Presented by Haihui Huang ( hhuang3@eos.ncsu )

**Efficient Self-Healing Group Key Distribution with Revocation Capability**
by Donggang Liu, Peng Ning, Kun Sun
Presented by Haihui Huang (hhuang3@eos.ncsu.edu)

**Outline**
• Introduction
• Group key distribution overview
• Self-healing key distribution
• Revocation capability
• Novel personal key distribution
• Contribution and conclusion
• Future work

**Introduction**
• Common way to ensure communication security: encrypt and authenticate messages
• Challenge:
  • how to distribute keys to valid nodes
• Challenges in ensuring communication security for mobile wireless ad hoc networks over unreliable channels
  • Volatile membership
  • Disruption of communication by adversary
  • Resource constraints

**Group Key Distribution Techniques**
• Group controller
  • Can't scale to large groups
• Iolus
  • Subgroup hierarchy
• Logical Key Hierarchy (LKH) or Key Graph
  • Keys are organized into a tree hierarchy
• Self-healing key distribution
• Stateless key distribution

**Self-healing Key Distribution**
• Users are capable of recovering lost group keys on their own
• No need to request additional transmissions from the group manager
  • Lower network traffic
  • Decrease the load on the group manager
• To recover the key via self-healing
  • A user must be a member both before and after the session in which a particular key is sent

**Revocation Capability**
• The ability to revoke users and thus prevent them from learning new keys
• t-revocation capability
  • Possible to prevent at most t users at a time from learning a new session key
  • With the revocation polynomial $g(x)$ constructed as $g(x) = (x - r_1)(x - r_2)\cdots(x - r_w)$

**Personal Key Share Distribution - Scheme 1**
• t-revocation capability
• To distribute keys to selected group members so that each member shares a distinct personal key with the group manager
• But the other (revoked) group members and the adversary cannot get any information about the keys
• Choose a random t-degree polynomial $f(x)$ from $\mathbb{F}_q[x]$ and select $f(i)$ to be the personal key share for each member
• Group manager broadcasts a single polynomial $w(x)$ so that
  • Valid group member $U_i$ can recover $f(i)$ from $w(x)$ and personal secret $S_i$
  • Revoked group member $U_{i'}$ will NOT be able to recover $f(i')$

**Personal Key Share Distribution - Scheme 1 (cont)**
• Construct $w(x)$ with the help of a revocation polynomial $g(x)$ and a masking polynomial $h(x)$ by computing $w(x) = g(x) f(x) + h(x)$
• $g(x)$ is constructed in such a way that
  • For valid member $U_i$, $g(i) \neq 0$
  • For revoked member $U_{i'}$, $g(i') = 0$
• Choose a random t-degree polynomial $f(x)$ from $\mathbb{F}_q[x]$ and select $f(i)$ to be the personal key share for each member
• Group manager broadcasts a single polynomial $w(x)$ so that
  • Valid group member $U_i$ can recover $f(i)$ from $w(x)$ and personal secret $S_i$: $f(i) = (w(i) - h(i)) / g(i)$
  • Revoked group member $U_{i'}$ will NOT be able to recover $f(i')$, as $g(i') = 0$

**How to achieve self-healing**
• Use secret sharing
  • Based on polynomial interpolation
• Bind the ability of users to recover from packet loss to the user's membership status

**How to achieve self-healing (2)**
• Split group session key $K_j$ into two t-degree polynomials, $p_j(x)$ and $q_j(x)$, such that $K_j = p_j(x) + q_j(x)$
• In session $j_1$: broadcast polynomials $\{p_1(x), \ldots, p_{j_1}(x), q_{j_1}(x), \ldots, q_j(x), \ldots, q_{j_2}(x), \ldots, q_m(x)\}$
• In session $j_2$ ($j_2 > j_1$): broadcast polynomials $\{p_1(x), \ldots, p_{j_1}(x), \ldots, p_j(x), \ldots, p_{j_2}(x), q_{j_2}(x), \ldots, q_m(x)\}$
• For any session $j$ ($j_1 < j < j_2$), we can recover $K_j = p_j(x) + q_j(x)$

**Personal Key Share Distribution - Scheme 2**
• Self-healing key distribution with t-revocation capability
• In the $j$th session key distribution, given a set of revoked member IDs $R_j = \{r_1, r_2, \ldots, r_{w_j}\}$, $|R_j| = w_j < t$
• Group manager broadcasts the message
  $B_j = \{R_j\} \cup \{P_{j,i}(x) = g_j(x) p_i(x) + h_{j,i}(x)\}_{i=1,\ldots,j} \cup \{Q_{j,i}(x) = g_j(x) q_i(x) + h_{j,i+1}(x)\}_{i=j,\ldots,m}$
  where $g_j(x) = (x - r_1)(x - r_2)\cdots(x - r_{w_j})$.

**Reducing Storage Requirement**
• In Scheme 2, the storage overhead in each group member is $O(m^2 \log q)$.
  • $m$: total sessions
  • $\log q$: session key size
• Use only ONE masking polynomial for each $p_i(x)$, $q_i(x)$
• Reduce the storage requirement in each member from $O(m^2 \log q)$ to $O(m \log q)$ in Scheme 3

**Personal Key Share Distribution - Scheme 3**
• Improved self-healing key distribution with t-revocation capability
• In the $j$th session key distribution, given a set of revoked member IDs $R_j = \{r_1, r_2, \ldots, r_{w_j}\}$, $|R_j| = w_j < t$
• Group manager broadcasts the message
  $B_j = \{R_j\} \cup \{P_i(x) = g_j(x) p_i(x) + h_i(x)\}_{i=1,\ldots,j} \cup \{Q_{j,i}(x) = q_i(x) + f_i(x)\}_{i=j,\ldots,m}$
  where $g_j(x) = (x - r_1)(x - r_2)\cdots(x - r_{w_j})$.

**Personal Key Share Distribution - Scheme 4**
• Trading off self-healing capability for a smaller broadcast size
• Introduce a "sliding window" of $l$ sessions
  • Only redundant information for the sessions that fall into this window is broadcast
• Can NOT ensure the same self-healing property as in previous schemes
• Reduce storage overhead to $(2m + 2l - 1)\log q$

**Personal Key Share Distribution - Scheme 5**
• Aimed at situations where there are relatively long-term but infrequent communication failures
• Introduce a "sliding window" of $(l-1)d$ sessions
• Assume each group member can receive at least $d$ consecutive broadcast key distribution messages
• Selectively include the same amount of redundant information from a large "window" of sessions (i.e. $2(l-1)d + 1$) in each key distribution message
• Storage overhead: $(2m + 2(l-1)d + 1)\log q$

**Conclusion**
• Presented several group key distribution schemes for very large and dynamic groups over reliable channels
• Developed several efficient, unconditionally secure and self-healing group key distribution schemes that significantly improved over the previous approaches
• Developed 2 techniques that allow trade-offs between broadcast message size and recoverability of lost session keys

**Future work**
• Develop a model that characterizes failures in large and highly mobile wireless networks
• Further investigate the performance of the proposed schemes in this model
• Seek more efficient ways to perform the initial key distribution for the proposed schemes
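The Scheme 1 slides above can be exercised end to end. The following is an added example, not code from the presentation or the paper; the modulus, the member IDs, the choice S_i = h(i) (as the recovery formula implies) and a masking polynomial of degree 2t are assumptions made for the demo.

```python
import secrets

Q = 2**61 - 1   # prime modulus for F_q (constructed for this demo)
T = 3           # degree t of f(x); at most t members can be revoked at once

def rand_poly(deg):
    return [secrets.randbelow(Q) for _ in range(deg + 1)]  # low-to-high coeffs

def ev(poly, x):
    acc = 0
    for c in reversed(poly):          # Horner evaluation mod Q
        acc = (acc * x + c) % Q
    return acc

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] = (out[i + j] + ca * cb) % Q
    return out

def broadcast(f, h, revoked):
    """Manager: w(x) = g(x) f(x) + h(x) with g(x) = prod (x - r)."""
    if len(set(revoked)) > T:
        raise ValueError("more than t revoked members")
    g = [1]
    for r in set(revoked):
        g = mul(g, [-r % Q, 1])
    gf = mul(g, f)
    gf += [0] * (len(h) - len(gf))    # pad g*f up to the degree of h
    return [(a + b) % Q for a, b in zip(gf, h)]

def recover(i, s_i, w, revoked):
    """Member U_i: f(i) = (w(i) - h(i)) / g(i); None when g(i) = 0."""
    g_i = 1
    for r in set(revoked):
        g_i = g_i * (i - r) % Q
    if g_i == 0:
        return None                   # revoked: w(i) = h(i), nothing about f(i)
    return (ev(w, i) - s_i) * pow(g_i, -1, Q) % Q

def demo(revoked=(2, 5)):
    f, h = rand_poly(T), rand_poly(2 * T)     # h: degree 2t (assumption)
    s = {i: ev(h, i) for i in range(1, 8)}    # S_i = h(i), issued at setup
    w = broadcast(f, h, revoked)
    got = {i: recover(i, s[i], w, revoked) for i in s}
    return f, h, w, got
```

For a revoked ID the broadcast evaluates to exactly the mask the member already holds, which is why the division cannot be carried out and no share of f leaks.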
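The self-healing slides and the Scheme 2 broadcast can be traced with a member that loses two consecutive sessions. This is an added example, not code from the presentation or the paper; it assumes an empty revocation set (so g_j(x) = 1), masks of degree t, constructed member IDs, and that a member holds the masks h_{j,i}(v) only for sessions in which it belongs to the group.

```python
import secrets

Q = 2**61 - 1   # prime modulus for F_q (constructed for this demo)
T, M = 3, 5     # polynomial degree t, number of sessions m

def rand_poly(deg):
    return [secrets.randbelow(Q) for _ in range(deg + 1)]

def ev(poly, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(poly)) % Q

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def setup():
    """Manager: keys K_i, split K_i = p_i(x) + q_i(x), masks h_{j,i}(x)."""
    keys = {i: secrets.randbelow(Q) for i in range(1, M + 1)}
    p = {i: rand_poly(T) for i in keys}
    q = {i: [(keys[i] - p[i][0]) % Q] + [-c % Q for c in p[i][1:]] for i in keys}
    h = {(j, i): rand_poly(T) for j in keys for i in range(1, M + 2)}
    return keys, p, q, h

def member_masks(v, h, sessions):
    """Personal secret of member v: h_{j,i}(v) for the sessions it belongs to."""
    return {(j, i): ev(poly, v) for (j, i), poly in h.items() if j in sessions}

def broadcast(j, p, q, h):
    """B_j with R_j empty (g_j = 1): P_{j,i} for i <= j, Q_{j,i} for i >= j."""
    P = {i: add(p[i], h[j, i]) for i in range(1, j + 1)}
    Qs = {i: add(q[i], h[j, i + 1]) for i in range(j, M + 1)}
    return P, Qs

def heal(v, masks, received):
    """Unmask each received B_j the member has masks for; K_i = p_i(v) + q_i(v)."""
    ps, qs = {}, {}
    for j, (P, Qs) in received.items():
        if (j, 1) not in masks:
            continue                      # not a member in session j
        ps.update({i: (ev(P[i], v) - masks[j, i]) % Q for i in P})
        qs.update({i: (ev(Qs[i], v) - masks[j, i + 1]) % Q for i in Qs})
    return {i: (ps[i] + qs[i]) % Q for i in ps.keys() & qs.keys()}

def demo():
    keys, p, q, h = setup()
    got = {j: broadcast(j, p, q, h) for j in (2, 5)}      # sessions 3, 4 lost
    stayed = heal(4, member_masks(4, h, {1, 2, 3, 4, 5}), got)
    late = heal(6, member_masks(6, h, {4, 5}), got)        # joined in session 4
    return keys, stayed, late
```

The member present in sessions 2 and 5 rebuilds the keys of the lost sessions 3 and 4 without contacting the manager, while the member that joined in session 4 obtains only the session 5 key from the same two broadcasts.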