Upload
srknt-rckz
View
225
Download
0
Embed Size (px)
Citation preview
8/6/2019 distributed group key securing a dynamic peer groups
1/33
Efficient GroupEfficient Group Authenticated KeyAuthenticated KeyAgreement Protocol for Dynamic GroupAgreement Protocol for Dynamic Groupss
Kui Ren*, Hyunrok Lee*, Kwangjo Kim*, and Taewhan Yoo**
* IRIS, Information and Communications University, Daejeon, Korea** Electronics and Telecommunications Research Institute, Daejeon, Korea
WISA 2004 (23-25, Aug)
8/6/2019 distributed group key securing a dynamic peer groups
2/33
22
Contents
Introduction
EGAKA Overview
Notation and Primitives
EGAKA
EGAKA-KE (Key Establishment)
EGAKA-KU (Key Update)
Complexity & Security Analysis
Conclusion
Q & A
8/6/2019 distributed group key securing a dynamic peer groups
3/33
33
Introduction (1/3)
Secure group communication
A (large) group of users communicate with one another ina secure way
Ex) Teleconferencing, Collaborative work,
Multiple interactive game, VPN (Virtual Private Networks),Wireless Ad-hoc Networks
Dynamic Peer Groups
Relatively small (~ 100 of members)
No hierarchy
Frequent membership changes
Any member can be sender and receiver
8/6/2019 distributed group key securing a dynamic peer groups
4/33
44
Introduction (2/3)
Group Key Management
A group key
Shared only by current group members
Communication encrypted/decrypted by the group key
Difficult aspect Dynamics
Join Backward secrecy
Allow the joining member(s) to decrypt future messages, but notprevious messages
Leave:
Forward secrecy Prevent the leaving member(s) from decrypting future messages
Burst behavior: Multiple joins and/or multiple leaves simultaneously.
8/6/2019 distributed group key securing a dynamic peer groups
5/33
55
Introduction (3/3)
Classification Group Key Distribution
One party generates a secret key and distributes to others
Not suitable for dynamic groups
Group Key Agreement
Secret key is derived jointly by two or more parties Key is a function of information contributed by each member
No party can pre-determine the key
Motivation Need Group Key Agreement
Strong security Dynamic membership management
Adapt to heterogeneous environments
Efficiency in communication and computation
8/6/2019 distributed group key securing a dynamic peer groups
6/33
66
EGAKA Overview (1/2)
EGAKA Efficient Group Authenticated Key Agreement protocol Important Properties
Distributed Fault-tolerant Efficient dynamic group membership management Mutual authentication among group members Secure against both passive and active attacks
Can be built on any two-party authenticated key exchangeprotocols E.g. Diffie-Hellman protocol, password based protocol
Achieves scalability and robustness in heterogeneousenvironments
provides efficient member join services Low communication and computation costs, and they are constant
to the group size.
8/6/2019 distributed group key securing a dynamic peer groups
7/33
77
EGAKA Overview (2/2)
Trust Model
Any single current member can authenticate thenew members and accept them.
Assumption Do not consider insider attacks
The secrecy of group keys and the integrity of groupmembership
The size of dynamics group < 200
Group members in dynamic groups have different securityprimitives
For generating the group key
Use Common two-party key exchange protocol
8/6/2019 distributed group key securing a dynamic peer groups
8/33
88
Notation and Primitives (1/4)
8/6/2019 distributed group key securing a dynamic peer groups
9/33
99
GK
1M
6M
5M
4M
2M
3M
3K
4K15K
135K
26K
246K
123456K! 0!l
3!d
3!l
2!l
1!l
6!N
15B B
)K( 1 51 5 hB !
2B
4B
4B
1N
22N2N
24N
11N 12N
1N 2N N 4N1 6 2
Root node
Interior node
Isolated Leaf node
Key pair: Kij & BijLeaf node
Notation and Primitives (2/4)
8/6/2019 distributed group key securing a dynamic peer groups
10/33
1010
GK
M M5M
M
M
M
K K5K
5K
K
K
5K! 0!l
3!d
3!l
2!l
1!l
6!N
15B B
)K( 1 51 5 hB!
