Refik Molva, Alain Pannetrat. Institut Eurecom, Sophia-Antipolis, France.



Scalable Multicast Security in Dynamic Groups

Refik Molva, Alain Pannetrat, Institut Eurecom, Sophia-Antipolis, France. {molva,pannetra}@eurecom.fr

Appeared in the Proceedings of the 6th ACM conference on Computer and Communications Security, November 1999, Singapore.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or permissions@acm.org.

Abstract

In this paper we propose a new framework for multicast security based on distributed computation of security transforms by intermediate nodes. The involvement of intermediate nodes in the security process causes a new type of dependency between group membership and the topology of the multicast network. Thanks to this dependency, the containment of security exposures in large multicast groups is assured. The framework also assures both the scalability for large dynamic groups and the security of individual members. Two different key distribution protocols complying with the framework are introduced. The first protocol is an extension of the El Gamal encryption scheme whereas the second is based on a multi-exponent version of RSA.

1 Introduction

Multi-party communications have recently become the focus of new developments in the area of applications and networking, from group applications like videoconferencing to network layer multicast protocols. As part of the new issues involved with multi-party communications, security in terms of privacy and integrity has received particular attention due to the vulnerabilities inherent to multi-party architectures. While several projects addressed the problem of key distribution [9] and digital signatures [3] among the participants of a group, the security issues related to multicast in large and dynamic groups remained comparatively unexplored. Multicast is a special case of group protocols by which a single source transmits data to multiple recipients. Like any other multi-party scheme, the inherent complexity of the underlying communication mechanisms exposes multicast protocols to vulnerabilities that have no counterpart in the unicast case, as depicted in [2][6]. Possible countermeasures for those vulnerabilities are cryptographic security services ranging from authentication of group members, data confidentiality and integrity, and non-repudiation of origin to access control for group membership. Next to basic security services, automatic key management is necessary for the secure provision of large recipient groups with cryptographic keying material. In this paper we present a framework for multicast security that focuses on two issues:

- scalability in large dynamic groups: the amount of processing of each individual component of the multicast security mechanism should be independent of the group size; changes to the group membership should affect the smallest subset of the group.
- containment of security exposures through partitioning: each recipient group should be partitioned into sub-groups in order to assure that a security exposure in a sub-group does not endanger the security of other sub-groups.

As a preliminary step we present a set of cryptographic sequences with special properties that are organized in a tree. The rest of the paper considers this formal graph and applies it to a multicast tree. We show how the properties of our formal graph can be used to offer a multicast security framework that deals with security and scalability issues.

In the proposed framework, conflicting security and scalability requirements are addressed through a distributed scheme whereby intermediate components placed on the multicast transmission tree take part in the security protocol. The intermediate components share the security processing load with the source and assure the containment of security exposures at various parts of the multicast tree. The framework defines basic properties of a set of cryptographic functions that assure data confidentiality. Depending on the performance of the underlying algorithm, implementations of the framework may be suitable either for the encryption of bulk data or only for the encryption of short messages as required by key distribution. The framework is first validated with respect to security and scalability requirements. Two different implementations of the framework are then discussed. Both solutions are based on asymmetric techniques: an extension of the El Gamal algorithm [4] and a variation on RSA [8]. These algorithms, which offer strong protection, are only suitable for key distribution since, due to their inherent complexity, bulk data encryption with these solutions seems prohibitive.

2 Cryptographic Functions

The building blocks we have chosen to use to design data confidentiality protocols over a multicast tree are called Reversible Parametric Sequences (RPS). This section will give a formal definition of these sequences and associate them in trees. These trees will be used in further sections to describe our multicast security framework.

