1 / 43

Secure Reliable Group Key Management

This system provides secure and reliable group key management through advanced marking schemes and lower bounds on rekey encoding.

corey
Télécharger la présentation

Secure Reliable Group Key Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Reliable Group Key Management Yang Richard Yang 11/14/2001

  2. Review: DDoS • Prevention • ingress filtering • router filtering [Park et al. 2001] • Detection • end-to-end signaling • ICMP: out-band [Bellovin 2000] • Marking: in-band [Savage et al. 2000] • auditing • Source Path Isolation Engine (SPIE) [Snoeren et al. 2001]

  3.  R4  R5  R5  R4  R6  R5  R4  R6 (R3 (R5 (R2 (R3 (R2 (R1 (R1 (R4 R6) = R5 R6) = R4 R4) = ? R4) = R2 R4) = ? R5) = ? R4) = R1 R5) = R3 Example: Multiple Attackers A1 R1 attack path R4 R6 V R2 A2 victim  R6 R6 0 R5 R3 A3 R4 R6 1 R5 R6 1 attackers R1 R4 2 R2 R4 2 R3 R5 2

  4. Advanced Marking Scheme (AMS) I[Song et al. 2001] • Main idea: assume that the victim knows the map of its upstream routers • relatively easy to obtain in practice, although incurs a high overhead • Use two 11-bit hash functions (to distinguish the order of the two routers) h and h’ to hash the endpoints addresses and XOR them • Use the other 5 bits to encode the distance from edge to the victim

  5.  R4  R4  R6  R5  R4  R6  R5  R5 (R1 (R2 (R3 (R2 (R2 (R5 (R1 (R4 R4) = ? R4) = ? R5) = ? R4) = ? R4) = ? R6) = R4 R6) = R5 R4) = ? Example: Multiple Attackers A1 R1 attack path R4 R6 V R2 A2 victim victim  R6 R6 R6 0 R5 R3 A3 R4 R4 R6 R6 1 R5 R5 R6 R6 1 attackers R1 R4 2 R2 R4 2 R3 R5 2

  6. Advance Marking Scheme II • Use two sets of hash functions instead of two hash functions • Use w bits to encode the hash function and 11 – w to encode its value • Intuition • probability for collision in AMS I is 1/211 • probability for collision in AMS II is 1/2(11-w)s , where s = 2wbecause the victim will need to match the values of s hash functions (the implementation uses a threshold approach) • Choose w = 3 • Lesson: always question my statement

  7. Group Key Management System • A class of applications is based on a group communications model • The function of a group key management system is to provide access control to the shared symmetric group key • Two types of access control: • backward access control: change the group key after a new user joins the group • forward access control: change the group key after a current user leaves the group

  8. k456 k9 k7 k6 k5 k4 k3 k2 k8 k1 Key Trees group key k1-8 auxiliary key node k123 k78 individual key node u1 u2 u3 u4 u5 u6 u7 u8 u9 [Wallner et al. Internet Draft, Wong et al. SIGCOMM ’98]

  9. k1-9 k123 k456 K4 k3 k9 k8 k7 k6 k5 k2 k1 New User u9 Joins the Group (changed from k1-8) {k1-9}k123 {k1-9}k456 {k1-9}k789 (changed from k78) k789 {k789}k7 {k789}k8 {k789}k9 u1 u2 u3 u4 u5 u6 u7 u8 u9 join

  10. k’ 1-8 {k’ 1-8}k123 {k’ 1-8}k456 {k’ 1-8}k’78 k123 k456 K’ 78 {k’ 78}k7 {k’ 78}k8 K4 k2 k6 k5 k7 k3 k9 k8 k1 User u9 Leaves the Group (changed from k1-9) (changed from k789) u1 u2 u3 u4 u5 u6 u7 u8 u9 leave

  11. A Lower Bound on Rekey Encoding

  12. Summary of the Lower Bound • (log(n)) amortized per request lower bound if forward access control is required, regardless of whether backward access control is required • Snowink, et al. proved a similar bound independently at about the same time. This proof is much shorter 

  13. System Model • There is only one key server • Key server implements forward access control • After the i-th operation, all users in the group share a common group key gi • When updating keys, the key server uses one key k to encrypt another key k’ • The adversary has access to all past communications. However, it can access one key k only if it has received k from the key server, or k is encrypted by a key k’ that it has access, etc.

  14. Rekey Encryption Graphs • A model to capture all communications • Rekey encryption graphs • A sequence of directed graphs Gi • Gi captures the communication cost of rekeying the first i requests

  15. Nodes and Edges of Gi • Nodes • individual key nodes • other key nodes • Edges • A key node k to key node k’ if the key server has sent k’ by encrypting it using k • Properties

  16. Subgraph Si of Graph Gi • User node u when u is in the group (joined and not left) • The group key gi • Any node or edge that is on a path from an individual key node in Si to gi • Reduce Si to a tree

  17. Properties of Subgraph Si • Denote N as the number of individual key nodes in Si • Denote i(x) as the in-degree of node x • Define cost of user node u as • Define C = i=2 i=1 i=2 c=3 c=4 c=4

  18. Properties of Si (cont’) i=2, n=3 • Define n(x) as the number ofindividual key nodes reachableto x • We can prove (using induction, and because xln(x) is convex) that • Therefore, i=1,n=1 i=2, n=2 c=3 c=4 c=4 S = 11

