The Performance of Group Diffie-Hellman in Simulated Ad-Hoc Networks Hans-Peter Bischof Kieran Hagzan Rochester Institute of Technology Rochester/NY
Agenda • Background • Communication Scheme • Problem description • Work Done • Result • Conclusion
Future Hardware Infrastructure • Ad hoc • Minimized Resources • Battery power • Computing power • Dynamic • Devices come • and leave unannounced • No server • No system administrator
Software Infrastructure Anhinga Project www.cs.rit.edu/~anhinga • An invocation is broadcast throughout the network and every object that implements the method executes the method. Photographs courtesy Philip Greenspun
Security In the New World? • Left out in the initial Anhinga Project • Why was it not included? • Was considered a separate problem • To solve both problems had been considered too big
Traditional Solutions Security is enabled by centralized, dedicated entities: • Perimeter defenses • Authentication servers • Localized access policies • Security administrators
Ad Hoc Security Ideas Ungulate Project www.cs.rit.edu/~ungulate • Nodes cannot rely on the presence of a fixed, well-defined entity to protect them from security threats • Nodes must levy their trust in other nodes to form an infrastructure for secure communication Photograph by Hans-Peter Bischof
Ad Hoc Network Security Requirements • Security paradigm must accommodate the networking paradigm • distributed, • dynamic, and • fault-tolerant • Cannot rely on persistent or centralized entities • Underlying algorithms should minimize bandwidth consumption and computation cycles
Problem Definition • Dynamic nature of the network requires modified security techniques to preserve backwards/forwards security • Form contributory keys by extending a two-party algorithm to an arbitrary number of participants • Algorithm must be robust and scalable
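Two-Party Diffie-Hellman (DH) • Well-known g and m, available to both Alice and Bob • Alice picks a and computes Ka = g^a mod m • Bob picks b and computes Kb = g^b mod m • Alice sends Ka to Bob; Bob sends Kb to Alice • Kab = g^(ab) mod m = g^(ba) mod m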
Two-Party Diffie-Hellman Security • An instance of the discrete logarithm problem [Riv92a]. • Since it is assumed an attacker does not know a or b, the problem reduces to computing the value a * b by finding the discrete logarithm of both the public values g^a and g^b. • Computing the discrete logarithm in this fashion is considered as hard as factoring, making Diffie-Hellman a candidate algorithm (Purdue mathematician claims proof for Riemann hypothesis)
Extension • Two-party DH does not work for a group, if the group size is ≥ 2 • Additional structure is needed • List • Tree • Hypercube
Linear Group Diffie-Hellman (LGDH) • Nodes are arranged in a sequential list • Exchange goes from left to right • Parallelism is not possible • All nodes can then compute the final shared key.
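A left-to-right list exchange of this kind, as an added example that is not the authors' implementation: it follows the GDH.2 construction of Steiner, Tsudik and Waidner (an assumption about which linear variant is closest), with toy parameters `P` and `G` and a hypothetical function name `linear_gdh`. It returns each node's key and its number of modular exponentiations, which shows the per-node work growing with position in the list; the counts are those of this variant and need not match the figures on the slides.

```python
import secrets

# Toy public parameters (assumption for this sketch): the Mersenne prime
# 2**127 - 1 and base 3. Real deployments use a vetted group of >= 2048 bits.
P = 2**127 - 1
G = 3


def linear_gdh(exponents, p=P, g=G):
    """Run a GDH.2-style upflow plus one broadcast over nodes in list order.

    Returns (keys, modexps): the key each node derives and the number of
    modular exponentiations each node performed.
    """
    n = len(exponents)
    modexps = [0] * n
    # Upflow message: partials[j] lacks node j's exponent,
    # cardinal contains every exponent contributed so far.
    partials, cardinal = [], g
    for i, x in enumerate(exponents[:-1]):
        raised = [pow(v, x, p) for v in partials]  # add x_i to each partial
        partials = raised + [cardinal]             # old cardinal lacks x_i
        cardinal = pow(cardinal, x, p)
        modexps[i] += len(raised) + 1
    # Last node derives the key directly and broadcasts the partials
    # raised to its own exponent.
    x_n = exponents[-1]
    keys = [None] * n
    keys[-1] = pow(cardinal, x_n, p)
    broadcast = [pow(v, x_n, p) for v in partials]
    modexps[-1] += len(broadcast) + 1
    # Every other node j takes the broadcast value missing x_j and adds x_j.
    for j in range(n - 1):
        keys[j] = pow(broadcast[j], exponents[j], p)
        modexps[j] += 1
    return keys, modexps


if __name__ == "__main__":
    # Constructed sample: five nodes with fresh random exponents.
    sample = [secrets.randbelow(P - 2) + 1 for _ in range(5)]
    keys, work = linear_gdh(sample)
    print("all keys equal:", len(set(keys)) == 1, "modexps per node:", work)
```

With two nodes the exchange reduces to the two-party Diffie-Hellman shown earlier; no exponent ever leaves its node, only values already raised to it.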
Tree Based Group Diffie-Hellman (TGDH) • TGDH is an algorithm attempting to reduce the computation per device by utilizing the O(log2(n)) traversal properties of a binary-tree. • Structure is a tree • Parallelism is possible
Hypercube Group Diffie-Hellman (HGDH) • Parallel Programming: • The hypercube is a structure commonly used in parallel programming that boasts no storage waste and fully parallelized traversal. • Minimize the Computational Overhead: • The HGDH algorithm is an effort to minimize the computational overhead seen with LGDH, but also to avoid the communication overhead and structure waste experienced due to the intermediary nodes in LGDH. • Parallelism is possible
Theoretical Complexity Bounds of LGDH, TGDH, and HGDH • N nodes • LGDH: • Communication: 2(n-1) keys transferred + 1 broadcast. • Complexity: each node must perform (n-1) DH computations. • TGDH: • Communication: For n nodes, there are at most 2(n-1)-1 intermediates, each requiring 1 key transfer. The entire tree's worth of blinded keys are also broadcast. • Complexity: Each node will require at most h = tree height = log2(n) computations. • HGDH: • Communication: 2 * ceiling(log2(n)) keys • Complexity: Each node will perform at most log2(n) DH computations
Implementation Notes • A modular framework was implemented to handle all basic I/O functions. • The framework supports any Group Diffie-Hellman paradigm that defines the operations of • add(), • remove(), • merge(), • partition(), and • keyUpdate(). • The 100 result sets were averaged, and Taylor expansion performed on the data to map a well-fit curve.
Analysis • As expected, Linear Group Diffie-Hellman becomes unusable for large networks. Surprisingly enough, it performs very well for small networks. • Hypercubic Group Diffie-Hellman performs far worse than expected. Being the most mathematically scalable algorithm, why does it perform worse than TGDH and even LGDH? Two reasons: 1. Parallelism causes synchronization issues. This is a common experience in parallel programming. 2. There is no elimination of backward-propagation for HGDH. Each exchange in HGDH is actually twice as expensive as an LGDH or TGDH exchange.
Analysis - cont • Synchronization issues arise when one node attempts to begin an exchange with another node that is not ready. • LGDH is not parallelized at all. Therefore, there are never synchronization issues. • TGDH is logarithmically parallelized. That is, all nodes are active in the first round, then half drop out. Each subsequent round, the number of active nodes also drops by half. Therefore, the probability of synchronization issues occurring is halved in each round as well. • HGDH is fully parallelized. In every round, all nodes have the probability of facing some synchronization problems.
Conclusion - LGDH • LGDH is a suitable algorithm for networks of ~75 devices or less. • The algorithm is memory-efficient by wasting no storage space for the structure, and the elimination of backward-propagation causes it to perform well for small environments. • Therefore it is very useful for small devices. • For larger networks of 100 devices or more, LGDH is overwhelmed by computational complexity and is unusable.
Conclusion - HGDH • HGDH is a fully parallel algorithm. • HGDH suffers from tremendous synchronization issues, and is communication-intensive. • The key-generation and topology-maintenance algorithms are non-intuitive.
Conclusion - TGDH • TGDH offers the best of both worlds. • The logarithmic parallelism improves scalability as group size increases, and backward propagation is eliminated. The structure does, however, waste 2(n-1)-1 memory portions. • Most likely not well suited for small devices
Future Work • An Ad-hoc network is a set and not an ordered structure • Synchronization is a problem • Should a tuple space be used? • Authentication is not solved yet • Zero Knowledge Proofs are great but not practical