2.1 Reversible Parametric Sequence

Let $f : \mathbb{N}^2 \to \mathbb{N}$ be a function with the following property: if $y = f(x, a)$ it is computationally infeasible to compute $a$ knowing $x$ and $y$. Let $(a_i)_{1 \le i \le n}$ be a finite sequence of $n$ elements. Let $(s_i)_{0 \le i \le n}$ be a finite sequence of $n+1$ elements defined as $s_i = f(s_{i-1}, a_i)$ for $i > 0$, where $s_0$ is the initial value of the sequence. Such a sequence will be called a Reversible Parametric Sequence associated to $f$, or $RPS_f$, if for all couples $(i, j) \in \mathbb{N}^2$ verifying $0 \le i < j \le n$ there exists a computable function $h_{(i,j)}$ such that $s_i = h_{(i,j)}(s_j)$. Moreover:

- An $RPS_f$ $(s_i)$ will be called a Symmetric (reversible) Parametric Sequence associated to $f$, or $SPS_f$, if $h_{(i,j)}$ can be computed from $\{a_{i+1}, a_{i+2}, \ldots, a_j\}$.
- An $RPS_f$ $(s_i)$ will be called an Asymmetric (reversible) Parametric Sequence associated to $f$, or $APS_f$, if it is computationally infeasible to determine the function $h_{(i,j)}$ from $\{a_{i+1}, a_{i+2}, \ldots, a_j\}$ alone.

[Figure 1: Two $RPS_f$ sequences mapped over a tree.]

Example: Let $p$ be a large prime number.
Let $(n_i)$ be a set of numbers in $\mathbb{Z}_{p-1}$ and $g$ be a generator of the cyclic group $\mathbb{Z}_p$. Define $f$ as $f(x, a) = x^a \bmod p$. The following sequence is an $SPS_f$: $s_i = f(s_{i-1}, n_i) = g^{n_1 n_2 \cdots n_i} \bmod p$, with $s_0 = g$.

2.2 $RPS_f$'s over a General Tree

A tree can map a family of $RPS_f$s which have terms that differ only after a certain rank, greater than 1. For example, if $s^1$ is an $RPS_f$ defined from the parameter sequence $\{a_1, a_2, b_3, b_4\}$ and $s^2$ is an $RPS_f$ defined from the parameter sequence $\{a_1, a_2, c_3, c_4\}$, a simple tree that maps $s^1$ and $s^2$ can be constructed as in figure 1. This tree illustrates the fact that $s^1$ and $s^2$ differ after rank 2. This property can be extended to a large number of $RPS_f$s, with a tree that branches each time at least two sequences differ. The nodes of the tree denote the $f$ function and the edges are the elements $s^i_j$ of the $i$ different $RPS_f$s mapped over that tree. All the sequences mapped over the same tree share at least two elements, namely $s_0$ and $s_1$. These two values are the input and the output, respectively, of the root node of the tree. In the following discussion, $(s^i)$ will refer to the $RPS_f$ mapped over the path that connects the root to the $i$th leaf of a tree. The corresponding reversing functions will be denoted $h^i_{(\cdot,\cdot)}$.

3 Multicast Security

The goal of multicast security is to assure that the source of the multicast stream and the group of multicast recipients communicate securely. This can be achieved through the authentication of the message origin by the recipients and through confidentiality and integrity preventing disclosure and modification of the messages by any party other than the members of the multicast group. These services typically require the establishment of a security association between the source and the recipients of the multicast channel. The security association defines the set of cryptographic keys and algorithms used for each service. While authentication, confidentiality and integrity of messages in the multicast stream can be assured by classical network security mechanisms akin to unicast, the establishment of a security association for a multicast channel is inherently more complex than with unicast. In the unicast case, a security association is static in that the source, the recipient and the data flow do not vary during the association. In a dynamic multicast group, a session is an ever evolving entity as recipients can be added to or removed from the recipient group through join and leave operations, respectively. Ideally, the keying material shared by the members of the multicast security association should be updated in order to fulfill the following conditions:

1. When a user JOINs the group he should not have access to past keying material.
2. When a user LEAVEs a group he should not have access to future keying material.

