
1 Key Distribution and Update for Secure Inter-group Multicast Communication
Ki-Woong Park, Computer Engineering Research Laboratory, Korea Advanced Institute Science & Technology
Dec 11, 2007
The Third ACM Workshop on Security of Ad Hoc and Sensor Networks

2 Prologue
- Secure Group Communication
  - To accelerate the propagation speed
  - To improve the energy efficiency
- Location based services
  - Location information according to the security level
- In this paper: focus on the problem for secure intergroup communication
  - Key distribution
  - Key update
- Figure labels: Location Based Services, Location Free Conference; UFC 2005, UFC 2006, UFC 2007

3 Contents
1. Introduction to Group Communication
2. Related Works
3. Secure Group Communication
4. Key Update during Group Changes
5. Conclusion & Discussion
   - Performance Evaluation in terms of Communication / Operation Efficiency

4 Introduction
- Challenge of asymmetric key based group communication
  - Computation overhead
    - Key update (overhead for generating secure key pairs frequently)
    - Operation Complexity – AES : 1, RSA-Private Key : 1000, Public/Private Key Generation : 3000
  - Identity of sender
- Contribution
  - Switching from asymmetric → symmetric key operation: avoids heavy computation
  - Distributed update of the personal key
  - Flat table: reduce the key storage overhead

5 Related Works
- Group Key Management Protocol (GKMP)
  - Key Encryption Key (KEK)
  - Traffic Encryption Key (TEK)
  - One-to-One Distribution → do not scale to large network (Scalability Problem)
- Logical Key Hierarchy
  - Tree, flat table
  - Broadcast traffic during key refreshment
  - Backward and forward secrecy
- Avoid single point of failure
  - Divide the nodes into multiple subgroups
    – inter-subgroup traffic must be translated by the agents
- Dual Encryption protocol
  - To deal with the trust of the third parties
- Re-Keying Mechanism
  - Cipher Sequences
  - Time-Synchronized group key distribution protocol: periodically rekeying of the group
- Diagram labels: GKMP, Re-Keying Mechanism, Scalability, Robustness
- Today's Paper: considering
  - Node mobility
  - Frequent link changes
  - Limited resources

6 Notations
- $F_q$ : Finite Field
- $E_K(msg)$ / $D_K(msg)$ : Encryption / Decryption of the message with $K$
- $H(msg)$ : Hash Function
- $h(x)$ : t-degree polynomial in $F_q[x]$
- GM : Group Manager
- $S_{GM}(msg)$ : digital signature of the group manager
- $r$ : the number of bits required to record a node ID
- $i_1, i_2, \ldots, i_r$ : node i's ID
- Example: $r = 5$, ID $(6)_{10}$ has bits $i_1 i_2 i_3 i_4 i_5 = 00110$
- Figure labels: groups $G_1$, $G_2$, $G_3$ and the GM

7 Secure Group Communication (1/2)
- Network Initiation Procedure
  - Every node will get a set of secret keys from the centralized manager through secure channel such as the physical contact
    - TEK (Traffic encryption keys) : protect the group communication packets
    - KEK (Key Encryption Keys) : support secret refreshment
- t-degree polynomial : to determine the personal key shares (inter group traffic)
  - $h_{21}(x)$ : determine the personal key shares of the members in $G_1$ to $G_2$
  - To recover the multicast packets sent by the nodes in $G_1$ and $G_3$: $h_{21}(x)$, $h_{23}(x)$
- Ex) Node $v$ in $G_1$ sends a packet to the nodes in $G_2$: $(v, G_2, E_{h_{21}(v)}(msg, H(msg)))$
- $K_2$ : used to encrypt/decrypt the multicast traffic within the group
- Figure labels: $G_1$, $G_2$, $G_3$, GM; node $v$ with $h_{21}(v)$; node $i$; $E_{K_2}(h_{21}(x))$

8 Secure Group Communication (2/2)
- Personal Key Shares
  - For multicast packets to $G_2$: different personal keys $h_{21}(v)$, $h_{21}(w)$
    – Information Isolation
  - More difficult for attacker to impersonate another node in the same group, unless it can collect $t+1$ personal keys
- Figure labels: $G_1$, $G_2$, GM with $h_{21}(x)$; node $v$ with $h_{21}(v)$ sending $(v, G_2, E_{h_{21}(v)}(msg, H(msg)))$; node $z$ with $h_{21}(z)$ sending $(x, G_2, E_{h_{21}(x)}(msg, H(msg)))$
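The personal key shares of slides 7 and 8, worked through as an added example (not code from the presentation): a $G_2$ member recomputes $h_{21}(v)$ from the claimed sender ID, a share belonging to another node does not verify, and pooled shares predict a further node's share only once $t+1$ of them are combined. The modulus $q = 2^{127}-1$, the HMAC tag standing in for $E_{h_{21}(v)}(msg, H(msg))$ and all function names are assumptions made for this sketch.

```python
import hashlib, hmac, secrets

Q = 2**127 - 1  # prime modulus for F_q (assumed; the slides do not fix q)

def new_polynomial(t):
    """GM side: random polynomial of degree exactly t, stored as [c0, ..., ct]."""
    return [secrets.randbelow(Q) for _ in range(t)] + [1 + secrets.randbelow(Q - 1)]

def share(h, node_id):
    """Personal key share h(node_id), Horner evaluation in F_q."""
    acc = 0
    for c in reversed(h):
        acc = (acc * node_id + c) % Q
    return acc

def tag(key_share, sender, msg):
    """HMAC stand-in for E_{h21(v)}(msg, H(msg)): binds msg to the sender's share."""
    key = key_share.to_bytes(16, "big")
    return hmac.new(key, sender.to_bytes(4, "big") + msg, hashlib.sha256).digest()

def accept(h21, sender, msg, received_tag):
    """G2 member: recompute h21(sender) from the claimed ID and verify the tag."""
    return hmac.compare_digest(tag(share(h21, sender), sender, msg), received_tag)

def interpolate(points, x):
    """Lagrange interpolation at x through the given (id, share) points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def coalition_recovers(h, colluders, victim):
    """True if the colluders' pooled shares predict the victim's share."""
    points = [(c, share(h, c)) for c in colluders]
    return interpolate(points, victim) == share(h, victim)
```

With $t = 3$, any three pooled shares give the wrong value for a fourth node, while four shares determine the polynomial; this is the bound to weigh when choosing $t$ against the expected number of compromised members.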

9 Refresh of the keys
- Using flat tables
  - One flat table per group
    - $r$ : required bits to represent a node ID
    - Flat table : consists of $2r$ keys
- Flat table layout (position of the bit × binary value): $z_1$: $z_{1.0}, z_{1.1}$; $z_2$: $z_{2.0}, z_{2.1}$; $z_3$: $z_{3.0}, z_{3.1}$; $z_4$: $z_{4.0}, z_{4.1}$; $z_5$: $z_{5.0}, z_{5.1}$
- Ex) Node ID = 10 $(01010)_2$
  - Keys: $z_{1.0}, z_{2.1}, z_{3.0}, z_{4.1}, z_{5.0}$
  - Every node holds exactly half of the keys in the flat table, one for each bit of its node ID
- Transmission
  - $E_{z_{1.0}}(E_{z_{2.1}}(E_{z_{3.0}}(E_{z_{4.1}}(E_{z_{5.0}}(msg)))))$ → only "Node 10" has all the keys to decrypt the packet
  - $E_{z_{1.1}}(msg) \,\|\, E_{z_{2.1}}(msg) \,\|\, E_{z_{3.0}}(msg) \,\|\, E_{z_{4.1}}(msg) \,\|\, E_{z_{5.0}}(msg)$ → send a message to all the members but Node 10
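The flat-table key selection of slide 9, as an added example that is not from the presentation: it builds the $2r$-key table, derives the keys a node holds from its ID bits, and sends a new group key to every member except one. It assumes exclusion uses the complementary key at every bit position of the excluded node's ID; the XOR/HMAC `wrap` is a stand-in for $E_K$, and all names are hypothetical.

```python
import hashlib, hmac, secrets

R = 5  # bits per node ID, as in the slide's example

def new_flat_table(r=R):
    """GM side: 2r random keys, table[(pos, bit)] for pos 1..r (pos 1 = first ID bit)."""
    return {(p, b): secrets.token_bytes(16) for p in range(1, r + 1) for b in (0, 1)}

def id_bits(node_id, r=R):
    return [(node_id >> (r - p)) & 1 for p in range(1, r + 1)]

def node_keys(table, node_id, r=R):
    """The r keys a node holds: one per bit position, chosen by its ID bit."""
    return {(p, b): table[(p, b)] for p, b in enumerate(id_bits(node_id, r), start=1)}

def wrap(key, data):
    """Toy E_K: XOR with an HMAC-SHA256 pad plus a tag (stand-in, data <= 32 bytes)."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data, pad))
    return nonce, ct, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or modified ciphertext
    pad = hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def rekey_excluding(table, leaver, new_key, r=R):
    """One wrapped copy of new_key under each complementary key of the leaver (assumed rule)."""
    return {(p, 1 - b): wrap(table[(p, 1 - b)], new_key)
            for p, b in enumerate(id_bits(leaver, r), start=1)}

def receive(held, broadcast):
    """Try every held key that matches a broadcast slot; None if none matches."""
    for slot, key in held.items():
        if slot in broadcast:
            out = unwrap(key, broadcast[slot])
            if out is not None:
                return out
    return None
```

Every other ID differs from the excluded one in at least one bit, so each remaining member finds a slot it can open, while the broadcast stays at $r$ wrapped copies regardless of group size.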

10 Key Update during Group Changes (1/4)
- Joining operations (1/2)
  - Node $i$ wants to join the group $G_1$
  - $K_1'$ should be established
    - For backward secrecy
  - To establish the new flat table
    - A node can get an entry in the new flat table only if it has the old key at the same position.
- Figure labels: $G_1$, node $i$, GM; new flat table with positions $z_1$ to $z_4$ and entries $z'_{1.0}, z'_{1.1}, z'_{2.0}, z'_{2.1}, z'_{3.0}, z'_{3.1}, z'_{4.0}, z'_{4.1}$

11 Key Update during Group Changes (2/4)
- Joining operations (2/2)
  - Update of $h_{12}(x)$, $h_{13}(x)$
    - GM chooses 2 t-degree polynomials
  - With the $h_{12}(x)$, $h_{13}(x)$
    - Personal key shares of the nodes in $G_2$ and $G_3$ must be updated as well.
    - Propose a distributed mechanism to release new polynomials
      – GM broadcasts an authenticated message and notification for new personal key shares
      – $v$ acquires new personal key share from $w$
      – Intersection of the $h_{12}(v)$ and $h_{21}(w)$
  - Secure Channel between two nodes
  - GM distributes the keys to node $i$ using $K_{i\text{-}GM}$
- Figure labels: $G_1$ with $E_{h_{12}(x)}(Msg)$ and $E_{h_{13}(x)}(Msg)$; $v$ in $G_1$ sends a request to $w$ in $G_2$ for $h'_{12}(v)$

12 Key Update during Group Changes (3/4)
- Leaving Operations (1/2)
  - Node $i$ leaves group $G_2$
  - Key replacement of $K_2$
  - Broadcast the newly generated flat table to the remaining nodes in $G_2$
  - Replacement of $h_{21}(x)$, $h_{23}(x)$
- Figure labels: $G_2$ with $E_{h_{21}(x)}(Msg)$ and $E_{h_{23}(x)}(Msg)$; new flat table with positions $z_1$ to $z_4$ and entries $z'_{1.0}, z'_{1.1}, z'_{2.0}, z'_{2.1}, z'_{3.0}, z'_{3.1}, z'_{4.0}, z'_{4.1}$

13 Key Update during Group Changes (4/4)
- Leaving Operations (2/2)
  - Distributed broadcast of $h_{21}(x)$, $h_{23}(x)$
    - GM broadcast an authenticated message and notification for new personal key shares
    - $v$ : acquire new personal key share from $w$
  - To prevent usage of $h_{12}(i)$, $h_{32}(i)$
    - Maintain a list of the expelled nodes until the new $h'_{12}(i)$ and $h'_{32}(i)$ are established.
- Figure labels: $G_2$, $G_1$; $v$ sends a request to $w$ for $h'_{21}(v)$

14 Conclusion & Discussion (1/3)
- Overhead Consideration
  - Reduce the data processing time at the wireless nodes
    - Improve the system efficiency
  - Switching to symmetric ciphers
    - Consumed energy by 100 times
  - Additional transmission and reception overhead for key refreshment is totally paid off

| | Scheme using public/private key | Proposed Mechanism |
|---|---|---|
| Key storage overhead | $(r + 4) \log q$ | $(r + 4 + 1 + 2t) \log q$ |
| Broadcast traffic during join | $(2r + 2) \log q$ | $(2r + 2 + 1 + 2t) \log q$ |
| Broadcast traffic during leaving event | $(3r + 1) \log q$ | $(3r + 1 + 1 + 2t) \log q$ |
| Encryption/Decryption overhead | Asymmetric key operations | t-degree polynomial + symmetric |

15 Conclusion & Discussion (2/3)
- A new key distribution and update for secure inter-group communication
  - Polynomials to support the distribution of personal key shares
  - Flat tables to achieve efficient key refreshment
  - Reduce the computation overhead
  - Power usage
- Discussion (1/2)
  - Overhead by Group Manager (GM)
    - Important role in the proposed mechanism
      – Generation of the polynomials and flat tables
    - Who? (Base Station / Election) in Mobile Environment [1,2]

[1] "PKASSO: Towards Seamless Authentication providing Non-Repudiation on Resource-Constrained Devices," 21st IEEE Pervasive Computing and Ad Hoc Communications, May 2007.
[2] "Computationally Efficient PKI-Based Single Sign-On Protocol, PKASSO, for Mobile Devices," IEEE Transactions on Computers (under minor revision).

16 Conclusion & Discussion (3/3)
- Discussion (2/2)
  - Ratio of client operation to server operation
  - Vulnerable to DoS Attacks
  - Defending against Collusive Attacks
    - Collusion by reconstructing the polynomials of other group
      – t-degree polynomial is resistant to the coalition up to t compromised members
  - Multiple Changes Simultaneously
- Chart: server and client share of operations for PKIX (RSA), Kerberos, M-PKINIT, PKASSO and this paper (labels: Server, Client, 76%, 24%)


18 Discussion
- Symmetric Key vs. Asymmetric Key

| | Symmetric Key | Asymmetric Key |
|---|---|---|
| Key | One key: one key to encrypt the data, one key to decrypt the data | Two keys: public key to encrypt the data, private key to decrypt the data |
| Confidentiality | Yes | Yes |
| Digital Signature | No | Yes |
| Non-repudiation | No | Yes |
| Key Distribution | No | Yes |
| Speed (ARM PXA270) | 3ms | 472ms |
| Usage | T-money (300ms), SpeedPass (100ms) [1] | Internet Banking, E-Commerce |

[1] F. Vieira, J. Bonnet, C. Lobo, R. Schmitz, and T. Wall, "Security Requirements for Ubiquitous Computing," EURESCOM, 2005.
[2] A. Pirzada and C. McDonald, "Kerberos Assisted Authentication in Mobile Ad-hoc Networks," in Proceedings of ACM International Conference Proceeding Series, Vol. 56, 2004.

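19 Additional Experiment
- Security Aspect (columns: Authentication, Digital signature, Non-repudiation, Secure key distribution; values as they survive in the transcript)
  - Kerberos: YES, No
  - PKIX: YES
  - M-PKINIT: YES, No, YES
  - ARSA: YES, No, YES
- Computation Efficiency

| System | Mobile Pu | Mobile Pr | Mobile S | Service Device Pu | Service Device Pr | Service Device S | Total Operation Time |
|---|---|---|---|---|---|---|---|
| PKIX (RSA-1024bit) | 2 | 2 | 1 | 2 | 0 | 0 | 3449 / 1035 ms |
| Kerberos | 0 | 0 | 8 | 0 | 0 | 6 | 8.12 / 2.4 ms |
| M-PKINIT TGT | 1 | 1 | 7 | 1 | 1 | 5 | 3305.1 / 991.53 ms |
| M-PKINIT SGT | 0 | 0 | 8 | 0 | 0 | 4 | 8.08 / 2.42 ms |
| ARSA Inter-domain AKA | 2 | 1 | 0 | 1 | 1 | 1 | 3373.02 / 1011.9 ms |
| ARSA Intra-domain AKA | 2 | 0 | 0 | 1 | 1 | 0 | 1799 / 539.7 ms |
| ARSA Client-Client AKA | 2 | 0 | 1 | 2 | 0 | 1 | 301.02 / 90.31 ms |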

