Key Agreement for Heterogeneous Mobile Ad-hoc Groups (µSTR-H)

Mark Manulis, Horst-Görtz Institute, Bochum (Germany). http://www.hgi.rub.de

Presentation Transcript


  1. Key Agreement for Heterogeneous Mobile Ad-hoc Groups (µSTR-H). Mark Manulis, Horst-Görtz Institute, Bochum (Germany), http://www.hgi.rub.de

  2. Heterogeneous Mobile Ad-Hoc Group

  3. Outline
     • Elliptic Curve Cryptography
     • Performance of Mobile Devices
     • Device Architecture
     • µSTR-H Protocol Suite
       • Setting
       • Requirements
       • Protocols: Setup, Join, Leave, Merge, Partition
     • Performance Analysis
     • Current and Future Work

  4. Elliptic Curve Cryptography (ECC)
     • Elliptic curve $E$ over a finite field $F_q$
       • $q \in \text{Primes}$: $y^2 = x^3 + ax + b$, with $x, y, a, b \in F_p$ and $4a^3 + 27b^2 \neq 0$
       • $q = 2^m$, $m \in \mathbb{N}$: $y^2 + xy = x^3 + ax^2 + b$, with $x, y, a, b \in F_{2^m}$ and $b \neq 0$
     • The group of elliptic points $E(F_q)$ is commutative. Let $P, Q \in E(F_q)$
       • Negation: $-P$
       • Addition: $P + Q = R(x_R, y_R) \in E(F_q)$
       • Doubling: $2P = R(x_R, y_R) \in E(F_q)$
     • Let $G \in E(F_q)$ be of prime order $t$ with $t \mid q-1$
       • Generated additive subgroup $\langle G \rangle = \{O, G, 2G, \dots, (t-1)G\}$
       • Scalar-point multiplication: $r \in \{1, \dots, t-1\}$, $rG = R \in \langle G \rangle$. Note: $R = \underbrace{G + \dots + G}_{r \text{ times}}$
     • It is hard to compute $r$ given $R$ and $G$ (EC-Discrete Logarithm Problem)

  5. Performance of Mobile Devices
     • Benchmark function $F$
       • Input: the device's hardware parameters
         • CPU clocks
         • memory size
         • storage capacity
         • battery power consumption
         • …
       • Process: application-specific operations
         • cryptographic and network operations
       • Output: performance ratio $\mu$
     [Figure labels: runF(input); getµ]

  6. Performance Ratio Order
     • Mobile Ad-Hoc Group: $M_1, \dots, M_n$
     • Performance ratio order:
       • $P = (M_1, \dots, M_n)$, $\forall M_i, M_{i+1}: \mu_i \geq \mu_{i+1}$
       • e.g.: [Figure: example ordering of the members M1, …, M9]
     • Assumption:
       • $\mu_i$ can be figured out from $P$

  7. Homogeneous & Heterogeneous Mobile Ad-Hoc Groups
     • Homogeneous Mobile Ad-Hoc Group:
       • for all $\mu_i, \mu_j \in P$: $|\mu_i - \mu_j|$ is at most the limit of homogeneity
     • Heterogeneous Mobile Ad-Hoc Group:
       • there exist $\mu_i, \mu_j \in P$: $|\mu_i - \mu_j|$ is greater than the limit of homogeneity

  8. CGKA Protocol Requirements
     • Usual security requirements against passive adversary
     • Cost fairness (performance requirement)
       • Homogeneous Groups:
         • uniform distribution of protocol costs between devices
       • Heterogeneous Groups:
         • distribution of protocol costs between devices with respect to $P$
     • Performance Honesty (security requirement)
       • Adversary cannot cheat on its device performance
       • Remark: Adversary is active
       • Concerns only heterogeneous groups

  9. Abstract Device Architecture based on TCG
     • Trusted Computing Base Components
       • Trusted Platform Module (TPM)
         • Tamper-resistant
         • Limited computational capabilities
         • Platform Configuration Registers (PCRs)
         • Attestation Identity Key Pair $(PK_{AIK}, SK_{AIK})$
       • Trusted Software Component (TSC)
         • Its measurement $S$ is included in PCRs
         • Better computational capabilities
     • Non-Trusted Components
       • Application isolated from other processes
     [Figure labels: PCR1, PCR2, PCRl; Common OS; Application; TSC; TPM; S; Hardware Platform]

  10. µSTR-H: Pre-Requisites (HGI-Seminar 2005)
     • Communication Channel
       • public broadcast / multicast
       • reliable
     • Authentication
       • Every device has $Cert_{TPM_i} = (ID_{TPM_i}, PK_{AIK}, Sig_{CA}(ID_{TPM_i}, PK_{AIK}))$
     • Assumption:
       • All protocol messages are authentic
       • Explicit indication of authentication procedure is omitted

