1 Membership Control in P2P and MANETs Nitesh Saxena, Gene Tsudik, Jeong H. Yi Computer Science Department University of California at Irvine {nitesh,


1 1 Membership Control in P2P and MANETs Nitesh Saxena, Gene Tsudik, Jeong H. Yi Computer Science Department University of California at Irvine {nitesh, gts, jhyi}@ics.uci.edu

2 2 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

3 3 Peer Group Settings Decentralized P2P Common in MANETs and Internet At many protocol layers Many applications No centralized control No hierarchy Fault-tolerant Dynamic membership MANETs Distributed and scalable security services required

4 4 P2P Security: Prior Work Secure communication: Key management Authentication Anonymity Secure routing

5 5 Key Management (Diagram: nodes A, B, C, D, E, F)

6 6 Sybil attack Douceur [IPTPS'02] An adversary may create multiple identities Lesson: Verify identities (Diagram: nodes B, C, D, E, F, G, H, I, J and the adversary's identities A1, A2, A3)

7 7 Motivation Secure group communication does not address membership eligibility Without secure admission control, secure communication (e.g., key management) is useless

8 8 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

9 9 Group Membership Issues Naming: Name  ownership? Location? Presence: on-line: e.g., replicated servers, MANETs off-line: e.g., Gnutella, MANETs Membership: Static, ad hoc: reflected where? Enumerated Dynamic: admission rules/policies? Longevity: Long-term Transient

10 10 What does a prospective member know? Group name, at least… Group location? Group membership? Group charter/policy? Group member(s)’ name(s)/address(es)?

11 11 Terminology Group Charter defines admission policies Group Membership Certificate (GMC) proves membership Group Authority (GAUTH) Bootstrapping entity Threshold Sig. Algo Dealer etc.

12 12 Admission Control Models
Admission via Public ACL: Not suitable for dynamic peer groups
Admission by Centralized Authority: Not suitable for dynamic peer groups; Single point of failure
Admission by Members → our focus

13 13 Admission Control
Step 1: Join request
Step 2: Join commit (Vote)
Step 3: GMC issuance & share acquisition
New member (M_new) wants to join the group
A quorum of t current members need to issue M_new a group membership certificate (GMC)
If no quorum, membership is denied
(Diagram labels: M_new, Vote 1, Vote 2)

14 14 Threshold Types
Fixed Threshold
Expressed as minimum # of votes (e.g., 5)
What if group size < threshold?
Dynamic Threshold
Expressed as percentage of # of current members (e.g., 30%)
Threshold = percentage * group size
Need to keep accurate state of up-to-date group size → Group Authority (GAUTH), as bootstrapping node, is only trusted to keep account of group size.

15 15 Relevant crypto techniques Plain signatures ASMs Aggregated Signatures Threshold Signatures Static Dynamic Group signatures

16 16 Plain Signatures Inefficient in bw/space Efficient in generation/verification Can be gathered asynchronously Can be used to prove membership No membership awareness Accountability Limited anonymity Linkable Lineage problem!

17 17 Accountable sub-Group Multi-Signatures Due to Ohta, et al. (CCS’01) Based on aggregating Schnorr signatures Efficient (but still linear in size) Synchronous (on-line protocol) Membership awareness Can be used to prove membership Accountability Limited anonymity Linkable Lineage Problem!

18 18 Threshold Signatures Desmedt/Frankel (1989) and many others Usually fixed t Function sharing to avoid reconstruction Inefficient Synchronous (on-line protocol) Membership awareness (partial) No Accountability Limited anonymity Linkable? (Usually) need trusted dealer to set up No lineage problem!

19 19 Dynamic Threshold Signatures Frankel, et al. (FOCS’97) Shrinkable t Very inefficient Synchronous (on-line protocol) Membership awareness (partial) No Accountability Limited anonymity Linkable? Still need trusted dealer

20 20 Dynamic Threshold Signatures Kong, et al. (ICNP’01) Supports growing t Efficiency unclear Synchronous (on-line protocol) Membership awareness (partial) No Accountability Limited anonymity Linkable? Still need trusted dealer to set up

21 21 Group Signatures Chaum & Van Heijst (1991) and many others Inefficient Asynchronous No membership awareness Can be used to prove membership Accountability (off-line, by Gr. Mgr) Anonymity Unlinkable (except by Gr. Mgr)

22 22 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

23 23 Shamir's Secret Sharing
Dealing Secret Shares
Dealer randomly selects polynomial f(x) of degree t-1: $f(x) = S + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \pmod q$
Note: f(0) = S
Dealer distributes secret shares to users: $ss_i = f(id_i) \pmod q$
Secret Recovery
Distributed Share Computation
What if users are malicious?

24 24 Verifiable Secret Sharing (VSS)
P. Feldman [FOCS '87]
Select f(x) over $Z_q$ as in Shamir's: $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \pmod q$
Setup: p, q (q divides p-1), $b \in Z_p^*$,
Witness generation (publicly known): $W_i = g^{a_i \pmod q} \pmod p$
Secret share verification (mod q) (mod p)
- Exponent is in mod q
- q, p: large primes
- q | p-1

25 25 Threshold RSA (TS-RSA)
J. Kong, et al. [ICNP '01, ISCC '02, WCMC '02]
Setup
Generate RSA key pairs: d, e, N
Dealer randomly selects polynomial f(x) of degree t-1: $f(x) = d + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \pmod N$
Signature generation
(Diagram: nodes 7, 5, 2, 3; labels $m$, $m^{SK_3}$, $m^{SK_2}$, $m^{SK_5}$, $m^{SK_2+SK_3+SK_5}$)
$SK_2 + SK_3 + SK_5 \equiv d \pmod N$
- d is never reconstructed.
- mod N (composite)

26 26 TS-RSA: t-bounded offsetting
(Diagram: nodes 7, 5, 2, 3; labels $m$, $m^{SK_3}$, $m^{SK_2}$, $m^{SK_5}$, $m^{SK_2+SK_3+SK_5}$)
$SK_2 + SK_3 + SK_5 \equiv d \pmod N$
$SK_2 + SK_3 + SK_5 = tN + d$
$m^{SK_2+SK_3+SK_5} = m^{tN+d} = m^{tN} m^d$
  Y = m^(tN+d);
  for (i=0; i <= t; i++) {
    Y = Y * m^(-N) mod N;
    if (Y^e = m mod N) break;
  }
  return Y (= m^d mod N)
22 msec
- CRT not applicable
- Prime factors of N are known only to the dealer
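
The offsetting step above, worked on a toy key as an added example (not code from the slides or the Bouncer toolkit). It reuses N = 119 and d = 77 from the "TS-RSA: VSS failure" slide; the public exponent e = 5, the message m = 2 and all function names are assumptions.

```python
# Added example: toy TS-RSA combine with t-bounded offsetting.
# N = 119 = 7 * 17 and d = 77 come from the "VSS failure" slide;
# e = 5 and m = 2 are assumptions (5 * 77 = 1 mod phi(N) = 96).
N, E, D = 119, 5, 77
COEFFS = [D, 2, 5]            # f(x) = 77 + 2x + 5x^2 (mod N), so t = 3


def share(i):
    """Dealer side: ss_i = f(i) mod N."""
    return sum(a * i**k for k, a in enumerate(COEFFS)) % N


def lagrange_at_zero(i, signers):
    """l_i(0) mod N. Differences of signer ids must be invertible mod N,
    because N is composite."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * (-j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N


def partial_signature(m, i, signers):
    """Signer i computes m^(SK_i) mod N with SK_i = ss_i * l_i(0) mod N.
    SK_i is returned only so the demo can display the offset."""
    sk = share(i) * lagrange_at_zero(i, signers) % N
    return pow(m, sk, N), sk


def combine(m, partials, t):
    """Multiply partial signatures, then strip the unknown multiple of N."""
    y = 1
    for p in partials:
        y = y * p % N
    m_inv_n = pow(m, -N, N)               # m^(-N) mod N, needs gcd(m, N) = 1
    for _ in range(t + 1):
        if pow(y, E, N) == m % N:         # check first, so offset 0 also works
            return y
        y = y * m_inv_n % N
    raise ValueError("no offset in [0, t] yields a valid signature")


def demo(m=2, signers=(2, 3, 5)):
    parts = [partial_signature(m, i, signers) for i in signers]
    offset = (sum(sk for _, sk in parts) - D) // N   # illustration only
    return combine(m, [p for p, _ in parts], t=len(signers)), offset
```

Here the exponents sum to 196 = 1 * 119 + 77, so one multiplication by m^(-N) turns the product into the valid signature.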

27 27 TS-RSA: VSS failure
Example: $f(x) = 77 + 2x + 5x^2 \pmod{119}$, g = 3
Witnesses: $w_0 = 3^{77} = 12$, $w_1 = 3^2 = 9$, $w_2 = 3^5 = 5 \pmod{119}$
(Diagram: nodes 7, 5, 2, 3; node 7 receives $pss_3(7) = 74$, $pss_2(7) = 71$, $pss_5(7) = 72$)
$pss_i(id_j) = ss_i \, l_i(id_j) \bmod N$
$ss_7 = pss_2(7) + pss_3(7) + pss_5(7) = 98$
Impossible to verify if $ss_i$ is correct. (mod 119) mod $\phi(N)$
Impossible to detect malicious members, i.e., no robustness provided!

28 28 TS-RSA: Summary
No verifiability of secret shares
Gennaro [Crypto '96] and Shoup [Eurocrypt '00] proposed schemes to provide verifiability → require trusted dealer to generate a key-pair
Boneh & Franklin [Crypto '97] distributed RSA key generation → very high communication and/or computation overhead → impractical in many group settings such as MANETs
Trusted dealer involved at initialization phase

29 29 Threshold DSA (TS-DSA) Extension of threshold DSS scheme by Jarecki, et al. [Eurocrypt '96] group size (n) can be increased. threshold (t) can be changed. No dealer involved VSS holds

30 30 TS-DSA: Setup
Self-initialization by founding members uses Joint Secret Sharing (JSS), Pedersen [Eurocrypt '91]
(Diagram labels: User 1, User 2, User n)
Each user computes $f_i(j)$ (j = 1..n, j != i), and sends it to others.
Each user computes his own secret share
No one knows S.

31 31 TS-DSA: Signature Generation
(Diagram: nodes 7, 5, 2, 3; first exchange labelled $u_3, v_3$; $u_2, v_2$; $u_5, v_5$; second exchange labelled r, m and $s_3$, $s_2$, $s_5$)
DSA signature: (r, s)
extra exp.
(t+1)/2-secure
$O(t^2)$ comm.

32 32 TS-DSA: VSS holds
Example: $f(x) = 7 + 2x + 5x^2 \pmod{11}$, g = 9, q = 11, p = 23
Witnesses: $w_0 = 9^7 = 4$, $w_1 = 9^2 = 12$, $w_2 = 9^5 = 8 \pmod{23}$
(Diagram: nodes 7, 5, 2, 3; node 7 receives $pss_3(7) = 7$, $pss_2(7) = 2$, $pss_5(7) = 4$)
$pss_i(j) = ss_i \, l_i(j) \bmod p$
$ss_7 = pss_2(7) + pss_3(7) + pss_5(7) = 2 \pmod{11}$
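
An added example, not from the slides or the toolkit, that runs the Feldman share check on this slide's prime-order parameters and on the N = 119 parameters of the earlier "TS-RSA: VSS failure" slide. Function names and the tampered share are assumptions; shares are reduced mod q = 11 (respectively mod N = 119), which reproduces the slides' values.

```python
# Added example: Feldman-style share check on the two slide examples.
# Witnesses are w_k = g^(a_k); a share ss for id x is accepted when
#   g^ss == prod_k w_k^(x^k)   (computed in the group modulus).

def make_shares_and_witnesses(coeffs, share_mod, g, group_mod):
    """Return (share function, witness list) for f(x) = sum a_k x^k."""
    def share(x):
        return sum(a * x**k for k, a in enumerate(coeffs)) % share_mod
    witnesses = [pow(g, a, group_mod) for a in coeffs]
    return share, witnesses


def verify_share(x, ss, witnesses, g, group_mod):
    """Feldman check using only public values."""
    rhs = 1
    for k, w in enumerate(witnesses):
        rhs = rhs * pow(w, x**k, group_mod) % group_mod
    return pow(g, ss, group_mod) == rhs


def ts_dsa_case():
    # Slide values: f(x) = 7 + 2x + 5x^2 (mod 11), g = 9, q = 11, p = 23.
    # g has order q in Z_23^*, so reducing shares mod q is harmless.
    share, w = make_shares_and_witnesses([7, 2, 5], 11, 9, 23)
    ss7 = share(7)
    honest = verify_share(7, ss7, w, 9, 23)
    tampered = verify_share(7, (ss7 + 1) % 11, w, 9, 23)  # constructed bad share
    return w, ss7, honest, tampered


def ts_rsa_case():
    # Slide values: f(x) = 77 + 2x + 5x^2 (mod 119), g = 3.
    # Shares are reduced mod N = 119, but 3 has order 48 in Z_119^*,
    # so the reduction does not commute with exponentiation and the
    # correctly dealt share ss_7 = 98 is rejected.
    share, w = make_shares_and_witnesses([77, 2, 5], 119, 3, 119)
    ss7 = share(7)
    return w, ss7, verify_share(7, ss7, w, 3, 119)
```

In the prime-order setting the honest share passes and the altered one is caught; in the RSA setting an honest share fails, so the check cannot tell honest members from malicious ones.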

33 33 TS-DSA: Summary
Pros: VSS guaranteed; Key generation fully distributed
Cons: Robust only if fewer than (t+1)/2 malicious users; Extra $O(t^2)$ communications between signers to jointly generate random secret k

34 34 Feature Summary
(Table: columns RSA, ASM, TS-RSA, TS-DSA; rows Dealer involved, Simultaneous on-line presence, Accountability, Unlinkability, Verifiable Secret Sharing [NA])

35 35 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

36 36 System Design - "Bouncer" toolkit
Peer Group Applications (Gnutella, Secure Spread, etc.)
GAC APIs
Certificate Management Module, Policy Management Module, Data Encoding Module, Protocol Handling Module
Distributed Cryptography: ASM, TS-RSA, TS-DSA
General Crypto. Functions: SHA-1, AES, RSA, DSA, etc.
Crypto Primitives: OpenSSL
Linux

37 37 Dynamic Threshold Update

38 38 GAC APIs

Plain RSA APIs
  GAC_PACKET *PS_Join_Reqest();
  GAC_PACKET *PS_Join_Commit();
  GAC_PACKET *PS_GMC_Request(); /* optional */
  GAC_PACKET *PS_GMC_Reply(); /* optional */

TS-DSA APIs
  GAC_PACKET *TSD_Join_Request();
  GAC_PACKET *TSD_Join_Commit();
  GAC_PACKET *TSD_Chal_Req();
  GAC_PACKET *TSD_Chal_Rly();
  GAC_PACKET *TSD_Rnd_Req();
  GAC_PACKET *TSD_Rnd_Rly();
  GAC_PACKET *TSD_Sign_Request();
  GAC_PACKET *TSD_Part_Sign();
  GAC_PACKET *TSD_GMC_Request(); /* optional */
  GAC_PACKET *TSD_GMC_Reply(); /* optional */

TS-RSA APIs
  GAC_PACKET *TSS_Join_Request();
  GAC_PACKET *TSS_Join_Commit();
  GAC_PACKET *TSS_Sign_Request();
  GAC_PACKET *TSS_Part_Sign();
  GAC_PACKET *TSS_GMC_Request(); /* optional */
  GAC_PACKET *TSS_GMC_Reply(); /* optional */

ASM APIs
  GAC_PACKET *ASM_Join_Request();
  GAC_PACKET *ASM_Join_Commit();
  GAC_PACKET *ASM_Sign_Request();
  GAC_PACKET *ASM_Part_Sign();
  GAC_PACKET *ASM_GMC_Request(); /* optional */
  GAC_PACKET *ASM_GMC_Reply(); /* optional */

39 39 Integration with Gnutella Ping Pong New Member Current Members SPing SPong Query QueryHit Push (Download by http) Gnutella Protocol Join Commit SigReq SigRly Admission Protocol Secure Gnutella

40 40 Integration with Secure Spread Secure Spread GKA_API Encryption Access control Crypto Library Engine Bouncer Spread: A wide area reliable group communication system Secure Spread: Integrates security services with Spread Supports only static access control daemon level ACL’s flush mechanism No notion of secure, dynamic, distributed admission. Modified Spread APIs SP_GAC_Join(); /* new */ SP_receive(); /* modified */ Application

41 41 Outline Introduction and Motivation Admission Control Distributed Cryptography System Design and Integration Performance Evaluation Conclusion

42 42 Performance Evaluation Gnutella Experiment: Integrated decentralized protocol with Gnut-0.4.21 Tested on a high-speed LAN Secure Spread Experiment: Integrated centralized protocol with Secure SPREAD-2.1.0 Spread daemons on 10 machines at Johns Hopkins Univ. A client at UCI Measurements Fixed threshold Dynamic threshold Source code available at http://sconce.ics.uci.edu/gac

43 43 Computation Cost Signature generation Signature verification

44 44 Signature Size
Signature length
RSA: t * ( |K| + |id| )
ASM: |q| + |E| + t * |id|
TS-RSA: |K|
TS-DSA: 2*|q|
t: threshold; K: private key; id: signer's id; q: modulus q; E: challenge (hash size)

45 45 Fixed Threshold Experiments Secure Spread Gnutella

46 46 Dynamic Threshold Experiments Secure Spread Gnutella

47 47 Conclusions Designed several P2P admission control mechanisms Assessed practicality of distributed cryptography for dynamic peer groups. Threshold signatures are currently NOT PRACTICAL in MANETs and sensor networks Reasonable for Internet-based P2P systems that operate in (at least partially) synchronous mode Difficult to identify one scheme best-suited for all peer group admission scenarios. If admission is difficult, distributed membership revocation is even harder!

48 48 Future Work TS-RSA Efficient RSA distributed modulus generation VSS in Dynamic setting TS-DSA Better communication efficiency? Aggregated Signatures? Other, more "systems" approaches? Revocation?

