Presentation is loading. Please wait.

Presentation is loading. Please wait.

Qiong Zhang, Yuke Wang Jason P, Jue 2008

Published by就 凤 Modified over 6 years ago

Similar presentations

Presentation on theme: "Qiong Zhang, Yuke Wang Jason P, Jue 2008"— Presentation transcript:

1 A Key Management Scheme for Hierarchical Access Control in Group Communication
Qiong Zhang, Yuke Wang Jason P, Jue 2008 International Journal of Network Security Vol7 Tae Hoon Kim Referenced ppt by Seung-Tae Hong A-Ra Jo

2 Contents 1. Introduction 2. Background and Related Work
2.1 Formalization of Partially ordered Relations 2.2 Related work 3. The HAC Scheme 4. Rekey Algorithm 5. Performance Analysis 5.1 Storage Overhead 5.2 Rekey Overhead 6. Performance Comparison 7. Conclusion

3 Introduction Emerging Internet application Access control
Teleconferencing, e-newspaper, IPTV Based on group communication In order to widely commercialize(Internet Application), the issue of access control must be addressed. Access control : User having different access rights to multiple data streams Hierarchical access control Include e-newspaper subscription and video multicast services Commercialize :상업화

4 Moderate Video Quality
Introduction Access Relation Sports Financial Stock Top News Weather Gold O Silver Sport Silver Finance Basic Access Relation EL2 EL1 BL Best Video Quality O Moderate Video Quality Basic For Example, consider two types of service E-newspaper subscription service Video multicast service BL : Best Layer EL : Enhancement Layer

5 Introduction What is need to implement access control for group communication? Data encryption keys Often used to encrypt data streams User Access If the user possesses the data encryption keys Must be update data encryption keys When a user dynamically joins or leaves a group Use backward secrecy and forward secrecy[12]

6 Introduction Key management schemes aim
update the data encryption keys in order to ensure backward secrecy and forward secrecy Two categories of key management scheme Centralized A centralized key server controls the entire group Generates keys and distribute keys to legitimate users via rekey messages Distributed No centralized group controller and generate group keys based on the contribution of users in the group

7 Introduction In this paper, focus on a centralized key management scheme It is critical to minimize rekey overhead in order to reduce the cost for communication and computation and computation at the key server and users

8 Formalization of partially ordered relation
Notation U : A set of users {u1, u2, …} R : A set of data streams {r1, r2, …} A : An access relation, where A ⊆ U × R Ui : Membership group i consisting of a subset of users Ri : Resource group i consisting of a subset of data streams Partial order of users(In an access relation A) If the data streams that user ui can access is a subset of data streams that user uj can access, then ui is smaller than uj If users ui and uj can access exactly the same subset of data streams, both users are equivalent

9 Formalization of partially ordered relation
Partial order of users (cont.) If the set of users that can access data stream rj is a subset of users that can access data stream ri, then ri is smaller than rj If the set of users that can access data stream ri is exactly same as the set of users that can access data stream rj , the two data streams are equivalent R:set of data streams U : set of Users Sports Financial Stock Top News Weather Gold O Silver Sport Silver Finance Basic U1 R3 U2 R1 U3 U4 R2

10 Formalization of partially ordered relation
DAG(Directed Acyclic graph)[3] The partially ordered relations of membership groups and resource groups can each be represented by a DAG

11 Formalization of partially ordered relation
Satisfy the following conditions 1)it must maintain the partial orders of the membership group DAG and the resource group DAG 2)a user u ∈ U has access to a resource r ∈ R iff vertex representing U is the same as the vertex representing R or is reachable to the vertex representing R in the unified DAG 3)the unified DAG is the smallest partial order satisfying the above conditions

12 Related work Logical key graph[22]
Important data structure to improve the efficiency of key management Consisting of k-nodes, U-nodes K-nodes : Represents a key U-nodes : Represents a user

13 Related work Keyset(U1) = { k1,k7,k9, k11} Userset(k9) = {u1,u2,u3,u4}
K-node that has no outgoing edges data encryption keys Data encryption key : used to data streams encryption keys key Key encryption key : used to data encryption keys Keyset(U1) One or more outgoing edges but no incoming edges Userset(k9) Keyset(U1) = { k1,k7,k9, k11} Userset(k9) = {u1,u2,u3,u4}

