1 / 28

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security. Topic 5 Group Key Management. Group Communication. A group consists of multiple members Messages sent by one sender are received by all the other group members Example application: Pay per view. Secure Group Communication.

gerik
Download Presentation

CSC 774 Advanced Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CSC 774 Advanced Network Security Topic 5 Group Key Management CSC 774 Adv. Net. Security

  2. Group Communication • A group consists of multiple members • Messages sent by one sender are received by all the other group members • Example application: Pay per view CSC 774 Adv. Net. Security

  3. Secure Group Communication • Messages sent by a valid group member can only be understood by the other valid members • Others may receive the messages, but are unable to understand them • Typical approach: Encrypt the group messages with a key only known to the valid group members CSC 774 Adv. Net. Security

  4. Group Key Management • Group key management • Ensure only valid group members have access to the group key • The REAL problem for secure group communication CSC 774 Adv. Net. Security

  5. Desired Properties of Group Key Management • Group key secrecy • It is at least computationally infeasible for an adversary to discover any group key • Forward secrecy • A passive adversary who knows a contiguous subset of old group keys cannot discover subsequent group keys • Do not confuse with PFS • Backward secrecy • A passive adversary who knows a contiguous subset of group keys cannot discover preceding group keys • Group key independence • The combination of forward and backward secrecy. CSC 774 Adv. Net. Security

  6. Statefule v.s. Stateless • Stateful • Decryption of new key depends on previous keys • Group member should keep track of all rekeying messages • Members should be online • Stateless • Decryption of new key depends on establishment key setthat is assigned when member join • Group members don’t need to keep track of rekeying messages • Members can be offline CSC 774 Adv. Net. Security

  7. Types of Group Key Management • Group key agreement • Group keys are determined collectively by all group members • Usually extended from D-H key exchange • Group key distribution • Group keys are determined and distributed by a group key manager CSC 774 Adv. Net. Security

  8. CSC 774 Advanced Network Security Topic 5.1 Group Diffie-Hellman Protocols CSC 774 Adv. Net. Security

  9. Outline • Review of the basic two-party D-H key exchange • Generic n-party D-H key agreement • Three specific protocols • GDH.1 • GDH.2 • GDH.3 CSC 774 Adv. Net. Security

  10. Two-Party Diffie-Hellman Key Exchange Alice Bob Pick secret Sb randomly Compute TB = gSb mod p Send TB to Bob Compute TASb mod p Pick secret Sa randomly Compute TA = gSa mod p Send TA to Bob Compute TBSa mod p Shared key is reached at both parties: gSaSb mod p CSC 774 Adv. Net. Security

  11. Notations • n: number of participants in the protocol • : exponentiation base • q: order of the algebraic group • Mi: i-th group member, i is the index • Ni: random exponent generated by group member Mi • S: subsets of {N1, …, Nn} • (S): product of all elements in subset S • Kn: group key shared among n members CSC 774 Adv. Net. Security

  12. Generic n-Party D-H Key Agreement • Setup • Alln participants agree on a cyclic group G, of order q and the base  • Each member Mi chooses a random value Ni G CSC 774 Adv. Net. Security

  13. Generic n-Party D-H Key Agreement (Cont’d) • Generic Protocol: • Distributively revealing and computing a subset of {(S)|S{N1, …, Nn}} • From these subsets, member Mi computes N1…Ni-1Ni+1…Nn mod q • Finally, Mi computes the shared key K = N1…Nn mod q CSC 774 Adv. Net. Security

  14. Generic n-Party D-H Key Agreement (Cont’d) • Security • The generic n-party D-H protocol is secure if the 2-party D-H protocol is security • Proof: by induction on n • Remaining problem • Consider {(S)|S{N1, …, Nn}} • What (S) to distribute, and how? CSC 774 Adv. Net. Security

  15. GDH.1 • Consists of an upflow stage and a downflow stage … Mn Upflow: M1 M2 M3 … Mn M1 M2 M3 Downflow: CSC 774 Adv. Net. Security