Hence, some keying material must change each time the set of users in a multicast group changes. It should be noted that the above conditions apply for the highest security requirements and they can be relaxed for multicast applications with less critical security requirements. Moreover, as a group gets larger, it is not acceptable to share the same keying material between all users of the group. The security of a large group should not depend on its weakest member(s). If the keying material of a user is intentionally or unintentionally exposed, the security of the group should not be compromised, in that only a small fraction of the recipient group should be affected by the exposure.

3.1 Scalability

Naturally, while offering security services, the multicast spirit needs to be preserved: the amount of multicast data sent by the source should be independent of the group size. This also means that the cost in space and processing of the security services at each receiver should be constant, and therefore not correlated to the group size. Suvo Mittra has described [6] two main scalability pitfalls in multicast security:

1. The "one affects all" failure, which occurs when the action of a member affects the whole group.
2. The "one does not equal n" failure, which occurs when the group cannot be treated as a whole but instead as a set of individuals with competing demands.

As noted in [6], JOIN and LEAVE procedures are candidates for exhibiting such failures if they are not carefully designed. In a straightforward multicast security protocol where each member $M_i$ of the group has an individual key $K_i$ used for the distribution of the group key $K$, at the departure of a member the security conditions introduced in section 3 would require a new key $K'$ to be distributed to all remaining members. This simple scenario illustrates both scalability failures: the departure of one member affects the entire group through the key update procedure, and the remaining members of the group must be treated individually during the key update, since the new group key $K'$ must be placed in a separate envelope encrypted under the key distribution key ($K_i$) of each remaining member. As highlighted in this example, multicast security requirements naturally call for solutions that conflict with scalability.

3.2 Conflicting Requirements

Extending the security requirements of unicast with the ones due to scalability and group dynamics, the requirements of a security protocol for data confidentiality in a dynamic multicast group can be summarized as follows:

1. Data confidentiality: the protocol should be immune to eavesdropping.
2. JOIN and LEAVE security: a new (resp. old) member should not have access to past (resp. future) data exchanged by the group members.
3. Containment: the compromise of one member should not cause the compromise of the entire group.
4. Static scalability: the processing load supported by an individual component (be it the source, an intermediate forwarding component or a recipient) should be independent of the group size.
5. Dynamic group scalability: the actions performed by an individual component should not affect the group as a whole.
6. Transparent group scalability: the group should not require to be treated as a set of distinct individuals.

At first glance these points seem to offer nests for contradictions. For example, points 3 and 5 call for the clustering of group members into different subgroups with different security parameters. However, points 4 and 6 require the group to be treated as a whole. More generally, it is easy to see that the source and the recipients have opposite requirements. Scalability requires the source to consider the entire group as a single entity whereas security requires each recipient to be treated individually.

Many multicast or group security schemes have been proposed that all satisfy the first requirement. However, they differ widely from one another on the remaining requirements: [1] does not make provisions for containment nor join and leave security, [9][1] do not offer scalability in large groups. Only [6] and [12] seem to address both security and scalability requirements in large dynamic groups.

3.3 Motivation for the Proposed Multicast Security Framework

The main motivation of the solution proposed in this paper is to solve the basic conflict between scalability and security akin to multicast security in order to come up with a solution that can scale up to large networks. We suggest that the conflict between scalability and security can be overcome by involving the intermediate components of the multicast communication in the security process. Intermediate components, be they network nodes, routers, or application proxies, are inherent participants in the basic multicast transmission process. The key scalability factor in the basic multicast transmission schemes is the spread of the multicast routing and packet forwarding load over a network of intermediate nodes. Placing security mechanisms on existing intermediate components seems to be a natural extension of existing multicast protocols. Moreover, partitioning the cost of security mechanisms over the intermediate components appears to be a good way of assuring scalability. When the multicast group grows, new intermediate components are added to support new group members and the cost of security mechanisms can still be equally distributed by placing the additional security processing load due to the new members on the new intermediate components. The involvement of intermediate components in the security process is also a premise for meeting multicast security requirements. If the security mechanisms can be made dependent on the intermediate component in which they are implemented, group members attached to different intermediate components can be treated independently or with different keying material.

