distributed group key securing a dynamic peer group

Embed Size (px)

Citation preview

  • 8/6/2019 distributed group key securing a dynamic peer group

    1/27

    Distributed Collaborative Key AgreementDistributed Collaborative Key Agreement

    Protocols for Dynamic Peer GroupsProtocols for Dynamic Peer Groups

    Patrick P. C. Lee, John C. S. Lui and David K. Y. Yau

    IEEE ICNP 2002

  • 8/6/2019 distributed group key securing a dynamic peer group

    2/27

    Outline

    Identify the motivations of group keyagreement and its requirements.

    Introduce Tree-Based Group Diffie-Hellman(TGDH), which uses a key tree to arrange allthe keys.

    Propose three interval-based rekeyingalgorithms: Rebuild, Batch and Queue-batch.

    Illustrate experimental results.

  • 8/6/2019 distributed group key securing a dynamic peer group

    3/27

    Motivations

    Many group-oriented and distributedapplications require security services.

    Example: a closed and confidential businessmeeting in a p2p network.

    We therefore need a secure distributed group

    key agreement scheme so that the group canencrypt their communication data with acommon secret group key.

  • 8/6/2019 distributed group key securing a dynamic peer group

    4/27

    Requirements of Group Key Agreement

    Distributed: there is no centralized key server,which has the following limitations: A single point of failure; and

    Not suitable for peer groups and ad hoc networks.

    Collaborative: all group members contributetheir own part to generate a group key.

    Dynamic: the protocol remains efficient evenwhen the occurrences of join/leave events arevery frequent.

  • 8/6/2019 distributed group key securing a dynamic peer group

    5/27

    Our Work

    We worked on the Tree-Based Group Diffie-Hellman protocol by Kim et al. in ACM CCS00.

    We designed three interval-based rekeyingalgorithms that have the distributed,collaborative and dynamic features.

    We performed quantitative and simulation-based analysis to illustrate the performancemerits of the interval-based algorithms.

  • 8/6/2019 distributed group key securing a dynamic peer group

    6/27

    Tree-Based Group Diffie-HellmanProtocol (TGDH)

    A key tree is formed. Each node v represents a secret(private) key Kv and a blinded (public) key BKv.

    BKv = Kv mod p, where and p are public parameters.

    Every member holds the secret keys along the key path,and all the blinded keys in the key tree.

    K0

    is the group key.

    0

    M1 M2

    2

    4 6

    7

    1

    53

    8 11 12

    M3

    M4 M5

    M6

  • 8/6/2019 distributed group key securing a dynamic peer group

    7/27

    TGDH: Relationships between nodes

    Kv = (BK2v+2)K2v+1 mod p = (K2v+2)K2v+1 mod p

    v

    The secret key of a non-leaf node vcan be generated by:

    Kv = (BK2v+1)K2v+2 mod p = (K2v+1)K2v+2 mod p

    2v+1 2v+2

    BK2v+

    1

    BK2v+2

    Kv= K2v+1K2v+2 mod p

  • 8/6/2019 distributed group key securing a dynamic peer group

    8/27

    Tree-Based Group Diffie-HellmanProtocol (TGDH)

    A key tree is formed. Each node v represents a secret(private) key Kv and a blinded (public) key BKv.

    BKv = Kv mod p, where and p are public parameters.

    Every member holds the secret keys along the key path,and all the blinded keys in the key tree.

    K0

    is the group key.

    0

    M1 M2

    2

    4 6

    7

    1

    53

    8 11 12

    M3

    M4 M5

    M6

  • 8/6/2019 distributed group key securing a dynamic peer group

    9/27

    TGDH: Handle membership events

    Rekeying (renewing the keys of the nodes) is performedfor every single join/leave event to ensure backwardand forward confidentiality.

    A special member called sponsor is elected to beresponsible for broadcasting updated blinded keys.

    t

    Join Leave Join Join Leave

    rekey rekey rekey rekey rekey

  • 8/6/2019 distributed group key securing a dynamic peer group

    10/27

    TGDH: Single Leave Case

    M4 becomes the sponsor. It rekeys the secret keys K2

    and K0 and broadcasts the blinded key BK2. M1, M2 and M3 compute K0 given BK2.

