Scalable Group Key Management with Partially Trusted Controllers

Himanshu Khurana, Adam Slagell, Rafael Bonilla, Raja Afandi, Hyung-Seok Hahm and Jim Basney

National Center for Supercomputing Applications

[Figure: key tree with root Kroot, intermediate keys KA, KB and KC, leaf keys K1 … K8, and members M1 … M8]

        Introduction
• Secure Group Communications (SGC) needed to
  support many military/commercial applications; e.g.,
   –   Conferencing (Video and/or Audio)
   –   Command-and-Control Systems
   –   Digital White-boards
   –   Publish-Subscribe Systems
   –   Interactive Distance-Learning


• Group Key Management (GKM) cornerstone of SGC
   – Involves distribution of symmetric key to group members for
     encrypting data
   – Must be efficient and scalable to handle large, dynamic groups
        • Shared key changed every time a member joins/leaves group



      Current GKM Solutions
• Logical Key Hierarchies (LKH)
   – Advantage: Very efficient
      • log(n) computation and storage (O(n) storage for GC)
      • Constant number of rounds
   – Drawback: GC is completely trusted
      • Single point of compromise of short and long term keys
          – Adversary can read messages and make recovery very costly
      • Problem is exacerbated when managing multiple groups


• Decentralized or Contributory Schemes
   – Advantage: Does not involve GC so no single point of security
     failure
   – Drawback: Scale poorly
      • E.g., O(n) communications rounds in GDH

 TASK - Tree-based w/ Asymmetric Split Keys
• Efficient and Scalable
  – O(log(n)) computation and storage
  – Constant number of communication rounds

• Partially Trusted GC
  – GC does not store encryption keys
     • Confidentiality maintained even if GC is compromised
     • Therefore, GC no longer single point of security failure
  – Instead, GC uses proxy encryption to transform
    messages between members for key establishment
  – Simpler recovery from GC compromise
     • Re-key of entire group is not necessary


Difference between LKH & TASK




     TASK Encryption
• Use of proxy re-encryption
  – GC translates key material encrypted with one key
    into messages encrypted with another key
• Protocol messages are always encrypted with
  a valid El Gamal Key pair
  – Bulk or Data communications secured by shared
    symmetric encryption key
• We have shown confidentiality is preserved by
  reducing TASK proxy encryption to El Gamal
• We assume presence of an external PKI
  – Other schemes assume a PKI for signing; we use it for
    signing and encryption

Member Join

• We can use existing keys to distribute changes to users
   – No need for proxy re-encryption
• GC only one with whole tree structure, thus GC chooses
  sponsor and insertion node
• Sponsor helps new member create a key
   – Sponsor only knows intermediary key, new member
     changes it before use
• After join completes DEK changes as well as every key split
   – Different random number added to member splits and GC splits
   – Still holds that any two splits add to the same number,
     however, this GKEK is different now

[Figure: key tree for members M1 … M8. GC holds the splits K’1-8; K’123, K’456, K’78; and K’1 … K’8. Each member holds its leaf key (K1 … K8), its subtree key (K123, K456 or K78) and the root key K1-8.]

Member Leave Details

• Proxy re-encryption with help of GC is necessary
   – Not necessarily a single key shared by all but leaving member
• GC translates random value encrypted with sponsor's key to a
  minimal set of newly encrypted messages, O(log(n))
   – Really all combined into one O(log(n)) multicast message
• After leave completes DEK changes as well as every key split
   – Different random number added to member splits and GC splits
   – Still holds that any two splits add to the same number,
     however, this GKEK is different now

[Figure: key tree for members M1 … M9. GC holds the splits K’1-8; K’123, K’456, K’78; and K’1 … K’9. Each member holds its leaf key (K1 … K9), its subtree key (K123, K456 or K789) and the root key K1-9.]

LKH versus TASK Costs

Rounds and the unicast/multicast columns are communication costs; exponentiations, signatures and verifications are computation costs. Storage is given once per entity.

Scheme            Entity  Event  Rounds  Unicast # msgs  Unicast msg size  Multicast # msgs  Multicast msg size  Exponentiations  Signatures  Verifications  Storage
TASK              GC      Join   2       1               O(1)              0                 N/A                 0                1           3              O(n)
TASK              GC      Leave  2       0               N/A               1                 O(dh)               dh               1           1
TASK              Member  Join   2       3               O(h)              1                 O(1)                7                3           1              O(h)
TASK              Member  Leave  2       1               O(1)              0                 N/A                 3                1           1
LKH (Wong et al)  GC      Join   1       2               O(h)              1                 O(h)                0                3           1              O(n)
LKH (Wong et al)  GC      Leave  1       0               N/A               1                 O(dh)               0                1           0
LKH (Wong et al)  Member  Join   1       1               O(1)              0                 N/A                 0                1           2              O(h)
LKH (Wong et al)  Member  Leave  1       0               N/A               0                 N/A                 0                0           1

LEGEND
   n: number of current group members
   d: degree of tree
   h: height of tree

      Conclusions & Ongoing Work
• GKM solutions to date sacrifice efficiency or resilience
• TASK
   – Resilient - Allows for GC compromise
   – Simple recovery
   – Scales with LKH schemes
• TASK accomplishes this with split asymmetric keys
  and proxy re-encryption
• Future Work
   – Performance optimizations and reliable re-keying techniques
     for LKH may apply to TASK
   – Fully implement TASK and empirically verify scalability




Member Join Details

[Figure: key tree before the join. GC holds K’1-8; K’123, K’456, K’78; and K’1 … K’8. Members M1 … M8 each hold a leaf key (K1 … K8), a subtree key (K123, K456 or K78) and the root key K1-8.]

Member Join Details

• Step 1
   – M8 generates random number r & adds to his keys
       • K8 ← K8 + r, K789 ← K78 + r, K1-9 ← K1-8 + r
       • DEK ← h(K1-9)
   – M8 generates random value r9 and computes temp key
       • TK9 ← K8 + r9
   – M8 → M9: Enc_PK9(g, p, q, TK9, K789, K1-9)
   – M8 → GC: Enc_PKGC(r9)
   – M8 → M1…M7: AEnc_PK1-8(r)

[Figure: key tree during Step 1. M8 moves from K8, K78, K1-8 to K8, K789, K1-9, and new member M9 appears holding TK9, K789, K1-9. M1 … M7 and the GC tree are unchanged.]

Member Join Details

• Step 2
   – M1…M7 decrypt message, add r to their keys, & update DEK
       • DEK ← h(K1-9)
   – GC decrypts message, temporarily stores r9
   – M9 decrypts keys and generates new random number r9 to change K9
       • K9 ← TK9 + r9
   – M9 → GC: Enc_PKGC(r9)

[Figure: key tree during Step 2. M1 … M7 move to root key K1-9, M7's subtree key becomes K789, and M9's leaf key changes from TK9 to K9. The GC tree is unchanged.]

Member Join Details

• Step 3
   – GC computes corresponding private key for M9
       • K’9 ← K’8 - r9 - r9
   – GC adds random value to all corresponding private keys

[Figure: key tree during Step 3. The GC tree gains the leaf K’9 next to K’1 … K’8. Members M1 … M9 hold leaf keys K1 … K9, subtree keys K123, K456 or K789, and root key K1-9.]

Member Leave Details

[Figure: key tree before the leave. GC holds K’1-8; K’123, K’456, K’78; and K’1 … K’9. Members M1 … M9 each hold a leaf key (K1 … K9), a subtree key (K123, K456 or K789) and the root key K1-9.]

Member Leave Details

• Step 1
   – M8 generates random value r and adds to its private keys &
     computes new session key
       • K8 ← K8 + r, K78 ← K789 + r, K1-8 ← K1-9 + r
       • DEK ← h(K1-8)
   – M8 sends message to GC to proxy re-encrypt and forward to group
       • M8 → GC: X = AENC_PK8(r)

[Figure: key tree during Step 1. M8 moves from K8, K789, K1-9 to K8, K78, K1-8. M1 … M7, M9 and the GC tree are unchanged.]

Member Leave Details

• Step 2
   – GC deletes node K’9
   – GC multicasts proxy re-encrypted message to rest of group
       • GC → M1…M7: (K’8,K’123)(X), (K’8,K’456)(X), (K’8,K’7)(X)

[Figure: key tree during Step 2. Leaf K’9 is removed from the GC tree and M9 is removed from the group. M1 … M7 still hold K1-9 (M7 also K789); M8 holds K8, K78, K1-8.]

Member Leave Details

• Step 3
   – M1…M7 decrypt r, add to keys and update session key
       • DEK ← h(K1-8)
   – GC chooses random rGC and adds to all corresponding private keys

[Figure: key tree during Step 3. M1 … M7 move to root key K1-8 and M7's subtree key becomes K78, so all eight members hold a leaf key, a subtree key (K123, K456 or K78) and K1-8. GC holds K’1-8; K’123, K’456, K’78; and K’1 … K’8.]

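The member-leave steps above, together with the proxy re-encryption described under TASK Encryption, as an added Python sketch that is not taken from the slides or from the TASK authors' code. It assumes textbook El Gamal over a toy group, node public keys of the form g^K, and a transformation exponent K’src − K’dst derived from the slides' statement that any two splits add to the same number. SHA-256 stands in for the unspecified h, and a single dictionary simulates the keys that individual members hold.

```python
import hashlib
import secrets

# Toy safe-prime group, constructed for illustration only (far too small for real use).
P, Q, G = 2039, 1019, 4            # P = 2Q + 1; G generates the subgroup of order Q

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in 1 .. Q-1

def encode(x):
    """Map an integer 1..Q into the order-Q subgroup (exactly one of x, P - x is in it)."""
    return x if pow(x, Q, P) == 1 else P - x

def decode(m):
    return m if m <= Q else P - m

def encrypt(pub, x):
    """Textbook El Gamal encryption of x under pub = G^K."""
    k = rand_exp()
    return pow(G, k, P), encode(x) * pow(pub, k, P) % P

def decrypt(priv, ct):
    c1, c2 = ct
    return decode(c2 * pow(c1, -priv % Q, P) % P)

def make_splits(nodes):
    """Member split K and GC split K' per node; every pair sums to one hidden constant."""
    const = rand_exp()
    member = {n: rand_exp() for n in nodes}
    gc = {n: (const - member[n]) % Q for n in nodes}
    return member, gc

def proxy_transform(gc, src, dst, ct):
    """GC turns a ciphertext for node src into one for node dst using only K'src and K'dst.
    K_dst - K_src = K'src - K'dst because both pairs sum to the same constant."""
    c1, c2 = ct
    return c1, c2 * pow(c1, (gc[src] - gc[dst]) % Q, P) % P

def run_leave():
    """M9 leaves the nine-member tree; M8 is the sponsor. Node ids keep their
    pre-leave names (the slides relabel K789 as K78 and K1-9 as K1-8)."""
    nodes = [f"K{i}" for i in range(1, 10)] + ["K123", "K456", "K789", "K1-9"]
    member, gc = make_splits(nodes)
    # Step 1: M8 picks r and sends X = AENC_PK8(r) to the GC.
    r = rand_exp()
    x = encrypt(pow(G, member["K8"], P), r)
    # Step 2: GC deletes K'9 and multicasts X re-encrypted for K123, K456 and K7.
    del gc["K9"], member["K9"]
    multicast = {dst: proxy_transform(gc, "K8", dst, x) for dst in ("K123", "K456", "K7")}
    # Step 3: M1..M7 decrypt r with a key they already hold, then every remaining
    # member split gets +r and every GC split gets +r_gc (GC never learns r).
    recovered = {dst: decrypt(member[dst], ct) for dst, ct in multicast.items()}
    r_gc = rand_exp()
    member = {n: (k + r) % Q for n, k in member.items()}
    gc = {n: (k + r_gc) % Q for n, k in gc.items()}
    sums = {(member[n] + gc[n]) % Q for n in gc}
    # DEK = h(root key); SHA-256 is an assumption standing in for h.
    dek = hashlib.sha256(str(member["K1-9"]).encode()).hexdigest()
    return r, recovered, sums, dek

if __name__ == "__main__":
    r, recovered, sums, dek = run_leave()
    print("r =", r, "recovered =", recovered)
    print("all split pairs share one sum:", len(sums) == 1)
```

The GC only ever touches its own splits and the ciphertext, which is why a compromised GC in this model does not directly yield r or the DEK.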

				