In addition to its relationship with the group membership, the keying material can have a relationship with the topology of the multicast network. The keying material associated with each group member can thus be a function of the intermediate component to which the member is attached. This topological dependency assures the containment of security exposures: if some keying material belonging to a group member attached to an intermediate node is compromised, this keying material cannot be exploited by recipients attached to other intermediate nodes. We introduce our solution in two steps: first, we define a general framework for multicast data confidentiality based on distributed mechanisms involving intermediate components and preserving the scalability and security properties; then we propose actual solutions based on cryptographic functions that comply with the framework.

4 Multicast Security Framework

The proposed multicast security framework consists of a model that is an abstract definition of the components involved in the security mechanisms, and the relationship between them, which is an application of the functions we defined in section 2.

4.1 Model

In the abstract definition of the framework, the components of the multicast security framework form a tree. The root of the tree is the multicast source and the members of the multicast group form the leaves of the tree. The intermediate nodes of the tree, referred to as nodes, correspond to the intermediate components of the multicast communication. Like the multicast scheme itself, nodes can be implemented at the application layer or at the network layer. In the case of application layer multicast, nodes can be application proxies, such as those in a hierarchical web caching structure. In the case of network layer multicast, nodes can be intelligent routers capable of performing security operations in addition to multicast packet forwarding functions. In a further abstraction, each leaf of the tree will represent the set of group members attached to the same terminal node. In the application layer case, a leaf will delimit a sub-group of members attached to a proxy.
In the network layer case, a leaf will delimit a sub-network of recipient stations attached to a router. Hence a leaf will refer to a set of multicast group members with a common attachment node in the tree. If the set of users represented by a leaf becomes too large, the leaf can easily be subdivided into several "subleaves" by adding new nodes. Hence the leaf size in terms of the group members it represents is not a scalability issue for algorithms that treat a leaf as a single entity.

4.2 $RPS_f$'s over a Multicast Tree

Next, we turn to multicast by applying the previous concept of $RPS_f$ from section 2 over a tree as a means of performing secret transforms in multicast communications. Let $s_0$ be the information to be transmitted over the multicast channel by the source under confidentiality. Furthermore, $s_0$ might either be the actual data or an encoding thereof, if possible data values are different from possible values that $s_0$ can take on from the point of view of the security algorithm. As part of the setup for a series of secure multicast transmissions, each node $N_i$ is assigned a secret value $a_i$, $i > 1$. Each node is capable of performing the function $f$ as defined in the previous section. During a secure multicast transmission, upon receipt of multicast data $s_j$ from its parent node $N_j$, node $N_i$ computes $f(s_j, a_i)$ and forwards the resulting value $s_i$ as the secure multicast data to the child nodes or the leaves. Assuming $(s_i)$ is an $RPS_f$ mapped over a path from the root to a leaf on the multicast tree, the leaf will eventually receive $s_{n_i}$, which is the final term of the $RPS_f$. The leaves in the multicast tree bear a special role in that they are able to recover the original message. Each leaf is assigned a function $h^i_{(0,n_i)}$ that allows it to compute $s^i_0 = s_0$ from $s^i_{n_i}$, since $s_0 = h^i_{(0,n_i)}(s^i_{n_i})$. On the other hand, the leaves don't use the function $f$. The distribution of the secret $a_i$ values to the nodes and of the reversing functions to the leaves can be assured by a central server using classical unicast security mechanisms. Because of the structure of the algorithm, the central server will need to have a precise image of the tree structure. This doesn't mean, however, that the functionality of this server cannot be distributed over several network entities.

