Efficient Self-healing Group Key Distribution With Revocation Capability Archana Rajagopal CSC 774 Presentation Based on Original Slides from Donggang Liu, Peng Ning, and Kun Sun
Outline • Motivation and background • Secure group communication in MANET • Proposed solutions • Novel personal key distribution • Self-healing group key distribution • Improvements to reduce storage and communication overheads • Conclusions and future work
Secure Group Communications in MANET • Problem • How to distribute group keys? • Challenges in MANET • Dynamic and volatile • Unreliable communication • Lost packets, network partitions, relatively long term failures due to active attacks, …
Related Work • Extensive results on group key management • Group key distribution • Tree-based scheme: LKH, Iolus, … • Secret sharing-based scheme: Self-healing, … • Group key agreement • GDH, TGDH, … • Most existing techniques are not suitable for MANET • No fault tolerance => not applicable • Simple fault tolerance => easy to disrupt, cannot deal with network partitions and active attacks
Related Work (cont’d) • Two potential candidates for MANET • Self-healing group key distribution • Ability to recover lost session keys • Staddon et al., Oakland 2002 • Stateless group key distribution • Ability to rejoin the group • Cannot recover lost keys • Naor, Naor, and Lotspiech (SDR), Crypto 2001
Desirable Properties • Unconditionally secure • Self-healing • t-revocation capability • t-wise forward secrecy • t-wise backward secrecy [Figure: session keys K1, K2, …, Ki, Ki+1, …, Km; t comp. users revoked; t comp. users join]
Property of proposed scheme • Processing, communication, and storage overheads depend on the number of compromised nodes that may collude, not on the group size.
Scheme I: Personal Key Distribution • Goal: distribute distinct keys to different members with one broadcast message • A key is a point on polynomial f(x), e.g., f(j) • Idea: construct a single polynomial w(x) to distribute shares on f(x) such that • A valid member can only get its own key • Revoked members know nothing about • Valid members’ keys • Their own keys
Scheme I (cont’d) • Method: w(x)=g(x)f(x)+h(x) • h(x) is called a masking polynomial. Degree 2t. Each member i has one share on h(x), which is h(i). • g(x) is called a revocation polynomial. Degree w (w<=t). If member v is revoked, g(v)=0; otherwise g(v)!=0
Scheme I (cont’d) • Group manager broadcasts • Revoked user ids {r1,…,rw} => g(x)=(x-r1)(x-r2)…(x-rw) • w(x)=g(x)f(x)+h(x) • Communication overhead O(t log q) [Figure: w(x)=g(x)f(x)+h(x) at members v and v’. Member v is not compromised, but member v’ is compromised]
Property of Scheme I • Scheme I is an unconditionally secure personal key distribution scheme with t-revocation capability
Scheme II: (Basic Session Key Distribution) • Main idea • Combine the new personal key distribution scheme with the self-healing technique. • Distribute the p(x) part for all old sessions and the q(x) part for all future sessions [Figure: K = p(x) + q(x); p(x) is sent as p(x)g(x)+h(x), q(x) is sent as q(x)g(x)+h’(x)]
Self Healing Property • Group key Kj = pj(i) + qj(i) • (m+1) polynomials are broadcast for all ‘m’ sessions • {p1(i), …, pj(i), qj(i), …, qm(i)} • Ui receives messages from j1 and j2 but not j, where j1 < j < j2 • How to recover the session key for ‘j’? • pj(i) from j2 and qj(i) from j1
Broadcast • Bj = • {Rj} • {Pj,i(x) = gj(x)pi(x) + hi,j(x)}i=1…j • {Qi,j(x) = gj(x)qi(x) + hj,i+1(x)}i=j…m
Scheme II (cont’d) • In session j, given a set of revoked member ids Rj={r1,…,rwj}, the group manager broadcasts Rj and m+1 polynomials • Communication overhead O(mt log q) • Storage overhead O(m^2 log q)
Properties of Scheme II • Unconditionally secure, t-revocation capability • Self-healing session key distribution • t-wise forward secrecy and t-wise backward secrecy
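Scheme I's masking w(x)=g(x)f(x)+h(x) and Scheme II's self-healing recovery, worked through in Python as an added example (not code from the slides or from the scheme's authors). The field modulus, t=2, m=4, member ids 3, 5, 7, 0-based session numbers, all function names, and the choice of h[j][k] as the mask for the k-th polynomial of session j's broadcast are assumptions made for the illustration.

```python
import secrets

Q = 2**61 - 1    # prime modulus of F_q (size chosen for the example)
T, M = 2, 4      # collusion bound t, number of sessions m (constructed)

def ev(poly, x):                       # Horner evaluation mod Q
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % Q
    return acc

def rand_poly(deg):
    return [secrets.randbelow(Q) for _ in range(deg + 1)]

def mask(revoked, f, h):               # w(x) = g(x) f(x) + h(x)
    assert len(revoked) <= T, "at most t revocations"
    w = list(f)
    for r in revoked:                  # multiply by (x - r), one root at a time
        w = [(a - r * b) % Q for a, b in zip([0] + w, w + [0])]
    w += [0] * (len(h) - len(w))       # deg(g f) <= 2t = deg h
    return [(a + b) % Q for a, b in zip(w, h)]

def unmask(w, revoked, h_share, v):    # f(v) = (w(v) - h(v)) / g(v)
    g_v = 1
    for r in revoked:
        g_v = g_v * (v - r) % Q
    if g_v == 0:
        raise ValueError("revoked member: g(v) = 0")
    return (ev(w, v) - h_share) * pow(g_v, -1, Q) % Q

def setup():                           # group manager state
    keys = [secrets.randbelow(Q) for _ in range(M)]
    p = [rand_poly(T) for _ in range(M)]
    q = [[(k - pj[0]) % Q] + [-c % Q for c in pj[1:]] for k, pj in zip(keys, p)]
    h = [[rand_poly(2 * T) for _ in range(M + 1)] for _ in range(M)]
    return keys, p, q, h

def broadcast(j, revoked, p, q, h):    # m+1 masked polynomials for session j
    polys = p[:j + 1] + q[j:]          # p_1..p_j, then q_j..q_m
    return revoked, [mask(revoked, f, h[j][k]) for k, f in enumerate(polys)]

def demo(v=7, lost=1):
    keys, p, q, h = setup()
    share = lambda j, k: ev(h[j][k], v)             # member v's stored h shares
    r0, b0 = broadcast(0, [3], p, q, h)             # received
    r3, b3 = broadcast(3, [3, 5], p, q, h)          # received; sessions 1, 2 lost
    p_v = unmask(b3[lost], r3, share(3, lost), v)          # from the later message
    q_v = unmask(b0[lost + 1], r0, share(0, lost + 1), v)  # from the earlier one
    return (p_v + q_v) % Q == keys[lost]
```

`demo()` returns True when member 7 rebuilds the key of a session it never received; calling `unmask` as member 5 on the session-3 broadcast raises, because g(5)=0 removes f(5) from w(5).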
Scheme III: Reduce Storage Overhead • Goal: reduce the storage overhead in scheme II • Source of storage overhead: shares on masking polynomials • Observation: each pi(x) or qi(x) is masked by different masking polynomials in different sessions • Having one masking polynomial for each pi(x) or qi(x) is sufficient • The broadcast messages are public, so it is unnecessary to protect the same polynomial multiple times using different masking polynomials
Scheme III (cont’d) • In session j, given the sets of revoked member ids {Ri}i=1,…,j, the group manager broadcasts {Ri}i=1,…,j and m+1 polynomials • Communication overhead is still O(mt log q) • Storage overhead is O(m log q) instead of O(m^2 log q) in scheme II
Properties of Scheme III • Unconditionally secure, self-healing session key distribution and t-revocation capability • t-wise forward secrecy and t-wise backward secrecy
Scheme IV: (Less Broadcast Size) • Goal: further reduce the communication overhead • Observation: having redundant information for all the sessions may be unnecessary • Short term communication failures • Long term but infrequent communication failures • Idea: • Sliding window. • Trade off between broadcast size and self-healing capability
Variant I • For short term communication failures • l-session self-healing: self-healing capability in terms of l consecutive sessions
Variant II • For long-term but infrequent communication failures • (l,d)-session self-healing: Can recover the lost session keys if a member receives d consecutive messages within ld sessions
Conclusions • Our new personal key distribution scheme can be used to • Develop more efficient self healing key distribution schemes • Reduced the communication and the storage overhead of session key distribution scheme • Proposed two ways to trade off the broadcast size with the self-healing ability
Future Work • Long-lived self-healing key distribution • Stateless group key distribution • Supporting multiple groups • Performance evaluation
Thank You! QUESTIONS?