  19. Wasted CommunicationAfter a User leaves g i+1 g i • Suppose user u left and not re-join • Because of forward access control, c(u) is the wastedcommunication cost: in Si, not in Sj, for any j > i u S i S i+1

  20. Construction of Lower Bound Requests • First n joins, followed by n leaves • If the departed user has the highest cost, the i-th leave request gives ln(n+1-i) edges • Therefore, the number of edges in G2n is greater than or equal to: • Therefore, the per request communication cost is

  21. leave join registration rekey encoding individual key rekey transport System Components encrypted keys

  22. transport SSL registrar key Krclient lists SSL {IDc, Kc}Kr IDc, Kc TCP: IDc, {Join}Kc {Ack}Kc, {Keys}Kc TCP: IDc, {Leave}Kc {Ack}Kc, Distributed Registrars Protocol new client c registrar key server encoding reg.

  23. transport Rekey Encoding Component • The encoding component can process user requests either individually or in a batch • Periodic batch encoding has the following benefits: • batch rekeying improves efficiency • periodic rekeying can reduce out-of-sync problems • inter-dependency among rekey messages • inter-dependency between data messages and rekey messages • for periodic rekeying, a user knows when the group key will be changed • Why do we emphasize periodic rekeying? encoding reg.

  24. Periodic Batch Encoding Algorithms • Objectives • reduce the number of encrypted keys • maintain the balance of the updated key tree • make it easy for a user to identify its location and keys • Basic ideas of the batch algorithms • always replace departed users with new users • if J >L, how to add the remaining J-L new users?

  25. 2 dn+2 dn+1 dn+d 12 10 11 5 9 8 7 4 6 Key ID n 0 k-nodes k-nodes 1 3 u-nodes u1 u2 u3 u4 u5 u6 u7 u8 u9

  26. Insertion • Key server: • maintain nk, the ID of the largest valid key node • replace empty nodes from nk+1 to dnk+d with new users • if not enough to insert new users, starting from nk+1, split a u-node, put the split u-node as the left-most child, and nk++ • put nk in the rekey message • For a user with an ID n: • while (n is not in the range from nk+1 to dnk+d) n = dn+1

  27. 2 10 12 11 4 5 6 7 8 9 Insertion Example: Add 5 new users 0 nk=3 1 3 dashed: empty

  28. 2 12 10 11 7 6 8 4 9 5 Insertion Example: First Use the Empty Nodes 0 nk=3 1 3 new user1 new user2 new user3 new user4

  29. 2 12 15 14 10 13 11 8 7 9 5 6 Insertion Example: Now split nk+1 0 nk=4 1 3 4 new user1 new user2 new user3 new user4 old user with 4 new user5

  30. Batch Encoding Performance

  31. Batch Encoding Performance Gains

  32. encoding Rekey Transport Component • Function: encapsulate encrypted keys into packets, and provide reliable rekey transport • Issues: • what is the workload? • what is the transport protocol? how to analyze its performance? reg. transport

  33. k456 k2 k3 k4 k5 k6 k7 k8 leave leave Key Assignment: Key Tree → Rekey Subtree k1-9 k123 k789 k1 k9 u1 u2 u3 u4 u5 u6 u7 u8 u9

  34. k2-8 k456 k78 k23 k2 k3 k4 k5 k6 k7 k8 Key Assignment: Key Tree → Rekey Subtree (changed from k1-9) (changed from k789) (changed from k123) k1 k9 u1 u2 u3 u4 u5 u6 u7 u8 u9 leave leave

  35. k2-8 k456 k78 k23 k2 k3 k7 k8 Key Assignment: Key Tree → Rekey Subtree (changed from k1-9) (changed from k789) (changed from k123) u1 u2 u3 u4 u5 u6 u7 u8 u9 leave leave

  36. Key Assignment Algorithms • Three algorithms • BFA: large average, small variance • DFA: small average, large variance • R-BFA: small average, small variance • What is the assumption of the three algorithms?

  37. Average and Standard Deviation of the Number of Packets average standard deviation

  38. Total Number of Packets in a Rekey Message

  39. Rekey Multicast Transport Protocol • Two requirements: • soft real-time: each rekey message should be delivered with high probability before next rekey interval • eventual reliability • Protocol summary: • proactive adaptive FEC reliable multicast • with n original packets, the key server generates k repair packets and sends n+k packets; with any n out of the n+k packets, a receiver can recover the original n packets • reliable unicast re-synchronization [proposed by Wong et al.] • Performance analysis: • a rekey multicast protocol with sparse workload can be converted to a conventional reliable multicast protocol

  40. bandwidth overhead transport latency Effects of the Proactivity Factor

  41. How to Adapt the Proactivity Factor? • Depends on target: • set the target number of NACKs N* • Receiver • if receiver i needs ri more packets to have n packets, reports ri to the key server • Key server • send k+n packets • Ley N denote the number of NACKs received • if (the N > N*) sort the ri in increasing order {r1, r2, r3, …, rN-N*, …rN} k += rN-N* • How to reduce k? • Is this adjustment policy stable? How to make it stable?

  42. Overall System Performance • Need user membership dynamics to generate workload • Evaluations assume that the time each user stays in the group is exponentially distributed encoding reg. transport

  43. Bandwidth Requirement vs. Rekey Interval

More Related