Multicast Security: A Taxonomy and Some Efficient Constructions By Cannetti et al, appeared in INFOCOMM 99. Presenter: Ankur Gupta.

Slides:



Advertisements
Similar presentations
A Survey of Key Management for Secure Group Communications Celia Li.
Advertisements

Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.
Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.
Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Group Key Distribution Chih-Hao Huang
Multicast Security CS239 Advanced Network Security April 16 th, 2003 Yuken Goto.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
1 Lecture 18: Security issues specific to security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.
Security Considerations for Wireless Sensor Networks Prabal Dutta (614) Security Considerations for Wireless Sensor Networks.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Guomin Yang et al. IEEE Transactions on Wireless Communication Vol. 6 No. 9 September
CS548 Advanced Information Security Presented by Gowun Jeong Mar. 9, 2010.
An IPSec-based Host Architecture for Secure Internet Multicast R. Canetti, P-C. Cheng, F.Giraud, D. Pendarakis, J.R. Rao, P. Rohatgi, IBM Research D. Saha.
Information Security Fundamentals Major Information Security Problems and Solutions Department of Computer Science Southern Illinois University Edwardsville.
Cryptography, Authentication and Digital Signatures
CSCD 218 : DATA COMMUNICATIONS AND NETWORKING 1
EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.
Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.
Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.
Improving MBMS Security in 3G Wenyuan Xu Rutgers University.
Network Security7-1 CIS3360: Chapter 8: Cryptography Application of Public Cryptography Cliff Zou Spring 2012 TexPoint fonts used in EMF. Read the TexPoint.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
A secure re-keying scheme Introduction Background Re-keying scheme User revocation User join Conclusion.
Csci5233 computer security & integrity 1 Cryptography: an overview.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Digital Signatures, Message Digest and Authentication Week-9.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Computer Science CSC 774 Adv. Net. Security1 Presenter: Tong Zhou 11/21/2015 Practical Broadcast Authentication in Sensor Networks.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Multi-user Broadcast Authentication in Wireless Sensor Networks Kui Ren, Wenjing Lou, Yanchao Zhang SECON2007 Manar Mahmoud Abou elwafa.
COEN 351 E-Commerce Security
Group Key Distribution Xiuzhen Cheng The George Washington University.
Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.
Security for Broadcast Network
Jonathan Katz University of Maryland Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/08/08 CRYP-108 Aggregate Message- Authentication.
ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.
Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes Haowen Chan, Adrian Perrig Carnegie Mellon University 1.
Network Topologies for Scalable Multi-User Virtual Environments Lingrui Liang.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Data Integrity: Applications of Cryptographic Hash Functions
Efficient State Update for Key Management
Cryptography Lecture 9.
Combinatorial Optimization of Multicast Key Management
Operating Systems Concepts
Cryptography Lecture 23.
Presentation transcript:

Multicast Security: A Taxonomy and Some Efficient Constructions By Cannetti et al, appeared in INFOCOMM 99. Presenter: Ankur Gupta

Muliticast Communication Examples: Internet video transmissions, news feed, stock quotes, live broadcast, on-line video games, etc. Challenges: 1.Security: Authentication, secrecy, anonymity, etc. 2.Efficiency: the overhead associated in providing security must be minimized: communication cost, authentication/verification time.

Multicast Issues Member characteristics: similar computing power or some more powerful than others? Membership static or dynamic? Key revocation is an issue for dynamic scenes. Number and type of senders? Single or multiple? Can non-members send data? Volume and type of traffic? Is communication in real-time?

Multicast Security Issues Secrecy 1.Ephemeral: Avoid easy access to non- members. Ok if non-members receive after a delay. 2.Long-term: protecting confidentiality of data for a long duration. Authenticity: 1.Group authenticity: each member can recognize if a message was sent by a group member. 2.Source authenticity: each member can identify the particular sender in the group.

Multicast Security Issues: Contd. Anonymity: keeping identity of group members secret from non-members and/or from other group members. Non-repudiation: ability of receivers of data to prove to 3 rd parties that data was received from a particular entity. Contradicts anonymity. Access control: only registered and legitimate users have access to group communication. Requires authentication of users. Service Availability: keeping service available in presence of clogging attacks.

Performance Issues Latency Work overhead per sending Bandwidth overhead Group management activity should be minimized: 1.Member initialization 2.Member addition/deletion

General Solution Impossible! Impossible to find a general solution that address all the above issues. Identify scenes representative of practical multicast communication. 1.Single source broadcast. 2.Virtual Conference.

Single source bcast: Issues 1.Source: high-end machine, expensive computation ok at server end. 2.Recipients low-end. Efficiency at recipients is a concern. 3.Membership is dynamic and changes rapidly. 4.High volume of sign-in/sign-off possible. 5.Ephemeral secrecy generally suffices. 6.Authenticity of data critical (e.g. stock quotes).

