Key Agreement for Heterogeneous Mobile Ad-hoc Groups (µSTR-H) Mark Manulis Horst-Görtz Institute, Bochum (Germany)

2 Mark Manulis, Horst-Görtz Institute, Bochum, Germany Heterogeneous Mobile Ad-Hoc Group

3 Outline Elliptic Curve Cryptography Performance of Mobile Devices Device Architecture µSTR-H Protocol Suite  Setting  Requirements  Protocols: Setup, Join, Leave, Merge, Partition Performance Analysis Current and Future Work Mark Manulis, Horst-Görtz Institute, Bochum, Germany

4 Elliptic Curve Cryptography (ECC) Elliptic curve E over a finite field F q  q  Primes : y 2 = x 3 + ax +b, x,y,a,b  F p and 4a b 2  0  q = 2 m, m  N : y 2 + xy = x 3 + ax 2 + b, x,y,a,b  F 2 m and b  0 Group of elliptic points E( F q ) is commutative. Let P,Q  E( F q )  Negation: –P  Addition: P + Q = R(x R, y R )  E( F q )  Doubling: 2P = R(x R, y R )  E( F q ) Let G  E( F q ) of prime order t with t | q-1  Generated additive subgroup = {O, G, 2G, …, (t-1)G}  Scalar-Point Multiplication: r  {1,…,t-1}, rG = R  G Note: R = G + … + G It is hard to compute r given R and G (EC-Discrete Logarithm Problem) r times Mark Manulis, Horst-Görtz Institute, Bochum, Germany

5 Performance of Mobile Devices Benchmark function F  Input: device’ hardware parameters CPU clocks memory size storage capacity battery power consumption …  Process: application-specific operations cryptographic and network operations  Output: performance ratio µ Mark Manulis, Horst-Görtz Institute, Bochum, Germany run F(input) get µ

6 Performance Ratio Order Mobile Ad-Hoc Group: M 1, …, M n Performance ratio order:  P = (M 1, …, M n ),  M i, M i+1 : µ i  µ i+1  e.g.: Assumption:  µ i can be figured out from P M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 M7M7 M8M8 M9M9 Mark Manulis, Horst-Görtz Institute, Bochum, Germany

7 Homogeneous & Heterogeneous Mobile Ad-Hoc Groups Homogeneous Mobile Ad-Hoc Group:   µ i, µ j  P : |µ i - µ j |   Heterogeneous Mobile Ad-Hoc Group:   µ i, µ j  P : |µ i - µ j | >   : limit of homogeneity Mark Manulis, Horst-Görtz Institute, Bochum, Germany

8 CGKA Protocol Requirements Usual security requirements against passive adversary Cost fairness (performance requirement)  Homogeneous Groups: uniform distribution of protocol costs between devices  Heterogeneous Groups: distribution of protocol costs between devices with respect to P Performance Honesty (security requirement)  Adversary cannot cheat on its device performance Remark: Adversary is active  Concerns only heterogeneous groups Mark Manulis, Horst-Görtz Institute, Bochum, Germany

9 Abstract Device Architecture based on TCG Mark Manulis, Horst-Görtz Institute, Bochum, Germany Trusted Computing Base Components  Trusted Platform Module (TPM) Tamper-resistant Limited computational capabilities Platform Configuration Registers (PCRs) Attestation Identity Key Pair (PK AIK, SK AIK )  Trusted Software Component (TSC) Its measurement S is included in PCRs Better computational capabilities Non-Trusted Components  Application isolated from other processes Hardware Plattform PCR 1 PCR 2 PCR l... TPM TSC Common OS S Application

10 µSTR-H: Pre-Requisites Communication Channel  public broadcast / multicast  reliable Authentication  Every device has Cert TPMi = (ID TPMi, PK AIK, Sig CA (ID TPMi, PK AIK ))  Assumption: All protocol messages are authentic Explicit indication of authentication procedure is omitted Mark Manulis, Horst-Görtz Institute, Bochum, GermanyHGI-Seminar 2005

11 µSTR-H: Parameters and Notations E(F q ), q is prime or 2 m, m  N = {O, G, 2G, …, (t-1)G}, t is prime, t | q-1 public keys R1R1 K2K2 K3K3 K4K4 secret keys r1r1 k2k2 k3k3 k4k4 k5k5 k i = (k i, …, k n ) blinded session randoms R1R1 R2R2 R3R3 R4R4 R5R5 R i = (R i, …, R n ) secret session randoms r1r1 r2r2 r3r3 r4r4 r5r5 M1M1 M2M2 M3M3 M4M4 M5M5 P User M i computes:  r i  R {1, …, t-1}  R i = r i G  k i = map(r i K i-1 ); for all 2<i<j≤n: k j = map(k j-1 R j ) exception: k 2 = map(r 1 R 2 ) = map(r 2 R 1 )  K i = k i G Example M 3 :  r 3  R {1, …, t-1}  k 3 = map(r 3 K 2 )  k 4 = map(k 3 R 4 )  k 5 = map(k 4 R 5 ) group keyauxiliary keys Mark Manulis, Horst-Görtz Institute, Bochum, Germany (performance ratio order) HGI-Seminar 2005