  16. GDH.1 (Cont’d) • Upflow • Mi receives the set {N1, N1N2, …, N1…Ni-1} and forwards to Mi+1 {N1, N1N2, …, N1…Ni}, i  [1, n-1] • Example • M4 receives the set {N1, N1N2, N1N2N3} • and forwards to M5 {N1, N1N2, N1N2N3, N1N2N3N4} CSC 774 Adv. Net. Security

  17. GDH.1 (Cont’d) • Downflow • Mi uses the last intermediate value to compute Kn (1<i<=n) • Mi then raises all remaining values to the power of Ni and forwards the resulting set to Mi-1 • Example • M4 receives the set {N5, N1N5, N1N2N5, N1N2N3N5} • and forwards to M3 {N5N4, N1N5N4, N1N2N5N4} CSC 774 Adv. Net. Security

  18. GDH.1 (Cont’d) • How many rounds? • __________ • How many messages in GDH.1? • __________ • How many exponentiations per Mi? • __________ … Mn Upflow: M1 M2 M3 … Mn M1 M2 M3 Downflow: CSC 774 Adv. Net. Security

  19. GDH.2 • Consists of an upflow stage and a broadcast stage • Use broadcast to reduce communication overhead … Mn Upflow: M1 M2 M3 … Mn M1 M2 M3 Broadcast: CSC 774 Adv. Net. Security

  20. GDH.2 (Cont’d) • Upflow • Mi composes i intermediate values and one cardinal value and forwards the resulting set to Mi+1 (i < n) • Example: • M4 receives the set {N1N2N3, N1N2, N1N3, N2N3} • and forwards to M5 {N1N2N3N4, N1N2N3, N1N2N4, N1N3N4, N2N3N4} CSC 774 Adv. Net. Security

  21. GDH.2 (Cont’d) • Downflow • Mn raises every intermediate value to the power of Nn broadcasts the resulting values to all group members, in another word • Mn broadcasts the set {N1…Ni-1Ni+1…Nn} to Mi (i < n) • Example • M4 receives the set {N1N2N3N5 } from M5 (Assume n=5) CSC 774 Adv. Net. Security

  22. GDH.2 (Cont’d) • How many rounds? • __________ • How many messages in GDH.2? • __________ • How many exponentiations per Mi? • __________ … Mn Upflow: M1 M2 M3 … Mn M1 M2 M3 Broadcast: CSC 774 Adv. Net. Security

  23. GDH.3 • Consists of an upflow stage, a broadcast stage, a response stage, and final broadcast stage • Reduce the number of exponentiations per group member. … Mn-1 Upflow: M1 M2 M3 … Mn-1 M1 M2 M3 Broadcast: M1 M2 M3 Mn Response: … Mn M1 M2 M3 Broadcast: CSC 774 Adv. Net. Security

  24. GDH.3 (Cont’d) • Upflow • Mi (i  [1, n-2]) receives N1…Ni-1, and • forwards to Mi+1N1…Ni, • Broadcast • Mn-1 broadcasts N1…Nn-1to Mi (in-1) CSC 774 Adv. Net. Security

  25. GDH.3 (Cont’d) • Response • Mi (i < n) factors out its own component and forwards N1…Ni-1Ni+1…Nn-1to Mn • Broadcast • Mn raises every input to the power of Nn and broadcasts the resulting set {N1…Ni-1Ni+1…Nn} to Mi (i < n) CSC 774 Adv. Net. Security

  26. GDH.3 (Cont’d) • How many rounds? • __________ • How many messages in GDH.2? • __________ • How many exponentiations per Mi? • __________ CSC 774 Adv. Net. Security

  27. Comparison GDH.1 GDH.2 GDH.3 Rounds 2(n-1) n n+1 Messages 2(n-1) n 2n-1 Total message size n(n-1) (n-1)(n/2+2)-1 3(n-1) Exp ops per Mi i+1, n i+1, n 4, 2, n Total exp ops (n+3)n/2-1 (n+3)n/2-1 5n-6 CSC 774 Adv. Net. Security

  28. Alteration of Group Membership • GDH.1 does not support efficient member addition/deletion. • GDH.2 & GDH.3 • Member addition • Consider the new member as the new Mn+1 • Member deletion • Mn regenerates its secret Nn and re-executes the protocol from the second stage. CSC 774 Adv. Net. Security

More Related