1 Group Key Agreement Gene Tsudik SCONCE Lab, UC Irvine

Preview:

Citation preview

1

Group Key AgreementGene Tsudik

SCONCE Lab, UC Irvine

2

OUTLINE

1. Group Communication

2. Security Services

3. Group Key Management Overview

4. Zooming in:1. DH-based Protocols

2. Authentication

3. Consistency

4. Measurements

5. Robustness / Integration with GCS

6. Other models

3

General Setting:Security in Group Communication

?

4

Group Communication Settings One-to-Many (or Few-to-Many)

• Single-source broadcast: Cable/sat. TV, radio

• Multi-source broadcast: Televised debates, GPS

Any-to-Any

• Collaborative applications

• Video/Audio conferencing, collaborative workspaces,

interactive chat, network games, replication

• Richer communication semantics, tighter control, more

emphasis on reliability and security

Anycast

5

Dynamic Peer Groups (DPGs)

No hierarchy

Anyone can send and receive

Membership changes

Relatively small (<100 of members)

6

DPG Security Layers

Encryption, Authentication

Key Management

Authorization, Access control, Non-repudiation …

Video / audio conferencing, distributed web servers,collaborative work space, multi-player games, replication

Secure Applications

Security Starts Here

Membership Control

Cert-n: PKI, Revocation

7

Group Key Management

Group key: a secret quantity known only to current group members

Group Key Distribution• One party generates key and distributes to others

Group Key Agreement• Key derived collectively by two or more parties

• As a function of each member’s contribution

• No one can pre-determine the result

8

Whither Key Distribution in DPG? Key Distribution well-understood, easy semantics, synchronization Need centralized key server(s)

• Single point of failure• Attractive attack target

Arbitrary network faults can occur• Key server replication is costly• Availability in any and all possible partition

9

Need Reliable Group Communication Group key agreement protocols rely on the

underlying group communication systems

• Protocol message transport

• Strong membership semantics (notification of all group

membership change events)

• Not for security reasons

Group communication system needs specialized

security mechanisms

Mutual benefit and interdependency

10

Membership Events Join: prospective member wants to join

Leave: member wants to (or is forced to*) leave

Partition: group is split (or splits) into smaller groups• Network failure: network event causes

• Explicit partition: application needs to split group

Merge: two or more groups unify• Network fault heal: previously disconnected partitions reconnect

• Explicit merge: application merges multiple pre-existing groups

* Forced by whom?

11

Key Change Triggers:

All (or some) of membership events

• E.g., sometimes a re-key on Join is not needed

• Application-specific requirements

Explicit re-key, e.g. time- or data-out

12

Group Key Evolution: Epochs

Epoch 1 Epoch 2 Epoch i Epoch n-1 Epoch n

13

‘Raw’ Security Requirements Group key secrecy

• computationally infeasible for a passive adversary to discover a group key

Backward secrecy• Knowledge of any (contiguous?) proper subset of group

keys cannot be used to discover previous group keys.

Forward secrecy• Knowledge of any (contiguous?) proper subset of group

keys cannot be used to discover subsequent group keys.

Key Independence• Knowledge of any proper subset of group keys cannot be

used to discover any other group key.

14

Layers of Key Agreement

Implicit (Key) Authentication

Raw Key Agreement

Explicit Authentication

Key Confirmation

Key/Content Consistency

Crashes, Malicious Disruption

passive

activ

e*No defense against passive insiders… except, of course, not having a common key.

activ

e

15

Layers of Key Agreement – contd.

Implicit (Key) Authentication

Raw Key Agreement

Explicit Authentication

Key Confirmation

Key/Content Consistency

Crashes, Malicious Disruption

*most viable approaches based on Diffie-Hellman

Amir, et al.’01, Cachin/Strobl’04

Katz/Yung’03, Bresson, et al.’02

BD’93, Ateniese, et al.’00, PQ’01, etc.