  11. µSTR-H: Parameters and Notations
     • $E(F_q)$, $q$ is prime or $2^m$, $m \in \mathbb{N}$
     • $\langle G \rangle = \{O, G, 2G, \dots, (t-1)G\}$, $t$ is prime, $t \mid q-1$
     • User $M_i$ computes:
       • $r_i \in_R \{1, \dots, t-1\}$
       • $R_i = r_i G$
       • $k_i = \mathrm{map}(r_i K_{i-1})$; for all $2 < i < j \leq n$: $k_j = \mathrm{map}(k_{j-1} R_j)$; exception: $k_2 = \mathrm{map}(r_1 R_2) = \mathrm{map}(r_2 R_1)$
       • $K_i = k_i G$
     • Example $M_3$:
       • $r_3 \in_R \{1, \dots, t-1\}$
       • $k_3 = \mathrm{map}(r_3 K_2)$
       • $k_4 = \mathrm{map}(k_3 R_4)$
       • $k_5 = \mathrm{map}(k_4 R_5)$
     [Figure labels: auxiliary keys; group key; (performance ratio order)]

  12. Achieving Performance Honesty
     • Tasks of $TPM_i$
       • Choose $r_i$ and compute $R_i$
       • Seal $r_i$ under $\mu_i$ and $S_i$
       • Generate $\sigma_i = \mathrm{Sign}_{SK_{AIK_i}}(R_i, \mu_i)$
       • Compute $r_i K_{i-1}$ given $K_{i-1}$
     • Tasks of $TSC_i$
       • Compute all secret keys $k_i, \dots, k_n$
       • Compute all public keys $K_i, \dots, K_{n-1}$
     • Tasks of untrusted µSTR-H
       • Send and receive protocol messages
       • Verify received $\sigma_j$
       • Compute $P$
       • Store $R_i$
     [Figure labels: PCR; performance ratio µi; Common OS; µSTR-H; ki, …, kn; TSCi; TPMi; Si; ri; Hardware Platform]

  13. Message Exchange between Components
     [Figure: message flow between µSTR-H (non-trusted), TSCi and TPMi above the Common OS and hardware platform. Labels: Ri+1, …, Rn; Ki, …, Kn-1; µi, Ri, σi, CertTPMi; performance ratio µi; ki, …, kn; Si; ri; riKi-1; Ki-1; PCR]

  14. µSTR-H: Setup
     • $TPM_i$ selects $r_i$, computes $R_i$ and $\sigma_i$. $M_i$ broadcasts $(\mu_i, R_i, \sigma_i, Cert_{TPM_i})$.
     • $M_i$ verifies all $\sigma_j$, computes $P$, stores $R_{i+1}, \dots, R_n$. $TPM_1$ computes $r_1 R_2$. $TSC_1$ computes $k_1 = (k_2, \dots, k_n)$ and $(K_2, \dots, K_{n-1})$. $M_1$ broadcasts $(K_2, \dots, K_{n-1})$.
     • $M_i$ stores $K_{i-1}$. $TPM_i$ computes $r_i K_{i-1}$. $TSC_i$ computes $k_i = (k_i, \dots, k_n)$.
     [Figure: key chain over members M1, …, M8 ordered by P. Labels: µi; k1, …, k8; K2, …, K7]

  15. µSTR-H: Join
     [Figure: member Mj with µ3 > µj > µ4 joins the group M1, …, M5. Labels: sponsor; P; µj; R´3, K´3, K´4, K´5; k´1, …, k´6]

  16. µSTR-H: Leave
     [Figure: leave event in the group M1, …, M6. Labels: sponsor; P; R´2, K´2, K´3, K´4; k´1, …, k´5]

  17. µSTR-H: Merge
     [Figure: merge of two groups with members M11, …, M14 and M21, …, M24 into M1, …, M8. Labels: sponsor; µi; µ1i, µ2i; P, P1, P2; R11, R21; R´2, K´2, …, K´7; k´1, …, k´8]

  18. µSTR-H: Partition
     [Figure: partition of the group M1, …, M8. Labels: sponsor; µi; P; R´1, K´2, K´3, K´4; k´1, …, k´5]

  19. Performance Analysis
     [Table legend: S – setup, J – join, L – leave, M – merge, P – partition; original STR costs; n – initial group size; i (s) – index of member (sponsor); v – size of partition]

  20. Future Work
     • Consider various protocols in MANETs where applied techniques (non-uniform distribution of protocol costs, enforcement of a property compliance) are useful, e.g. multicast routing, threshold crypto, …
     Thank You!!!
