
A secure re-keying scheme

• Introduction

• Background

• Re-keying scheme

• User revocation

• User join

• Conclusion


Introduction

• Multicast is the preferred mode for group communication services

• A group key is known to all users in the group, but is unknown to non-group users

• Ensure this while the group membership changes

• A re-keying scheme is an algorithm to securely and efficiently update the group key


Background

Approaches to form authorized subgroups:

– Broadcast: enable a single source to securely broadcast to an arbitrary and dynamically changing subset of users

– Secure sharing: requires a user to store only one key

– Logical key hierarchy: use a tree structure to update a group key in order to revoke or join users


Re-keying scheme

• Based on the logical key hierarchy approach

• Uses a one-way hash chain to generate all the keys of a user from a seed value

• $h^v(x)$, where h() is a one-way hash function, is a one-way hash chain when h is applied v times to x: $h^v(x) = h(h(\ldots h(x) \ldots))$.


Model

• U: set of users

• GC: group controller

• A user U holds a unique set of keys $K(U) \subseteq K$, where K is the set of keys in the system

• $M_i = \{U_1, U_2, \ldots, U_{n_i}\} \subseteq U$: set of users sharing a session key $K_{s_i} \in K$


Group operation

Re-keying consists of two group operations:

– User revocation: a subset of users $R_i$ is revoked from $M_i$, resulting in a new session consisting of $M_{i+1} = M_i \setminus R_i$ sharing a new session key $K_{s_{i+1}}$

– User join: a subset of users $J_i$ joins $M_i$, resulting in a new session consisting of $M_{i+1} = M_i \cup J_i$ sharing a new session key $K_{s_{i+1}}$


System operation

• During the initial session, GC generates the keys K and sends a subset of keys $K(U) \subseteq K$ to each user $U \in M_0$ via a secure unicast channel

• In all subsequent sessions, GC sends a re-keying message over an insecure multicast channel. A user $U \in M_{i+1}$ uses his set of keys and the re-keying message to calculate the new session key $k_{i+1}$


A LKH re-keying scheme

• A logical key hierarchy (LKH) is a tree where each node logically corresponds to a key and each leaf logically corresponds to a user.

• A user knows the keys of nodes along the path from the user’s leaf to the root.


• Each node is given a label $I_w^{(l)}$ and a key $K_w^{(l)}$. Node labels are public and node keys are private.

• The user holds the set $K(U) = \{k_w^{(0)}, k_w^{(1)}, \ldots, k_w^{(S_u)}\}$ of node keys along the path.

• All users have a common root key $K_w^{(0)}$.


Re-keying algorithm for GC

• GC chooses a random number $r \in_R \{0,1\}^b$, where b is the security parameter.

• For level l = s, …, 0 and node $I_w^{(l)} \in N(S)$, GC updates $K_w^{(l)}$ to $K_w'^{(l)} = h^{s-l}(r)$

• Generate the re-keying message:

$$M_{rkey} = \{\, E_{K_w^{(l+1)}}(K_w'^{(l)}, I_w^{(l+1)}) \mid I_w^{(l)} \in N(S),\ I_w^{(l+1)} \in C(I_w^{(l)}) \,\}$$

E() denotes the encryption algorithm.


Re-keying algorithm for users

• A user U finds the nodes that are both in N(U) and $M_{rkey}$: $E_{K_w^{(y+1)}}(K_w'^{(y)}) \in M_{rkey}$

• User decrypts using his node key: $K_w'^{(y)} = D_{K_w^{(y+1)}}(E_{K_w^{(y+1)}}(K_w'^{(y)}))$

• User needs to update keys of node $I_w^{(y)}$ and all its ancestors, i.e., $I_w^{(y-1)}, \ldots, I_w^{(0)}$

• For level l = y-1, …, 0 and every node, the user updates the node key $K_w'^{(l)} = h^{y-l}(K_w'^{(y)})$


System Initialization

• Let $M_0 = \{U_1, \ldots, U_{n_0}\}$

• GC constructs a tree structure with $n_0$ leaves, gives a unique label to each node, attaches a randomly generated key to each node and associates each leaf with a user.

• GC publishes the tree structure on a public bulletin board and keeps all node keys secret.

• GC sends to user U a set of node keys along the path from U’s leaf to the root over a secure unicast channel.


User revocation

• Group controller

1. Updates the tree structure

2. Updates the session key $K_{s_i}$ to $K_{s_{i+1}}$ (updating the root key). All internal keys belonging to the users in $R_i$ need to be updated

• User

1. Each affected user removes the redundant nodes and keys and rearranges the levels of the affected nodes and keys.

2. Each user receives the re-keying message and performs the re-keying scheme, obtaining the new session key.


User revocation

• Suppose $R_i = \{U_3, U_5, U_6\}$

• Nodes $I_2^{(1)}, I_4^{(2)}, I_5^{(2)}, I_9^{(3)}, I_{11}^{(3)}$ have been pruned. Nodes in dashed lines have been arranged to new levels

• Keys required to be updated: $K(S) = \{K_3^{(2)}, K_1^{(1)}, K_0^{(0)}\}$

• Re-keying: $K_3'^{(2)} = r,\ K_1'^{(1)} = h^1(r),\ K_0'^{(0)} = h^2(r)$

• Re-keying message:

$$M_{rkey} = \{\, E_{k_7^{(3)}}(K_3'^{(2)}, I_7^{(3)}),\ E_{k_8^{(3)}}(K_3'^{(2)}, I_8^{(3)}),\ E_{k_{10}^{(2)}}(K_1'^{(1)}, I_{10}^{(2)}),\ E_{k_6^{(1)}}(K_0'^{(0)}, I_6^{(1)}) \,\}$$


User revocation

• U1, U2: have $K_3'^{(2)}$, calculate $K_1'^{(1)} = h^1(K_3'^{(2)})$, $K_0'^{(0)} = h^2(K_3'^{(2)})$

• U4: have $K_1'^{(1)}$, and calculate $K_0'^{(0)} = h^1(K_1'^{(1)})$

• U7, U8: have $K_0'^{(0)}$

• The session key is $K_{s_{i+1}} = K_0'^{(0)} = h^2(r)$
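The revocation example above, together with the hash chain and the GC and user re-keying algorithms it relies on, run end to end as an added sketch (not code from the slides or the cited papers). Assumptions: SHA-256 stands in for h, an XOR pad stands in for E(), the message is modelled as a map from node label to ciphertext, and all function names and the tree dictionaries are hypothetical.

```python
import hashlib, os

def h(x: bytes, v: int = 1) -> bytes:
    """Hash chain h^v(x): SHA-256 applied v times (h^0(x) = x)."""
    for _ in range(v):
        x = hashlib.sha256(x).digest()
    return x

def E(key: bytes, label: str, msg: bytes) -> bytes:
    """Stand-in for E() (assumption): XOR with a pad derived from key and label.
    XOR is its own inverse, so the same function serves as D()."""
    pad = hashlib.sha256(b"pad|" + key + b"|" + label.encode()).digest()
    return bytes(a ^ b for a, b in zip(msg, pad))

# Constructed tree after pruning, from the node labels in the example:
# root 0; level 1: nodes 1, 6; level 2: nodes 3, 10; level 3: nodes 7, 8.
PARENT = {"1": "0", "6": "0", "3": "1", "10": "1", "7": "3", "8": "3"}
LEVEL = {"0": 0, "1": 1, "6": 1, "3": 2, "10": 2, "7": 3, "8": 3}

def gc_rekey(old: dict, updated: set, r: bytes):
    """GC side: K'_w^(l) = h^(s-l)(r) for updated nodes, then the re-keying message."""
    s = max(LEVEL[w] for w in updated)
    new = {w: h(r, s - LEVEL[w]) for w in updated}
    # One entry per non-updated child of an updated node, indexed by the child's label.
    msg = {c: E(old[c], c, new[p]) for c, p in PARENT.items()
           if p in updated and c not in updated}
    return new, msg

def user_rekey(held: dict, msg: dict):
    """User side: decrypt one entry, then hash up to the root. None if no entry fits."""
    c = next((w for w in held if w in msg), None)
    if c is None:
        return None
    y = LEVEL[c] - 1                      # level of the key recovered from the entry
    return h(E(held[c], c, msg[c]), y)    # K'^(0) = h^(y-0)(K'^(y))

def revocation_example():
    old = {w: os.urandom(32) for w in LEVEL}        # constructed node keys
    new, msg = gc_rekey(old, {"3", "1", "0"}, os.urandom(32))
    # Key each remaining user decrypts with; U7 and U8 are modelled from node 6 upward only.
    users = {"U1": "7", "U2": "8", "U4": "10", "U7": "6", "U8": "6"}
    derived = {u: user_rekey({w: old[w]}, msg) for u, w in users.items()}
    # Constructed worst case: a revoked user who kept every key that was replaced.
    revoked = user_rekey({w: old[w] for w in ("3", "1", "0")}, msg)
    return new, msg, derived, revoked
```

Every remaining user ends with the same root key although each decrypts a different entry, while the old keys for nodes 3, 1 and 0 match no entry in the message.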


User join

• Group controller

1. Updates the tree structure

2. Produces a randomly chosen key for each new leaf, and associates each new user with a new leaf

3. Updates the session key

• User

1. Each new user performs the re-keying operation to obtain the updated keys and the new session key.

2. Each affected user adds the new nodes and rearranges the levels of the affected nodes and keys.

3. The rest of the users perform the re-keying operation to update the keys and obtain the new session key.


User join

• Suppose $J_i = \{U_9, U_{10}\}$

• Nodes $I_{14}^{(2)}, I_{15}^{(3)}, I_{16}^{(3)}$ have been added. Nodes in dashed lines have been arranged to new levels

• Keys required to be updated: $K(S) = \{K_{14}^{(2)}, K_6^{(2)}, K_2^{(1)}, K_0^{(0)}\}$

• Re-keying: $K_{14}'^{(2)} = r_1,\ K_6'^{(2)} = r_2,\ K_2'^{(1)} = h^1(r_1),\ K_0'^{(0)} = h^2(r_1)$

• Re-keying message:

$$M_{rkey} = \{\, E_{k_5^{(3)}}(K_{14}'^{(2)}, I_5^{(3)}),\ E_{k_{15}^{(3)}}(K_{14}'^{(2)}, I_{15}^{(3)}),\ E_{k_{12}^{(3)}}(K_6'^{(2)}, I_{12}^{(3)}),$$

$$E_{k_{13}^{(3)}}(K_6'^{(2)}, I_{13}^{(3)}),\ E_{k_{16}^{(3)}}(K_6'^{(2)}, I_{16}^{(3)}),\ E_{k_6^{(2)}}(K_2'^{(1)}, I_6^{(2)}),\ E_{k_1^{(1)}}(K_0'^{(0)}, I_1^{(1)}) \,\}$$


User join

• U6, U9: have $K_{14}'^{(2)}$, calculate $K_2'^{(1)} = h^1(K_{14}'^{(2)})$, $K_0'^{(0)} = h^2(K_{14}'^{(2)})$

• U7, U8, U10: have $K_2'^{(1)}, K_6'^{(2)}$, and calculate $K_0'^{(0)} = h^1(K_2'^{(1)})$

• U1 … U5: have $K_0'^{(0)}$

• The session key is $K_{s_{i+1}} = K_0'^{(0)} = h^2(r_1)$


Conclusion

• A re-keying scheme for multiple user revocation and multiple user join.

• Employs a logical key hierarchy with a one-way hash chain to achieve higher efficiency.

• The scheme satisfies forward secrecy, backward secrecy and forward-backward secrecy.