    M6 and M7 compute K2 and then K0 given BK5.

    5

    11 12

    M4 M5

    0

    2

    M1 M2

    4 6

    7

    1

    3

    8

    M3

    M6

    13 14

    M7

    5

    12

    2

    0M5 leaves

    5

    M4(S)

  • 8/6/2019 distributed group key securing a dynamic peer group

    11/27

    M4

    0

    2

    0

    TGDH: Single Join Case

    M8 broadcasts its individual blinded key BK12 on joining.

    M4 becomes the sponsor again. It rekeys K5, K2 and K0given BK12 and broadcasts the blinded key BK5 and BK2.

    Now everyone can compute the new group key.

    1211

    M4(S)

    M8 joins

    2

    5

    M8M1 M2

    4 6

    7

    1

    3

    8

    M3

    M6

    13 14

    M7

    5

  • 8/6/2019 distributed group key securing a dynamic peer group

    12/27

    Interval-Based Rekeying Algorithms

    We can reduce one rekeying operation if we can simplyreplace M5 by M8 in node 12.

    Interval-based rekeying is proposed such that rekeyingis performed on a batch of join and leave requests atregular rekey intervals.

    Interval-based rekeying improves system performance.

    We propose three interval-based rekeying algorithms,namely Rebuild, Batch and Queue-batch.

  • 8/6/2019 distributed group key securing a dynamic peer group

    13/27

    0

    M1 M2

    2

    4 6

    7

    1

    53

    8 11 12

    M3

    M4 M5

    M623 24

    M7

    Rebuild Algorithm

    Intuition: Minimize the final tree height so that the number ofrekeying operations of every member is reduced.

    Basic Idea: Reconstruct the whole key tree to form a completetree.

    We can explore under which workload Rebuild is good.

    0

    M1(s) M3(S)

    2

    4 6

    7

    1

    53

    8

    M4(S) M6(S) M8(S)

    0

    21

    3

    M2, M5, M7 leave

    M8 joins

  • 8/6/2019 distributed group key securing a dynamic peer group

    14/27

    Batch Algorithm

    Based on the centralized batch rekeying approach by Liet al. in WWW10 2001.

    Basic Idea: add the joins to suitable nodes: Replace the leave nodes with the join nodes. Attach the join nodes to the shallowest positions.

    Keep the key tree balanced.

    Elect the sponsors who help broadcast new blinded keys.

    Given J joins and L leaves, we illustrate two cases: L > J > 0

    J > L > 0

  • 8/6/2019 distributed group key securing a dynamic peer group

    15/27

    0

    M1 M2

    2

    4 6

    7

    1

    53

    8 11 12

    M3

    M4 M5

    M623 24

    M7

    Batch Example 1: L > J > 0

    M8 broadcasts its join request, including its blinded key.

    M1 rekeys secret keys K1 and K0. M4 rekeys K5, K2 and K0.

    M1 broadcasts BK1.M4 broadcasts BK5 and BK2.

    63

    8 11

    24

    M2, M5, M7 leave

    M8 joins

    0

    21

    5

    M1(S)

    3

    M4(S)11

    M8(S)

    6

  • 8/6/2019 distributed group key securing a dynamic peer group

    16/27

    0

    M1 M2

    2

    4 6

    7

    1

    53

    8 11 12

    M3

    M4 M5

    M623 24

    M7

    Batch Example 2: J > L > 0

    M8 and M9 form a subtree T1. M10 itself forms a

    subtree T2. M8 and M9 compute K6, and one of them broadcasts BK6.

    M1 rekeys K3 and K1. M6 rekeys K2.

    M1 broadcasts BK3 and BK1. M6 broadcasts BK2.

    0

    21

    3 6

    8

    6

    13 14M8(S) M9(S)

    T1

    M8, M9, M10 join

    M2, M7 leave

    M10(S)8

    T2

  • 8/6/2019 distributed group key securing a dynamic peer group

    17/27

    Queue-batch Algorithm

    Intuition: The previous approaches perform rekeying at the

    start of every rekey interval, leading to a heavyprocessing workload at the update instance.

