
Background: Basic Cryptography - PowerPoint PPT Presentation



  1. Background: Basic Cryptography
     - Symmetric Key System
       - a shared symmetric key
       - Examples: DES, IDEA, RC4, AES
     - Asymmetric Key System
       - a pair of private and public keys
       - Examples: RSA, DSA, ElGamal, Rabin, FFS
     Secure Group Communications (Simon S. Lam), 2/28/2017

  2. Background: Authentication Services
     - Needham-Schroeder Protocols (CACM, 1978)
     - Kerberos (MIT, 1988) – part of project Athena (1983-1991) to develop campus-wide distributed computing environment
     - …
     - Secure sockets layers
       - SNP (U. Texas at Austin, 1993)
         - offshoot from authentication protocol verification work sponsored by NSA
         - to secure Internet applications that use TCP (or UDP)
         - published in Proceedings USENIX, June 1994
       - SSL (Netscape, 1995, 1996)
       - TLS (1999)

  3. Motivation (circa 1997)
     - Traditional network applications
       - message-oriented unicast, e.g., email, file transfer, client-server
     - Emerging network applications
       - flow-oriented, e.g., audio, video, stock quotes
       - multicast, e.g., teleconference, software distribution
     - Problem 1: Secure group communications - scalability
     - Problem 2: How to sign efficiently?

  4. Secure Group Communications Using Key Graphs
     by Chung Kei Wong, Mohamed Gouda, and Simon S. Lam
     in Proc. ACM SIGCOMM ’98

  5. Secure group communications
     - Applications
       - teleconference
       - information services
       - collaborative work
       - virtual private networks
     - Group members share a symmetric key to
       - encrypt/decrypt communications providing confidentiality, integrity, and authenticity of messages delivered between group members
       - access resources

  6. Group key management
     - A group session may persist for a long time
     - Secure rekeying
       - after each join
       - after each leave
       - periodically -> batch rekeying (another paper)
     - Scalable server and protocols
       - for large groups with frequent joins and leaves
     - Scalable and reliable transport (Zhang, Lam, Lee, Yang, 2003)

  7. Assumptions
     - Key server is trusted and secure (may be replicated)
     - An authentication service
       - for example, SSL
       - mutual authentication of server and joining user
       - distribution of a key shared by server and joining user (individual key)
     - Access control by key server or by an authorization service (e.g., a set of registrars)

  8. Group rekeying
     - Non-problem after a join
       - new group key encrypted by old group key
       - one encryption/rekey msg for all existing users
     - After a leave has occurred
       - new group key encrypted by individual key of each user
       - $n-1$ encryptions/rekey messages for group size $n$
       - not scalable

  9. Key graph
     - A directed acyclic graph with u-nodes and k-nodes
       - u-node – no incoming edge
       - root – a k-node with no outgoing edge
       - one or more roots (e.g., for multiple groups)
     - user u has key k if and only if there is a directed path from node u to node k
     - userset(k) is set of users that hold k
     - keyset(u) is set of keys held by u

  10. Key covering problem
     - When a user u' leaves a secure group, every key k' that has been held by u' and shared by other users should be changed
     - To minimize the work of rekeying, the server would like to find a minimum size subset K' of keys and securely send new keys to affected users, i.e., userset(K') is the subset of users who need new keys
     - This problem is NP-hard in general

  11. Special cases of key graph
     n users, 1 key server manages key graph
     - Star
     - Tree - assumed to be full and balanced with height $h$, degree $d$
     - Complete - a key for every nonempty subset of users (there are $2^n - 1$)

  12. Key star
     Group of n users, one group key, n individual keys

  13. Join Protocol
     - Protocol
       - $u_4 \to s$ : join request
       - $s \leftrightarrow u_4$ : mutual authentication, distribute $k_4$
       - $s$ : generate $k_{1234}$
       - $s \to u_4$ : $\{k_{1234}\}_{k_4}$
       - $s \to \{u_1, u_2, u_3\}$ : $\{k_{1234}\}_{k_{123}}$
     - Encryption cost: 2

  14. Leave Protocol
     - Protocol
       - $u_4 \to s$ : $\{\text{leave request}\}_{k_4}$
       - $s \to u_4$ : $\{\text{leave granted}\}_{k_4}$
       - $s$ : generate $k_{123}$
       - $s \to \{u_1\}$ : $\{k_{123}\}_{k_1}$
       - $s \to \{u_2\}$ : $\{k_{123}\}_{k_2}$
       - $s \to \{u_3\}$ : $\{k_{123}\}_{k_3}$
     - Encryption cost: $n-1$ for group size $n$
     - $O(n)$ cost is not scalable

  15. Iolus approach [Mittra 1997]
     [Figure: hierarchy of agents and users]
     - A hierarchy of security agents
     - No globally shared group key
       - join/leave affects local subgroup only
     - Agents forward message key
       - decrypting and re-encrypting it with subgroup keys
     - Requirement: many trusted agents

  16. Our approach
     [Figure: key hierarchy with group key, subgroup keys, individual keys, and users]
     - A hierarchy of keys
     - Multiple keys for each user
       - user has every key along path to root
     - A single trusted key server is sufficient (may be replicated for reliability)

  17. Key graph
     - Data structure maintained by key server
     - For a single secure group
       - key tree sufficient for scalability
     - Multiple secure groups
       - merging multiple trees into a graph

  18. Rekeying strategies
     How to compose and deliver rekey messages
     - user-oriented
     - key-oriented
     - group-oriented

  19. User-oriented rekeying
     [Figure: key tree with root $k_{1\text{-}9}$ (replaced by $k_{1\text{-}8}$), subgroup keys $k_{123}$, $k_{456}$, $k_{789}$ (replaced by $k_{78}$), individual keys $k_1 \dots k_9$ of users $u_1 \dots u_9$; one user marked "Leaving"]
     - Select new keys needed by a user or subset of users, form a rekey message and encrypt it
     - $(d-1)(h-1)$ rekey messages – sent by unicast or subgroup multicast
     - Most work on server, least work on user
     - Rekey messages:
       - $s \to \{u_1, u_2, u_3\}$ : $\{k_{1\text{-}8}\}_{k_{123}}$
       - $s \to \{u_4, u_5, u_6\}$ : $\{k_{1\text{-}8}\}_{k_{456}}$
       - $s \to u_7$ : $\{k_{1\text{-}8}, k_{78}\}_{k_7}$
       - $s \to u_8$ : $\{k_{1\text{-}8}, k_{78}\}_{k_8}$

  20. Key-oriented rekeying
     [Figure: key tree with root $k_{1\text{-}9}$ (replaced by $k_{1\text{-}8}$), subgroup keys $k_{123}$, $k_{456}$, $k_{789}$ (replaced by $k_{78}$), individual keys $k_1 \dots k_9$ of users $u_1 \dots u_9$; one user marked "Leaving"]
     - Encrypt each new key, then compose rekey messages - encryption cost $d(h-1)-1$
     - $(d-1)(h-1)$ rekey messages – sent by unicast or subgroup multicast
     - Less work on server than user-oriented
     - Rekey messages:
       - $s \to \{u_1, u_2, u_3\}$ : $\{k_{1\text{-}8}\}_{k_{123}}$
       - $s \to \{u_4, u_5, u_6\}$ : $\{k_{1\text{-}8}\}_{k_{456}}$
       - $s \to u_7$ : $\{k_{1\text{-}8}\}_{k_{78}}, \{k_{78}\}_{k_7}$
       - $s \to u_8$ : $\{k_{1\text{-}8}\}_{k_{78}}, \{k_{78}\}_{k_8}$

  21. Group-oriented rekeying
     [Figure: key tree with root $k_{1\text{-}9}$ (replaced by $k_{1\text{-}8}$), subgroup keys $k_{123}$, $k_{456}$, $k_{789}$ (replaced by $k_{78}$), individual keys $k_1 \dots k_9$ of users $u_1 \dots u_9$; one user marked "Leaving"]
     - One rekey message containing all encrypted new keys – sent by multicast
     - Message size $O(\log n)$
     - Each user decrypts what it needs
     - Least work on server, most work on user
     - A user cannot decrypt any key that does not belong to the user
     - Rekey message:
       - $s \to \{u_1, \dots, u_8\}$ : $\{k_{78}\}_{k_7}, \{k_{78}\}_{k_8}, \{k_{1\text{-}8}\}_{k_{123}}, \{k_{1\text{-}8}\}_{k_{456}}, \{k_{1\text{-}8}\}_{k_{78}}$
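
The three rekeying strategies on slides 19-21 can be compared by composing the rekey messages symbolically for a leave. The following is an added example, not code from the slides or the paper: the function names and key-name strings are hypothetical, no real encryption is performed, and it assumes a full, balanced tree with $n = d^{h-1}$ users (the key star of slide 14 is the case $d = n$).

```python
# Added example: symbolic rekeying after a leave in a full, balanced key tree.
# Constructed key names: "k[1,2,3]" stands for k_123; a trailing "'" marks a new key.

def k(users, new=False):
    return "k[" + ",".join(map(str, users)) + "]" + ("'" if new else "")

def leave_path(n, d, leaver):
    """K-nodes from the root down to the leaver's parent, each with its d children."""
    node, path = tuple(range(1, n + 1)), []
    while len(node) > 1:
        size = len(node) // d
        children = [node[i:i + size] for i in range(0, len(node), size)]
        path.append((node, children))
        node = next(c for c in children if leaver in c)
    return path

def rekey_on_leave(n, d, leaver, strategy):
    """Return [(recipients, [(new_key_names, encrypting_key_name), ...]), ...]."""
    path = leave_path(n, d, leaver)
    # New keys replace every key the leaver held, listed root first.
    fresh = [k([u for u in node if u != leaver], new=True) for node, _ in path]
    msgs = []
    for depth, (_, children) in enumerate(path):
        for c in children:
            if leaver in c:
                continue  # the leaver itself, or a subtree handled one level down
            if strategy == "user":
                # All new keys this subgroup needs, encrypted once under its old key.
                items = [(tuple(fresh[:depth + 1]), k(c))]
            else:
                # Each new key encrypted separately under the key one level below it.
                items = [((fresh[i],), fresh[i + 1]) for i in range(depth)]
                items.append(((fresh[depth],), k(c)))
            msgs.append((c, items))
    if strategy == "group":
        # One multicast message carrying every distinct encrypted key.
        everyone = tuple(u for u in range(1, n + 1) if u != leaver)
        merged = list(dict.fromkeys(item for _, items in msgs for item in items))
        msgs = [(everyone, merged)]
    return msgs

def encryption_cost(msgs):
    """Keys the server encrypts, counting each distinct (keys, encrypting key) once."""
    distinct = {item for _, items in msgs for item in items}
    return sum(len(keys) for keys, _ in distinct)

if __name__ == "__main__":
    for s in ("user", "key", "group"):
        m = rekey_on_leave(9, 3, 9, s)
        print(s, len(m), "message(s),", encryption_cost(m), "encryptions")
```

Called with `n=9, d=3, leaver=9`, it produces the same messages as the slides' nine-user tree; with `n=4, d=4, leaver=4` it reduces to the key-star leave protocol.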