26B
4B
46B
NN
N4
N
N N
N N N 4
NK 5K 6K K
KP5* = {N32, N21, N11}
CP5* = {N31, N22, N12}
Notation and Primitives (3/4)
8/6/2019 distributed group key securing a dynamic peer groups
11/33
1111
GK
1M
6M
5M
4M
2M
3M
3K
4K
15K
135K
26K
246K
123456K! 0!l
3!d
3!l
2!l
1!l
6!N
1B B
)( 11 hB !
26B
4B
246B
2N
22N23N
24N
11N 12N
31N 32N 33N 34N1K 5K 6K 2K
M2s view of the group which could be divided into l subgroups
Notation and Primitives (4/4)
8/6/2019 distributed group key securing a dynamic peer groups
12/33
1212
EGAKA
Two basic sub-protocol
EGAKA-KE : Key Establishment Protocol
EGAKA-KU : Key Update Protocol
Both sub-protocols are subtle integrations of above
mentioned binary key tree structure, one way functions
and two-party key agreement protocol, as well assymmetric encryption algorithm.
8/6/2019 distributed group key securing a dynamic peer groups
13/33
1313
EGAKA-KE
EGAKA-KE includes two phases:
Phase I
To complete group entity authentication by applying any
chosen two-party authenticated key agreement protocol
Phase II
The group key generation process.
8/6/2019 distributed group key securing a dynamic peer groups
14/33
1414
EGAKA-KE: Phase I (1/6)
Tasks to accomplish
choose the two-party protocol in common
generate the key tree structure
perform mutual authentication according to generated tree
structure
establish peer-to-peer session keys among members.
8/6/2019 distributed group key securing a dynamic peer groups
15/33
1515
EGAKA-KE: Phase I (2/6)
Hello, I want to use
DH protocol, and M4can be the one to
generate the key treestructure
M1
M2 M3
M4
M5M7
Hello, here is the
key tree structure
2M
3M
5M 1M 1M 1M 4M M 2M
2M
3M
7M
M6
8/6/2019 distributed group key securing a dynamic peer groups
16/33
1616
EGAKA-KE: Phase I (3/6)
3rE
1r
E
M1
M2 M3
M4
M5
M7
M6
2r
E
8/6/2019 distributed group key securing a dynamic peer groups
17/33
1717
EGAKA-KE: Phase I (4/6)
122Sr
E 133Sr
E
M1
M2 M3
M4
M5
M7
M6
155Sr
E
377Sr
E
266Sr
E
2 Sr
E
8/6/2019 distributed group key securing a dynamic peer groups
18/33
1818
EGAKA-KE: Phase I (5/6)
151312 ,, KKK 3713,KK 262412 ,, KKK15K 37K
26K
24K
Execution Results of EGAKA-KE: Phase I
jirr
ij E
Session Key
8/6/2019 distributed group key securing a dynamic peer groups
19/33
1919
EGAKA-KE: Phase I (6/6)
Rounds = 2 (except for protocol negotiation step)
Two-party key exchange protocol executesexactly n-1 times to finish the entityauthentication among group members
8/6/2019 distributed group key securing a dynamic peer groups
20/33
2020
EGAKA-KE: Phase II (1/5)
15B 15B 37B37B 26B37B
4B
37B
1357}{: 2461 KBM 246}{: 13572 KBM
246B
37B 15B 15B
1357B
4B 4B
26B
246B 246B 246B 1357B
1357B
)||(2461357
BKBKhKG
!
