Optimal Batch Rekeying for Secure Group Communications in Wireless Networks Authors: JinHee Cho, Ing

1
Optimal Batch Rekeying for Secure Group
Communications in Wireless NetworksAuthors
Jin-Hee Cho, Ing-ray Chen, Mohamed Eltoweissy

• Presented by
• Niharika Gujarati
• and
• Sindhu Motupalli

2
Agenda

• Introduction and previous work
• System model and assumptions
• Threshold-based periodic batch rekeying
• Performance model
• Numerical results and analysis
• Conclusion

3
1.Group Communication

• Applications inherently based on group
  communication.
• Wireless networks
• Network functionality
• Assure confidentiality, authenticity and
  intergrity
• User End-user / network node.

4

• Symmetric key
• Group key shared by members.
• Group key dist by key server.
• Dedicated key server or existing server employed
• Multiple key servers can co-exist in clustered
  network.
• Group key used to encrypt and decrypt messages
  only by group members.

5

• Forward secrecy - Group key management property
  that ensures that an intruder that knows a
  contiguous subset of old group keys cannot
  identify subsequent group keys.
• Backward secrecy - Group key management property
  that ensures that an intruder that knows a subset
  of group keys cannot discover previous group keys

6
Individual Rekeying

• Performs a rekey operation for every join or
  leave.
• Not scalable because of significant communication
  overhead.
• Synchronization difficult to maintain.
• To Remedy periodic batch rekeying

7
Periodic Batch Rekeying

• Joins and leaves aggregated.
• Rekeying done only periodically.
• Thus communication overhead is reduced when
  compared to individual rekeying.
• Improves efficiency and reduces out-of sync
  problem.
• Consequence forward and backward secrecy not
  strictly satisfied.

8
Contributions of paper.

• Develops new threshold-based batch rekeying
  schemes.
• Finding an optimal rekey interval to reduce
  communication costs while maintaining intergrity.
• SPN model to measure performance metrics.

9
2.System Model and Assumption
10

• KS maintains a key tree based on LKH (logical key
  hierarchy) protocol.

11

• Each node cryptographic sym key
• KS connects each member with one tree node
• Each node knows all keys from leaf to root node

12

• No other nodes keys are known
• This key set is called key path
• Root node key plays as group key
• Example key path of M2 is K5 , K2 and K1.

13

• When member joins, KS sends all the keys in
  keypath
• Msg length k(2log2 (N) -1)
• When member leaves, KS updates all the keys in
  the key path
• Msg length 2klog2 (N)
• k length of key
• N - number of members
• Therefore each updates msg length is
  logarithimic in no of group members.

14

• Assume periodic batch rekeying is used
• User cannot join without authorisation, ie no
  Untrusted Joins.
• Leaves can be Trusted or Untrusted.
• Trusted leave - User voluntarily leaves the
  group.
• Untrusted leave User is evicted from the group.
• if rekeying doesnt take place immediately after
  an untrusted leave it will result in a period of
  security vulnerability.

15

• Probability of trustworthiness.
• Pt number of trusted leave oprns
• total number of trusted and
  untrusted leaves
• Data is periodically collected by the KS

16
3.Threshold-based periodic batch rekeying

• Based on notion of thresholds that govern the max
  number of leave and join requests to be
  accumulated beyond which rekeying is done
• Rekeying scheme using only one threshold k3
• Rekeying schemes using two thresholds k1 and k2

17

• This scheme identifies the set of states in which
  rekeying is performed thus implicitly determining
  time between two rekeying oprns.
• State machine with 3 component state
  representation ( a , b , c)
• a ? number of trusted join requests.
• b ? number of trusted leave requests.
• c ? number of untrusted leave requests.

18
Threshold based rekeying
JALDT Join and Leave Double Threshold based
ULT Untrusted Leave Threshold Based
TAUDT Trusted and Untrusted Double Threshold based
19
ULT

• One Threshold k3 that guards only untrusted leave
• K3 ? number of untrusted leave requests
  ( state variable c)
• Special case k31 , individual rekeying is used.
• Used as a baseline to compare other two schemes.

20
TAUDT

• Two thresholds k1 and k2.
• k1 ? number of trusted requests a b state
  variables
• k2 ? number of untrusted leave requests c
  state variable

21
JALDT

• Two thresholds k1 and k2.
• k1? number of trusted join requests state
  variable a
• k2 ? number of trusted and untrusted leaves b
  c state variables.

22
Rekeying

• Only at the end of the batch interval T

23

• Two application specific constraints are
• Probability of secrecy violation Pv
• Proportion of time with secrecy violation risk
• Only forward secrecy
• Delay D
• Latency per join or leave request (the same)
• Joins and leaves are not distinguished as they
  are aggregated.
• Optimal batch rekeying interval (T) interval in
  which overhead is minimised while satisfying Pv
  and D

24

• Simple optimization feature used to reduce
  communication overhead
• New join member can take the place of leave
  member in a key tree.
• Thus for each join-leave pairs, KS only generates
  new keys along the keypath and a new key to the
  new member.