12 Achieving Performance Honesty Mark Manulis, Horst-Görtz Institute, Bochum, GermanyHGI-Seminar 2005 Tasks of TPM i  Choose r i and compute R i  Seal r i under µ i and S i  Generate σ i = Sign SK_AIK_i (R i, µ i )  Compute r i K i-1 given K i-1 Tasks of TSC i  Compute all secret keys k i, …,k n  Compute all public keys K i, …, K n-1 Tasks of untrusted µSTR-H  Send and receive protocol messages  Verify received σ j  Compute P  Store R i riri Hardware Plattform PCR TPM i TSC i Common OS SiSi µSTR-H k i, …,k n riri performance ratio µ i

13 Message Exchange between Components Mark Manulis, Horst-Görtz Institute, Bochum, Germany TPM i TSC i µSTR-H (non trusted) K i-1 r i K i-1 µ i, R i, σ i, Cert TPMi R i+1,…,R n K i,…,K n-1 µ i, R i, σ i, Cert TPMi Hardware Plattform PCR TPM i TSC i Common OS SiSi µSTR-H k i, …,k n riri performance ratio µ i

14 µSTR-H: Setup TPM i selects r i, computes R i and σ i. M i broadcasts (µ i, R i, σ i, Cert TPMi ). M i verifies all σ j, computes P, stores R i+1,…, R n. TPM 1 computes r 1 R 2. TSC 1 computes k 1 = (k 2,…, k n ) and (K 2,…, K n-1 ). M 1 broadcasts (K 2,…, K n-1 ). M i stores K i-1. TPM i computes r i K i-1. TSC i computes k i = (k i,…, k n ). M1M1 M2M2 M3M3 M4M4 M5M5 M6M6 M7M7 M8M µiµi P k1k1 K2K2 K3K3 K4K4 K5K5 K6K6 K7K7 k2k2 k3k3 k4k4 k5k5 k6k6 k7k7 k8k Mark Manulis, Horst-Görtz Institute, Bochum, Germany

15 M1M1 M2M2 M3M3 M4M4 M5M5 µSTR-H: Join µjµj µ 3 >µ j >µ 4 M4M4 M1M1 M2M2 M3M3 M5M5 M6M6 R´ 3, K´ 3 K´ 4 K´ 5 P MjMj sponsor k´ 3 k´ 1 k´ 2 k´ 4 k´ 5 k´ 6 Mark Manulis, Horst-Görtz Institute, Bochum, Germany

16 M4M4 M1M1 M2M2 M3M3 M5M5 M6M6 M3M3 M1M1 M2M2 M4M4 M5M5 µSTR-H: Leave P sponsor R´ 2, K´ 2 K´ 3 K´ 4 k´ 2 k´ 1 k´ 3 k´ 4 k´ 5 Mark Manulis, Horst-Görtz Institute, Bochum, Germany

17 µSTR-H: Merge P1P1 R11R11 M11M11 M12M12 M13M13 M14M14 M21M21 M22M22 M23M23 M24M24 P2P2 µ1iµ1i µ2iµ2i R21R21 M3M3 M5M5 M6M6 M7M7 M1M1 M2M2 M4M4 M8M8 P µiµi sponsor R´ 2, K´ 2 K´ 3 K´ 4 K´ 5 K´ 6 K´ 7 k´ 2 k´ 1 k´ 3 k´ 4 k´ 5 k´ 6 k´ 7 k´ 8 Mark Manulis, Horst-Görtz Institute, Bochum, Germany

18 M3M3 M5M5 M6M6 M7M7 M1M1 M2M2 M4M4 M8M8 P µiµi M2M2 M3M3 M4M4 M1M1 M5M5 P µiµi µSTR-H: Partition sponsor R´ 1 K´ 2 K´ 3 K´ 4 k´ 1 k´ 2 k´ 3 k´ 4 k´ 5 Mark Manulis, Horst-Görtz Institute, Bochum, Germany

19 Performance Analysis CommunicationComputationMemory RoundsMessagesSizeSP-MultiplicationsSize S 2n+12n-2 2n-1 i=1: 2n-1 i>1: n-i+2 i=1: 2n 3n-2 i>1: 2n-2i+4 3n-i J 122n-2s+3 2n i<s: n-s+2 2 i=s: 2n-2s+4 4 i>s: n-i+2 1 L 11n-s 2n-4 i<s: n-s i=s: 2n-2s i>s: n-i M 232n‘+2n‘‘-s+1 4n‘+4n‘‘-6 i<s: n‘+n‘‘-s+1 n‘‘+1 i=s: 2n‘+2n‘‘-2s+2 i>s: n‘+n‘‘-i+1 P 11n-v-s+1 2n-2v-2 i<s: n-v-s+1 i=s: 2n-2v-2s+2 i>s: n-v-i+1 S – setup, J – join, L – leave, M – merge, P – partition, original STR costs n – initial group size, i (s) – index of member (sponsor), v – size of partition Mark Manulis, Horst-Görtz Institute, Bochum, GermanyHGI-Seminar 2005

20 Future Work  Consider various protocols in MANETs where applied techniques (non- uniform distribution of protocol costs, enforcement of a property compliance) are useful, e.g. multicast routing, threshold crypto, … Mark Manulis, Horst-Görtz Institute, Bochum, Germany Thank You !!!