14 Related work Logical key graph be used to
Maintained at key server in order to efficiently distribute keys to dynamically joining or leaving users Many key management schemes[2,7,8,10,16,22,23] Proposed to construct a logical key graph and to update keys in the logical graph efficiently Problem : only provide key management for equivalent users and equivalent data stream

15 Related work Constructing a single logical key graph for hierarchical access control[17,19,24] [19] : User have different level and higher-level users can access more data streams than lower-level users Problem : higher-level user are able to access all data streams [24] : Chinese Reminder Theorem based hierarchical access control scheme Problem : only suitable for users having a tree-based partially ordered hierarchy [17] : Users form a partially ordered relation while the data streams are not partially ordered(MG Scheme)

16 Related work MG Vs. HAC scheme
MG HAC Data stream2 : Financial Data stream3 : Stock HAC(Hierarchical Access control)

17 The HAC Scheme Four steps to construct the logical key graph
Next slide In the key graph Users in Ui form a balanced binary tree mki is root represents the memebership-group Key Ri is Resource group Encrypted by a resource-group key, dki The membership-group-keys are connected with resource-group keys by the relation subgraph Use greedy algorithm To explore the unified DAG For constructing the sub graph

18 R1 R2 R3 Unified DAG Relation subgraph dk3 rk4 k25 dk2 dk1 rk1 rk3 rk2
① For each resource group, encrypt all data streams in the resource group with a single data encryption key, called the resource-group key Unified DAG dk3 rk4 Relation subgraph k25 dk2 dk1 rk1 rk3 rk2 ④ Connect the roots of membership-group subtrees to the corresponding resource-group keys ② For each membership group, construct a balanced logical key tree called the membership-group subtree, where each user is represented by a u-node and the root of the subtree is associated with a key, called the membership-group key ③ Construct a relation subgraph to connect the resources-group keys based on a unified DAG Balanced logical key tree (membership-group subtree)

19 Greedy algorithm of the HAC Scheme
Notation M = set of membership group in Vi K = set of k-nodes; cover disjoint set of membership group C = set of membership group in M; that has been covered by k-nodes in K U = set of uncovered membership groups in M RK = set of representative k-nodes; has been generated Userset = set of membership groups covered by a representative k-node rkj

20 Rekey Algorithm Update the keys in the key graph
User join, leave, or switch membership groups dynamically The service provider changes access relations dynamically Case1)User u8 switches from U2 to U1 k26 k8 k20 k17 dk1 mk1 mk2 dk3 k26 dk2 k8 Send {k26}k8 to u8 {k26}k1 to u1 Send {mk’2}k19 to u5, u6 {mk’2}k7 to u7 u8

21 Rekey Algorithm Case2)Update the access relations(new data stream, new membership group) R4 dk3’ rk4’ dk4 rk5

22 Performance Comparison
Experiment environment Compare the performance of the HAC scheme with the MG scheme Measured storage overhead and rekey overhead Develop a simulation model to construct logical key graphs with d =2 based on access relation and to simulate user actions in the system Consider three cases where equivalent data streams to group, and the number of data streams per resource group is shown in Table3

23 Performance Comparison
Note that, Case III is much higher than the differerce between the HAC scheme and Case II Why HAC experiment is only one? All data streams in a resource group are encrypted by the same resource-group key HAC Scheme 1 1 1 3 1 1 1 3

24 Performance Comparison
We can see that HAC scheme results in less rekey overhead than the MG Scheme HAC Scheme 1 1 1 3 1 1 1 3

25 Conclusion In the HAC scheme In the key graph Future work
Proposed a hierarchical access control key management scheme for group communication Employed an algorithm to construct a key graph based on a unified relation of membership groups and resource group Can handle complex access relations In the key graph Equivalent data streams are grouped in a resource group and are encrypted by a single data encryption key Future work To employ the batch rekeying[23] scheme in order to further improve the key management efficiency

Download ppt "Qiong Zhang, Yuke Wang Jason P, Jue 2008"

Similar presentations

A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
A hierarchical key management scheme for secure group communications in mobile ad hoc networks Authors: Nen-Chung Wang and Shian-Zhang Fang Sources: The.