ING’82, STR’88, BD’93, GDH’96, Becker/Wille’99, TGDH’00

16

OUTLINE

1. Group Communication

2. Security Services

3. Group Key Management Overview

4. Zooming in:1. DH-based Protocols

2. Authentication

3. Consistency

4. Measurements

5. Robustness / Integration with GCS

6. Other models

17

Diffie-Hellman Setting

• p – large prime • g – generator

A B : NA = ga mod p B A : NB = gb mod p A : NB

a = gab mod p B : NA

b = gab mod pa b

gab

18

Diffie-Hellman Problem Computational Diffie-Hellman Problem &

Assumption (CDHp/a)• Given <g,ga,gb> compute gab

• Given <g,ga,gb> computing gab is hard

Decision Diffie-Hellman Problem & Assumption (DDHp/a)• Given <g,ga,gb,gc> check if: gc = gab

• Given <g,ga,gb,gc> checking gc =?= gab is hard

• Stronger than CDH

19

Man-in-the-Middle Attack

),( agA ),( egA

),( bgB),( egB

Secret Key with A is .

ebgSecret Key

with B is .

eag

)(MDES eag)(MDES ebg

Need authentication: explicit or implicit?

20

Group Diffie-Hellman (GDH) Steiner, et al. (CCS ’96) Contributory group key agreement protocols GDH.1 (silly), GDH.2 and GDH.3 Security

• Proof of security (passive adversary)• Key Independence • No authentication

Efficiency• Few rounds except for merge• Computational cost relatively high

Sequel introduced support for dynamic group operation (Steiner, et al. ICDCS’98)

21

Intuition

What is the “natural” extension of 2-party Diffie-Hellman to n members?• What is the form of the group secret?

gN1N2…Nn mod p where Ni is Mi’s secret share

• What information is required to compute the group key for each member i?

gN1N2…Nn /Ni mod p• How can we build this information?

22

GDH.2 Example: formation

1) AB: g, ga

2) BC: gb, ga, gab

3) CD: gbc, gac, gab, gabc

4) DG: gacd , gbcd , gabd, {gabc}

Everyone computes gabcd

23

GDH.3 Example: formation

1) AB: ga

2) BC: gab

3) CG: gabc

4) Everyone ‘factors out’ its contribution• AD: gbc

• BD: gac

• CD: gab

5) DG: gbcd , gacd , gabd, {gabc}

Everyone computes gabcd

24

Static vs Dynamic Groups

Early protocols supported static groups only,

e.g., conferencing with fixed parameters

Not realistic for most applications

Most peer groups evolve incrementally

Leaves and partitions must be supported

Notion of efficiency must be adjusted

25

Join: 2 rounds

{gN1…Nn’Nn+1/Ni | i [1, n]}

gN1…Nn’Nn+1

n exp-ns each

{gN1…Nn’/Ni | i [1, n]}

• 2n serial exp-ns

26

Join: 3 rounds

gN1…Nn’

{gN1…Nn’/Ni | i [1, n-1]}

{gN1…N

n’Nn+1/Ni | i [1, n]}

• n+3 serial exp-ns

27

Summary

Efficiency worst case (merge)• O(n) computation for controller (2 or 3 for all

others)

• (k+2) rounds

Robustness• What if a ‘token’ is lost?

• Complex recovery steps needed to achieve robustness against (esp. cascaded) failures

28

TGDH Can be based on a binary or ternary* key-tree One function suffices for all events Robust against cascaded faults Contributory Security

• Provable security (passive adversary)• Key independence

Efficient• d = tree height• Maximum number of exponentiations = 4(d-1) • Number of exponentiations in GDH.3 = 2n+1

Relative of Becker/Wille’99 hypercube/octopus protocols

* If based on bilinear maps (e.g., Joux)

29

Key Tree (General)

n4 n5

gn4n5 n6n1

n2 n3

gn2n3

gn1gn

2n

3

ggn1gn2n3 gn6gn4n5

gn6gn

4n

5

No more

30

Key Tree (M3’s view)

gn4 gn5

ggn4n

5 gn6gn1

gn2 n3

gn2n3

gn1gn

2n

3

GROUP KEY

ggn6gn4n5

= ggn1gn2n

3 gn6gn4n

5

n3

gn2n3

gn1gn

2n

3

GROUP KEY

Key-path: Set of nodes on the path from member node to root node

gn1

gn2

ggn6gn4n5

Co-path: Set of siblings of nodes on the key-pathMember knows all keys on the key-path and all blinded keysAny member who knows blinded keys on every nodes andits own contribution can compute the group key.

