Key Agreement for Heterogeneous Mobile Ad-hoc Groups (µSTR-H) Mark Manulis Horst-Görtz Institute, Bochum (Germany)


2 Heterogeneous Mobile Ad-Hoc Group

3 Outline
- Elliptic Curve Cryptography
- Performance of Mobile Devices
- Device Architecture
- µSTR-H Protocol Suite
  - Setting
  - Requirements
  - Protocols: Setup, Join, Leave, Merge, Partition
- Performance Analysis
- Current and Future Work

4 Elliptic Curve Cryptography (ECC)
Elliptic curve E over a finite field F_q:
- q prime: y^2 = x^3 + ax + b, with x, y, a, b ∈ F_p and 4a^3 + 27b^2 ≠ 0
- q = 2^m, m ∈ N: y^2 + xy = x^3 + ax^2 + b, with x, y, a, b ∈ F_{2^m} and b ≠ 0
The group of elliptic points E(F_q) is commutative. Let P, Q ∈ E(F_q):
- Negation: −P
- Addition: P + Q = R(x_R, y_R) ∈ E(F_q)
- Doubling: 2P = R(x_R, y_R) ∈ E(F_q)
Let G ∈ E(F_q) have prime order t with t | q−1:
- Generated additive subgroup ⟨G⟩ = {O, G, 2G, ..., (t−1)G}
- Scalar-point multiplication: for r ∈ {1, ..., t−1}, rG = R ∈ ⟨G⟩, where R = G + ... + G (r times)
Note: it is hard to compute r given R and G (EC Discrete Logarithm Problem).

5 Performance of Mobile Devices
Benchmark function F: run F(input), get µ
- Input: the device's hardware parameters (CPU clock, memory size, storage capacity, battery power consumption, ...)
- Process: application-specific operations, cryptographic and network operations
- Output: performance ratio µ

6 Performance Ratio Order
Mobile ad-hoc group: M_1, ..., M_n
Performance ratio order: P = (M_1, ..., M_n) such that for all M_i, M_{i+1}: µ_i ≥ µ_{i+1} (e.g. M_1, M_2, ..., M_9 ordered by decreasing µ)
Assumption: µ_i can be figured out from P

7 Homogeneous & Heterogeneous Mobile Ad-Hoc Groups
Homogeneous mobile ad-hoc group: ∀ µ_i, µ_j ∈ P: |µ_i − µ_j| ≤ limit of homogeneity
Heterogeneous mobile ad-hoc group: ∃ µ_i, µ_j ∈ P: |µ_i − µ_j| > limit of homogeneity

8 CGKA Protocol Requirements
- Usual security requirements against a passive adversary
- Cost fairness (performance requirement)
  - Homogeneous groups: uniform distribution of protocol costs between devices
  - Heterogeneous groups: distribution of protocol costs between devices with respect to P
- Performance honesty (security requirement)
  - The adversary cannot cheat on its device performance
  - Remark: the adversary is active
  - Concerns only heterogeneous groups

9 Abstract Device Architecture based on TCG
Trusted Computing Base components:
- Trusted Platform Module (TPM): tamper-resistant; limited computational capabilities; Platform Configuration Registers (PCRs); Attestation Identity Key pair (PK_AIK, SK_AIK)
- Trusted Software Component (TSC): its measurement S is included in the PCRs; better computational capabilities
Non-trusted components:
- Application, isolated from other processes
Figure: hardware platform with TPM (PCR_1, PCR_2, ..., PCR_l), TSC (measurement S), common OS and application.

10 µSTR-H: Pre-Requisites (HGI-Seminar 2005)
Communication channel:
- public broadcast / multicast
- reliable
Authentication:
- Every device has Cert_TPMi = (ID_TPMi, PK_AIK, Sig_CA(ID_TPMi, PK_AIK))
- Assumption: all protocol messages are authentic; explicit indication of the authentication procedure is omitted

11 µSTR-H: Parameters and Notations
E(F_q), q prime or 2^m, m ∈ N; ⟨G⟩ = {O, G, 2G, ..., (t−1)G}, t prime, t | q−1
Members M_1, ..., M_5 in performance ratio order P, each with:
- secret session random r_i (r_1, ..., r_5)
- blinded session random R_i = r_i G (R_1, ..., R_5); R_i = (R_i, ..., R_n) denotes the vector held by M_i
- secret keys k_i (k_2, ..., k_5); k_i = (k_i, ..., k_n) denotes the vector held by M_i
- public keys (R_1, K_2, K_3, K_4)
User M_i computes:
- r_i ∈_R {1, ..., t−1}
- R_i = r_i G
- k_i = map(r_i K_{i−1}); for all 2 < i < j ≤ n: k_j = map(k_{j−1} R_j); exception: k_2 = map(r_1 R_2) = map(r_2 R_1)
- K_i = k_i G
Example M_3:
- r_3 ∈_R {1, ..., t−1}
- k_3 = map(r_3 K_2)
- k_4 = map(k_3 R_4)
- k_5 = map(k_4 R_5)
k_5 is the group key; k_2, ..., k_4 are auxiliary keys.