25

• KS applies following procedure while rekeying.
• if a gt bc, then the server will process bc
  join-leave request pairs before processing a
  (bc) join requests
• if a bc, then the server will process bc
  join-leave request pairs
• if a lt bc, then the server will process a
  join-leave

26
Performance Model
27

• For ULT we derive analytical closed from solution
• Average Batch Rekey interval
• T
• average inter-arrival ime of
  untrusted leave requests

28

• Thus at end of each batch rekeying the state
  variables have the values

29

• The communication overhead bits Cm is calc as

30

• Scm is the communication overhead
• Tb is overhead for broadcast
• Thus Scm is calculated as the sum of this
  overhead and packet transmission time.
• Scm Tb Cm / BW

31

• Average communication overhead per join or leave
• S Scm
• a b c
• Probability of secrecy violation is the propotion
  of time in which fwd secrecy has been violated
• Pv (k3-1) / k3 T Scm
• (T Scm)

32

• Delay per join / leave
• D S T/2
• T/2 average wait time for batch rekeying for an
  operation
• S average communication overhead per join/
  leave
• Calculated D is almost the same as resp time per
  operation

33

• For TAUDT and JALDT there are too many states to
  yield closed-form analytical expressions, hence
  the use of SPN model.

34

• Places
• tmp is a temporary place holder not
  corresponding to any state component just to hold
  newly arriving leave requests.

35

• Transitions

36

• Arcs

37

• Firing Rule for any of the transactions in the
  model
• There are atleast m tokens in each of its input
  places connected by an input arc of multiplicity
  m
• The associate enabling function of that
  transaction

38

• when trusted join arrives-token in a
• Modelled by transition T1 with rate ? Pt
  because there are no untrusted joins, only
  trusted ones.

39

• Any leave token in tmp
• Modelled by T2 with rate µ
• If leave trusted go to b with immediate
  transition (T4) rate of Pt.
• If untrusted go to c with immediate transition
  rate (T5) of 1 Pt.

40

• For both schemes rekeying is performed when
  rekeying condition is satisfied.
• Modelled by using an enabling function that has
  to be satisfied to fire the transition T3.

41

• Enbling function for T3
• TAUDT ? if mark(a) mark(b) k1
• or if mark(c) k2 then true
• else
  false
• JALDT? if mark(a) k1
• or if mark(b) mark(c) k2 then true
• else false

42

• Enabling functions

43
(No Transcript)
44

• Average communication overhead
• R Set of rekeying states
• P(i) The steady-state probability of the
  system being in state i.
• The Secrecy of Violation
• V denotes the set of states in which mark(c)gt0
• ri 1

45

• To obtain T , convert all rekeying states to
  absorbing states.
• Assign a reward value of 1 to all states other
  than absorbing states.
• T is computed as expected cumulative reward until
  absorption.

46
Numerical results and analysis

• Analyze numerical results obtained from applying
  mathematical models developed for ULT,
• TAUDT and JALDT.
• Following system parameters are used
• number of members in the group (N) 1024
• length of each key (J) is 64 bits
• Tb 5 msec
• bandwidth (BW) is 1 Mbps

47
ULT Analysis

• Baseline scheme which TAUDT and JALDT will be
  compared against.
• Assumed - ? µ 1 0.5 and Pt 0.9

• D is Delay
• k3 increases ? D increases
• Hence takes more time to accumulate c to
  reach the threshold

• Pv is Secrecy Voilation
• k3 increases ? c increases
• When k3 0 ? Pv 0

48

• The optimal batch rekey interval (T) is the
  interval at which the overhead is minimized while
  satisfying the two application-level constraints
• T 1
• µ(1 - Pt ) k3
• At D 5, Pv .05 , k3 1
• T 6.67 seconds

49
TAUDT Analysis

• Two thresholds k1 number of trusted requests
  (ab)and k2 number of untrusted requests (c).

• K1 increases ? Pv increases since high threshold
  means more states voilated secrecy requirement.
• As K2 increases, Pv increases too, until k2
  reaches a threshold ( k2 gt 2).

D increases as k1 increases and k2 increases. K2
not significant as k1 due to high Pt used.
50

• As k1 increases, S decreases since aggregating
  join and leave events reduces rekeying overhead
• S is insensitive to incresing k2 since c is
  very small
• optimal batch rekey interval
• At D 5, Pv .05 ? (k1,k2) (16,1)
• T 8.83 seconds

51
JALDT Analysis

• two thresholds - k1 number of join requests (a)
  and k2 the number of leave requests (bc)

• Pv and D increase when either k1 or k2 increases

52
S decreases as both k1 and k2 increase because
aggregating more join and leave events for a
batch rekeying operation will amortize the cost
per operation. optimal batch rekey interval
At D 5, Pv .05 ? (k1,k2) (13,2) T 3.96
seconds
53
Comparison

• Calculated Optimal batch rekey intervals
• ULT 6.67 seconds
• TAUDT 8.83 seconds
• JALDT 3.96 seconds
• TAUDT has the highest optimal T
• JALDT shows the second highest optimal T,
  followed by ULT

54
TAUDT is able to produce the minimum S and the
maximum T, which makes it the most efficient
scheme among all.
55
Conclusion

• By varying the Pv and (? µ), TAUDT is able to
  produce the minimum S and the maximum T.
• As Pt increases, minimum S decreases and T
  increases.
• As µ increases, minimum S increases and optimal T
  decreases

56
Future Works

• Augment by taking reliability and availability
  considerations to the SPN model.
• Analyzing the effects of insider attacks and
  intrusion detection system design on the security
  and performance prosperities of group
  communications in wireless systems.
• Investing the issue of optimal batch rekeying for
  the case in which a group consists of multiple
  subgroups.