Working example: Figure 2 depicts a simple tree with three $RPS_f$s. Looking at the path from the root to leaf 3 on figure 2, we have:

- The root computes $f(s_0, a_1)$ and sends the result to its children nodes.
- $N_1$ receives $s_1 = f(s_0, a_1)$, computes and sends $f(s_1, a_7)$ to $N_2$.
- $N_2$ receives $s_2 = f(s_1, a_7)$ and sends $f(s_2, a_8)$ to leaf 3.
- Leaf 3 receives $s_3 = f(s_2, a_8)$ and recovers the original multicast data by computing $s_0 = h^3_{(0,3)}(s_3)$.

4.2.1 The Join Procedure.

When a user joins a group by contacting a node, two situations can arise:

1. a leaf (sub-group) attached to this node already exists.
2. there is no leaf attached to this node prior to the current join operation.
[Figure 2: A simple $RPS_f$ tree.]

[Figure 3: User C joins/leaves.]

In the former situation, an $RPS_f$ sequence $(s^i)$ is already mapped between the source and the members in the existing leaf. The last node on the path, which holds parameter $a^i_{n_i}$, will be assigned a new value $\tilde{a}^i_{n_i}$, updating the last transformation in the sequence. Hence, the corresponding new $\tilde{h}^i_{(0,n_i)}$ function will be distributed to all the members in the leaf, including the new member. In the example of figure 3, where C wishes to join the leaf including existing members A and B, the join operation will perform as follows:

1. $a_8$ will be substituted by $\tilde{a}_8$ in the last node.
2. $\tilde{h}_{(0,4)}$ will be sent to A, B, C.

If $M$ is the upper bound on the number of members in a leaf, a join operation requires the exchange of the following messages: 1 message sent to update the value in the last node on the path, at most $M - 1$ messages sent to the current members in the leaf, and 1 message sent to the new member. A join operation thus requires at most $M + 1$ message exchanges.

In fact, it is possible to reduce the number of messages to 3 by slightly changing the order of operations in the join procedure. Instead of changing the value $a^i_{n_i}$ in the node right away, it is possible to use the secure sequence to carry the new $\tilde{h}^i_{(0,n_i)}$ function to the current members in the leaf, thus reducing the update to one message (versus an upper bound of $M - 1$ messages). Then the value $a^i_{n_i}$ in the node can be changed and the new $\tilde{h}^i_{(0,n_i)}$ function transmitted to the joining member. However, this approach has a drawback: it creates a chain between the different values of $\tilde{h}^i_{(0,n_i)}$ which potentially weakens the security of the scheme. Unless the cost of individually sending a message to each member in the leaf is more important than the security of the group, such an option should be avoided.

In the second case, the authority which receives a join request has to figure out the path from the new member to the closest node in the active tree. The path establishment method used in this case depends on the layer (application/network) at which the multicast security scheme is implemented. A similar decision has to be taken by IP multicast routing algorithms when a new router needs to be included in a multicast routing tree. Once the path to the new member is selected, the authority will assign values to the newly added nodes on the path, thus extending the $RPS_f$ mapping. Finally, the new member will receive the $h^i_{(0,n_i)}$ function needed to recover the original multicast data in the created $RPS_f$. Hence, he is the only member of the new leaf in the tree. The number of messages exchanged here depends on the algorithm used to set the path between the new member and the tree. Consequently, as stated in section 3.3, this security framework would be a natural extension of multicast routing schemes. The number of messages exchanged here to create a new leaf can be assumed to be proportional to the number of messages exchanged by the multicast routing protocols when adding a new element in the multicast tree.
In many cases, it will be possible to perform the node setup ahead of time, leaving only the $h^i_{(0,n_i)}$ function to be distributed when the member effectively joins. The authority that manages the group does not need to be the root itself, and its functionality can be distributed in a tree hierarchy where each sub-authority manages a multicast subtree.

4.2.2 The Leave Procedure.

The leave procedure is similar to the join procedure. When a user leaves a leaf in the tree, the value in the terminal node is changed from $a^i_{n_i}$ to $\tilde{a}^i_{n_i}$ and the new $\tilde{h}^i_{(0,n_i)}$ function is distributed to the remaining nodes in the tree. In effect, the associated $RPS_f$ sequence has its last term changed.

