Secure Group Communications SGC

1
Secure Group Communications (SGC)

• Introduction
• ?Secure group communication (SGC)
• ?Problem setting
• Group key management for SGC
• ? (Centralized) Key tree approach
• ? N-party Diffie-Hellman key agreement

2
IntroductionSecure group communication

• A large group of users
• with common interests communicate with one
  another
• Examples
• Teleconferencing
• Pay-TV
• VPN (Virtual Private Network)
• Electronic newspaper distribution

MSU
WSU
Internet
Internet
IUPUI
UCD
3
Enabling technology

• Network connectivity (Internet, Internet 2)

• IP multicast
• Cryptosystems
• ?public key systems such as RSA, ElGmal
• ?Secret key systems such as DES, IDEA
• Key management protocols

Multicast packet
Multicast capable router
4
Application requirements

• Scalability large group sizes
• Dynamics Join, Leave, Multiple join and leave
  operation.
• Distributed (no central control)
• Efficiency and limited overhead
• Authentication

5
Group key management

• A Group key
• Communication encrypted by group key
• Join key changes to allow the joining user to
  decrypt the future messages (but not previous
  messages!)
• Leave key changes to prevent the leaving user
  from decrypting the future messages

6
Classification of key manage-ment protocols for
SGC

• Broadcast (one-to-many) versus Conference
  (many-to-many)
• Centralized versus distributed (CA selected group
  key versus uniformly contributory group key)
• Unconditionally secure versus computationally
  secure
• Public-key based versus secret-key based
• My classifications of Protocol types
• Centralized group key distribution
• Decentralized group key management
• Distributed (contributory) group key agreement
• Distributed group key distribution
• Protocols Naïve protocol, Secure lock, RPS,
  STB, CBT, a suite of dynamic conference
  protocols, Iolus, DEP, OFT, Key-tree DISEC, a
  suite of n-party Diffie-Hellman protocols.

7
Key management protocol? Naïve solution

• Join
• ?Select a new group key
• ?Encrypt it with the old key and send to
  group
• ?Send it to the joining user
• ?Rekeying messages O(1)
• Leave
• ? Select a new group key
• ? Send it to remaining users one by one
• ?Rekeying messages O(n)
• Problem Scalability (when users leave)

8
Key management protocol? key tree solution

• A central group controller
• Key tree Wong 98, Caronni 98, Noubir 98
• Users located on leaf nodes
• A user has the keys from its leaf to the root
• Root key is shared by all users and is the group
  key
• DEK data encryption key
• KEK key encryption key

K0-7(DEK)
K0-3(KEK)
K4-7(KEK)
K0-1
K2-3
K4-5
K6-7
K0
K1
K2
K3
K4
K5
K6
m0
m1
m2
m3
m4
m5
m6
Users
9
Effect of user join operation

• The keys along the path need to be changed
• Every changed key is encrypted with each of its
  two childrens keys separately and sent to the
  group
• Starting from the immediate parent to the root
• ?change the key
• ?encrypt with each childs key and send
  to the group
• ?consider parent node
• Rekeying messagesO(1)?log(n)

K0-7(DEK)
K0-3(KEK)
K4-7(KEK)
K0-1
K2-3
K4-5
K6-7
K0
K1
K2
K3
K4
K5
K6
K7
m0
m1
m2
m3
m4
m5
m6
m7
A user joins
10
Effect of user leave operation

• The keys along the path need to be changed
• Every changed key is encrypted with each of its
  two childrens keys (except the leaving users
  key) separately and sent to the group
• Starting from the immediate parent to the root
• ?change the key
• ?encrypt with each childs key and
  send to the group
• ?consider parent node
• Rekeying messagesO(n)?log(n)

K0-7(DEK)
K0-3(KEK)
K4-7(KEK)
K0-1
K2-3
K4-5
K6-7
K0
K1
K2
K3
K4
K5
K6
m0
m1
m2
m3
m4
m5
m6
m3 leaves
11
Effect of multiple join operation

• Place the joining users at the positions of
  unoccupied leaf nodes, expanding key tree, if
  needed.
• Shared keys only change once
• Original users m1,m2,m3
• Three users join, placed in positions 2,4,5 and
  expanding the key tree (right sub-tree)

K0-7(DEK)
K0-3(KEK)
K4-7(KEK)
K0-1
K2-3
K4-5
K0
K1
K2
K3
K4
K5
m0
m1
m2
m3
m4
m5
Three users join, expand the key tree
12
Effect of multiple join and leave operation

• Place the joining user at the positions of the
  leaving users
• Shared keys only change once
• Users m2,m4,m5 leave and two users join
• Call both a join and a leave a update

K0-7(DEK)
K0-3(KEK)
K4-7(KEK)
K0-1
K2-3
K4-5
K6-7
K0
K1
K2
K3
K4
K5
K6
m0
m1
m2
m3
m4
m5
m6
M2
M4
13
Decentralized group key management Iolus 1998
SG3
SG2
K3
K2
u7, u8, u9,u10
u2, u4, u6,u11
Three subgroups, subgroup controllers, each
manages its own subgroup. A subgroup controller
also knows the key of its parental subgroup,
thus, can relay the encrypted data message.
14
N-party Diffie-Hellman key agreement

