1
Computer Science
Efficient Self-healing Group Key Distribution With Revocation Capability
Archana Rajagopal
CSC 774 Presentation
Based on Original Slides from Donggang Liu, Peng Ning, and Kun Sun
Outline
• Motivation and background
  – Secure group communication in MANET
• Proposed solutions
  – Novel personal key distribution
  – Self-healing group key distribution
  – Improvements to reduce storage and communication overheads
• Conclusions and future work
Secure Group Communications in MANET
• Problem
  – How to distribute group keys?
• Challenges in MANET
  – Dynamic and volatile
  – Unreliable communication
    • Lost packets, network partitions, relatively long term failures due to active attacks, …
Related Work
• Extensive results on group key management
  – Group key distribution
    • Tree-based scheme: LKH, Iolus, …
    • Secret sharing-based scheme: Self-healing, …
  – Group key agreement
    • GDH, TGDH, …
• Most existing techniques are not suitable for MANET
  – No fault tolerance => not applicable
  – Simple fault tolerance => easy to disrupt, cannot deal with network partitions and active attacks
Related Work (cont’d)
• Two potential candidates for MANET
  – Self-healing group key distribution
    • Ability to recover lost session keys
    • Staddon et al., Oakland 2002
  – Stateless group key distribution
    • Ability to rejoin the group
    • Cannot recover lost keys
    • Naor, Naor, and Lotspiech (SDR), Crypto 2001
Desirable Properties
• Unconditionally secure
• Self-healing
• t-revocation capability
• t-wise forward secrecy
• t-wise backward secrecy
[Figure: session keys K1, K2, …, Ki, Ki+1, …, Km with t compromised users revoked, and the same key sequence with t compromised users joining]
Property of proposed scheme
• Processing, communication and storage overheads depend on the number of compromised nodes that may collude together, not on the group size.
Scheme I: Personal Key Distribution
• Goal: distribute distinct keys to different members with one broadcast message
  – A key is a point on polynomial f(x), e.g., f(j)
• Idea: construct a single polynomial w(x) to distribute shares on f(x) such that
  – A valid member can only get its own key
  – Revoked members know nothing about
    • Valid members’ keys
    • Their own keys
Scheme I (cont’d)
• Method: w(x)=g(x)f(x)+h(x)
  – h(x) is called a masking polynomial. Degree 2t. Each member i has one share on h(x), which is h(i).
  – g(x) is called a revocation polynomial. Degree w (w<=t). If member v is revoked, g(v)=0; otherwise g(v)!=0
Scheme I (cont’d)
• Group manager broadcasts
  – Revoked user ids {r1,…,rw} => g(x)=(x-r1)(x-r2)…(x-rw)
  – w(x)=g(x)f(x)+h(x)
• Communication overhead O(t log q)
Member v is not compromised, but member v’ is compromised:
$$f(v) = \frac{w(v) - h(v)}{g(v)}$$
$$w(v') = g(v')f(v') + h(v') = h(v') \quad \text{since } g(v') = 0$$
[Figure: w(x)=g(x)f(x)+h(x) with the points v and v’ marked]
Property of Scheme I
• Scheme I is an unconditionally secure personal key distribution scheme with t-revocation capability
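A worked instance of Scheme I, added here as an illustration and not taken from the slides or the authors' code. The field modulus q, the degree t of f(x), the member ids and all function names are assumptions of this example.

```python
import secrets
from itertools import zip_longest

Q = 2**61 - 1   # prime modulus q (assumed; the slides do not fix q)
T = 2           # collusion threshold t

def poly_eval(p, x):
    """Horner evaluation mod Q; coefficients are low-order first."""
    acc = 0
    for c in reversed(p):
        acc = (acc * x + c) % Q
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out

def rand_poly(degree):
    return [secrets.randbelow(Q) for _ in range(degree + 1)]

def revocation_poly(revoked):
    """g(x) = (x - r1)(x - r2)...(x - rw), so g(v) = 0 for every revoked v."""
    g = [1]
    for r in revoked:
        g = poly_mul(g, [-r % Q, 1])
    return g

def broadcast(f, h, revoked):
    """Group manager: publish the revoked ids and w(x) = g(x)f(x) + h(x)."""
    if len(revoked) > T:
        raise ValueError("at most t members can be revoked")
    gf = poly_mul(revocation_poly(revoked), f)
    return list(revoked), [(a + b) % Q for a, b in zip_longest(gf, h, fillvalue=0)]

def recover(v, h_share, revoked, w):
    """Member v: f(v) = (w(v) - h(v)) / g(v); None when g(v) = 0 (revoked)."""
    g_v = poly_eval(revocation_poly(revoked), v)
    if g_v == 0:
        return None  # w(v) = h(v): the broadcast says nothing about f(v)
    return (poly_eval(w, v) - h_share) * pow(g_v, -1, Q) % Q

def demo(members=(1, 2, 3, 4, 5), revoked=(2, 5)):  # constructed ids
    f, h = rand_poly(T), rand_poly(2 * T)   # f: degree t (assumed); h: degree 2t
    shares = {i: poly_eval(h, i) for i in members}   # h(i), given to member i at setup
    ids, w = broadcast(f, h, revoked)
    return f, h, w, {i: recover(i, shares[i], ids, w) for i in members}
```

The broadcast polynomial has 2t+1 coefficients regardless of how many members exist, which is where the O(t log q) communication overhead comes from.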
Scheme II: (Basic Session Key Distribution)
• Main idea
  – Combine the new personal key distribution scheme with the self-healing technique.
• Distribute p(x) part for all old sessions and q(x) part for all future sessions
[Figure: K = p(x) + q(x), with p(x) distributed as p(x)g(x)+h(x) and q(x) distributed as q(x)g(x)+h’(x)]
Self Healing Property
• Group key Kj = pj(i) + qj(i)
• (m+1) polynomials are broadcast for all ‘m’ sessions
  – { p1(i)… pj(i) , qj(i) …. qm(i)}
• Ui receives messages from j1 and j2 but not j, where j1 < j < j2
• How to recover session key for ‘j’?
  – pj(i) from j2 and qj(i) from j1
Broadcast
• Bj =
  • {Rj}
  • {Pj,i(x) = gj(x)pi(x) + hi,j(x)}i=1…j
  • {Qi,j(x) = gj(x)qi(x) + hj,i+1(x)}i=j…m
Scheme II (cont’d)
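• In session j, given a set of revoked member ids Rj={r1,…,rwj}, the group manager broadcasts Rj and m+1 polynomials
$$
\begin{array}{cccccc}
g_j(x) & \cdots & g_j(x) & g_j(x) & \cdots & g_j(x) \\
p_1(x) & \cdots & p_j(x) & q_j(x) & \cdots & q_m(x) \\
h_{1,j}(x) & \cdots & h_{j,j}(x) & h_{j,j+1}(x) & \cdots & h_{j,m+1}(x)
\end{array}
$$
• Member v: $p_1(v), \ldots, p_j(v), q_j(v), \ldots, q_m(v)$, with $p_j(v)$ and $q_j(v)$ giving $K_j$
• Communication overhead O(mt log q)
• Storage overhead O(m^2 log q)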
Properties of Scheme II
• Unconditionally secure, t-revocation capability
• Self-healing session key distribution
• t-wise forward secrecy and t-wise backward secrecy
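The self-healing recovery from the Self Healing Property and Broadcast slides, as an added example that is not from the slides or the authors' code. It assumes no member is revoked (so gj(x)=1), that pj(x)+qj(x)=Kj for every x, and its own mask indexing by (session, slot); the modulus, member id and function names are also assumptions.

```python
import secrets
from itertools import zip_longest

Q = 2**61 - 1   # prime modulus q (assumed)
T, M = 2, 5     # collusion threshold t, number of sessions m

def ev(p, x):
    """Horner evaluation mod Q; coefficients are low-order first."""
    acc = 0
    for c in reversed(p):
        acc = (acc * x + c) % Q
    return acc

def rnd(degree):
    return [secrets.randbelow(Q) for _ in range(degree + 1)]

def add(a, b):
    return [(x + y) % Q for x, y in zip_longest(a, b, fillvalue=0)]

def manager_setup():
    """Pick K_j, split it as p_j(x) + q_j(x) = K_j, draw one mask per (session, slot)."""
    keys = {j: secrets.randbelow(Q) for j in range(1, M + 1)}
    p = {j: rnd(T) for j in keys}
    q = {j: add([keys[j]], [-c % Q for c in p[j]]) for j in keys}
    h = {(j, s): rnd(2 * T) for j in keys for s in range(1, M + 2)}
    return keys, p, q, h

def broadcast(j, p, q, h):
    """B_j with g_j(x) = 1: masked p_1..p_j and masked q_j..q_m (m + 1 polynomials)."""
    P = {i: add(p[i], h[j, i]) for i in range(1, j + 1)}
    Qm = {i: add(q[i], h[j, i + 1]) for i in range(j, M + 1)}
    return P, Qm

def member_shares(h, v):
    """Member v stores h(v) for every mask: m(m + 1) values, the O(m^2 log q) storage."""
    return {k: ev(mask, v) for k, mask in h.items()}

def heal(j, v, shares, j1, b_j1, j2, b_j2):
    """Recover K_j from B_j1 and B_j2 (j1 < j < j2) although B_j was lost."""
    p_j = (ev(b_j2[0][j], v) - shares[j2, j]) % Q      # p_j(v) from the later broadcast
    q_j = (ev(b_j1[1][j], v) - shares[j1, j + 1]) % Q  # q_j(v) from the earlier broadcast
    return (p_j + q_j) % Q
```

Neither broadcast alone yields the missed key: the earlier one carries no masked p_j and the later one carries no masked q_j.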
Scheme III: Reduce Storage Overhead
• Goal: reduce the storage overhead in scheme II
• Source of storage overhead: shares on masking polynomials
• Observation: each pi(x) or qi(x) is masked by different masking polynomials in different sessions
  – Having one masking polynomial for each pi(x) or qi(x) is sufficient
  – The broadcast messages are public, so it is unnecessary to protect the same polynomial multiple times using different masking polynomials
Scheme III (cont’d)
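• In session j, given the sets of revoked member ids {Ri}i=1,…,j, the group manager broadcasts {Ri}i=1,…,j and m+1 polynomials
$$
\begin{array}{cccccc}
g_1(x) & \cdots & g_j(x) & & & \\
p_1(x) & \cdots & p_j(x) & q_j(x) & \cdots & q_m(x) \\
h_1(x) & \cdots & h_j(x) & f_j(x) & \cdots & f_m(x)
\end{array}
$$
• Member v: $p_1(v), \ldots, p_j(v), q_j(v), \ldots, q_m(v)$, with $p_j(v)$ and $q_j(v)$ giving $K_j$
• Communication overhead is still O(mt log q)
• Storage overhead is O(m log q) instead of O(m^2 log q) in scheme II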
Properties of Scheme III
• Unconditionally secure, self-healing session key distribution and t-revocation capability
• t-wise forward secrecy and t-wise backward secrecy
Scheme IV: (Less Broadcast Size)
• Goal: further reduce the communication overhead
• Observation: having redundant information for all the sessions may be unnecessary
  – Short term communication failures
  – Long term but infrequent communication failures
• Idea:
  – Sliding window.
  – Trade off between broadcast size and self-healing capability
Variant I
• For short term communication failures
[Figure: sessions 1 to 20 shown for Scheme III and for Variant I, with m=20, l=3 and two spans labelled l-1]
l-session self-healing: self-healing capability in terms of l consecutive sessions
Variant II
• For long-term but infrequent communication failures
[Figure: sessions 1 to 20 shown for Variant I and for Variant II, with m=20, l=3, d=2 and two spans labelled l-1]
(l,d)-session self-healing: Can recover the lost session keys if a member receives d consecutive messages within ld sessions
Conclusions
• Our new personal key distribution scheme can be used to
  – Develop more efficient self healing key distribution schemes
• Reduced the communication and the storage overhead of session key distribution scheme
• Proposed two ways to trade off the broadcast size with the self-healing ability
Future Work
• Long-lived self-healing key distribution
• Stateless group key distribution
• Supporting multiple groups
• Performance evaluation
Thank You!
QUESTIONS?