Aggregated Signatures? Other, more “systems” approaches? Revocation?