Scalable Group Key Management with Partially Trusted Controllers


1 Scalable Group Key Management with Partially Trusted Controllers
Himanshu Khurana, Adam Slagell, Rafael Bonilla, Raja Afandi, Hyung-Seok Hahm and Jim Basney
[Figure: key tree with root Kroot, intermediate keys KA, KB, KC, leaf keys K1 to K8 and members M1 to M8]

2 Introduction
- Secure Group Communications (SGC) needed to support many military/commercial applications; e.g.,
  - Conferencing (Video and/or Audio)
  - Command-and-Control Systems
  - Digital White-boards
  - Publish-Subscribe Systems
  - Interactive Distance-Learning
- Group Key Management (GKM) cornerstone of SGC
  - Involves distribution of symmetric key to group members for encrypting data
  - Must be efficient and scalable to handle large, dynamic groups
  - Shared key changed every time a member joins/leaves group

3 Current GKM Solutions
- Logical Key Hierarchies (LKH)
  - Advantage: Very efficient
    - log(n) computation and storage (O(n) storage for GC)
    - Constant number of rounds
  - Drawback: GC is completely trusted
    - Single point of compromise of short and long term keys
    - Adversary can read messages and make recovery very costly
    - Problem is exacerbated when managing multiple groups
- Decentralized or Contributory Schemes
  - Advantage: Does not involve GC so no single point of security failure
  - Drawback: Scale poorly
    - E.g., O(n) communications rounds in GDH

4 TASK - Tree-based w/ Asymmetric Split Keys
- Efficient and Scalable
  - O(log(n)) computation and storage
  - Constant number of communication rounds
- Partially Trusted GC
  - GC does not store encryption keys
  - Confidentiality maintained even if GC is compromised
  - Therefore, GC no longer single point of security failure
  - Instead, GC uses proxy encryption to transform messages between members for key establishment
- Simpler recovery from GC compromise
  - Re-key of entire group is not necessary

5 Difference between LKH & TASK

6 TASK Encryption
- Use of proxy re-encryption
  - GC translates key material encrypted with one key into messages encrypted with another key
- Protocol messages are always encrypted with a valid El Gamal key pair
- Bulk or data communications secured by shared symmetric encryption key
- We have shown confidentiality is preserved by reducing TASK proxy encryption to El Gamal
- We assume presence of an external PKI
  - Other schemes assume one for signing; we use it for signing and encryption

7 Member Join
- We can use existing keys to distribute changes to users
  - No need for proxy re-encryption
- GC only one with whole tree structure, thus GC chooses sponsor and insertion node
- Sponsor helps new member create a key
  - Sponsor only knows intermediary key, new member changes before use
- After join completes
  - DEK changes as well as every key split
  - Different random number added to member splits and GC splits
  - Still holds that any two splits add to the same number; however, this GKEK is different now
[Figure: key tree with GC splits K’1-8, K’123, K’456, K’78, K’1 to K’8, member splits K1-8, K123, K456, K78, K1 to K8, and members M1 to M8]

8 Member Leave Details
- Proxy re-encryption with help of GC is necessary
  - Not necessarily a single key shared by all but leaving member
- GC translates random value encrypted with sponsor's key to a minimal set of newly encrypted messages, O(log(n))
  - Really all combined into one O(log(n)) multicast message
- After leave completes
  - DEK changes as well as every key split
  - Different random number added to member splits and GC splits
  - Still holds that any two splits add to the same number; however, this GKEK is different now
[Figure: key tree with GC splits K’1-8, K’123, K’456, K’78, K’1 to K’9, member splits K1-9, K123, K456, K789, K1 to K9, and members M1 to M9]
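
The split-key invariant on slides 6 to 8 (a member split K and a GC split K’ that add to the same GKEK) is what lets the GC re-target an El Gamal ciphertext without decrypting it. The sketch below is an added example, not the authors' code: the toy group parameters, the function names and the exact transformation formula are assumptions consistent with the slides, and the leave exchange is compressed to its proxy step and the final re-key.

```python
import secrets

# Toy El Gamal group, constructed for illustration and far too small for real
# use: p = 2q + 1 with q prime, g generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]

def make_splits(gkek, nodes):
    """Per tree node: member split K and GC split K' with K + K' = GKEK (mod q)."""
    member = {n: rand_exp() for n in nodes}
    gc = {n: (gkek - member[n]) % Q for n in nodes}
    return member, gc

def aenc(k_member, m):
    """El Gamal encryption of m under the public key g^K of one node."""
    e = rand_exp()
    return pow(G, e, P), (m * pow(G, e * k_member, P)) % P

def adec(k_member, ct):
    c1, c2 = ct
    return (c2 * pow(c1, Q - k_member, P)) % P   # c1^q = 1, so c1^(q-K) = c1^(-K)

def proxy_transform(gc_from, gc_to, ct):
    """GC step, using only GC splits: K_to - K_from = K'_from - K'_to (mod q)
    because both pairs add to the same GKEK. The GC never sees m or any K."""
    c1, c2 = ct
    return c1, (c2 * pow(c1, (gc_from - gc_to) % Q, P)) % P

def rekey(member, gc, r, r_gc):
    """Members add r to their splits, the GC adds r_gc to its splits."""
    return ({n: (k + r) % Q for n, k in member.items()},
            {n: (k + r_gc) % Q for n, k in gc.items()})

def leave_demo():
    nodes = ["K8", "K123", "K456", "K7"]         # labels as on the leave slides
    member, gc = make_splits(rand_exp(), nodes)
    r = rand_exp()                               # toy: r itself is the plaintext
    x = aenc(member["K8"], r)                    # X = AENC_PK8(r) from the sponsor
    got = {n: adec(member[n], proxy_transform(gc["K8"], gc[n], x))
           for n in nodes[1:]}
    member, gc = rekey(member, gc, r, rand_exp())
    sums = {(member[n] + gc[n]) % Q for n in nodes}
    return r, got, sums

if __name__ == "__main__":
    print(leave_demo())
```

After the re-key every node's two splits still add to one value, now the old GKEK plus r plus the GC's random value, which is the "GKEK is different now" point on the slides.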

9 LKH versus TASK Costs
Column headers: Schemes, Entity, Events, Communication (Rounds, Messages), Computation (Exponentiations, Signatures, Verifications), Storage; sub-headers: Unicast, Multicast, # Msgs, Msg Size
Cell values as extracted (row and column positions lost): TASK GC Join 2 1 O(1) N/A 3 O(n) Leave O(dh) dh Member O(h) 7 LKH (Wong et al)
LEGEND
- n: number of current group members
- d: degree of tree
- h: height of tree

10 Conclusions & Ongoing Work
- GKM solutions to date sacrifice efficiency or resilience
- TASK
  - Resilient - Allows for GC compromise
  - Simple recovery
  - Scales with LKH schemes
- TASK accomplishes this with split asymmetric keys and proxy re-encryption
- Future Work
  - Performance optimizations and reliable re-keying techniques for LKH may apply to TASK
  - Fully implement TASK and empirically verify scalability

11 Member Join Details
[Figure: GC key tree with splits K’1-8, K’123, K’456, K’78 and K’1 to K’8]

12 Member Join Details Step 1
- M8 generates random number r & adds to his keys
  - K8 ← K8+r, K789 ← K78+r, K1-9 ← K1-8+r
  - DEK ← h(K1-9)
- M8 generates random value r9 and computes temp key
  - TK9 ← K8+r9
- M8 → M9: Enc_PK9(g, p, q, TK9, K789, K1-9)
- M8 → GC: Enc_PKGC(r9)
- M8 → M1…M7: AEnc_PK1-8(r)
[Figure: key tree of GC splits K’ and member splits K for members M1 to M8]

14 Member Join Details Step 2
- M1…M7 decrypt message, add r to their keys, & update DEK
  - DEK ← h(K1-9)
- GC decrypts message, temporarily stores r9
- M9 decrypts keys and generates new random number r9 to change K9
  - K9 ← TK9+r9
- M9 → GC: Enc_PKGC(r9)
[Figure: key tree of GC splits K’ and member splits K for members M1 to M9]

16 Member Join Details Step 3
- GC computes corresponding private key for M9
  - K’9 ← K’8 - r9 - r9
- GC adds random value to all corresponding private keys
[Figure: key tree of GC splits K’ and member splits K for members M1 to M9]

18 Member Leave Details
[Figure: GC key tree with splits K’1-8, K’123, K’456, K’78 and K’1 to K’8]

19 Member Leave Details Step 1
- M8 generates random value r and adds to its private keys & computes new session key
  - K8 ← K8+r, K78 ← K789+r, K1-8 ← K1-9+r
  - DEK ← h(K1-8)
- M8 sends message to GC to proxy re-encrypt and forward to group
  - M8 → GC: X = AENC_PK8(r)
[Figure: key tree of GC splits K’ and member splits K for members M1 to M9]

21 Member Leave Details Step 2
- GC deletes node K’9
- GC multicasts proxy re-encrypted message to rest of group
  - GC → M1…M7: (K’8,K’123)(X), (K’8,K’456)(X), (K’8,K’7)(X)
[Figure: key tree of GC splits K’ and member splits K for members M1 to M9]

23 Member Leave Details Step 3
- M1…M7 decrypt r, add to keys and update session key
  - DEK ← h(K1-8)
- GC chooses random rGC and adds to all corresponding private keys
[Figure: key tree of GC splits K’ and member splits K for members M1 to M8]
