
Cryptanalysis of Scalable Multicast Security Protocol

This paper discusses the cryptanalysis of the MOLVA-PANNETRAT protocol for dynamic multicast groups. It evaluates the protocol's security and scalability requirements and identifies potential vulnerabilities. The findings suggest challenges in implementing the protocol using the RSA algorithm while ensuring both security and scalability.


Presentation Transcript


  1. Cryptanalysis of Scalable Multicast Security Protocol • Source: IEEE Communications Letters, Vol. 7, No. 11, November 2003, pp. 561–563 • Authors: Ronggong Song, Member, IEEE; Larry Korba, Member, IEEE • Speaker: Yi-Chiao Tan • Date: 2004/12/29

  2. Outline • Introduction • Review of the MOLVA-PANNETRAT protocol • Cryptanalysis of the MOLVA-PANNETRAT protocol • Conclusion

  3. The requirements of a security protocol in a dynamic multicast group (R. Molva and A. Pannetrat): • Data confidentiality: The protocol should be immune to eavesdropping. • JOIN and LEAVE security • Containment: The compromise of one member should not cause the compromise of the entire group. • Collusion resistance: A set of members who exchange their secrets cannot gain additional privileges. • Processing scalability: The processing load supported by an individual component should be independent of the group size. • Membership scalability: The actions performed by a member should not affect the group as a whole. • Groupwise scalability: The group should not need to be treated as a set of distinct individuals.

  4. Containment: The compromise of one member should not cause the compromise of the entire group. • Membership scalability: The actions performed by a member should not affect the group as a whole. • Processing scalability: The processing load supported by an individual component should be independent of the group size. • Groupwise scalability: The group should not need to be treated as a set of distinct individuals.

  5. The RSA-based ACS key distribution tree

  6. Review of the MOLVA-PANNETRAT protocol • The Molva-Pannetrat protocol is composed of: • Proposition • Setup phase • Key distribution phase

  7. Large prime numbers: $p$, $q$ • $n = pq$ • $m$: message • $\phi(n) = (p-1)(q-1)$ • $\gcd(e, \phi(n)) = 1$; $e$ is a public key • Calculate a private key $d$ such that $ed \equiv 1 \bmod \phi(n)$ • $m^{ed} \bmod n = m^{\phi(n)+1} \bmod n = m$

  8. Proposition • Let $n = pq$ be the product of two carefully chosen large prime numbers $p$ and $q$. • The set $F = \{ f_a(x) \equiv x^a \pmod{n};\ a \in \mathbb{Z}^*_{\phi(n)} \}$ for messages in $\mathbb{Z}_n$.

  9. Setup phase • Each inner node is assigned a secret value $a_i$ ($i > 1$) and function $f_{a_i}$, and the root uses $a_1$, where $\gcd(a_i, \phi(n)) = 1$. • The reversing function distributed to the leaf is defined as $h(x) \equiv x^{D} \pmod{n}$. • $a_1 \cdot a_7 \cdot a_8 \cdot D_3 \equiv 1 \bmod \phi(n)$ • [Figure labels: N1, N7, N8, L3, key distribution center]

  10. Key distribution phase • The source wishes to distribute a session key $K$. • [Figure labels: N1, N7, N8, N8', L3, D3'; values $K$, $K^{a_1}$, $K^{a_1 a_7}$, $K^{a_1 a_7 a_8}$]

  11. Cryptanalysis of the MOLVA-PANNETRAT protocol • The terminal Inner Node With Its Leaf Collusion Attack • Two Sub-Branches Collusion Attack

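  12. The terminal Inner Node With Its Leaf Collusion Attack • $a_1 \cdot a_7 \cdot a_8 \cdot D_3 \equiv 1 \bmod \phi(n)$ • $a_1 \cdot a_7 \cdot A \equiv 1 \bmod \phi(n)$ • $A_1 \equiv a_8 \cdot D_3 \equiv (a_1 \cdot a_7)^{-1} \bmod \phi(n)$ • $A_2 \equiv a_8' \cdot D_3' \equiv (a_1 \cdot a_7)^{-1} \bmod \phi(n)$ • If $A_1 = A_2 = \dots = A_n$ in $\mathbb{Z}$: $A \equiv a_8 \cdot D_3 \equiv a_8' \cdot D_3'$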

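  13. The terminal Inner Node With Its Leaf Collusion Attack • If $A_1 \neq A_2 \neq \dots \neq A_n$ in $\mathbb{Z}$, from • $A_1 \equiv a_8 \cdot D_3 \equiv (a_1 \cdot a_7)^{-1} \bmod \phi(n) = K_1 \cdot \phi(n) + X$ • $A_2 \equiv a_8' \cdot D_3' \equiv (a_1 \cdot a_7)^{-1} \bmod \phi(n) = K_2 \cdot \phi(n) + X$ • they can compute $B_1$ as $B_1 = |A_1 - A_2| = K \cdot \phi(n)$ • and can easily get $e_1 \in \mathbb{Z}_{B_1}$ such that $e_1 \cdot A_1 \equiv 1 \bmod B_1$, i.e., $e_1 \cdot A_1 \equiv 1 \bmod \phi(n)$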

  14. Two Sub-Branches Collusion Attack • $a_1 \cdot a_2 \cdot A_x \equiv 1 \bmod \phi(n)$ • $a_1 \cdot a_2 \cdot A_y \equiv 1 \bmod \phi(n)$

  15. Conclusion • If the key distribution center chooses a different modulus for each leaf in the protocol, the root would need to implement different modulus operations for each leaf when the members change, rendering the system unscalable. • It appears to be very difficult to implement the MOLVA-PANNETRAT framework using the RSA algorithm while maintaining the security and scalability of the system.
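
The algebra on slides 12 and 13, checked on toy numbers to show why one shared modulus breaks containment; this is an added example, not code from the presentation or the paper. The primes 11 and 23, the secret values, and the names `shared_modulus_leak`, `ROOT_A1` and `demo` are constructed for illustration, and the gcd-stripping step is an addition the slides do not show.

```python
from math import gcd

def shared_modulus_leak(a8, d3, a8p, d3p):
    """Slide 13: two (terminal inner node, leaf) pairs pool their secrets.

    Returns (B, e1) where B is a multiple of phi(n) and e1*A1 == 1 (mod phi(n)),
    computed without phi(n) and without the upstream secrets a1, a7.
    """
    A1, A2 = a8 * d3, a8p * d3p        # plain integers, no modular reduction
    B = abs(A1 - A2)                   # A1 == A2 (mod phi(n)), so phi(n) divides B
    if B == 0:
        raise ValueError("A1 == A2 over Z (the slide 12 case): nothing to subtract")
    # Added step, not on the slides: remove factors B shares with A1 so the
    # inverse exists. gcd(A1, phi(n)) == 1, so only the cofactor K shrinks.
    g = gcd(A1, B)
    while g > 1:
        B //= g
        g = gcd(A1, B)
    return B, pow(A1, -1, B)           # modular inverse, Python 3.8+

# Constructed toy parameters (far too small for real use), as the KDC would set them.
P, Q = 11, 23
N, PHI = P * Q, (P - 1) * (Q - 1)      # n = 253, phi(n) = 220
ROOT_A1, A7 = 3, 9                     # upstream secrets a1, a7: never given to colluders
A8, A8P = 13, 17                       # secrets of terminal inner nodes N8 and N8'
D3 = pow(ROOT_A1 * A7 * A8, -1, PHI)   # leaf exponent: a1*a7*a8*D3 == 1 (mod phi(n))
D3P = pow(ROOT_A1 * A7 * A8P, -1, PHI)

def demo():
    """Run the slide 13 computation with only what the colluding pairs hold."""
    return shared_modulus_leak(A8, D3, A8P, D3P)

if __name__ == "__main__":
    B, e1 = demo()
    print("B1 =", B, "is a multiple of phi(n):", B % PHI == 0)
    print("e1 mod phi(n) =", e1 % PHI, "equals a1*a7 =", ROOT_A1 * A7)
```

Because every leaf exponent is defined modulo the same φ(n), any two such pairs yield a multiple of it, which is the reason slide 15 concludes that only per-leaf moduli would prevent this, at the cost of scalability.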