3!round
1
}{:151 K
24
}{:262 K
1
}{:
K
24
}{:44 K
15
15
7
7
26
4
1!round
26B 15B 15B 37B37B 26B
4B
37B
1215,
1357371 KKBBM
1226
,24642
KKBBM
37153 KBM
246B
37B 15B 15B
1357B
4B 4B
26B
2!round
26B
8/6/2019 distributed group key securing a dynamic peer groups
21/33
2121
EGAKA-KE: Phase II (2/5)
15B
M1s view of the group
Round 1
M1 knows
M1 yet to know
M1 needs to
compute
37B
2 6B
1357B
KG
8/6/2019 distributed group key securing a dynamic peer groups
22/33
2222
EGAKA-KE: Phase II (3/5)
15B
M1s view of the group
Round 2
M1 knows
M1 yet to know
M1 needs to
compute
37B
2 6B
1357B
KG
8/6/2019 distributed group key securing a dynamic peer groups
23/33
2323
EGAKA-KE: Phase II (4/5)
15B
M1s view of the group
Round 3
M1 knows
M1 compute
37B
2 6B
1357B
KG
)||(2 61357
BKBKhKG!
8/6/2019 distributed group key securing a dynamic peer groups
24/33
2424
EGAKA-KE: Phase II (5/5)
Rounds = d, where d equals to , n is the sizeof the group.
No computational expensive operation is neededin this phase.
8/6/2019 distributed group key securing a dynamic peer groups
25/33
2525
EGAKA-KU: Member Join Protocol (1/5)
6M
joinr,6E
Sponsor
1!round:broadca t
ubgrou
6M
2!round
Sponsor
subgroup
subgroup
,363S
E3
M :c mputes 6
6
rrK E! ),(, 3636 KhB !
:broadcasts ,}||{,}||{
5
5
KKMBMB
G
:computes 36K ,, 36B6M )||( 24 356'
BBhKG !
iM :computes])5,[i
3M
))|| 36 356 BBB !
)||( 24
!
"
#
'BBh
$
!
363,Sr
E36
}||||{ 32415 KMBB
8/6/2019 distributed group key securing a dynamic peer groups
26/33
2626
EGAKA-KU: Member Join Protocol (2/5)
8/6/2019 distributed group key securing a dynamic peer groups
27/33
2727
EGAKA-KU: Member Leave Protocol (3/5)
6M
7M
151312 ,, KKK 15K 3613 ,KK36K 47K 2447 ,KK
2412 ,KK
Sponsor
6M
Leaving
)(b
subgroup
subgroup
)(a
Sponsor
6M
7M
Leaving
1312 ,KK
subgroupsubgroup
8/6/2019 distributed group key securing a dynamic peer groups
28/33
2828
EGAKA-KU: Member Leave Protocol (4/5)
8/6/2019 distributed group key securing a dynamic peer groups
29/33
2929
EGAKA-KU (5/5)
In Member Join Protocol: only fixed 6 exponentialoperations are needed for any member to beadded to the group and update the group key.Moreover, this cost is constant to group size. This
property is very useful in scenarios with frequentmember additions.
Member Leave protocol is not as efficient asmember join protocol, but its robust and fault-tolerant.
8/6/2019 distributed group key securing a dynamic peer groups
30/33
3030
Complexity and Security Analysis
Complexity Analysis
Communication and computation costs
Comparison between EGAKA and other well known key
establishment protocols
A-DH is used as the underlying two-party authenticated key
agreement protocol in order to provide a quantificational
comparison.
Security Analysis
Provide informal security analysis. (Formal analysis is undergoing) Secure against both passive and active attacks
Do not consider insider attacks
Provide forward and backward secrecy
8/6/2019 distributed group key securing a dynamic peer groups
31/33
3131
Comparison
8/6/2019 distributed group key securing a dynamic peer groups
32/33
3232
Conclusion
In this paper, we propose EGAKA (Efficient GroupAuthenticated Key Agreement) protocol Distributed
Fault-tolerant
Efficient dynamic group membership management
Mutual authentication among group members
Secure against both passive and active attacks
Can be built on any two-party authenticated key exchangeprotocols
E.g. Diffie-Hellman protocol, password based protocol
Achieves scalability and robustness in heterogeneous environments
provides efficient member join services Low communication and computation costs, and they are constant to
the group size.
Support fault-tolerant property to achieve robustness in memberleave service
8/6/2019 distributed group key securing a dynamic peer groups
33/33
3333
Thank you for yourattention
Q&A