12 Achieving Performance Honesty
Tasks of TPM_i:
- Choose r_i and compute R_i
- Seal r_i under µ_i and S_i
- Generate σ_i = Sign_{SK_AIK_i}(R_i, µ_i)
- Compute r_i K_{i−1} given K_{i−1}
Tasks of TSC_i:
- Compute all secret keys k_i, ..., k_n
- Compute all public keys K_i, ..., K_{n−1}
Tasks of the untrusted µSTR-H application:
- Send and receive protocol messages
- Verify received σ_j
- Compute P
- Store R_i
Figure: hardware platform with TPM_i (PCR, r_i, performance ratio µ_i), TSC_i (S_i, k_i, ..., k_n), common OS and the µSTR-H application.

13 Message Exchange between Components
Figure: messages between TPM_i, TSC_i and the (non-trusted) µSTR-H application:
- TPM_i → µSTR-H: µ_i, R_i, σ_i, Cert_TPMi (the application broadcasts µ_i, R_i, σ_i, Cert_TPMi)
- µSTR-H → TPM_i: K_{i−1}; TPM_i → TSC_i: r_i K_{i−1}
- µSTR-H → TSC_i: R_{i+1}, ..., R_n; TSC_i → µSTR-H: K_i, ..., K_{n−1}

14 µSTR-H: Setup
- TPM_i selects r_i, computes R_i and σ_i.
- M_i broadcasts (µ_i, R_i, σ_i, Cert_TPMi).
- M_i verifies all σ_j, computes P, stores R_{i+1}, ..., R_n.
- TPM_1 computes r_1 R_2.
- TSC_1 computes k_1 = (k_2, ..., k_n) and (K_2, ..., K_{n−1}).
- M_1 broadcasts (K_2, ..., K_{n−1}).
- M_i stores K_{i−1}.
- TPM_i computes r_i K_{i−1}.
- TSC_i computes k_i = (k_i, ..., k_n).
Figure: M_1, ..., M_8 in order P with ratios µ_i; M_1 holds k_1 = (k_2, ..., k_8) and broadcasts K_2, ..., K_7; each M_i derives k_i, ..., k_8.

15 µSTR-H: Join
Figure: a device M_j with µ_3 > µ_j > µ_4 joins the group (M_1, ..., M_5) and becomes M_4 in the new order P = (M_1, ..., M_6); the sponsor distributes the renewed values R'_3, K'_3 and K'_4, K'_5, and the members derive the new keys k'_1, ..., k'_6.

16 µSTR-H: Leave
Figure: a member leaves the group (M_1, ..., M_6), giving the new order P = (M_1, ..., M_5); the sponsor distributes the renewed values R'_2, K'_2 and K'_3, K'_4, and the members derive the new keys k'_1, ..., k'_5.

17 µSTR-H: Merge
Figure: two groups P_1 = (M_11, ..., M_14) and P_2 = (M_21, ..., M_24), with ratios µ_1i and µ_2i and blinded randoms R_11 and R_21, merge into one group P = (M_1, ..., M_8) ordered by µ_i; the sponsor distributes the renewed values R'_2, K'_2 and K'_3, ..., K'_7, and the members derive the new keys k'_1, ..., k'_8.

18 µSTR-H: Partition
Figure: the group P = (M_1, ..., M_8) with ratios µ_i is partitioned; the remaining group is P = (M_1, ..., M_5); the sponsor distributes the renewed value R'_1 and K'_2, K'_3, K'_4, and the members derive the new keys k'_1, ..., k'_5.

19 Performance Analysis

Costs of µSTR-H; values marked "STR:" are the costs of the original STR protocol.

Protocol | Rounds | Messages | Size (communication)            | SP-multiplications (computation)                                         | Size (memory)
S        | 2      | n+1      | 2n−2 (STR: 2n−1)                | i=1: 2n−1 (STR: 2n); i>1: n−i+2 (STR: 2n−2i+4)                           | i=1: 3n−2; i>1: 3n−i
J        | 1      | 2        | 2n−2s+3 (STR: 2n)               | i<s: n−s+2 (STR: 2); i=s: 2n−2s+4 (STR: 4); i>s: n−i+2 (STR: 1)          |
L        | 1      | 1        | n−s (STR: 2n−4)                 | i<s: n−s; i=s: 2n−2s; i>s: n−i                                           |
M        | 2      | 3        | 2n'+2n''−s+1 (STR: 4n'+4n''−6)  | i<s: n'+n''−s+1 (STR: n''+1); i=s: 2n'+2n''−2s+2; i>s: n'+n''−i+1        |
P        | 1      | 1        | n−v−s+1 (STR: 2n−2v−2)          | i<s: n−v−s+1; i=s: 2n−2v−2s+2; i>s: n−v−i+1                              |

S – setup, J – join, L – leave, M – merge, P – partition; n – initial group size, i (s) – index of member (sponsor), v – size of partition.

20 Future Work
- Consider various protocols in MANETs where the applied techniques (non-uniform distribution of protocol costs, enforcement of a property compliance) are useful, e.g. multicast routing, threshold crypto, ...
Thank You !!!