1. 1 Group Key Agreement - Theory and Practice - Ph.D. Defense Presentation
September 9, 2012
Yongdae Kim
Hello! The title of this talk is “group key agreement”.
2. 2 Outline Definitions and concepts
Related work
Contribution
Background
Work Done
TGDH
STR
Performance Comparison
Conclusion
The outline of this talk is as follows. To provide the motivation and goals of this proposal, we need some prior knowledge, so I first introduce some concepts. While explaining new concepts, I'll narrow down my research focus step by step. After that, I will explain our motivations and goals. Related work will follow. Then I'll explain the proposed protocols and the current status of implementation and integration, and I'll conclude with the research plan and evaluation plan.
3. 3 General Background: Security in Group Communication
Let me introduce the basic background of my work first. Assume that four people hold a group conference. A sufficiently skilled Eve can always eavesdrop on the conference. However, if the group members share a common key, they can encrypt the traffic, and then Eve cannot eavesdrop. This is the main background of my work.
4. 4 Group Communication Settings One-to-Many (or Few-to-Many)
Single-source broadcast: Cable/sat. TV, radio
Multi-source broadcast: Televised debates, GPS
Any-to-Any
Collaborative applications need underlying peer group communication
Video/Audio conferencing, collaborative workspaces, interactive chat, network games and gambling
Rich communication semantics, tighter control, more emphasis on reliability and security
Nowadays, group-oriented applications are very popular and can be divided into one-to-many, few-to-many, and any-to-any applications. Among these, we are interested in any-to-any applications. Such applications, for example video conferencing, are collaborative, and collaborative applications need an underlying peer group. This kind of group also requires rich communication semantics and tighter control of membership, and puts emphasis on reliability and security.
5. 5 Dynamic Peer Groups (DPG) Relatively small (< 100 members)
No hierarchy
Frequent membership changes
Any member can be sender and receiver
So what is a dynamic peer group? Its size is relatively small, there is no hierarchy among members, and membership changes frequently. Lastly, any member can be a sender and a receiver. Now we can narrow down my interest a little more: the focus of the proposed work is key management in dynamic peer groups. Why key management?
6. 6 Key Management is a building block
Key management is a building block for all other cryptographic and secure applications.
7. 7 Group Key Management Group key: a secret quantity known only to current group members
Group Key Distribution
One party generates a secret key and distributes to others.
Group Key Agreement
Secret key is derived jointly by two or more parties.
Key is a function of information contributed by each member.
No party can pre-determine the key
Group key management methods can be divided into group key distribution and group key agreement.
8. 8 Can we use Key Distribution in DPG? Centralized key server
Single point of failure
Attractive attack target
Can key server be sufficiently replicated? → Very costly
Availability of a key server in any and all possible partitions
Network can have arbitrary faults!
9. 9 Distribution vs. Agreement
10. 10 Settings for Group Key Management
Now it is clearer what my research focus is. As I explained before, I'm interested in small dynamic groups with any-to-any communication semantics. Note that peer-level collaboration does not scale well. And as just explained, since key distribution is essentially inappropriate for DPGs, we are interested in group key agreement, and hence authority is distributed. Our interest lies in strong security: for a large group, providing strong security is very hard, and thus most key distribution methods provide weaker security than ours. What is the meaning of a secret that is known only to people living in Marina del Rey?
11. 11 Group Communication System
Offers to peer groups:
Efficient messaging: any-to-any
Dynamic membership
Message / event ordering
Fault-detection service
Fault-tolerant: resistant against cascaded failure
Different from IP Multicast
A group communication system is a distributed system that offers these services. This is different from IP multicast. Why am I mentioning group communication systems?
12. 12 Membership Operations
13. 13 Secure Group Communication
Group key agreement protocols rely on group communication systems for:
Protocol message transport
Strong membership semantics (notification of group membership changes)
Not for security reasons
Group communication systems need specialized security mechanisms
One basic requirement of a group key management protocol is that the key has to change after each membership operation. Hence, we have to know immediately when any membership event happens. Since group key agreement is collaborative, some level of message ordering has to be provided. Therefore, we use the group communication system for message transport and membership control. In turn, many applications of group communication need specialized security mechanisms. Hence, we can say that mutual benefit and interdependency exist between group communication and group key agreement. Fake join: solved by authentication, out of scope; forced leave: denial of service.
14. 14 Motivation We need group key agreement methods satisfying the following:
Strong security
Dynamic operation
Robustness
Efficiency in communication and computation
Implementation, integration, and measurement
Now we can introduce the motivation of our work. The main motivation is that the previous methods lack one or more of the following. Some methods were not secure, and some cannot support dynamic group operations or robustness against cascaded faults. Cascaded or nested faults happen when a membership event occurs while the prior event is still being handled. Some of the prior methods were not efficient in communication or computation. Until now, only Cliques has been integrated with a group communication system.
15. 15 Why is computation overhead important? Most group key agreement methods rely on modular exponentiation.
512-bit modular exponentiation on a 400 MHz Pentium = 2 msec
1024-bit modular exponentiation = 8 msec
Most methods require a lot of modular exponentiations for each membership operation, some as many as O(n)
Before explaining the proposed goal, let me briefly explain why we care about computation overhead.
16. 16 Security Requirements Group key secrecy
Computationally infeasible for a passive adversary to discover any group key
Backward secrecy
Any subset of group keys cannot be used to discover previous group keys
Forward secrecy
Any subset of group keys cannot be used to discover subsequent group keys
Key independence
Any subset of group keys cannot be used to discover any other group key
Forward + backward secrecy
(These are the definitions used throughout the TGDH and STR papers. Note that much of the wider literature, e.g. "perfect forward secrecy" for session protocols, uses "forward secrecy" for the protection of past keys, the reverse of the naming here; check which convention a paper uses before comparing claims.)
17. 17 Outline Definitions and concepts
Related work
Contributions
Background
Work Done
TGDH
STR
Performance Comparison
Conclusion
18. 18 Related Work Only provide initial formation of a group key (no dynamic membership operations)
Steer et al. (1988): fast join, slow leave
Burmester and Desmedt (BD, 1993): fast but too many broadcasts
Becker and Wille (1998): log n communication rounds and log n computation overhead
Tzeng and Tzeng (1999, 2000): fast but no forward and backward secrecy
19. 19 Related Work (continued) Cliques
Key Agreement in Dynamic Peer Groups (1996, 1997, 2000)
Steiner, Tsudik and Waidner
Group Diffie-Hellman key agreement protocols
Dynamic membership operations
New Multi-party Authentication Services and Key Agreement Protocols (1998, 2000)
Ateniese, Steiner and Tsudik
A notion of group key authentication is considered
Drawbacks
Slow computation: O(n) computation for each membership event
Communication overhead: k rounds for merge (k: # of new members)
20. 20 Contributions (TGDH) Simple and Fault-tolerant Group Key Agreement
Y. Kim, A. Perrig, G. Tsudik
ACM CCS 2000, Nov. 2000
TGDH Protocol: support for all membership changes
Computation overhead reduced from O(n) to O(log n)
Providing robustness against cascaded failure inherently
Tree-based Group Diffie-Hellman
Y. Kim, A. Perrig, G. Tsudik
In submission
Journal version of the above paper
Security proof
Self-Clustering effect
TGDH was originally proposed by Adrian Perrig; the original lacked many of the requirements listed above. STR was originally proposed by Steer et al.
21. 21 Contributions (STR and GKA API) Communication-efficient Group Key Agreement
Y. Kim, A. Perrig, G. Tsudik
IFIP SEC 2001
STR Protocol
Communication overhead is lower than any other methods
Inherent robustness against cascaded faults
The Design of a Group Key Agreement API
G. Ateniese, O. Chevassut, D. Hasse, Y. Kim, G. Tsudik
DARPA DISCEX 2000
High level design of Group Key Agreement API
Detailed implementation
22. 22 Contributions (Integration) Secure Group Communication in Asynchronous Networks and Failures: Integration and Experiments
Y. Amir, G. Ateniese, D. Hasse, Y. Kim, C. Nita-Rotaru, T. Schlossnagle, J. Schultz, J. Stanton, G. Tsudik
ICDCS 2000
Integration of Cliques group key agreement and Spread group communication system
Exploring Robustness in Group Key Agreement
Y. Amir, Y. Kim, C. Nita-Rotaru, J. Schultz, J. Stanton, G. Tsudik
ICDCS 2001
Providing robustness in Secure Spread
Robust Contributory Group Key Agreement
Y. Amir, Y. Kim, C. Nita-Rotaru, J. Schultz, J. Stanton, G. Tsudik
In submission to ACM TOCS
Journal version of the above two
23. 23 Contributions (Performance and Access Control) On the Performance of Group Key Agreement Protocols
Y. Amir, Y. Kim, C. Nita-Rotaru, G. Tsudik
In submission to ICDCS 2002
Comparison of 5 group key agreement/distribution schemes
Peer Group Access Control
Y. Kim, D. Mazzocci, G. Tsudik
In submission
Access control mechanism for peer group
24. 24 Outline Definitions and concepts
Related work
Contributions
Cryptography Background
Work Done
TGDH
STR
Performance Comparison
Conclusion
25. 25 Diffie-Hellman Setting
p – large prime (e.g. 512 or 1024 bits)
Zp* = {1, 2, … , p – 1}
g – base generator
A → B : N_A = g^n1 mod p
B → A : N_B = g^n2 mod p
A : N_B^n1 = g^(n1 n2) mod p
B : N_A^n2 = g^(n1 n2) mod p
Diffie-Hellman key : g^(n1 n2)
Blinded key of n1 : N_A = g^n1 mod p
26. 26 Diffie-Hellman Problem Computational Diffie-Hellman Assumption (CDH)
Loose definition: given g^a and g^b, computing g^(ab) is hard.
CDH is not sufficient to prove that the Diffie-Hellman key can be used as a secret key:
Eve may recover part of the information with some confidence
One cannot simply use the bits of g^(ab) as a shared key
Decision Diffie-Hellman Assumption (DDH)
Loose definition: given g^a, g^b and a candidate g^c, can you decide whether g^c = g^(ab)?
Stronger assumption than CDH
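The exchange of the previous two slides written out as an added example (not code from the defense): a Schnorr group with |p| = 512 and |q| = 160, the sizes used in the WAN experiment later in the talk, the blinded values N_A and N_B exchanged, a subgroup-membership check on the received value before exponentiating, and the shared g^(n1 n2) hashed together with the transcript instead of being used raw, which is the practical answer to the "one cannot simply use bits of g^ab" point. The Miller-Rabin test, the parameter generator and all function names are this example's own.

```python
"""Two-party Diffie-Hellman in a prime-order subgroup (Schnorr group), with the
public-value check and key-derivation step the CDH/DDH discussion calls for.
Added example written for this page, not code from the defense. Sizes follow
the talk (|p| = 512, |q| = 160); the primality test and parameter generation
are inlined so the example runs offline."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test after trial division by a few small primes."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_schnorr_group(p_bits=512, q_bits=160):
    """Return (p, q, g): q prime, p = k*q + 1 prime, g of order q modulo p."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1   # odd, full length
        if not is_probable_prime(q):
            continue
        k_lo = -(-(1 << (p_bits - 1)) // q)    # ceil, so p has exactly p_bits bits
        k_lo += k_lo & 1                        # k even: q is odd and p must be odd
        k_hi = ((1 << p_bits) - 1) // q
        for _ in range(4096):
            k = k_lo + 2 * secrets.randbelow((k_hi - k_lo) // 2 + 1)
            p = k * q + 1
            if is_probable_prime(p):
                break
        else:
            continue                            # unlucky q, draw another one
        h = 2
        while (g := pow(h, (p - 1) // q, p)) == 1:
            h += 1
        return p, q, g


def validate_public_value(y, p, q):
    """Reject 1, p-1 and anything outside the order-q subgroup (small-subgroup attack)."""
    return 1 < y < p and pow(y, q, p) == 1


def dh_shared_secret(my_secret, peer_public, p, q):
    if not validate_public_value(peer_public, p, q):
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_public, my_secret, p)


def encode(x, p):
    return x.to_bytes((p.bit_length() + 7) // 8, "big")


def derive_key(shared_secret, p, transcript):
    """Hash g^(n1 n2) with the transcript instead of using its raw bits: CDH alone
    does not make those bits pseudorandom, which is why DDH is needed."""
    return hashlib.sha256(encode(shared_secret, p) + transcript).digest()


def run_exchange(p, q, g):
    """The A <-> B exchange from the slide, with both sides' computations."""
    n1 = secrets.randbelow(q - 1) + 1           # A's exponent in [1, q-1]
    n2 = secrets.randbelow(q - 1) + 1           # B's exponent
    NA = pow(g, n1, p)                          # A -> B : NA = g^n1 mod p
    NB = pow(g, n2, p)                          # B -> A : NB = g^n2 mod p
    transcript = b"A|B|" + encode(NA, p) + encode(NB, p)
    kA = derive_key(dh_shared_secret(n1, NB, p, q), p, transcript)   # A : NB^n1
    kB = derive_key(dh_shared_secret(n2, NA, p, q), p, transcript)   # B : NA^n2
    return kA, kB


if __name__ == "__main__":
    p, q, g = generate_schnorr_group()
    kA, kB = run_exchange(p, q, g)
    print("keys agree:", kA == kB, "| p-1 accepted:", validate_public_value(p - 1, p, q))
```

The subgroup check is what stops a peer from sending an order-2 value such as p-1 (or any element of a small subgroup of Zp*) to force the shared secret into a handful of candidates; the same check applies to every blinded key a member accepts in the group protocols that follow.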
27. 27 Outline Definitions and concepts
Related work
Contributions
Background
Work Done
TGDH
STR
Performance Comparison
Conclusion
28. 28 TGDH Simple: two functions suffice
Fault-tolerant: Robust against cascaded faults
Secure
Contributory
Provable security (including key independence)
Efficient
d is the height of the key tree, d = O(log2 N), where N is the number of members
Maximum number of exponentiations = 4(d-1)
# of exp. in Cliques = 2N+1
29. 29 Key Tree (General)
30. 30 Key Tree (n3’s view)
31. 31 Join (n3’s view)
32. 32 Join (n3’s view)
33. 33 Leave (n2’s view)
34. 34 Leave (n2’s view)
35. 35 Leave (n2’s view)
36. 36 Partition (n5’s view)
37. 37 Partition (n5’s view)
38. 38 Partition (n5’s view)
39. 39 Partition: Both Sides
40. 40 Partition: Both sides (N5 and N6’s view)
41. 41 Merge (to intermediate node, N2’s view)
42. 42 Merge (to intermediate node)
43. 43 Tree Management: do one’s best Join or Merge Policy
Join to leaf or intermediate node, if height of the tree will not increase.
Join to root, if height of the tree increases.
Leave or Partition policy
No one can predict who will leave or be partitioned out
No policy for leave or partition events
Successful
Still maintains logarithmic height (height < 2 log2 N)
44. 44 Security Group key secrecy
Intuitive Definition
Given all blinded keys of a random key tree, can we distinguish the group key from a random number?
Proof
If we can distinguish, we can break 2-party DDH on a special group
Key independence
45. 45 Discussion Efficiency
Average number of mod exp: 2 log2 n
Maximum number of rounds: log2 n
Robustness is easily provided due to self-stabilization property
Self-clustering
Logical key tree: does not depend on the physical location of the group members
After a partition, the members on the same side form a cluster (subtree)
After a merge, the next partition on the same link is much cheaper to handle
46. 46 Self-stabilization Four protocols actually represent different strands of a single protocol
receive msg (msg type = membership event)
construct new tree
while there are missing blinded keys
    if (I can compute any missing keys && I'm the sponsor)
        compute missing blinded keys
        broadcast new blinded keys
    endif
    receive msg (msg type = broadcast)
    update current tree
endwhile
47. 47 Cascaded Events A join, leave, merge, or partition takes place while a prior event is being handled
receive msg (msg type = membership event)
construct new tree
while there are missing blinded keys
    if (I can compute any missing keys && I'm the sponsor)
        compute missing blinded keys
        broadcast new blinded keys
    endif
    receive msg
    if (msg type = broadcast)
        update current tree
    else (msg type = membership event)
        construct new tree
    endif
endwhile
48. 48 STR Uses a completely unbalanced (linear) key tree
Communication efficient
Max 2 rounds
Max 2 broadcasts
Simple: two functions suffice
Fault tolerance: easier than TGDH
Security:
Contributory
Provable security (including key independence)
Computation is a bit more expensive than TGDH
Max # exps = 4(N-1)
N is # of users
49. 49 Motivation Over WAN, communication is much more expensive than computation
Multi-round protocol is slow
Communication speed has a hard upper bound (speed of light), so latency cannot be engineered away
Computation speed increases much faster than communication speed
Too many messages are also bad
May require retransmission
50. 50 Merge
51. 51 Discussion Security
Same as TGDH, since STR key tree is a special case of TGDH key tree
Efficiency
Average number of mod exp: 2n
Maximum number of rounds: 2
Maximum number of messages: 3
Robustness is easily provided due to self-stabilization property
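The TGDH key tree of slides 28 to 47 and the STR tree of slides 48 to 51, as an added example written for this page (not the defense's own implementation, which was the code integrated with Spread). It builds the tree with slide 43's join policy, lets the sponsor refresh its share and publish the blinded keys of its path on join and leave, has every member derive the root key from its own view, and shows the STR tree as the same code with "always join at the root", which gives height N-1 instead of about log2 N. The key-independence checks are observational only (the group key changes whenever membership changes); hardness is what the DDH argument of slide 44 covers. The modulus p = 2^127 - 1, the base g = 3, the dictionary secrets_of standing in for each member's private state, and the sponsor rule (rightmost leaf of the affected subtree) are this example's assumptions; there is no prime-order subgroup and no key-derivation step, so it is not for real use.

```python
"""TGDH key tree with join/leave, and the STR tree as its fully unbalanced special case.
Added example, not the defense's own code. Toy p = 2^127 - 1, g = 3: readable, not for real use."""
import secrets

P, G = (1 << 127) - 1, 3   # toy modulus and base, constructed for this example

class Node:
    """Leaf: holds a member. Internal: two children. Only bkey = g^k mod p is broadcast."""
    def __init__(self, member=None, left=None, right=None, bkey=None):
        self.member, self.left, self.right, self.parent, self.bkey = member, left, right, None, bkey
        for child in filter(None, (left, right)):
            child.parent = self

def height(node):
    return 0 if node.member is not None else 1 + max(height(node.left), height(node.right))

def rightmost_leaf(node):
    while node.member is None:
        node = node.right
    return node

def shallowest_leaf(root):
    queue = [(root, 0)]                      # breadth-first, so the first leaf met is shallowest
    while queue:
        node, depth = queue.pop(0)
        if node.member is not None:
            return node, depth
        queue += [(node.left, depth + 1), (node.right, depth + 1)]

def fresh_secret():
    return secrets.randbelow(P - 2) + 1

class KeyTree:
    """Shared view: tree shape plus public blinded keys; leaf secrets stay with their members."""
    def __init__(self, first_member, first_secret):
        self.root = Node(member=first_member, bkey=pow(G, first_secret, P))
        self.leaf_of = {first_member: self.root}

    def _splice(self, parent, old, new):
        new.parent = parent
        if parent is None:
            self.root = new
        else:
            setattr(parent, "left" if parent.left is old else "right", new)

    def compute_path(self, member, secret):
        """A member's view: leaf -> root from its own secret and the siblings' blinded keys,
        publishing the path's blinded keys (the sponsor's broadcast). Returns the root key."""
        node = self.leaf_of[member]
        node.bkey, key = pow(G, secret, P), secret
        while node.parent is not None:
            parent = node.parent
            sibling = parent.left if parent.right is node else parent.right
            if sibling.bkey is None:
                raise RuntimeError(f"{member}: missing blinded key, wait for the sponsor")
            key = pow(sibling.bkey, key, P)          # k_parent = g^(k_left * k_right) mod p
            parent.bkey = pow(G, key, P)
            node = parent
        return key

    def join(self, new_member, new_secret, secrets_of, policy="tgdh"):
        """tgdh: slide 43's policy (shallowest leaf unless the height would grow, else root); str: always root."""
        insert_at = self.root
        if policy == "tgdh":
            leaf, depth = shallowest_leaf(self.root)
            if depth < height(self.root):
                insert_at = leaf
        sponsor = rightmost_leaf(insert_at).member
        new_leaf = Node(member=new_member, bkey=pow(G, new_secret, P))   # bkey rides on the join request
        old_parent = insert_at.parent
        self._splice(old_parent, insert_at, Node(left=insert_at, right=new_leaf))
        self.leaf_of[new_member], secrets_of[new_member] = new_leaf, new_secret
        secrets_of[sponsor] = fresh_secret()         # sponsor refreshes its own share
        self.compute_path(sponsor, secrets_of[sponsor])

    def leave(self, member, secrets_of):
        """Drop the leaf; its sibling moves up and the rightmost member below it sponsors a
        refresh, so no key on the path still depends on the departed member's share."""
        leaf, _ = self.leaf_of.pop(member), secrets_of.pop(member)
        parent = leaf.parent
        sibling = parent.left if parent.right is leaf else parent.right
        self._splice(parent.parent, parent, sibling)
        sponsor = rightmost_leaf(sibling).member
        secrets_of[sponsor] = fresh_secret()
        self.compute_path(sponsor, secrets_of[sponsor])
        return sponsor

def group_key(tree, secrets_of):
    """Every current member derives the root key from its own view; they must all agree."""
    keys = {m: tree.compute_path(m, s) for m, s in secrets_of.items()}
    assert len(set(keys.values())) == 1, "members disagree on the group key"
    return next(iter(keys.values()))

def build_group(members, policy="tgdh"):
    secrets_of = {members[0]: fresh_secret()}
    tree = KeyTree(members[0], secrets_of[members[0]])
    for m in members[1:]:
        tree.join(m, fresh_secret(), secrets_of, policy)
    return tree, secrets_of
```

build_group(["m1", ..., "m8"]) yields a tree of height 3; leave("m3", secrets_of) on a five-member tree picks m4 as sponsor and replaces every key on m4's path to the root, so the departed member's share no longer contributes anywhere; the same members with policy="str" form a chain of height N-1. Where compute_path raises for a missing blinded key, a real member would keep receiving messages until the sponsor's broadcast arrives, which is the self-stabilization loop of slide 46.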
52. 52 Outline Definitions and concepts
Related work
Contributions
Background
Work Done
TGDH
STR
Performance Comparison
Conclusion
53. 53 Theoretical Analysis
54. 54 Experimental Results (Computation) Simulation results without communication
Meaningful results for LAN
Average time for each membership event
Considerations
1024-bit RSA signature with public exponent 3 on all messages
Signing: 0.007 sec, verifying: 0.0001 sec
TGDH: random tree
STR: picking a random member for subtractive events
55. 55 Computational Cost (Join and Leave)
56. 56 Computational Cost (Merge)
57. 57 Computational Cost (Partition)
58. 58 Experimental Result (WAN) Using Spread over a high-delay WAN
JHU: 11 machines
UCI: 1 machine
ICU (Korea): 1 machine
Delay (msec)
Ping: JHU – UCI = 70, UCI – ICU = 300, ICU – JHU = 270
Actual Spread delay from sender
at JHU: 392
at UCI: 328
at ICU: 334
DH parameters: |p| = 512, |q| = 160 bits
1024-bit RSA with public exponent 3
Membership cost is pretty high: about 1 sec
59. 59 Experimental Result on WAN Computational cost does not matter much
Communication cost is most important
On a high-delay network, any group key agreement is hard to use in practice
Imagine merge or partition cost
Join: implemented with merge
For smaller delay WAN, TGDH will be best performer overall
60. 60 Conclusion and Future Work TGDH performs best overall
Self-clustering offsets the rather expensive partition cost
On a high-delay WAN, STR will perform best overall
Future Work
Security proof without assuming a special group
Extensive evaluation on WAN
Medium delay WAN
Partition and merge test
Hierarchical design will provide better scalability over WAN
61. 61 Thank You!