CSC 774 Advanced Network Security


Topic 5 Group Key Management

CSC 774 Adv. Net. Security

- A group consists of multiple members
- Messages sent by one sender are received by all the other group members
- Example application: Pay per view

- Messages sent by a valid group member can only be understood by the other valid members
- Others may receive the messages, but are unable to understand them
- Typical approach: Encrypt the group messages with a key only known to the valid group members

- Group key management
- Ensure only valid group members have access to the group key
- The REAL problem for secure group communication

- Group key secrecy
  - It is at least computationally infeasible for an adversary to discover any group key

- Forward secrecy
  - A passive adversary who knows a contiguous subset of old group keys cannot discover subsequent group keys
  - Do not confuse with PFS

- Backward secrecy
  - A passive adversary who knows a contiguous subset of group keys cannot discover preceding group keys

- Group key independence
  - The combination of forward and backward secrecy.

- Stateful
  - Decryption of new key depends on previous keys
  - Group member should keep track of all rekeying messages
  - Members should be online

- Stateless
  - Decryption of new key depends on establishment key set that is assigned when the member joins
  - Group members don’t need to keep track of rekeying messages
  - Members can be offline

- Group key agreement
  - Group keys are determined collectively by all group members
  - Usually extended from D-H key exchange

- Group key distribution
  - Group keys are determined and distributed by a group key manager

Topic 5.1 Group Diffie-Hellman Protocols

- Review of the basic two-party D-H key exchange
- Generic n-party D-H key agreement
- Three specific protocols
  - GDH.1
  - GDH.2
  - GDH.3

Alice:
- Pick secret $S_a$ randomly
- Compute $T_A = g^{S_a} \bmod p$
- Send $T_A$ to Bob
- Compute $T_B^{S_a} \bmod p$

Bob:
- Pick secret $S_b$ randomly
- Compute $T_B = g^{S_b} \bmod p$
- Send $T_B$ to Alice
- Compute $T_A^{S_b} \bmod p$

Shared key is reached at both parties: $g^{S_a S_b} \bmod p$

- n: number of participants in the protocol
- : exponentiation base
- q: order of the algebraic group
- Mi: i-th group member, i is the index
- Ni: random exponent generated by group member Mi
- S: subsets of {N1, …, Nn}
- (S): product of all elements in subset S
- Kn: group key shared among n members

- Setup
- All n participants agree on a cyclic group G, of order q and the base
- Each member Mi chooses a random value Ni G

- Generic Protocol:
- Distributively revealing and computing a subset of {(S)|S{N1, …, Nn}}
- From these subsets, member Mi computes
N1…Ni-1Ni+1…Nn mod q

- Finally, Mi computes the shared key
K = N1…Nn mod q

- Security
- The generic n-party D-H protocol is secure if the 2-party D-H protocol is secure
- Proof: by induction on n

- Remaining problem
- Consider {(S)|S{N1, …, Nn}}
- What (S) to distribute, and how?

- Consists of an upflow stage and a downflow stage

[Figure: upflow stage M1 → M2 → M3 → … → Mn, followed by downflow stage Mn → … → M3 → M2 → M1]

- Upflow
- Mi receives the set {N1, N1N2, …, N1…Ni-1} and forwards to Mi+1 {N1, N1N2, …, N1…Ni}, i [1, n-1]

- Example
- M4 receives the set
{N1, N1N2, N1N2N3}

- and forwards to M5
{N1, N1N2, N1N2N3, N1N2N3N4}

- Downflow
- Mi uses the last intermediate value to compute Kn (1<i<=n)
- Mi then raises all remaining values to the power of Ni and forwards the resulting set to Mi-1

- Example
- M4 receives the set
{N5, N1N5, N1N2N5, N1N2N3N5}

- and forwards to M3
{N5N4, N1N5N4, N1N2N5N4}

- How many rounds?
- __________

- How many messages in GDH.1?
- __________

- How many exponentiations per Mi?
- __________

- Consists of an upflow stage and a broadcast stage
- Use broadcast to reduce communication overhead

[Figure: upflow stage M1 → M2 → M3 → … → Mn, followed by a broadcast from Mn to M1, M2, M3, …]

- Upflow
- Mi composes i intermediate values and one cardinal value and forwards the resulting set to Mi+1 (i < n)

- Example:
- M4 receives the set
{N1N2N3, N1N2, N1N3, N2N3}

- and forwards to M5
{N1N2N3N4, N1N2N3, N1N2N4, N1N3N4, N2N3N4}

- Downflow
- Mn raises every intermediate value to the power of Nn and broadcasts the resulting values to all group members; in other words,
- Mn broadcasts the set {N1…Ni-1Ni+1…Nn} to Mi (i < n)

- Example
- M4 receives the set {N1N2N3N5 } from M5 (Assume n=5)
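The GDH.2 upflow and broadcast stages described above, simulated end to end as an added example (not code from the original slides). It also counts messages and exponentiations, which come out as n and (n+3)n/2-1, the GDH.2 figures in the comparison table on this page. The base name `g`, the toy group parameters, the sample exponents and the function names are assumptions of this example.

```python
from math import prod

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
# The names P, Q, G, gdh2 and expected_key are assumptions of this example.
P, Q, G = 2039, 1019, 4

def expected_key(exponents):
    """Reference value: g raised to the product of all members' exponents."""
    return pow(G, prod(exponents) % Q, P)

def gdh2(exponents):
    """Run GDH.2 for M1..Mn holding N1..Nn; return (keys, messages, exps)."""
    n = len(exponents)
    if n < 2:
        raise ValueError("GDH.2 needs at least two members")
    exps = [0] * n                      # exponentiations performed by each Mi

    def power(member, base, e):         # one modular exponentiation by `member`
        exps[member] += 1
        return pow(base, e, P)

    # Upflow: Mi forwards one cardinal value (N1..Ni in the exponent) and
    # i intermediate values (N1..Ni with exactly one Nj left out).
    cardinal, inter, messages = G, [], 0
    for i in range(n - 1):
        inter = [power(i, v, exponents[i]) for v in inter] + [cardinal]
        cardinal = power(i, cardinal, exponents[i])
        messages += 1                   # Mi -> Mi+1

    # Broadcast: Mn derives its key from the cardinal value and raises every
    # intermediate value to Nn; entry j now lacks only M(j+1)'s exponent.
    last = n - 1
    keys = [None] * n
    keys[last] = power(last, cardinal, exponents[last])
    broadcast = [power(last, v, exponents[last]) for v in inter]
    messages += 1                       # Mn -> all

    # Each Mi (i < n) raises its own entry to Ni to obtain the group key.
    for i in range(n - 1):
        keys[i] = power(i, broadcast[i], exponents[i])
    return keys, messages, exps

if __name__ == "__main__":
    N = [17, 230, 5, 999, 412]          # constructed sample exponents
    keys, messages, exps = gdh2(N)
    print(keys[0] == expected_key(N), messages, exps, sum(exps))
```

Every value that crosses the wire lacks at least one member's exponent, so the key itself is never transmitted.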

- How many rounds?
- __________

- How many messages in GDH.2?
- __________

- How many exponentiations per Mi?
- __________

- Consists of an upflow stage, a broadcast stage, a response stage, and final broadcast stage
- Reduce the number of exponentiations per group member.

[Figure: four stages. Upflow: M1 → M2 → M3 → … → Mn-1. Broadcast: Mn-1 to the other members. Response: M1, M2, M3, … to Mn. Broadcast: Mn to M1, M2, M3, …]

- Upflow
- Mi (i [1, n-2]) receives N1…Ni-1, and
- forwards N1…Ni to Mi+1

- Broadcast
- Mn-1 broadcasts N1…Nn-1 to Mi (in-1)

- Response
- Mi (i < n) factors out its own component and forwards N1…Ni-1Ni+1…Nn-1 to Mn

- Broadcast
- Mn raises every input to the power of Nn and broadcasts the resulting set {N1…Ni-1Ni+1…Nn} to Mi (i < n)
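The four GDH.3 stages above, simulated as an added example (not code from the original slides). It shows how "factoring out" a member's own component works: the member raises the broadcast value to the inverse of its exponent modulo the group order q, which only exists when the exponent is invertible mod q. The base name `g`, the toy group parameters, the sample exponents and the function name are assumptions of this example.

```python
# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
# The names P, Q, G and gdh3 are assumptions of this example.
P, Q, G = 2039, 1019, 4

def gdh3(exponents):
    """Run GDH.3 for M1..Mn holding N1..Nn; return (keys, messages)."""
    N, n = exponents, len(exponents)
    if n < 3:
        raise ValueError("this sketch expects at least three members")
    # Factoring out Ni needs Ni^-1 mod q, so every exponent must be a
    # nonzero residue modulo the prime group order.
    if any(not 0 < x < Q for x in N):
        raise ValueError("exponents must satisfy 0 < Ni < q")
    messages = 0

    # Stage 1, upflow: Mi (i <= n-2) adds Ni and forwards to Mi+1.
    value = G
    for i in range(n - 2):
        value = pow(value, N[i], P)
        messages += 1

    # Stage 2, broadcast: Mn-1 adds Nn-1 and broadcasts the result,
    # whose exponent is N1..Nn-1.
    full = pow(value, N[n - 2], P)
    messages += 1

    # Stage 3, response: each Mi (i < n) removes its own Ni from the
    # exponent by raising to Ni^-1 mod q, then sends the result to Mn.
    responses = []
    for i in range(n - 1):
        responses.append(pow(full, pow(N[i], -1, Q), P))
        messages += 1

    # Stage 4, final broadcast: Mn raises every response to Nn.
    final = [pow(r, N[n - 1], P) for r in responses]
    messages += 1

    # Key derivation: Mi (i < n) puts Ni back; Mn uses the stage-2 value.
    keys = [pow(final[i], N[i], P) for i in range(n - 1)]
    keys.append(pow(full, N[n - 1], P))
    return keys, messages

if __name__ == "__main__":
    keys, messages = gdh3([17, 230, 5, 999, 412])   # constructed exponents
    print(len(set(keys)) == 1, messages)
```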

- How many rounds?
- __________

- How many messages in GDH.2?
- __________

- How many exponentiations per Mi?
- __________

| | GDH.1 | GDH.2 | GDH.3 |
|---|---|---|---|
| Rounds | 2(n-1) | n | n+1 |
| Messages | 2(n-1) | n | 2n-1 |
| Total message size | n(n-1) | (n-1)(n/2+2)-1 | 3(n-1) |
| Exp ops per Mi | i+1, n | i+1, n | 4, 2, n |
| Total exp ops | (n+3)n/2-1 | (n+3)n/2-1 | 5n-6 |

- GDH.1 does not support efficient member addition/deletion.
- GDH.2 & GDH.3
  - Member addition
    - Consider the new member as the new Mn+1
  - Member deletion
    - Mn regenerates its secret Nn and re-executes the protocol from the second stage.