31

Tree Management: Keep Tree Balanced

Join or Merge Policy• Join to leaf or intermediate node, if height of the tree

wouldn’t increase• Join to root, if height of the tree would increase

Leave or Partition policy?• Can’t predict such events…• Can choose to rebalance (costly!)

Success metric• Maintain ‘logarithmic’ depth (height < 2 log2 n)

Extensions • Ternary tree• Alternative tree management techniques• Rebalancing

32

Clustering Effect: repeated partitions

1 2 3 4 5 6 7 8 1 3 5 7 2 4 6 8

1 3 5 7 2 4 6 8

Partition: (1,3,5,7) (2,4,6,8)

Repeat Partition: (1,3,5,7) (2,4,6,8)

Merge

33

Summary

Efficiency

• Average # mod exp: 2 log2 n

• Max rounds: log2 n (nasty partition!)

Robustness easy due to self-stabilization

• Single function handles join, leave, merge, partition

• Can even handle cascaded events

35

Computation overhead Most GKA protocols involve modular exponentiation

Contrast with typical LAN roundtrip delay < 2ms

On paper, communication overhead is negligible

Number of protocol messages matters?

1024-bit mod exp

Pentium II 450 8 ms

Pentium III 800 4 ms

Sun Ultra 250 20 ms

37

Motivation: minimize rounds & messages

Over WAN (and wireless, dial-up, etc.) communication is more expensive than computation

Communication has an upper bound (speed of light)• Computation speed increases much fast than communication

Too many messages some might be lost/corrupted• Retransmissions

Many rounds cascaded events (protocol interruption)

Communication roundtrip (Ping)

UCI Columbia U 88 ms

UCI Thailand 420 ms

UCI Mozambique 670 ms

38

STR: Steer, et al. (Crypto’88) Kim, et al. (SEC’01, ToC’03) Communication-efficient

• Max 2 rounds• Max 2 b-casts

Concise: one function does all Fault-tolerance/robustness: simpler than TGDH Contributory Secure

• Provable security (passive adversary)• Key independence

Computation costs higher than TGDH• Max exp-ns = 4(N-1)

39

STR Key Tree

gn1

gn1n2

gn3gn

1n

2 gn4

gn3

gn4gn

3gn

1n

2

gn2

40

Summary

Efficiency

• Average # mod exp-ns (leave): 2n

• Max rounds: 2

• Max messages: 3

41

Additive Group Diffie-Hellman (BD)

Burmester/Desmedt (Eurocrypt’94)

K= gN1N2+…+Nn-1Nn+NnN1 where Ni is Mi’s secret share

Contributory group key agreement protocol B-cast, star and other topologies Security

• Proof of security (passive adversary)• Key Independence • No authentication

Dynamic Operations• Roughly same as formation concise but expensive

42

BD Example: formation

Stage 1: AG: ga

BG: gb

CG: gc DG: gd

Stage 2: AG: Xa=(gba/gda) BG: Xb=(gcb/gab) CG: Xc=(gdc/gbc) DG: Xd=(gad/gcd)

Everyone computes: K = gab+bc+cd+da

e.g., B’s version: K=(ga)4b * (gcb/gab)3 * (gdc/gbc)2 * (gad/gcd)1

43

Summary

* Not negligible if n >10 or so…

Efficiency

# mod exp-ns: 3 + (n2/2+n) multiplications*

Min #Rounds: 2

Messages: 2n (n per round)

B-casts: 2n (n per round)

Expensive in GCS setting

44

Overhead SummaryComm Comp

Rounds Msg Uni Broad Exp

GDH.3

Join 1

Join 2

2

3

2

n+2

1

n

1

2

2n

n+3

Leave, Partition 1 1 0 1 n-1

Merge k+2 n+2k+1 n+2k-1 2 n+2k+1

TGDH

Join, Merge 2 3 0 3 2log n

Leave 1 1 0 1 log n

Partition log n/2 log n 0 log n log n

STR

Join 2 3 1 3 7

Leave, Partition 1 1 0 1 3n+6

Merge 2 3 0 3 4k+4

BD 2 2n 0 2n 3 (4?)