• (Centralized) key distribution
• A central authority distributes group key(s) to
  group members
• Distributed key agreement
• The group key is agreed upon all members uniform
  contribution.
• N-party Diffie-Hellman key exchange
• n-party Diffie-Kellman key tree (log(n) rounds)
• BD scheme (just two rounds)

15
TGDH Y. Kim 00 initial setting up
g a1a2g a3a4
g a5a6a7
g
g
g
RK?(a1,a2,,a7) in O(log n)
?
g a1a2g a3a4
g a1a2g a3a4
?
g a5a6a7
g a5a6a7
g
g
g
g
g
g
g a1a2
g a3a4
g a5a6
g a1a2? g
a7? g a7
g a3a4? g
g a5a6? g
M7
a5? g a5
a6? g a6
a1? g a1
a2? g a2
a3? g a3
a4? g a4
M1
M2
M3
M4
M5
M6
16
TGDH --Key re-computation for leave operation
g a1a2g a3a4
g a5a6a7
g a5a6a7
g a1a2g a3a4
A members Sponsorthe rightmost member in its
lowest subtree. e.g., M6 M5, M7 M6.
g
g
g
g
RK?(a1,a2,,a7)
RK?(a1,a2,,a7)
RK?(a2,,a7)
g
g
?
g a1a2g a3a4
g a1a2g a3a4
g
g
g
g a3a4
g a5a6
a7? g a7
g a3a4? g
g a5a6? g
a1? g a1
M7
a5? g a5
a6? g a6
a3? g a3
a4? g a4
a2? g a2
M1
M6
M3
M2
M4
M5
? M1 leaves
17
Burmester and Desmedt (BD) protocol

• Suppose p, g are public and group size is n
• m0, m1,, mn-1.
• Every mi selects a secret value si.
• Every mi computes and broadcasts bi gsi . (b
  stands for blinded secret.)
• Every mi computes and broadcasts Xi
  (bi1/bi-1)si.
• Every mi now computes the key
• Ki (bi-1)nsi? Xin-1 ? Xi1n-2 ??? Xi-2 .
• The group key is Kgs0s1s1s2sn-2sn-1sn-1s0.

18
New class Distributed group key distribution
DGKD, Pratima Zou05
A key tree, as previous, but with the leaf keys
are the public keys of users. In addition, each
user keeps and maintains its own copy of the same
key tree.
K0-7
K4-7
K0-3
Whenever there is a member Joins or leaves, its
sponsor will generate the keys along path and
send the encrypted Keys to the co-distributors
and the co-distributors then encrypt and
distribute the keys to the members in their
scopes.
K0-1
K2-3
K4-5
K6-7
pk0
pk1
pk3
pk4
pk5
pk2
pk6
m0
m1
m2
m3
m4
m5
m6
Users
19
Distributed group key distribution
A new user m7 joins, K6-7, K4-7, K0-7 needs to be
changed m6 is sponsor, m0,m4 are co-distributors
K0-7
m6?m7 K6-7,K4-7,K0-7pk7.
m6 sends keys to co-distributors m6?m4
K4-7,K0-7pk4 m6?m0 K0-7pk0.
K0-3
K4-7
K0-1
K2-3
K4-5
K6-7
The co-distributors multicast keys m4 multicasts
K4-7,K0-7K4-5. m0 multicasts K0-7K0-3
pk0
pk1
pk3
pk4
pk5
pk2
pk6
pk7
m0
m1
m2
m3
m4
m5
m6
m7 join
20
Secret sharing

• Question a map to an island full of treasure,
  who will keep the map?

Split the map into 2 pieces, each one keeps one
piece.
Secret sharing Given a secret s, n parties to
share the secret such that 1. All n parties can
get together and recover s. 2. Less than n
parties can not recover s.
Principle split s into n pieces, given one piece
to each party
21
Secret sharing

• Partial Information Disclosure
• if split in an inappropriate way, information
  about the secret will disclosure.
• Example about splitting a password.
• A secure split for binary string secret.

(n,t) Secret Sharing Problem with (n,n) secret
sharing, example for 3 generals to launch a
missile. therefore let t lt n
22
(n,t) Secret Sharing

• Given a secret s, split among n parties
• Availability greater than or equal to t parties
  can recover s.
• Confidentiality less than t parties have no
  information about s.
• Examples
• (n,2) secret sharing, a random line passing s

• (n,3) secret sharing, a random curve passing
  s

• (n,t) secret sharing, a random polynomial in
• variable x with degree t-1 and having s as
• constant item.

23
Shamirs secret sharing

• we can assume that the data D is (or can be made)
  a number. To divide it into pieces Di, we pick a
  random k - 1 degree polynomial q(x) a0 a1
  x ... ak-1 x(k-1) in which a0 D, and
  evaluate
• D1 q(1), ..., Di q(i), ..., Dn q(n).
• Given any subset of k of these Di values
  (together with their identifying indices), we can
  find the coefficients of q(x) by interpolation,
  and then evaluate D q(O). Knowledge of just k -
  1 of these values, on the other hand, does not
  suffice in order to calculate D.
• Features
• (1) The size of each piece does not exceed the
  size of the original data.
• (2) When k is kept fixed, Di pieces can be
  dynamically added or deleted
• (3) It is easy to change the Di pieces without
  changing the original data D
• By using tuples of polynomial values as Di
  pieces, we can get a hierarchical scheme in which
  the number of pieces needed to determine D
  depends on their importance.