A hierarchical key management scheme for secure group communications in mobile ad hoc networks Authors: Nen-Chung Wang and Shian-Zhang Fang Sources: The.
Multicast in Wireless Mesh Network Xuan (William) Zhang Xun Shi.

Multicast in Wireless Mesh Network Xuan (William) Zhang Xun Shi.
Yan (Lindsay) Sun and K. J. Ray Liu IEEE/ACM Transactions on Networking, Dec. 2007. Presented by Seo Bon Keun, 2008.

Yan (Lindsay) Sun and K. J. Ray Liu IEEE/ACM Transactions on Networking, Dec Presented by Seo Bon Keun, 2008.
Ranveer Chandra , Kenneth P. Birman Department of Computer Science

Ranveer Chandra , Kenneth P. Birman Department of Computer Science
KAIS T Distributed Collaborative Key Agreement and Authentication Protocols for Dynamic Peer Groups IEEE/ACM Trans. on Netw., Vol. 14, No. 2, April 2006.

KAIS T Distributed Collaborative Key Agreement and Authentication Protocols for Dynamic Peer Groups IEEE/ACM Trans. on Netw., Vol. 14, No. 2, April 2006.
Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.

Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.
A Comparison of Layering and Stream Replication Video Multicast Schemes Taehyun Kim and Mostafa H. Ammar.

A Comparison of Layering and Stream Replication Video Multicast Schemes Taehyun Kim and Mostafa H. Ammar.
Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.

Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.
2001 Winter CS215 Course Project Simulation Comparison of Routing Algorithms for Multicast with Bandwidth Reservation Zhihong Duan

2001 Winter CS215 Course Project Simulation Comparison of Routing Algorithms for Multicast with Bandwidth Reservation Zhihong Duan
Network Layer4-1 Spanning trees r Suppose you have a connected undirected graph m Connected: every node is reachable from every other node m Undirected:

Network Layer4-1 Spanning trees r Suppose you have a connected undirected graph m Connected: every node is reachable from every other node m Undirected:
Secure Group Communications Using Key Graphs Chung Kei Wong, Member, IEEE, Mohamed Gouda Simon S. Lam, Fellow, IEEE Evgenia Gorelik Yuksel Ucar.

Secure Group Communications Using Key Graphs Chung Kei Wong, Member, IEEE, Mohamed Gouda Simon S. Lam, Fellow, IEEE Evgenia Gorelik Yuksel Ucar.
Distributed Collaborative Key Agreement Protocols for Dynamic Peer Groups Patrick P. C. Lee, John C. S. Lui and David K. Y. Yau IEEE ICNP 2002.

Distributed Collaborative Key Agreement Protocols for Dynamic Peer Groups Patrick P. C. Lee, John C. S. Lui and David K. Y. Yau IEEE ICNP 2002.
1 IP Multicasting. 2 IP Multicasting: Motivation Problem: Want to deliver a packet from a source to multiple receivers Applications: –Streaming of Continuous.

1 IP Multicasting. 2 IP Multicasting: Motivation Problem: Want to deliver a packet from a source to multiple receivers Applications: –Streaming of Continuous.
Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.

Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.
1 An Overlay Scheme for Streaming Media Distribution Using Minimum Spanning Tree Properties Journal of Internet Technology Volume 5(2004) No.4 Reporter.

1 An Overlay Scheme for Streaming Media Distribution Using Minimum Spanning Tree Properties Journal of Internet Technology Volume 5(2004) No.4 Reporter.
1 CSE 417: Algorithms and Computational Complexity Winter 2001 Lecture 10 Instructor: Paul Beame.

1 CSE 417: Algorithms and Computational Complexity Winter 2001 Lecture 10 Instructor: Paul Beame.
Group Key Distribution Chih-Hao Huang

Group Key Distribution Chih-Hao Huang
P2P Course, Structured systems 1 Introduction (26/10/05)

P2P Course, Structured systems 1 Introduction (26/10/05)
Deliver Multimedia Streams with Flexible QoS via a Multicast DAG Yu Cai 02/26/2004.

Deliver Multimedia Streams with Flexible QoS via a Multicast DAG Yu Cai 02/26/2004.

Similar presentations

Ads by Google