45

Other Services

46

Implicit Authentication

Ateniese, et al. (CCS’98, JSAC’00) Motivation:

• same building block (exponentiation/DH)

• little additional cost

Cons: • not secure if membership not explicit

• requires long-term pair-wise keys

Not recommended…

47

Authenticated GKA

State-of-the-art: Katz/Yung (Crypto’03) “Compiler” for transforming secure GKA into

secure AGKA explicit authentication + key confirmation• signatures and 1 extra round

• n2 messages

• instantiated with BD

48

Consistency: Malicious Insiders

Problem: malicious insider ‘plays along’ but generates inconsistent output (messages)• Inconsistent within a message

• Inconsistent between versions of same message

How do we make sure such behavior is detectable?

Possible solution: apply ‘compiler’ techiques to fortify existing protocols: each time a private contribution is used, prove equality/consistency with prior uses by the same party• E.g., Schnorr-based SKEQLOG proofs

49

BD Example: formation

Stage 1: AG: ga

BG: gb

CG: gc DG: gd

Stage 2: AG: Xa=(gba/gda) BG: Xb=(gcb/gab) CG: Xc=(gdc/gbX) or Xc=(gX) DG: Xd=(gad/gcd)

Everyone computes? K = gab+bc+cd+da

50

GDH.3 Example: formation

1) AB: ga

2) BC: gab gX

3) CG: gabc

4) Everyone ‘factors out’ its contribution• AD: gbc

• BD: gac

• CD: gab -- gX

5) DG: gbcd , gacd , gabd -- gX

Everyone computes gabcd

51

Experimental Results (Computation)

Results without communication Meaningful for LAN-s Avg time for each membership event Considerations

• 1024 Bit RSA signature• TGDH: Random Tree• STR: picking random member for leave

52

Computation Cost (Join and Leave)

0

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

8 16 24 32 40 48 56 64 72 80 88 96 104 112 120 128

Number of Remaining Group Members

Se

co

nd

s

BD

TGDH

GDH

STR

0

0.2

0.4

0.6

0.8

1

1.2

1.4

8 16 24 32 40 48 56 64 72 80 88 96 104 112 120 128

Number of Current Group Members

Se

con

ds

BD

TGDH

GDH

STR

x-axis: # members before join TGDH, STR: almost 0.1 sec GDH worst TGDH: Joining node is near to

root due to random tree BD: hidden cost => signature

verification, modular multiplication

x-axis: # members after leave TGDH best STR worst

53

Experimental Result (WAN)

Using Spread over high delay WAN• JHU: 11 machines

• UCI: 1 machine

• ICU (Korea): 1 machine

Approx. 300 ms r/t time

54

WAN Experimental Results

Computational cost negligible Communication cost dominates Longest path determines delay

55

Summary Seemingly efficient (i.e., least computation & smallest message sizes)

protocol is not always best Need to consider other parameters

• # of messages (esp. b-cast!)

• Resilience to failures

• Complexity of implementation

• Behavior in high-latency and mixed networks

The herd moves at the speed of the slowest beast…

56

Other Models

57

Asynchronous Model: Crashes+Read-only Insider Adversary

See Cachin/Strobl (PODC’04) Self-sufficient: no reliance on view-

providing GCS Needs tc-resilient consensus protocol n2 messages and O(1) extra rounds General; not DH-based (though can

be)• Needs encryption• Scalability?• Experiments?

58

Further Info

GKA (CLIQUES) toolkit: GDH, STR, TGDH, BD

http://sconce.ics.uci.edu/cliques

Membership Control

http://sconce.ics.uci.edu/gac

Secure Spread:

http://www.cnds.jhu.edu/research/group/

secure_spread/

59

All done…

Recommended