Upload
srknt-rckz
View
221
Download
0
Embed Size (px)
Citation preview
8/6/2019 distributed group key securing a dynamic peer group
1/27
Distributed Collaborative Key AgreementDistributed Collaborative Key Agreement
Protocols for Dynamic Peer GroupsProtocols for Dynamic Peer Groups
Patrick P. C. Lee, John C. S. Lui and David K. Y. Yau
IEEE ICNP 2002
8/6/2019 distributed group key securing a dynamic peer group
2/27
Outline
Identify the motivations of group keyagreement and its requirements.
Introduce Tree-Based Group Diffie-Hellman(TGDH), which uses a key tree to arrange allthe keys.
Propose three interval-based rekeyingalgorithms: Rebuild, Batch and Queue-batch.
Illustrate experimental results.
8/6/2019 distributed group key securing a dynamic peer group
3/27
Motivations
Many group-oriented and distributedapplications require security services.
Example: a closed and confidential businessmeeting in a p2p network.
We therefore need a secure distributed group
key agreement scheme so that the group canencrypt their communication data with acommon secret group key.
8/6/2019 distributed group key securing a dynamic peer group
4/27
Requirements of Group Key Agreement
Distributed: there is no centralized key server,which has the following limitations: A single point of failure; and
Not suitable for peer groups and ad hoc networks.
Collaborative: all group members contributetheir own part to generate a group key.
Dynamic: the protocol remains efficient evenwhen the occurrences of join/leave events arevery frequent.
8/6/2019 distributed group key securing a dynamic peer group
5/27
Our Work
We worked on the Tree-Based Group Diffie-Hellman protocol by Kim et al. in ACM CCS00.
We designed three interval-based rekeyingalgorithms that have the distributed,collaborative and dynamic features.
We performed quantitative and simulation-based analysis to illustrate the performancemerits of the interval-based algorithms.
8/6/2019 distributed group key securing a dynamic peer group
6/27
Tree-Based Group Diffie-HellmanProtocol (TGDH)
A key tree is formed. Each node v represents a secret(private) key Kv and a blinded (public) key BKv.
BKv = Kv mod p, where and p are public parameters.
Every member holds the secret keys along the key path,and all the blinded keys in the key tree.
K0
is the group key.
0
M1 M2
2
4 6
7
1
53
8 11 12
M3
M4 M5
M6
8/6/2019 distributed group key securing a dynamic peer group
7/27
TGDH: Relationships between nodes
Kv = (BK2v+2)K2v+1 mod p = (K2v+2)K2v+1 mod p
v
The secret key of a non-leaf node vcan be generated by:
Kv = (BK2v+1)K2v+2 mod p = (K2v+1)K2v+2 mod p
2v+1 2v+2
BK2v+
1
BK2v+2
Kv= K2v+1K2v+2 mod p
8/6/2019 distributed group key securing a dynamic peer group
8/27
Tree-Based Group Diffie-HellmanProtocol (TGDH)
A key tree is formed. Each node v represents a secret(private) key Kv and a blinded (public) key BKv.
BKv = Kv mod p, where and p are public parameters.
Every member holds the secret keys along the key path,and all the blinded keys in the key tree.
K0
is the group key.
0
M1 M2
2
4 6
7
1
53
8 11 12
M3
M4 M5
M6
8/6/2019 distributed group key securing a dynamic peer group
9/27
TGDH: Handle membership events
Rekeying (renewing the keys of the nodes) is performedfor every single join/leave event to ensure backwardand forward confidentiality.
A special member called sponsor is elected to beresponsible for broadcasting updated blinded keys.
t
Join Leave Join Join Leave
rekey rekey rekey rekey rekey
8/6/2019 distributed group key securing a dynamic peer group
10/27
TGDH: Single Leave Case
M4 becomes the sponsor. It rekeys the secret keys K2
and K0 and broadcasts the blinded key BK2. M1, M2 and M3 compute K0 given BK2.
M6 and M7 compute K2 and then K0 given BK5.
5
11 12
M4 M5
0
2
M1 M2
4 6
7
1
3
8
M3
M6
13 14
M7
5
12
2
0M5 leaves
5
M4(S)
8/6/2019 distributed group key securing a dynamic peer group
11/27
M4
0
2
0
TGDH: Single Join Case
M8 broadcasts its individual blinded key BK12 on joining.
M4 becomes the sponsor again. It rekeys K5, K2 and K0given BK12 and broadcasts the blinded key BK5 and BK2.
Now everyone can compute the new group key.
1211
M4(S)
M8 joins
2
5
M8M1 M2
4 6
7
1
3
8
M3
M6
13 14
M7
5
8/6/2019 distributed group key securing a dynamic peer group
12/27
Interval-Based Rekeying Algorithms
We can reduce one rekeying operation if we can simplyreplace M5 by M8 in node 12.
Interval-based rekeying is proposed such that rekeyingis performed on a batch of join and leave requests atregular rekey intervals.
Interval-based rekeying improves system performance.
We propose three interval-based rekeying algorithms,namely Rebuild, Batch and Queue-batch.
8/6/2019 distributed group key securing a dynamic peer group
13/27
0
M1 M2
2
4 6
7
1
53
8 11 12
M3
M4 M5
M623 24
M7
Rebuild Algorithm
Intuition: Minimize the final tree height so that the number ofrekeying operations of every member is reduced.
Basic Idea: Reconstruct the whole key tree to form a completetree.
We can explore under which workload Rebuild is good.
