Group Key Distribution Xiuzhen Cheng The George Washington University.

Slides:



Advertisements
Similar presentations
Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
Advertisements

A Survey of Key Management for Secure Group Communications Celia Li.
A hierarchical key management scheme for secure group communications in mobile ad hoc networks Authors: Nen-Chung Wang and Shian-Zhang Fang Sources: The.
1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5.3 Group Key Distribution Acknowledgment: Slides on.
Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.
Broadcast Encryption – an overview Niv Gilboa – BGU 1.
Presentation By: Garrett Lund Paper By: Sandro Rafaeli and David Hutchison.
Ranveer Chandra , Kenneth P. Birman Department of Computer Science
KAIS T Scalable Key Management for Secure Multicast Communication in the Mobile Environment Jiannong Cao, Lin Liao, Guojun Wang Pervasive and Mobile Computing.
KAIS T Distributed Collaborative Key Agreement and Authentication Protocols for Dynamic Peer Groups IEEE/ACM Trans. on Netw., Vol. 14, No. 2, April 2006.
Secure and Efficient Key Management in Mobile Ad Hoc Networks Bing Wu, Jie Wu, Eduardo B. Fernandez, Mohammad Ilyas, Spyros Magliveras Department of Computer.
B-Trees. Motivation for B-Trees Index structures for large datasets cannot be stored in main memory Storing it on disk requires different approach to.
Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.
Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.
© nCode 2000 Title of Presentation goes here - go to Master Slide to edit - Slide 1 Reliable Communication for Highly Mobile Agents ECE 7995: Term Paper.
CMPE 150- Introduction to Computer Networks 1 CMPE 150 Fall 2005 Lecture 22 Introduction to Computer Networks.
Secure Group Communications Using Key Graphs Chung Kei Wong, Member, IEEE, Mohamed Gouda Simon S. Lam, Fellow, IEEE Evgenia Gorelik Yuksel Ucar.
Distributed Collaborative Key Agreement Protocols for Dynamic Peer Groups Patrick P. C. Lee, John C. S. Lui and David K. Y. Yau IEEE ICNP 2002.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.
Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science.
Internet Networking Spring 2002 Tutorial 13 Web Caching Protocols ICP, CARP.
Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.
Group Key Distribution Chih-Hao Huang
P2P Course, Structured systems 1 Introduction (26/10/05)
Multicast Security CS239 Advanced Network Security April 16 th, 2003 Yuken Goto.
Computer Science 1 CSC 774 Advanced Network Security Secure Group Communications Using Key Graphs Presented by: Siddharth Bhai 9 th Nov 2005.
Key Distribution and Update for Secure Inter- group Multicast Communication Ki-Woong Park Computer Engineering Research Laboratory Korea Advanced Institute.
Simple and Fault-Tolerant Key Agreement for Dynamic Collaborative Groups David Insel John Stephens Shawn Smith Shaun Jamieson.
Overlay Network Physical LayerR : router Overlay Layer N R R R R R N.
Secure Group Communication: Key Management by Robert Chirwa.
Project guide Dr. G. Sudha Sadhasivam Asst Professor, Dept of CSE Presented by C. Geetha Jini (07MW03)
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Collusion-Resistant Group Key Management Using Attribute-
Group Rekeying for Filtering False Data in Sensor Networks: A Predistribution and Local Collaboration-Based Approach Wensheng Zhang and Guohong Cao.
Improving MBMS Security in 3G Wenyuan Xu Rutgers University.
Yu-Li Lin and Chien-Lung Hsu Department of Information Management, Chang-Gung University Information Science(SCI) Reporter: Tzer-Long Chen.
A secure re-keying scheme Introduction Background Re-keying scheme User revocation User join Conclusion.
B-Trees. Motivation for B-Trees So far we have assumed that we can store an entire data structure in main memory What if we have so much data that it.
Multicast Security: A Taxonomy and Some Efficient Constructions By Cannetti et al, appeared in INFOCOMM 99. Presenter: Ankur Gupta.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Computer Science CSC 774 Adv. Net. Security1 Presenter: Tong Zhou 11/21/2015 Practical Broadcast Authentication in Sensor Networks.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE 419/478 Applied Cryptography ADVANCED KEY ESTABLISHMENT AND GROUP KEY MANAGEMENT.
Group-based Source Authentication in VANETs You Lu, Biao Zhou, Fei Jia, Mario Gerla UCLA {youlu, zhb, feijia,
Self-Healing Group-Wise Key Distribution Schemes with Time-Limited Node Revocation for Wireless Sensor Networks Minghui Shi, Xuemin Shen, Yixin Jiang,
1. Outline  Introduction  Different Mechanisms Broadcasting Multicasting Forward Pointers Home-based approach Distributed Hash Tables Hierarchical approaches.
Weichao Wang, Bharat Bhargava Youngjoo, Shin
4: Network Layer4-1 Chapter 4: Network Layer Last time: r Internet routing protocols m RIP m OSPF m IGRP m BGP r Router architectures r IPv6 Today: r IPv6.
Efficient Group Key Management in Wireless LANs Celia Li and Uyen Trang Nguyen Computer Science and Engineering York University.
UNIT 2 LESSON 8 CS PRINCIPLES. UNIT 2 LESSON 8 OBJECTIVES Students will be able to: Describe how routers develop routing tables to determine how to send.
Security Kim Soo Jin. 2 Contents Background Introduction Secure multicast using clustering Spatial Clustering Simulation Experiment Conclusions.
1 Security for Broadcast Network Most slides are from the lecture notes of prof. Adrian Perrig.
Project Orda Secure Key Distribution Over Ad Hoc Networks Security in Ad Hoc Networks – Team A Lane Westlund, Roderic Campbell, Mark Allen, Dima Novikov,
Design and Implementation of Secure Layer over UPnP Networks Speaker: Chai-Wei Hsu Advisor: Dr. Chin-Laung Lei.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5.3 Group Key Distribution Acknowledgment: Slides on.
17 th -21 st July nd APAN Meeting in Singapore ’06 Forwarding State Reduction for One-to-Many Group Communications Sahar A. Al-Talib (PhD. Candidate)
Computer Science Least Privilege and Privilege Deprivation: Towards Tolerating Mobile Sink Compromises in Wireless Sensor Network Presented by Jennifer.
Source: Computers & Security, Vol. 24, No. 5, pp , August 2005
Source: Computers & Security, vol.23, pp , 2004 Author: Heba K. Aslan
NSF Faculty Career Award
Qiong Zhang, Yuke Wang Jason P, Jue 2008
Announcements All Labs and Their Demo All HWs and Their Grading
Group Key Management Scheme for Simultaneous Multiple Groups with Overlapped Membership Andrew Moore 9/27/2011.
Efficient State Update for Key Management
به نام آنکه هستی نام از او یافت
Design and Implementation of SUPnP Networks
Design and Implementation of a Secure UPnP Environment
Scalable Group Key Management with Partially Trusted Controllers
Combinatorial Optimization of Multicast Key Management
Presentation transcript:

Group Key Distribution Xiuzhen Cheng The George Washington University

Paper List C.K.Wong et al: Secure Group Communications Using Key Graphs M.Waldvogel et al: the VersaKey Framework D.McGrew and A.T.Sherman: Key Establishment in Large Dynamic Groups Using One-way Function Trees

Introduction Secure group communication Pay-per-view video streaming Video On Demand (VOD) Secure teleconferencing Online games

Secure Group Communication Authorization Secure Multicasting Forward confidentiality (revocation) Backward confidentiality

Secure Group Multicasting u u2u2 u1u1

Our Assumptions Each node shares one or more Key Encryption Keys (KEK) with GC to encrypt TEK updates All nodes share a Traffic Encryption Key (TEK) to encrypt communication data. There is a Group Controller (GC) When membership changes, TEK needs to be updated

Traffic Encryption Key u A Group of Users E TEK (msg) u sends a message encrypted with TEK

Key Encryption Key u

u KEKs are used to encrypt TEK updates

An Easy Re-keying Scheme : Star-shaped Each user shares a secret KEK with GC When a user joins or leaves, GC sends each node a re-keying message encrypted with its own KEK

Star-shaped Re-keying Scheme : Join GC u u wants to join the group

Star-shaped: Join (Cont ’ d) GC u GC sends encrypted TEK to other nodes

Star-shaped: Leave GC u U tells GC that he’s leaving

Star-shaped: Leave (Cont ’ d) GC u GC sends encrypted TEK to other nodes

Analysis of Star- shaped Scheme Pros: Easy to implement Provides both forward and backward confidentiality Cons: Doesn't scale well ~ Θ(n) Oooooops!

Logical Key Hierarchy Proposed by C.K.Wong, M.Gouda, and S.S.Lam It provides both forward and backward confidentiality It scales well ~ Θ(logn)

LKH: Key Graphs u-nodes are real users k-nodes represent keys u knows k if there ’ s a path from u to k

LKH: Join u 9 is about to join the group

LKH: Leave u 9 is about to leave the group

User, Key, or Group? User-oriented re-keying is nothing more than grouping re-keying messages by users ~ less but bigger messages Key-oriented re-keying is just grouping them by keys ~ more but smaller messages Group-oriented is putting all re-keying messages together to generate a big, fat message ~ only one gigantic message

User-Oriented Rekeying Encryption Cost Join: … + h-1 + h-1 Leave: (d-1)(1+2+ … +h-1) Rekey Messages Join: h Leave: (d-1)(h-1) k9k9 u9u9 Join rekey messages Leave rekey messages

Key-Oriented Rekeying Encryption Cost Join: 2(h-1) Leave: d(h-1) Rekey Messages Join: 2(h-1) Leave: (d-1)(h-1) k9k9 u9u9 Join rekey messages Leave rekey messages

