Group Key Management Scheme for Simultaneous Multiple Groups with Overlapped Membership. Andrew Moore 9/27/2011. Overview. Review of Group Communication Background Information Scheme Definitions Protocol Discussion Example Results Conclusion. Group Communication.
Group Key Management Scheme for Simultaneous Multiple Groups with Overlapped Membership Andrew Moore 9/27/2011
Overview • Review of Group Communication • Background Information • Scheme Definitions • Protocol Discussion • Example • Results • Conclusion
Group Communication • Group communication is a means for members of a group to exchange messages with one another • Static group • Dynamic group • Secure group communication • Forward access control • Backward access control • Rekeying
Group Communication (cont.) • Group key management • Centralized group key management • Decentralized group key management • Distributed group key management • Example of centralized group key management • Key Distribution Center (KDC) manages groups by organizing keys in a key tree • Each leaf is a user that has a private key and a group key to encrypt/decrypt
Group Communication (cont.) • Multiple users in multiple groups • Shamir’s secret sharing • Key-User Tree (KUT) • Multiple groups are a collection of subgroups • Each subgroup consists of distinct users and is secure • Group members communicate with group key • Secure multiple groups are a collection of secure subgroups
Overlapping Membership Group A (8 users) Group B (9 users) Group C (9 users)
Lagrange Form of the Interpolation Polynomial • Interpolation – given a set of points, find a polynomial that goes through all points in the set • Lagrange Form – the polynomial of least degree for which each x corresponds to its y • Not unique • No x can be the same • Given k points, distinct polynomials are constructed using the following equations (1)
Lagrange (cont.) • P1 = {(x1,y1),…,(xk,yk)} • P2 = {(x1,y1),…,(xm,ym)} • |P1| = |P2| = k • No xi in P1 is the same (same for P2) • Let: • P1 ∩ P2 = {(x1,y1),…,(xk-1,yk-1)} and |P1 ∩ P2| = k-1 • P1 ∪ P2 = (P1 ∩ P2) ∪ {(xk,yk), (xm,ym)} and |P1 ∪ P2| = k+1
Lagrange (cont.) • P1 ∩ P2 contains all the points common to both P1 and P2 • Adding (xk,yk) to P1 ∩ P2 and using (1) from 7 yields a polynomial P1(x) of degree k-1 • Adding (xm,ym) to P1 ∩ P2 and using (1) from 7 yields a polynomial P2(x) of degree k-1 • P1(x) and P2(x) share y-intercept
Lagrange (cont.) • Lemma • S = {(x1,y1),…,(xk-1,yk-1)} where each xi and yi, i = 1,…,k-1, are chosen from GF(p) • Each xi is unique • Add point (xk,yk), such that xk ≠ xj for all j = 1,…,k-1 in S • Using (1), a polynomial of degree k-1 can be constructed • For each distinct (xi,yi), i = 1,…,n not in S, n polynomials can be constructed • n polynomials for n + k – 1 points
Scheme Definitions • U = {u1,…,un} is the set of n users • S1,…,Sm are m groups comprising distinct subsets of users • x -> y: z denotes sending a message z from x to y (unicast or multicast) • {M}K: Encrypt message M with key K • userset(K): users who have key K
Scheme Definitions (cont.) • uk -> KDC : (J,Si), join request from user uk to group Si (could be set of users) • uk -> KDC : (L,Si), leave request from user uk whose parent group is Si • uk -> KDC : (J,Si,Sj), join request from user uk to group Sj whose parent group is Si • uk -> KDC : (L,ε,Sj), leave request from user uk who has no parent group to leave group Sj
Scheme Definitions (cont.) • Joining Point: node of KUT where newly joined user is attached • Parent group: joining point of user is defined in the right subtree of the corresponding KUT for the group • Non-parental group: joining point of user is defined in the left subtree of the corresponding KUT for the group • Storage cost: number of points used to construct group keys and the number of auxiliary keys
Key User Tree • Constructed by the KDC for each group • Partially based on Logical Key Tree (LKT) • User categories • Parent group users • Non-parental group users
Key User Tree (cont.) Arbitrary key K of KDC • t parent group users, height of LKT is • k non-parental group users, binary tree with ui, i=1,…k, as nodes with u1 being the root User Node Group key G LKT
Key User Tree (cont.) KUT of S1 KUT of S2 KUT of S3
Multiple Group Key Management Scheme (Step 1) • One KDC • Manages the multiple secure groups • Uses KUT to manage keys • Handles all join/leave requests and rekeying process • Chooses security parameter k and fixes GF(p) • Initially there are no users in any group • Set U of n users that want to join m groups
Multiple Group Key Management Scheme (Step 2) • Assume user is authenticated and a secure channel initially exists between each user and the KDC • KDC generates a Ki for each user ui • Ki is a private key • Ki enables ui to securely communicate with KDC
Multiple Group Key Management Scheme (Step 3) • KDC chooses k-2 points (xi,yi), i = 1,..,k-2 • (xi,yi) are chosen randomly and independently from GF(p) such that no values of xi are the same • All points are distinct • Prepositioned base shares • Sent to all users • KDC chooses another point (xk-1, yk-1) such that xk-1 ≠ xi • Polynomial construction trigger share
Multiple Group Key Management Scheme (Step 4) • KDC selects m points (xSj,ySj), j = 1,…,m by picking xSj and ySj from GF(p) • All points are distinct • No xi can equal xSj • Group specific share of a user who is joining Sj
Multiple Group Key Management Scheme (Step 5) • KDC constructs LKT for each group Sj • Auxiliary keys computed • Group keys computed using {(x1,y1),…, (xk-2,yk-2),(xk-1,yk-1), (xSj,ySj)} and applying (1) to obtain Sj(x) • Sj(x=0) is group key Gj for Sj • KDC sends auxiliary keys to respective users • Auxiliary keys are represented as the intermediate nodes of the LKT • Each user has -1 auxiliary keys, for t users in Sj • LKT for Sj rooted at Gj
Multiple Group Key Management Scheme (Step 5 cont.) • KDC constructs KUT rooted at K • LKT is rooted at Gj as right subtree of KUT • Initially, left subtree is empty
Multiple Group Key Management Scheme (Step 6) • KDC sends (xSj,ySj) to all users who request to join group Sj • A user who has sent a request to join Sj will have the prepositioned base shares and a group specific share • {(x1,y1),…,(xk-2,yk-2)} • {xSj,ySj} • KDC sends polynomial construction trigger share to all users of group Sj • (xk-1,yk-1)
Multiple Group Key Management Scheme (Step 7) • User constructs Sj(x) from three shares using (1) to make polynomial of degree k-1 • Solve for x = 0 to obtain Gj
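Steps 1 to 7 above, together with the rekeying used in the join and leave examples, as an added Python example (not code from the slides or from the scheme's authors). It models the share handling and group key derivation; the prime P, the nonzero x-coordinates, and the names KDC, fresh_point, lagrange_at_zero and user_group_key are assumptions made here.

```python
import secrets

P = 2**127 - 1  # assumed prime modulus for GF(p); the slides do not fix a value

def lagrange_at_zero(points, p=P):
    """Value at x = 0 of the lowest-degree polynomial through the points, over GF(p)."""
    if len({x % p for x, _ in points}) != len(points):
        raise ValueError("x-coordinates must be distinct in GF(p)")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % p          # (0 - xj)
                den = den * (xi - xj) % p      # (xi - xj)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def fresh_point(used_x, p=P):
    """Random point with a nonzero, previously unused x (hypothetical KDC helper)."""
    while True:
        x = 1 + secrets.randbelow(p - 1)
        if x not in used_x:
            used_x.add(x)
            return (x, secrets.randbelow(p))

class KDC:
    def __init__(self, k, groups):
        self.used_x = set()
        self.base = [fresh_point(self.used_x) for _ in range(k - 2)]      # prepositioned base shares
        self.trigger = fresh_point(self.used_x)                         # polynomial construction trigger share
        self.group_share = {g: fresh_point(self.used_x) for g in groups}  # one group specific share per Sj

    def rekey(self, group):
        """On a join or leave, only the group specific share of that group is replaced."""
        self.group_share[group] = fresh_point(self.used_x)
        return self.group_share[group]

    def group_key(self, group):
        return lagrange_at_zero(self.base + [self.trigger, self.group_share[group]])

def user_group_key(base, trigger, group_share):
    """Step 7: a member combines its three kinds of share and evaluates Sj(0)."""
    return lagrange_at_zero(list(base) + [trigger, group_share])

if __name__ == "__main__":
    kdc = KDC(k=5, groups=["S1", "S2"])
    old = kdc.group_key("S1")
    kdc.rekey("S1")  # e.g. u6 leaves S1
    print("S1 key changed:", old != kdc.group_key("S1"))
```

A member of both S1 and S2 holds the same k-1 common shares and one extra point per group, which is why the storage cost grows by a single share for each overlapping membership.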
Example • S1 = {u1,…,u7}∪ {u9,…,u13} • {u1,…,u7} are parent group members • {u9,…,u13} have overlapping membership • S2= {u9,…,u15}∪ {u1,…,u4} • {u9,…,u15} are parent group members • {u1,…,u4} have overlapping membership
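Example (cont.) • KUT of S1 (figure, listed level by level) • Root: KS1 • Left subtree (non-parental users): u9; u10, u11; u12, u13 • Right subtree (LKT): K1-8; K1-4, K5-8; K1-2, K3-4, K5-6, K7-8; K1, K2, K3, K4, K5, K6, K7 • Leaves: u1, u2, u3, u4, u5, u6, u7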
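Example (cont.) • KUT of S2 (figure, listed level by level) • Root: KS2 • Left subtree (non-parental users): u1; u2, u3; u4 • Right subtree (LKT): K9-16; K9-12, K13-16; K9-10, K11-12, K13-14, K15-16; K9, K10, K11, K12, K13, K14, K15 • Leaves: u9, u10, u11, u12, u13, u14, u15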
Example Join • Consider u8 joining S1 • Parent group join (not in S1 or S2) • User sends join request • KDC finds the joining point K7-8, changes K7-8, K5-8, and K1-8 • Chooses new group specific share {(x’S1,y’S1)}K1-8 • Must be distinct • Sends to all users in S1 • Generates new auxiliary keys K’5-8 and K’7-8
Example Join (cont.) • KDC sends {(x’S1,y’S1)}K1-8 to all users • KDC sends {K’5-8}K5-8 to {u5,u6,u7} • KDC sends {K’7-8}K7-8 to {u7} • KDC sends {{(x1,y1),…,(xk-1,yk-1)},K’5-8,K’7-8}K8 to {u8} • All users construct new group key
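Example Join (cont.) • KUT of S1 after join (figure, listed level by level) • Root: KS1 • Left subtree (non-parental users): u9; u10, u11; u12, u13 • Right subtree (LKT): K1-8; K1-4, K5-8; K1-2, K3-4, K5-6, K7-8; K1, K2, K3, K4, K5, K6, K7, K8 • Leaves: u1, u2, u3, u4, u5, u6, u7, u8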
Example Join 2 • Consider u5 joining S2 • Joining non-parental group • KDC finds the joining point in the left subtree • KDC finds new group specific share (x’S2,y’S2) • KDC sends {(x’S2,y’S2)}K9-16 to {u9,…,u15}∪ {u1,…,u4} • KDC sends {(x’S2,y’S2)}K5 to u5 • All users compute new group key
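Example Join 2 (cont.) • KUT of S2 after join (figure, listed level by level) • Root: KS2 • Left subtree (non-parental users): u1; u2, u3; u4, u5 • Right subtree (LKT): K9-16; K9-12, K13-16; K9-10, K11-12, K13-14, K15-16; K9, K10, K11, K12, K13, K14, K15 • Leaves: u9, u10, u11, u12, u13, u14, u15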
Example Leave • Consider u6 leaving S1 • KDC removes node • KDC changes keys K5-6, K’5-8, K’1-8 • KDC chooses new distinct group specific share • (x’’S1,y’’S1) • KDC sends {(x’’S1,y’’S1), K’’5-8, K5-6}K5 to {u5} • KDC sends {(x’’S1,y’’S1), K’’5-8}K’7-8 to {u7,u8} • KDC sends {(x’’S1,y’’S1)}K1-4 to {u1,…,u4} • KDC sends {(x’’S1,y’’S1)}K9-12 to {u9,…,u12} • KDC sends {(x’’S1,y’’S1)}K13 to {u13}
Example Leave (cont.) • All members construct the new group key • All changed keys are sent to the appropriate user
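Example Leave (cont.) • KUT of S1 after leave (figure, listed level by level) • Root: KS1 • Left subtree (non-parental users): u9; u10, u11; u12, u13 • Right subtree (LKT): K1-8; K1-4, K5-8; K1-2, K3-4, K5-6, K7-8; K1, K2, K3, K4, K5, K7, K8 • Leaves: u1, u2, u3, u4, u5, u7, u8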
Leave Example 2 • Consider u5 leaving S2 • Non-parent group member leave • KDC removes node • KDC chooses new distinct group specific share • (x’’Sj,y’’Sj) • KDC sends {(x’’Sj,y’’Sj)}K9-12 to {u9,…,u12} • KDC sends {(x’’Sj,y’’Sj)}K13-16 to {u13,…,u15} • KDC sends {(x’’Sj,y’’Sj)}K1-4 to {u1,…,u4}
Leave Example 2 (cont.) • All users compute new group key • No auxiliary keys are changed
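Example Leave 2 (cont.) • KUT of S2 after leave (figure, listed level by level) • Root: KS2 • Left subtree (non-parental users): u1; u2, u3; u4 • Right subtree (LKT): K9-16; K9-12, K13-16; K9-10, K11-12, K13-14, K15-16; K9, K10, K11, K12, K13, K14, K15 • Leaves: u9, u10, u11, u12, u13, u14, u15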
Analysis of Join • Number of Encryptions • Parent group join • At most + 1 • Non-Parent group join • 2 • Number of Key Changes • Parent group join • At most • Non-Parent group join • 1 • Number of Rekey-Messages • Parent group join • At most + 1 • Non-Parent group join • 2
Analysis of Leave • Number of Encryptions • Parent group leave • ≤ 2 + t • Non-Parent group leave • ≤ t + 2 • Number of Key Changes • Parent group leave • ≤ • Non-Parent group leave • 1 • Number of Rekey-Messages • Parent group leave • ≤ + t • Non-Parent group leave • ≤ t + 2
Storage Cost Estimation • User of a parent group without overlapping membership • User of a parent group with m overlapping memberships • User who has left parent group and has m overlapping memberships
Storage Cost Estimation (cont.) • User of a parent group without any overlapping memberships • (k-2) prepositioned base shares • 1 polynomial construction trigger share • 1 group specific share of the parent group • - 1 auxiliary keys • Private key
Storage Cost Estimation (cont.) • User of a parent group with m overlapping memberships • (k-2) prepositioned base shares • 1 polynomial construction trigger share • 1 group specific share of the parent group • - 1 auxiliary keys • Private key • m group specific shares of other groups
Storage Cost Estimation (cont.) • User who has left parent group and has m overlapping memberships • (k-2) prepositioned base shares • 1 polynomial construction trigger share • Private key • m group specific shares of other groups
Results • Suppose n users with m groups • Each parent group member of every group has an overlapping membership with every other group • A group has (m-1)n non-parent group members and n parent group members
Conclusion • Scheme scales well as overlapping membership increases rapidly • Significant reduction in rekeying cost, storage, and number of encryptions