0
M1(s) M3(S)
2
4 6
7
1
53
8
M4(S) M6(S) M8(S)
0
21
3
M2, M5, M7 leave
M8 joins
8/6/2019 distributed group key securing a dynamic peer group
14/27
Batch Algorithm
Based on the centralized batch rekeying approach by Liet al. in WWW10 2001.
Basic Idea: add the joins to suitable nodes: Replace the leave nodes with the join nodes. Attach the join nodes to the shallowest positions.
Keep the key tree balanced.
Elect the sponsors who help broadcast new blinded keys.
Given J joins and L leaves, we illustrate two cases: L > J > 0
J > L > 0
8/6/2019 distributed group key securing a dynamic peer group
15/27
0
M1 M2
2
4 6
7
1
53
8 11 12
M3
M4 M5
M623 24
M7
Batch Example 1: L > J > 0
M8 broadcasts its join request, including its blinded key.
M1 rekeys secret keys K1 and K0. M4 rekeys K5, K2 and K0.
M1 broadcasts BK1.M4 broadcasts BK5 and BK2.
63
8 11
24
M2, M5, M7 leave
M8 joins
0
21
5
M1(S)
3
M4(S)11
M8(S)
6
8/6/2019 distributed group key securing a dynamic peer group
16/27
0
M1 M2
2
4 6
7
1
53
8 11 12
M3
M4 M5
M623 24
M7
Batch Example 2: J > L > 0
M8 and M9 form a subtree T1. M10 itself forms a
subtree T2. M8 and M9 compute K6, and one of them broadcasts BK6.
M1 rekeys K3 and K1. M6 rekeys K2.
M1 broadcasts BK3 and BK1. M6 broadcasts BK2.
0
21
3 6
8
6
13 14M8(S) M9(S)
T1
M8, M9, M10 join
M2, M7 leave
M10(S)8
T2
8/6/2019 distributed group key securing a dynamic peer group
17/27
Queue-batch Algorithm
Intuition: The previous approaches perform rekeying at the
start of every rekey interval, leading to a heavyprocessing workload at the update instance.
Reduce the load by pre-processing the join eventsduring the idle rekey interval.
8/6/2019 distributed group key securing a dynamic peer group
18/27
Queue-batch Algorithm
Two stages: Queue-subtree and Queue-merge.
Queue-subtree: Within the idle rekey interval, form asubtree T with all joining members, just like individual
rekeying for a single join event. Queue-merge: At the beginning of the next rekey
interval, prune all departed leaf nodes if any and addthe subtree T to the highest leave position (or attach T
to the shallowest position). Elect the sponsors who can help broadcast the new
blinded keys.
8/6/2019 distributed group key securing a dynamic peer group
19/27
Queue-batch Example of Queue-merge Phase
T is attached to node 6.
M10, the sponsor, will broadcast BK6.
M1 rekeys K1. M6 rekeys K2.
M1 broadcasts BK1.
M6 broadcasts BK2.
0
21
0
M1 M2
2
4 6
7
1
53
8 11 12
M3
M4 M5
M6
23 24
M7
M8, M9, M10 join
M2, M7 leave
3 6
8
M1(S)
3 6
13 14
M8 M9
T
27 28M10(S)
8/6/2019 distributed group key securing a dynamic peer group
20/27
Performance Evaluations
Study the performance of the interval-based algorithms.
Performance Metrics: Number of renewed nodes: a renewed node refers to a non-leaf
node whose keys are renewed. This metric provides a measureof the communication cost.
Number of exponentiation operations: this metric provides ameasure of the computation load.
Settings:
There is only one group. The population size is fixed at 1024 users. Originally, 512 members are in the group. Every potential member joins the group with probability pJ, and
every existing member leaves the group with probability pL.
8/6/2019 distributed group key securing a dynamic peer group
21/27
Experiment 1: Evaluation usingMathematical Models
Start with a well-balanced tree with 512 members.
Obtain the metrics under different numbers of joinsand leaves.
Queue-batch offers the best performance, and asignificant computation/communication reduction whenthe group is very dynamic.
Details on mathematical models are referred to thepaper/technical report.
8/6/2019 distributed group key securing a dynamic peer group
22/27
Experiment 2: Average Analysis Averagenumberof exponentiations atdifferentjoin
probabilities:
pJ=0.25 pJ=0.5
pJ=0.75
8/6/2019 distributed group key securing a dynamic peer group
23/27
Experiment 2: Average Analysis Averagenumberofrenewednodes at different join
probabilities:
pJ=0.25 pJ=0.5
pJ=0.75
8/6/2019 distributed group key securing a dynamic peer group
24/27
Experiment 3: Instantaneous Analysis
InstantaneousnumberofexponentiationsatdifferentjoinprobabilitiesforBatch and Queue-batch:
pJ=0.25
pL=0.25pJ=0.25
pL=0.75
pJ=0.75pJ=0.75
pL=0.75
pJ=0.75
pL=0.25
8/6/2019 distributed group key securing a dynamic peer group
25/27
Experiment 3: Instantaneous Analysis
InstantaneousnumberofrenewednodesatdifferentjoinprobabilitiesforBatch andQueue-batch:
pJ=0.25
pL=0.25pJ=0.25
pL=0.75
pJ=0.75pJ=0.75
pL=0.75
pJ=0.75
pL=0.25
8/6/2019 distributed group key securing a dynamic peer group
26/27
Experimental Results
Queue-batch offers the best performance interms of computation and communication costsamong the three interval-based algorithms.
The superior performance of Queue-batch ismore obvious when the occurrences of
joins/leaves are highly frequent.
8/6/2019 distributed group key securing a dynamic peer group
27/27
Future Work
Authentication
Sponsors coordination
Fault tolerance
System implementation