4.3 Evaluation of the Framework

The previous discussion has focused on the use of $RPS_f$ to achieve data confidentiality over a multicast tree. This section will show how the $RPS_f$ construct meets the requirements established in 3.2, assuming that the intermediate nodes are trusted and secure. The implications of node compromise will be discussed in the next section.

4.3.1 Data Confidentiality

A secret message $x$ transmitted by the source cannot be retrieved from the multicast data obtained by intruders eavesdropping on any of the links of the secure multicast tree. Retrieving $x$ from multicast data exchanged on an intermediate link would require the computation of the inverse of $f$ which, by definition, is computationally infeasible. Retrieving $x$ from the multicast data transmitted to a leaf over the last hop of a multicast path is also impossible because the secret reversing function $h^i_{(0,n_i)}$ cannot be retrieved without the knowledge of at least the secret $a_i$ values assigned to the nodes included in the path. In addition, if the multicast security scheme is based on an $APS_f$, even the disclosure of the $a_i$ values would not compromise data confidentiality, as discussed in section 4.4. Data confidentiality is an obvious consequence of the way the model was defined. The degree of security of the one-way function $f$ should be evaluated on a per-algorithm basis, as in sections 6 and 7.
4.3.2 JOIN and LEAVE Security

A new member joining a leaf gets a new reversing function $\tilde{h}^i_{(0,n_i)}$ that cannot be used to recover the old reversing function $h^i_{(0,n_i)}$. As a consequence, past data is not accessible to a new member. Similarly, a former member using an old reversing function cannot access data that is transmitted subsequently to its departure.

4.3.3 Containment

Because of the topological dependency introduced by the model, the reversing function $h^i_{(0,n_i)}$ used in a leaf of the tree will be useless outside that leaf. An intruder will only benefit from an attack if he is located in the same leaf as the victim. This greatly reduces the impact of a member compromise.

4.3.4 Static Scalability

The amount of processing per component is independent of the group size. First, in our framework, the size of messages transmitted by a node (be it the source or an intermediate component) does not depend on the number of group members but only on the size of the original secret message. Second, the number of messages transmitted by a node does not depend on the number of group members but only on the number of child nodes attached to this node.

4.3.5 Dynamic Group Scalability

There are three basic actions a group member can perform, namely join, leave and receive data. The model is designed so that none of these actions affects the whole group. In fact, these actions have an impact that is limited to the leaf containing the member performing them, as shown in section 4.2.1. The "one affects all" type of failure never appears.

4.3.6 Transparent Group Scalability

The "1 does not equal n" type of failure never appears over the group as a whole; instead, it is confined to the leaves in which join or leave operations occur. Since the leaves have a maximum size, this is not a scalability issue. All other operations, including re-key, address the group as a whole.

4.4 Node Compromise.

The previous section assumed that the nodes of the tree were completely secure. This has to be true for the root node of the tree, but it might not be possible to make such an assumption about the intermediate nodes in the network. Hence the following section will focus on the impact of intermediate node compromise. Two types of attacks that derive from node compromise are highlighted in this section: unauthorized membership extension and node compromise by external users. Unauthorized membership extension happens when a former member of the secure group is able to maintain access to the data even though he has not received the new reversing function. Node compromise by external users more generally describes unauthorized access to the group by users that never became group members.