    Reduce the load by pre-processing the join eventsduring the idle rekey interval.

  • 8/6/2019 distributed group key securing a dynamic peer group

    18/27

    Queue-batch Algorithm

    Two stages: Queue-subtree and Queue-merge.

    Queue-subtree: Within the idle rekey interval, form asubtree T with all joining members, just like individual

    rekeying for a single join event. Queue-merge: At the beginning of the next rekey

    interval, prune all departed leaf nodes if any and addthe subtree T to the highest leave position (or attach T

    to the shallowest position). Elect the sponsors who can help broadcast the new

    blinded keys.

  • 8/6/2019 distributed group key securing a dynamic peer group

    19/27

    Queue-batch Example of Queue-merge Phase

    T is attached to node 6.

    M10, the sponsor, will broadcast BK6.

    M1 rekeys K1. M6 rekeys K2.

    M1 broadcasts BK1.

    M6 broadcasts BK2.

    0

    21

    0

    M1 M2

    2

    4 6

    7

    1

    53

    8 11 12

    M3

    M4 M5

    M6

    23 24

    M7

    M8, M9, M10 join

    M2, M7 leave

    3 6

    8

    M1(S)

    3 6

    13 14

    M8 M9

    T

    27 28M10(S)

  • 8/6/2019 distributed group key securing a dynamic peer group

    20/27

    Performance Evaluations

    Study the performance of the interval-based algorithms.

    Performance Metrics: Number of renewed nodes: a renewed node refers to a non-leaf

    node whose keys are renewed. This metric provides a measureof the communication cost.

    Number of exponentiation operations: this metric provides ameasure of the computation load.

    Settings:

    There is only one group. The population size is fixed at 1024 users. Originally, 512 members are in the group. Every potential member joins the group with probability pJ, and

    every existing member leaves the group with probability pL.

  • 8/6/2019 distributed group key securing a dynamic peer group

    21/27

    Experiment 1: Evaluation usingMathematical Models

    Start with a well-balanced tree with 512 members.

    Obtain the metrics under different numbers of joinsand leaves.

    Queue-batch offers the best performance, and asignificant computation/communication reduction whenthe group is very dynamic.

    Details on mathematical models are referred to thepaper/technical report.

  • 8/6/2019 distributed group key securing a dynamic peer group

    22/27

    Experiment 2: Average Analysis Averagenumberof exponentiations atdifferentjoin

    probabilities:

    pJ=0.25 pJ=0.5

    pJ=0.75

  • 8/6/2019 distributed group key securing a dynamic peer group

    23/27

    Experiment 2: Average Analysis Averagenumberofrenewednodes at different join

    probabilities:

    pJ=0.25 pJ=0.5

    pJ=0.75

  • 8/6/2019 distributed group key securing a dynamic peer group

    24/27

    Experiment 3: Instantaneous Analysis

    InstantaneousnumberofexponentiationsatdifferentjoinprobabilitiesforBatch and Queue-batch:

    pJ=0.25

    pL=0.25pJ=0.25

    pL=0.75

    pJ=0.75pJ=0.75

    pL=0.75

    pJ=0.75

    pL=0.25

  • 8/6/2019 distributed group key securing a dynamic peer group

    25/27

    Experiment 3: Instantaneous Analysis

    InstantaneousnumberofrenewednodesatdifferentjoinprobabilitiesforBatch andQueue-batch:

    pJ=0.25

    pL=0.25pJ=0.25

    pL=0.75

    pJ=0.75pJ=0.75

    pL=0.75

    pJ=0.75

    pL=0.25

  • 8/6/2019 distributed group key securing a dynamic peer group

    26/27

    Experimental Results

    Queue-batch offers the best performance interms of computation and communication costsamong the three interval-based algorithms.

    The superior performance of Queue-batch ismore obvious when the occurrences of

    joins/leaves are highly frequent.

  • 8/6/2019 distributed group key securing a dynamic peer group

    27/27

    Future Work

    Authentication

    Sponsors coordination

    Fault tolerance

    System implementation