Issues in Single source bcast Ephemeral secrecy: solved by having a group management center that handles access control and key management. How to authenticate messages? How to make sure that a leaving member loses the capability to decrypt?

Virtual Conferencing Online meeting of executives, interactive lectures and classes, multiparty video games. Membership usually static. No. of receivers far less than single source bcast. Authenticity of data and sender is critical. Sender and receiver of similar computation power.

Efficient Authentication Schemes Public key cryptography signatures is very expensive. Instead, we will use message authentication codes (MAC), MAC(k,M)= secure hash MACs are computationally much more efficient than digital signatures.

MAC Attacks Per-Message unforgeability of MAC scheme 1.Complete attack: an attacker can break any message of its choice. 2.Probabilistic attack: an attacker can forge a random message with some fixed but small probability.

Q-per message unforgeable A MAC scheme is q-per message unforgeable if an adversary can guess its MAC value with probability at most q. Assumption: we will assume there are at most w corrupted users.

Authentication scheme for single source Source knows l=e(w+1)log(1/q) keys, R=hK 1,…,K l i. Each recipient u knows a subset of keys R u ½ R. Every key K i is included in R u with probability 1/(w+1), independently for every i and u. Message M is authenticated by S with each key K i using MAC and hMAC(K 1,M),…,MAC(K l,M)i is transmitted. Each recipient u verifies the all MACs which were created with keys in R u. If any of them is incorrect then rejects the message.

Performance Analysis of the scheme Source holds M S = l = e(w+1) log(1/q) keys. Each receiver holds M V = e log(1/q) keys. Communication overhead per message C= e(w+1)log(1/q) MACs. Running time overhead T S = e(w+1)log(1/q) MAC computations for source and T V = e log(1/q) per receiver.

Security of scheme Theorem: Assume probability of computing MAC without knowing key is q’. Then probability that a coalition of w users can falsely authenticate a message to a user is at most q+q’. Proof: Probability that key is good (contained in user u’s subset but not in any of colluders set) is:

Proof: Contd Therefore probability that R u is completely covered by subsets held by colluders is (1- g) l < q. If R u is not covered completely, then there is a key K i not known to any colluder. Therefore, its corresponding MAC can be guessed with probability at most q’. By union bound, we get guessing probability as q+q’. QED.

Multiple Dynamic Sources Assumption: Pseudo-random one-way hash functions {f k } Distinguishes between set of senders and receivers. Only a coalition of w or more receivers can falsely authenticate a message to a receiver. l primary keys hK 1,…, K l i where l is as in single source scheme. Receiver initialization: each receiver v obtains a subset R v of primary keys where each key K i is included with probability 1/(w+1) in R v Sender Initialization: every u receives a secondary set of keys hf k1 (u), …, f kl (u)i. Can be sent whenever a sender joins. Message authentication: each receiver verifies all MACs whose key its has.

Dynamic Secrecy: User Revocation How to manage keys when a user leaves a group? We want that the old user is not able to decrypt the current communication in the group. Application: pay-TV applications. Solution: A tree based scheme will be presented now.

Tree based scheme Assume we have n=2 m users. Scheme will require 2m-1 key encryptions to delete a member. Let u 0, u 1,…, u n-1 be n users. They all share a group key k with which messages are encrypted. When a user leaves, a new key k’ must be distributed. Users are associated with the leaves of a tree of depth m. Every node v is associated with a key k v and each user has all keys from its leaf node to the root node.

Graphic View of Initial Keys

Deleting a member Group controller associates a new key k’ v for every node v along the path from node u to root. k’ p(u) is encrypted with k s(u) where p(u) is parent and s(u) sibling of u. All other keys k’ p(v) is encrypted with k’ v and k s(v). All encryptions are sent to users. Every user is able to get every key it is intended to receive and nothing else.

Graphical View for Deletion

Improved Scheme Reducing communication overhead from 2m to m. Assume a PRG that doubles its input G(x)=L(x)R(x) where |x|=|L(x)|=|R(x)| Associate a value r v =R d(u)-d(v)-1 (r) where R 0 = r (a random value) and d(v)=depth of node v. Key k’ v =L(r v )=L(R d(u)-d(v)-1 (r)) Each r p(v) is encrypted with k s(v) and sent to all users.

Graphical view of improved scheme

Conclusions Secrecy in multicast communication comes in many flavors: group vs source authentication, long-term vs ephemeral secrecy, anonymity vs non-repudiation etc. Benchmarks: a) single source and large no. of recipients b) virtual conferencing: modest no. of senders and receivers. Authentication based on MAC codes. Key revocation using tree based approach.

Thank You!