Efficient Self-healing Group Key Distribution With Revocation Capability

1
Efficient Self-healing Group Key Distribution
With Revocation Capability

• Archana Rajagopal
• CSC 774 Presentation
• Based on Original Slides from Donggang Liu, Peng
  Ning, and Kun Sun

2
Outline

• Motivation and background
• Secure group communication in MANET
• Proposed solutions
• Novel personal key distribution
• Self-healing group key distribution
• Improvements to reduce storage and communication
  overheads
• Conclusions and future work

3
Secure Group Communications in MANET

• Problem
• How to distribute group keys?
• Challenges in MANET
• Dynamic and volatile
• Unreliable communication
• Lost packets, network partitions, relatively long
  term failures due to active attacks,

4
Related Work

• Extensive results on group key management
• Group key distribution
• Tree-based scheme LKH, Iolus,
• Secret sharing-based scheme Self-healing,
• Group key agreement
• GDH,TGDH,
• Most existing techniques are not suitable for
  MANET
• No fault tolerance gt not applicable
• Simple fault tolerance gt easy to disrupt, cannot
  deal with network partitions and active attacks

5
Related Work (contd)

• Two potential candidates for MANET
• Self-healing group key distribution
• Ability to recover lost session keys
• Staddon et al., Oakland 2002
• Stateless group key distribution
• Ability to rejoin the group
• Cannot recover lost keys
• Naor, Naor, and Lotspiech (SDR), Crypto 2001

6
Desirable Properties

• Unconditionally secure
• Self-healing
• t-revocation capability
• t-wise forward secrecy
• t-wise backward secrecy

7
Property of proposed scheme

• Processing,Communication and Storage overheads
  depend on number of compromised nodes that may
  collude together and not on group size.

8
Scheme I Personal Key Distribution

• Goal distribute distinct keys to different
  members with one broadcast message
• A key is a point on polynomial f(x), e.g., f(j)
• Idea construct a single polynomial w(x) to
  distribute shares on f(x) such that
• A valid member can only get its own key
• Revoked members know nothing about
• Valid members keys
• Their own keys

9
Scheme I (contd)

• Method w(x)g(x)f(x)h(x)
• h(x) is called a masking polynomial. Degree 2t
  Each member i has one share on h(x), which is
  h(i).
• g(x) is called a revocation polynomial. Degree
  w(wltt).If member v is revoked, g(v) 0
  otherwise g(v)!0

10
Scheme I (contd)

• Group manager broadcasts
• Revoked user ids r1,,rw gt g(x)(x-r1)(x-r2)(x
  -rw)
• w(x)g(x)f(x)h(x)
• Communication overhead O(tlogq)

Member v is not compromised, but member v is
compromised
11
Property of Scheme I

• Scheme I is an unconditionally secure personal
  key distribution scheme with t-revocation
  capability

12
Scheme II (Basic Session Key Distribution)

• Main idea
• Combine the new personal key distribution scheme
  with the self-healing technique.
• Distribute p(x) part for all old session and q(x)
  part for all future sessions

p(x) p(x)g(x)h(x)

K
q(x) q(x)g(x)h(x)
13
Self Healing Property

• Group key Kj pj(i) qj(i)
• (m1) polynomials broadcasted for all m
  sessions
• p1(i) pj(i) , qj(i) . qm(i)
• Ui receives messages from j1 and j2 but not
  jwhere j1 lt j lt j2
• How to recover session key for j?
• pj(i) from j2 and qj(i) from j1

14
Broadcast

• Bj
• Rj
• Pj,i(x) gj(x)pi(x) hi,j(x)i1j
• Qi,j(x) gj(x)qi(x) hj,i1(x)ijm

15
Scheme II (contd)

• In session j, given a set of revoked member ids
  Rjr1,,rwj, the group manager broadcasts Rj
  and m 1 polynomials
• Communication overhead O(mtlogq)
• Storage overhead O(m2logq)

• Member

Kj
16
Properties of Scheme II

• Unconditionally secure, t-revocation capability
• Self-healing session key distribution
• t-wise forward secrecy and t-wise backward secrecy

17
Scheme III Reduce Storage Overhead

• Goal reduce the storage overhead in scheme II
• Source of storage overhead shares on masking
  polynomials
• Observation each pi(x) or qi(x) is masked by
  different masking polynomials in different
  sessions
• Having one masking polynomial for each pi(x) or
  qi(x) is sufficient
• The broadcast messages are public. So it is
  unnecessary to protect the same polynomial
  multiple times using different masking polynomial

18
Scheme III (contd)

• In session j, given the sets of revoked member
  ids Rii1,,j, the group manager broadcasts
  Rii1,,j and m1 polynomials
• Communication overhead is still O(mtlogq)
• Storage overhead is O(mlogq) instead of O(m2logq)
  in scheme II

• Member

Kj
19
Properties of Scheme III

• Unconditionally secure, self-healing session key
  distribution and t-revocation capability
• t-wise forward secrecy and t-wise backward secrecy

20
Scheme IV (Less Broadcast Size)

• Goal further reduce the communication overhead
• Observation having redundant information for all
  the sessions may be unnecessary
• Short term communication failures
• Long term but infrequent communication failures
• Idea
• Sliding window.
• Trade off between broadcast size and self-healing
  capability

21
Variant I

• For short term communication failures

l-session self-healing self-healing capability
in terms of l consecutive sessions
22
Variant II

• For long-term but infrequent communication
  failures

(l,d)-session self-healing Can recover the lost
session keys if a member receives d consecutive
messages within ld sessions
23
Conclusions

• Our new personal key distribution scheme can be
  used to
• Develop more efficient self healing key
  distribution schemes
• Reduced the communication and the storage
  overhead of session key distribution scheme
• Proposed two ways to trade off the broadcast size
  with the self-healing ability

24
Future Work

• Long-lived self-healing key distribution
• Stateless group key distribution
• Supporting multiple groups
• Performance evaluation

25
Thank You!
QUESTIONS?