Group-Oriented Rekeying k9k9 u9u9 Two rekey messages for join: Encryption cost for join: 2(h-1) Leave Operation: Encryption cost: d(h-1) Rekey messages: 1

Analysis of LKH Re-keying messages are sent in a top- down fashion Complexity depends on the tree height, h=Θ(logn)

An Improvement: LKH+ Proposed by M.Waldvogel et al in “ The VersaKey Framework ” They use a one-way function to update TEK when a ‘ join ’ happens

LKH+: Join When u 9 joins, u 1 ~ u 8 feed the KEK into a one-way hash function to do the update

Analysis of LKH+ GC doesn't need to send re-keying messages when a join happens When a join happens, every member can compute the new TEK locally The newly joined member cannot compute the old TEK ~ backward confidentiality

Centralized Flat Key Management Proposed by M.Waldvogel et al as well Another logical tree- based re-keying scheme It greatly reduces GC ’ s storage requirement

Flat Key Table TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1 GC maintains the following table

Flat Key Management TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1 Node 0110 knows highlighted KEKs

CFKM: Join Node #1101 is about to join the group

CFKM: Join GC first sends it the new TEK and highlighted KEKs (be updated first) TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

CFKM: Join GC then encrypts new TEK with the complementary KEKs (the highlighted ones) TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

CFKM: Join GC then broadcasts these message to everybody Since other nodes differ from it in at least 1 position, they can decrypt the re- keying message and get the updated TEK

CFKM: Leave Node 1010 is about to leave TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

CFKM: Leave GC sends everybody a new TEK encrypted with complementary KEKs TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

CFKM: Leave (Cont ’ d) Similarly, since other nodes differ from it in at least 1 position, they can decrypt the re-keying message and get the updated TEK Now, all KEKs known by the leaving node become invalid and need to be updated

CFKM: Leave (Cont ’ d) For each of the invalid KEKs, GC selects a new replacement encrypted with both the old KEK and the new TEK For those who are not supposed to know the replacement KEKs, they cannot decrypt the message as they don ’ t know the old value

CFKM: Leave (Cont ’ d) For each of the invalid KEKs, GC selects a new replacement encrypted with both the old KEK and the new TEK The evicted node cannot decrypt the message either, as it doesn't know the new TEK

CFKM: Pros and Cons Pros: It greatly reduces GC ’ s memory requirement ~ only one table needed It maintains the same logarithmic bound as LKH, LKH+ ~ it ’ s efficient Cons: Removal of multiple nodes

CFKM: Multiple Leaves Node 1001 and 0110 are leaving … TEK ID Bit #0 KEK 0.0KEK 0.1 ID Bit #1 KEK 1.0KEK 1.1 ID Bit #2 KEK 2.0KEK 2.1 ID Bit #3 KEK 3.0KEK 3.1 Bit’s Value=0Bit’s Value=1

One-way Function Trees Proposed by D.A.McGrew and A.T.Sherman Logical tree-based scheme as well Even it ’ s still of logarithmic bound, the coefficient is smaller than LKH

Structure of OFT f k left k right unblinded key gg f(g(k left ),g(k right )) G is one-way

Blinded & Unblinded Keys Unblinded Key: the value that hasn ’ t been passed though g Blinded Key: the value that has already been passed though g If you know the unblinded key, you can compute the blinded key The reverse is not true

OFT Algorithm Each member knows the blinded keys which are siblings to its path to the root Each member knows its unblinded key Each member can then compute the key of the root, which is the TEK (root maintains only one key)

OFT Algorithm (Cont ’ d) Node u knows the blinded keys of all green nodes u

OFT: Join/Leave If a blinded key changes, its new value must be communicated to all members who store it For a join/leave operation, Θ(logn) nodes need to update the blinded keys, where n is the distance to the root

OFT: Join/Leave (Cont ’ d) If u wants to join, all green nodes must update blinded keys u

Analysis of OFT OFT has the same log-bound as LKH LKH ’ s leading coefficient is 2 (binary), since updates must be sent to both children along the path to the root OFT ’ s leading coefficient is 1, since updates has only to be sent to the sibling along the path to the root

Why OFT is better? If u wants to leave, then only the green nodes need to be updated The blue nodes can always compute the blinded key locally u

Conclusion Star-shaped: most na ï ve approach, no scalability LKH: the basic of everything, good performance and functionality LKH+: a slight improvement of LKH CFKM: reducing GC ’ s storage need OFT: best of all algorithms so far

In-Class Exercise Design a protocol that can automatically update the group key as time evolves. Must guarantee backward and forward confidentiality Each group member joins/leaves at some specific instance of time: join at the beginning of a time slot and leave at the end of a time slot Time is discretised into slots with fixed length The time schedule (join/leave) of each node is known ahead of time Assume a GC is available to assist the job Hint: use two one-way hash chains