
Chang Gung University, Center for General Education: 李榮宗

Distributed Multiple Secret Key Management for Cluster-based Ad Hoc Networks (分散式多重密鑰管理機制應用於群集隨意型網路)





Presentation Transcript


  1. Distributed Multiple Secret Key Management for Cluster-based Ad Hoc Networks (分散式多重密鑰管理機制應用於群集隨意型網路). Chang Gung University, Center for General Education: 李榮宗

  2. Outline • Introduction • Background • Distributed ID-based multiple secret key management scheme (IMKM) • Conclusion

  3. Introduction • Ad-hoc networks and security concerns • Authenticated key management protocols • Scope of the work • Summary of contributions

  4. Ad-hoc networks and security concerns • A mobile ad hoc network (MANET) is an autonomous system of mobile nodes connected through wireless links

  5. Ad-hoc networks and security concerns (Cont’d) • A cluster is a connected graph including a clusterhead (CH) responsible for establishing and organizing the cluster [Figure: example cluster of nodes numbered 1 to 8, showing a cluster head, a gateway, and ordinary nodes]

  6. Ad-hoc networks and security concerns (Cont’d) • Deploying security mechanisms in MANETs is difficult • Absence of fixed infrastructure • Shared wireless medium • Node mobility • Limited resources of mobile devices • Bandwidth-restricted • Error-prone communication links

  7. Ad-hoc networks and security concerns (Cont’d) • Ad hoc networks are subject to various kinds of attacks • Passive eavesdropping • Active impersonation • Message replay • Message distortion • Key management is particularly difficult to implement in such networks

  8. Authenticated key management protocols • Threshold sharing-based key management with distributed authorities • Session key management protocols • Two-party authenticated key management protocols • Multi-party authenticated key management protocols

  9. Authenticated key management protocols (Cont’d) • Threshold sharing-based key management with distributed authorities • Using a (t,n) threshold scheme • Certificate exchanges consume much bandwidth • Does not provide verifiability • When t shareholders are compromised, the overall system security is broken

  10. Authenticated key management protocols (Cont’d) • Session key management protocol • Two-party authenticated key management protocols by bilinear pairings • Based on the discrete logarithm problem over elliptic curve groups • Is not secure against key revealing attacks • Does not provide perfect forward secrecy

  11. Authenticated key management protocols (Cont’d) • Multi-party authenticated key management protocols by bilinear pairings • Suffers from the man-in-the-middle attack • Suffers from the impersonation attack • Disadvantages in number of rounds, pairing computation and communication bandwidth

  12. Scope of work • In this paper, we address key management issues in cluster-based mobile ad hoc networks • We present a fully distributed ID-based multiple secret key management scheme (IMKM) as a combination of ID-based, multiple secret and threshold cryptography • ID-based approach eliminates the need for certificate-based public-key distribution

  13. Scope of work (Cont’d) • The multiple secret key update scheme enhances system security and eliminates communication and computation overhead for key update • The fully distributed threshold secret sharing scheme solves the single point of failure and compromise tolerance problems • The cluster-based mechanism reduces routing overhead and provides more scalable solutions

  14. Summary of contributions • Our IMKM scheme provides complete and solid solutions for key management • The overall system security is still guaranteed even when t shareholders are compromised in IMKM. • When the network becomes sparse, it is quite difficult to collect t shares to reconstruct the secret. However, it is easy to adjust threshold t in IMKM which makes the system more robust and reliable.

  15. Background • Symmetric and public key cryptography • Elliptic curve cryptosystems (ECC) • Lagrange interpolation polynomial • Threshold sharing scheme • Shuffling scheme • Security schemes for attacks

  16. Symmetric key and public key cryptography • Symmetric key • The same key is used to do both encryption and decryption. • Advantages: efficient, easy to use • Disadvantages: less secure than public key, problem of sharing keys • Ex: DES, RC6, MD5, SHA-1, etc.

  17. Symmetric key and public key cryptography (Cont’d) • Public key • Motivated by three limitations of symmetric key cryptography, that is, key delivery, key management and user authentication • Advantages: encryption is stronger than symmetric key • Disadvantages: much processing power; much longer data files are created and transmitted • Ex: RSA, ElGamal, ECC, etc.

  18. Elliptic curve cryptosystems (ECC) • Based on the difficulty of solving elliptic curve discrete logarithm problem (ECDLP) (Ex: Q = kP) • Smaller key sizes • Low communication cost • Faster implementation • For resource-constrained environments, such as smart cards, and wireless devices

  19. Elliptic curve cryptosystems (ECC) (Cont’d) Security comparisons of RSA, ElGamal and ECC

  20. Lagrange interpolation polynomial • Given points, where are distinct. Seek a polynomial with degree such that

  21. Lagrange interpolation polynomial (Cont’d) • The Lagrange interpolating polynomial is given by: • where n stands for the nth order polynomial that approximates the function • given at data points as • and • is a weighting function that includes a product of terms with the terms of omitted

  22. Lagrange interpolation polynomial (Cont’d) • Given a set of three data points {(0,3),(1,9),(2,21)}, we shall determine the Lagrange interpolation polynomial of degree 2 which passes through these points. First, we compute • The Lagrange interpolation polynomial is:

  23. Threshold sharing scheme • The dealer chooses , and random polynomial • Suppose the unique ID of each user is , • , then the shares of each user are: • That is the polynomial passes through points • (1,9), (2,4), (3,5), (4,12), (5,8)

  24. Threshold sharing scheme (Cont’d) • After combining t shares (ex. S1, S3, S5), the original polynomial can be reconstructed by using Lagrange interpolation as follows:
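Slides 22 to 24 can be reproduced with one short script, added here as a worked example (not code from the original presentation). The polynomial 3x^2 + 3x + 3 is the answer to slide 22, and the same polynomial reduced modulo 17 yields exactly the five shares (1,9), (2,4), (3,5), (4,12), (5,8) of slide 23; the slides never state the modulus, so 17 is an assumption (it is the only prime for which f(5) = 93 reduces to the listed 8). The example generalises the slides slightly by interpolating either over the rationals or over GF(p), and by reconstructing the secret f(0) from any t shares, as slide 24 does with S1, S3, S5.

```python
from fractions import Fraction

# Constructed from slides 22-24: the same polynomial 3x^2 + 3x + 3 reproduces
# both the rational example {(0,3),(1,9),(2,21)} and, reduced modulo 17, the
# five shares (1,9),(2,4),(3,5),(4,12),(5,8).
SLIDE22_POINTS = [(0, 3), (1, 9), (2, 21)]
SHARES = {1: 9, 2: 4, 3: 5, 4: 12, 5: 8}   # (ID_i, S_i) as listed on slide 23
P = 17   # ASSUMED modulus: not stated on the slide, but 17 is the only prime
         # for which f(5) = 3*25 + 3*5 + 3 = 93 reduces to the listed share 8


def _scale(y, denom, p):
    """y / denom: exact over Q when p is None, otherwise in GF(p)."""
    return Fraction(y, denom) if p is None else y * pow(denom, -1, p) % p


def interpolate_at(points, x, p=None):
    """Evaluate the interpolating polynomial at x without expanding it:
    sum_i y_i * prod_{j != i} (x - x_j) / (x_i - x_j)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num *= (x - xj)
                den *= (xi - xj)
        total += _scale(yi * num, den, p)
    return total if p is None else total % p


def interpolation_polynomial(points, p=None):
    """Coefficients [c0, c1, ...] of the unique polynomial of degree < len(points)
    through the points: each Lagrange basis polynomial L_i is expanded term by term."""
    xs = [x for x, _ in points]
    coeffs = [0] * len(points)
    for xi, yi in points:
        basis, denom = [1], 1              # L_i(x) as a coefficient list, and its denominator
        for xj in xs:
            if xj == xi:
                continue
            new = [0] * (len(basis) + 1)   # multiply the running product by (x - x_j)
            for k, c in enumerate(basis):
                new[k] -= xj * c
                new[k + 1] += c
            basis = new
            denom *= (xi - xj)
        scale = _scale(yi, denom, p)
        for k, c in enumerate(basis):
            coeffs[k] += c * scale
    return coeffs if p is None else [c % p for c in coeffs]


def evaluate(coeffs, x, p=None):
    value = sum(c * x ** k for k, c in enumerate(coeffs))
    return value if p is None else value % p


def make_shares(coeffs, ids, p):
    """Dealer step of slide 23: share S_i = f(ID_i) for every user ID_i (ID_i != 0)."""
    return {i: evaluate(coeffs, i, p) for i in ids}


def reconstruct_secret(shares, subset, p):
    """Slide 24: any t shares give the secret f(0) by Lagrange interpolation at x = 0."""
    return interpolate_at([(i, shares[i]) for i in subset], 0, p)


if __name__ == "__main__":
    print("slide 22 polynomial:", interpolation_polynomial(SLIDE22_POINTS))        # [3, 3, 3]
    print("shares from 3x^2+3x+3 mod 17:", make_shares([3, 3, 3], range(1, 6), P))
    print("secret from S1,S3,S5:", reconstruct_secret(SHARES, [1, 3, 5], P))       # 3
    print("polynomial from S1,S3,S5:",
          interpolation_polynomial([(i, SHARES[i]) for i in (1, 3, 5)], P))      # [3, 3, 3]
```

Fewer than t shares do not help: interpolating a line through S1 and S3 alone evaluates to 11 at x = 0, not the secret 3, which is the point of the threshold.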

  25. Shuffling scheme • To prevent the exposure of shares, the shuffling scheme is introduced • First, each pair of nodes (i, j) securely exchanges a shuffling factor di,j • One node in the pair adds di,j to its partial share while the other one subtracts di,j • For node i, it must apply all t − 1 shuffling factors, either by adding or subtracting, to its partial share

  26. Shuffling scheme (Cont’d) • When a new member k joins the secret sharing network • The shuffled partial share is generated as • where and • After receiving t shuffled partial shares, node k recovers its share as:

  27. Security schemes for attacks • Intrusion detection system (IDS) - Unwanted manipulations to systems • Watchdog - Selfish behavior • Packet leashes - Wormhole attack • Rushing attack prevention (RAP) - Denial of service attack

  28. Distributed ID-based multiple secret key management scheme • Design goals and system models • Network initialization • Key revocation • Multiple secrets key update scheme • Key joining, key eviction • Group key agreement protocol • Protocol analysis

  29. Design goals and system models • Design goals • It must not have a single point of compromise and failure • It should be compromise-tolerant • Efficiently and securely revoke keys of compromised nodes once detected and update keys of uncompromised nodes • Efficient schemes to generate group session key

  30. Design goals and system models (Cont’d) • System models • We envision a cluster-based MANET consisting of n clusterheads (CHs) called D-PKGs; D-PKGs are selected to enable secure and robust key revocation and update • If a cluster-based routing protocol is used, the clusters established by the routing protocol can also be employed in our security conceptualization • The size of the network may be dynamically changing with CH join, leave, or failure over time.

  31. Design goals and system models (Cont’d) • Each CHi has a unique ID, denoted by IDi • Communications are potentially insecure and error-prone • We assume that compromised CHs will eventually exhibit detectable misbehavior • We also assume that adversaries compromise no more than out of n CHs simultaneously, where • Nor can adversaries break the underlying cryptographic primitive on which we base our design

  32. Network initialization • Generation of pairing parameters and key initiation • System setup: • PKG (Private key generator) chooses a random number as the PKG’s private key. is the PKG’s public key. • The system parameters of PKG are as follows:

  33. Network initialization (Cont’d) • Key extraction: • CHi submits his identity information to PKG. PKG computes and CHi’s public and private key pair: , • PKG preloads the key pair and system parameters on securely.

  34. Generation of pair–wise keys • In order to provide perfect forward secrecy, we modified McCullagh and Barreto’s scheme as follows: • Each CHi randomly chooses his ephemeral key , computes and sends to CHj . • After exchanging the ephemeral values, all CHs can compute their pair–wise keys:

  35. Generation of pair–wise keys (Cont’d) • The above pair-wise key agreement protocol satisfies all the following security properties: • Implicit key authentication, • Known session key security, • No key-compromise impersonation, • Perfect forward secrecy, • No unknown key-share, No key control. • Therefore, it is secure when employed in MANETs.

  36. Verifiable secret sharing

  37. Verifiable secret sharing (Cont’d) • Each CHi creates a (t,n) threshold sharing of ai,0 by generating a random polynomial of degree t-1 over , as: • Each CHi computes and securely sends an encrypted subshare, , to CHj, using pair-wise key . • Each CHi broadcasts public values • Each CHj verifies that subshare by checking that

  38. Verifiable secret sharing (Cont’d) • Each CHj computes its share key, • and broadcasts public key • Any subset, , of size t CHs, can determine the master secret key: • , where • The public key, , of the master secret key, can be generated from any t CHs’ public keys:
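The distributed setup of slides 36 to 38 (every clusterhead deals a (t,n) sharing of its own a_i,0, subshares are checked against broadcast commitments, and share keys are the sums of verified subshares) is shown below as an added example; it is not the paper's code. The pairing-friendly elliptic curve group of the paper is replaced by the multiplicative subgroup of order Q = 1019 inside GF(2039) with generator G = 4, so the commitment to a coefficient a_ik is G^a_ik and the check performed by CHj is G^f_i(j) = prod_k (G^a_ik)^(j^k). These toy parameters, the `dkg`, `verify_subshare` and `public_from_shares` names, and the use of Feldman-style commitments are all assumptions of the example. The master secret is computed in `dkg` only so that the test can confirm the reconstruction; in the protocol no single clusterhead ever holds it.

```python
import secrets

# Toy group parameters (constructed; the paper uses pairing-friendly elliptic
# curves, replaced here by the multiplicative group modulo a safe prime).
P_GROUP = 2039        # safe prime: P_GROUP = 2*Q + 1
Q = 1019              # prime order of the subgroup generated by G
G = 4                 # a quadratic residue, hence of order Q
assert pow(G, Q, P_GROUP) == 1


def random_poly(secret, t, rng=secrets.randbelow):
    """f_i(x) = a_i0 + a_i1 x + ... + a_i,t-1 x^(t-1) over GF(Q), with a_i0 = secret."""
    return [secret % Q] + [rng(Q) for _ in range(t - 1)]


def evaluate(coeffs, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def commitments(coeffs):
    """Public values broadcast by CH_i: G^{a_ik} for every coefficient."""
    return [pow(G, c, P_GROUP) for c in coeffs]


def verify_subshare(j, subshare, comm):
    """CH_j's check: G^{f_i(j)} == prod_k (G^{a_ik})^{j^k}."""
    lhs = pow(G, subshare, P_GROUP)
    rhs = 1
    for k, c in enumerate(comm):
        rhs = rhs * pow(c, pow(j, k, Q), P_GROUP) % P_GROUP
    return lhs == rhs


def dkg(ids, t, rng=secrets.randbelow):
    """Every CH_i deals a (t,n) sharing of its own a_i0; each CH_j sums the
    verified subshares f_i(j) into its share key s_j.
    Returns (share keys, master secret, master public key)."""
    polys = {i: random_poly(rng(Q), t, rng) for i in ids}
    comms = {i: commitments(polys[i]) for i in ids}
    shares = {}
    for j in ids:
        total = 0
        for i in ids:
            sub = evaluate(polys[i], j)   # sent under the pair-wise key K_ij in the paper
            if not verify_subshare(j, sub, comms[i]):
                raise ValueError(f"CH{i} sent CH{j} a subshare inconsistent with its commitments")
            total += sub
        shares[j] = total % Q
    master = sum(polys[i][0] for i in ids) % Q          # sum of all a_i0 (for checking only)
    master_pub = 1
    for i in ids:
        master_pub = master_pub * comms[i][0] % P_GROUP   # prod G^{a_i0} = G^{master}
    return shares, master, master_pub


def lagrange_coeff(xs, xi, x=0):
    """lambda_i(x) = prod_{j != i} (x - x_j)/(x_i - x_j) over GF(Q)."""
    num = den = 1
    for xj in xs:
        if xj != xi:
            num = num * (x - xj) % Q
            den = den * (xi - xj) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct(shares, subset):
    """Any t share keys determine the master secret: sum_i lambda_i * s_i."""
    return sum(shares[i] * lagrange_coeff(subset, i) for i in subset) % Q


def public_from_shares(share_pubs, subset):
    """Master public key from any t share public keys G^{s_i}: prod (G^{s_i})^{lambda_i}."""
    result = 1
    for i in subset:
        result = result * pow(share_pubs[i], lagrange_coeff(subset, i), P_GROUP) % P_GROUP
    return result


if __name__ == "__main__":
    ids, t = [1, 2, 3, 4, 5], 3
    shares, master, master_pub = dkg(ids, t)
    share_pubs = {i: pow(G, s, P_GROUP) for i, s in shares.items()}
    print("master secret reconstructed from CH1,CH3,CH5:", reconstruct(shares, [1, 3, 5]) == master)
    print("master public key from CH2,CH4,CH5:", public_from_shares(share_pubs, [2, 4, 5]) == master_pub)
```

The verification step is what the slide-9 critique of plain threshold schemes ("does not provide verifiability") asks for: a dealer that sends CHj a value that is not f_i(j) is caught by `verify_subshare` before the bad value can corrupt CHj's share key, and the failing dealer is identified by its ID.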

  39. Key revocation • The key revocation scheme is comprised of three sub-processes: • Misbehavior notification • Revocation generation • Revocation verification

  40. Misbehavior notification • Upon detection of CHi’s misbehavior, CHj generates an accusation, , against CHi • Securely transmits it to CHv • is a time stamp used to withstand message replay attacks • is the pair-wise key of CHj and CHv

  41. Revocation generation • When the number of accusations reaches a predefined revocation threshold, • t normal CHj, having the smallest IDs, generate a partial revocation, • Each CHj sends it to the revocation leader securely • The revocation leader checks whether the equation holds.

  42. Revocation generation (Cont’d) • The revocation leader can construct a complete revocation from these partials using Lagrange interpolation: • The revocation leader then floods throughout the network to inform others that CHi has been compromised.

  43. Revocation verification • Upon receipt of , each clusterhead verifies it by checking whether the equation holds • This means that has been correctly accumulated from all other t-1 unrevoked CHs • Each clusterhead then records in its key revocation list (KRL) and declines to interact with it thereafter.

  44. Multiple secrets key update scheme • To resist cryptanalysis, it is a good practice to update keys frequently. • At each regular predetermined time interval, updates each CH’s share key, , to by replacing the generator, , with of • Key update is quite simple and efficient

  45. Key joining • Scheme I • Each CHj creates a new subshare, , and securely sends it to CHk. CHk constructs its share as: • CHk creates a (t,n) threshold sharing of by generating a random polynomial of degree t-1, and securely sends to each CHj. • Upon receiving from CHk, each CHj reconstructs the share key,

  46. Key joining (Cont’d) • Scheme II (shuffling scheme) • Each CHj generates the partial share for CHk: , where is the Lagrange coefficient, and , where and is the shuffling factor. • The shuffled share, , is then returned to CHk. After receiving t partial shares, CHk can construct its share, .
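The shuffling scheme of slides 25 and 26 and its use for key joining (Scheme II on this slide) are the same computation, shown once below as an added example that is not part of the presentation. It reuses the slide-23 polynomial 3x^2 + 3x + 3 over GF(17) (the modulus is an assumption, as before): shareholders 1, 3 and 5 (t = 3) each compute lambda_i(k) * S_i for the joining node k = 6, blind it with the pairwise factors d_ij (the lower ID adds, the higher ID subtracts), and k sums the t blinded values to obtain f(6) = 10. The `leaked_share` helper shows why the blinding is needed: an unshuffled partial reveals S_i because lambda_i(k) is invertible.

```python
import secrets

P = 17                        # ASSUMED modulus, as in the threshold-sharing example
SHARES = {1: 9, 3: 5, 5: 8}   # t = 3 current shareholders with their slide-23 shares
NEW_ID = 6                    # ID of the joining node k; its share is f(6) = 10


def lagrange_coeff(ids, i, x, p):
    """lambda_i(x) = prod_{j != i} (x - ID_j)/(ID_i - ID_j) over GF(p)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (x - j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def exchange_shuffling_factors(ids, p, rng=secrets.randbelow):
    """Every unordered pair (i, j), i < j, agrees on a random d_ij
    (delivered over the pair-wise key in the paper; simulated locally here)."""
    return {(i, j): rng(p) for a, i in enumerate(ids) for j in ids[a + 1:]}


def shuffled_partial(i, ids, shares, factors, k, p):
    """lambda_i(k) * S_i, plus d_ij for every pair where i is the lower ID,
    minus d_ji for every pair where i is the higher ID."""
    partial = lagrange_coeff(ids, i, k, p) * shares[i] % p
    for (lo, hi), d in factors.items():
        if lo == i:
            partial += d
        elif hi == i:
            partial -= d
    return partial % p


def join(shares, k, p, factors=None):
    """Node k collects t shuffled partials; their sum is f(k) because every d_ij
    is added exactly once and subtracted exactly once. Returns (share, partials)."""
    ids = sorted(shares)
    if factors is None:
        factors = exchange_shuffling_factors(ids, p)
    partials = [shuffled_partial(i, ids, shares, factors, k, p) for i in ids]
    return sum(partials) % p, partials


def leaked_share(unshuffled_partial, ids, i, k, p):
    """What k (or an eavesdropper) learns from an UNshuffled partial: S_i itself."""
    return unshuffled_partial * pow(lagrange_coeff(ids, i, k, p), -1, p) % p


if __name__ == "__main__":
    share, partials = join(SHARES, NEW_ID, P)
    print("shuffled partials seen by node 6:", partials)
    print("share recovered by node 6:", share)            # 10 == f(6)
    no_blinding = {(1, 3): 0, (1, 5): 0, (3, 5): 0}
    _, plain = join(SHARES, NEW_ID, P, no_blinding)
    print("S_1 recovered from an unshuffled partial:", leaked_share(plain[0], [1, 3, 5], 1, NEW_ID, P))
```

The recovered share is the same whatever factors are used, which is the correctness property; the partials themselves change with every run, which is the privacy property the scheme is introduced for.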

  47. Key eviction • When CHk is revoked, and the number of revoked CHs reaches the predetermined update threshold : • Each CHi chooses a random number, , changes its share, , to and securely sends to all unrevoked CHj • After receiving all values, each CHj reconstructs the share key,

  48. Group key agreement protocol • We present an efficient ID-based authenticated group key agreement (AGKA) protocol • Scheme • Each CHi randomly chooses an ephemeral key, Li. • Each CHi constructs a Lagrange interpolating polynomial with degree n-1, as follows: • Each CHi then broadcasts

  49. Group key agreement protocol (Cont’d) • Group key computation • Each CHj uses the pair–wise session keys, , to recover keys, Li, using the following equation: • After recovering all the keys, Li, each CHj computes the group session key as follows: • Member leave • Reprocesses AGKA protocol
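The polynomial broadcast of slides 48 and 49 is illustrated below with an added example (not the paper's code). The transcript does not carry the equations, so the construction is an assumption consistent with the text: CHi fixes a polynomial h_i of degree n-1 through the n-1 points (K_ij, L_i), one per peer j, plus one random blinding point, and broadcasts h_i at n public x-values; any CHj holding the pair-wise key K_ji evaluates the broadcast polynomial there and gets L_i, while anyone without a pair-wise key gets an unrelated value. The pairing group is replaced by arithmetic modulo the Mersenne prime 2^127 - 1, the pair-wise keys are constructed random values standing in for slide 34, and deriving the group session key as a SHA-256 hash of all L_i in ID order is also an assumption.

```python
import hashlib
import secrets

# ASSUMED field: plain arithmetic modulo a Mersenne prime replaces the paper's
# pairing-based setting for illustration.
Q = 2 ** 127 - 1


def interpolate_at(points, x, q):
    """Lagrange evaluation at x of the unique polynomial through `points` over GF(q)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        total += yi * num * pow(den, -1, q)
    return total % q


def pairwise_keys(ids, rng=secrets.randbelow):
    """Constructed stand-in for the pair-wise keys of slide 34 (K_ij = K_ji, non-zero)."""
    keys = {}
    for a, i in enumerate(ids):
        for j in ids[a + 1:]:
            keys[(i, j)] = keys[(j, i)] = rng(Q - 1) + 1
    return keys


def publish(i, ids, keys, L_i, rng=secrets.randbelow):
    """CH_i fixes h_i of degree n-1 by the n-1 points (K_ij, L_i) plus one random
    blinding point (assumed; the exact construction is not in the transcript) and
    broadcasts h_i evaluated at n fresh public x-values."""
    defining = [(keys[(i, j)], L_i) for j in ids if j != i]
    defining.append((rng(Q), rng(Q)))
    assert len({x for x, _ in defining}) == len(defining), "x-values must be distinct"
    return [(x, interpolate_at(defining, x, Q)) for x in (rng(Q) for _ in defining)]


def recover(peer_key, broadcast):
    """Anyone holding K_ji evaluates the broadcast polynomial there and obtains L_i."""
    return interpolate_at(broadcast, peer_key, Q)


def group_session_key(Ls):
    """ASSUMED derivation: SHA-256 over all ephemeral keys in ID order."""
    material = b"".join(L.to_bytes(16, "big") for _, L in sorted(Ls.items()))
    return hashlib.sha256(material).hexdigest()


def run_agka(ids):
    """One round of the protocol; returns the session key computed by each member."""
    keys = pairwise_keys(ids)
    ephemeral = {i: secrets.randbelow(Q) for i in ids}
    broadcasts = {i: publish(i, ids, keys, ephemeral[i]) for i in ids}
    session = {}
    for j in ids:
        Ls = {i: (ephemeral[j] if i == j else recover(keys[(j, i)], broadcasts[i]))
              for i in ids}
        session[j] = group_session_key(Ls)
    return session


if __name__ == "__main__":
    members = [1, 2, 3, 4]
    session = run_agka(members)
    print("all members agree:", len(set(session.values())) == 1)
    print("after CH4 leaves, a fresh run gives a new key:",
          set(run_agka(members[:-1]).values()) != set(session.values()))
```

Each broadcast is n field elements and costs n interpolations to build and one to read, which is what makes a single broadcast round suffice; member leave is handled, as the slide says, by simply rerunning the round without the departed ID, and since every L_i is fresh the departed member cannot compute the new key from the old one.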

  50. Protocol analysis • Security analysis • Share key distribution • Group key distribution • Performance analysis • Comparison in key update • Verifiable secret sharing • Comparison in group key distribution