4.4.1 Unauthorized Membership Extension

If a member Eve in leaf $i$ controls the last node on the path from the source to leaf $i$, he can intercept changes in the last parameter of the $RPS_f$. Let $N$ be the last node on the path from the root to leaf $i$ of the tree and $a$ the secret held by $N$.
N receives $a_i^{j-1}$ from its parent node and sends $a_i^j = f(a_i^{j-1}, \alpha_{i,j})$ to the leaf elements, which will use the $h_{i(0,j)}$ reversing function to recover $a_0$. If the group membership manager decides that Eve must leave the group, the value $\alpha_{i,j}$ in N will be changed to a new value $\tilde{\alpha}_{i,j}$ and the corresponding reversing function $\tilde{h}_{i(0,j)}$ will be sent to all leaf members except Eve. Despite its formal exclusion from the group, Eve can ignore the change in the router and compute $a_0$ from $a_i^{j-1}$ using $\alpha_{i,j}$ and the old reversing function $h_{i(0,j)}$ obtained through the compromise of node N, simulating the older sequence, where $a_0 = h_{i(0,j)}(f(a_i^{j-1}, \alpha_{i,j}))$. This attack works whatever the nature of the sequence, APS_f or SPS_f, but requires several conditions to be met:

1. Eve should be a former member of the group.
2. Eve should be able to access the secret parameter $\alpha_{i,j}$ held by node N.
3. Eve should have access to the data transmitted to node N by its parent node (i.e. $a_i^{j-1}$).

Moreover, updates of $\alpha$ values in nodes at a higher level will limit the scope of this attack because the resulting reversing functions cannot be retrieved based on the information gathered in a leaf or from the compromise of the last node.

A SPS_f specific attack

Condition 2 described in the previous paragraph is not required if the sequence is a SPS_f. To work around condition 2, the intruder first computes $\tilde{h}_{i(j-1,j)}$ from $\tilde{\alpha}_{i,j}$, because the sequence is symmetric. Now, using $\tilde{h}_{i(j-1,j)}$ and the new sequence value $\tilde{a}_i^j$ received in the leaf, the former member computes $a_i^{j-1} = \tilde{h}_{i(j-1,j)}(\tilde{a}_i^j)$. Next, the former member uses the value $\alpha_{i,j}$ obtained through the compromise of N to compute $a_i^j = f(a_i^{j-1}, \alpha_{i,j})$. Finally, applying the old reversing function $h_{i(0,j)}$ to $a_i^j$, we have $a_0 = h_{i(0,j)}(a_i^j)$, where $a_0$ is the original multicast data. This attack doesn't apply in an APS_f tree because by definition $\tilde{h}_{i(j-1,j)}$ cannot be deduced from $\tilde{\alpha}_{i,j}$.

4.4.2 Node Compromise by External Users

If the intruder Eve is not even a former member of the group, an attack is still possible if the sequence is symmetric, provided that:

1. Eve has access to the value of the reversing function used by a legitimate member.
2. Eve controls all the nodes on the path between him^1 and the legitimate member except the first common ancestor they have in the tree.

^1 Eve does not have to be in a real leaf, he can simply intercept traffic somewhere in the tree.

If these conditions are met, Eve will be able to forge a reversing function he can use to access the group. Instead of a lengthy formal discussion, we chose to illustrate the attack with the example scenario depicted on figure 6, where the malicious user Eve gets multicast data $a_2^3$ from node $N_5$. If Eve knows $h_{3(0,3)}$ from a compromised user and $\{\alpha_2, \alpha_5, \alpha_7, \alpha_8\}$, he can compute $a_2^2 = h_{2(2,3)}(a_2^3)$, because $h_{2(2,3)}$ can be derived from $\alpha_5$. Similarly, $a_3^1 = a_2^1 = h_{2(1,2)}(a_2^2)$, because $h_{2(1,2)}$ can be computed from $\alpha_2$. Then $a_3^2 = f(a_3^1, \alpha_7)$ and $a_3^3 = f(a_3^2, \alpha_8)$, yielding $a_0 = h_{3(0,3)}(a_3^3)$. Again, this attack doesn't apply to an APS_f based tree because reversing functions associated with an APS_f cannot be derived from the parameters used in the intermediate nodes.

4.4.3 Node Compromise Summary

The distinction between an APS_f and a SPS_f is totally relevant with respect to node compromise scenarios. Unlike [6], when using APS_f's our framework is immune to node compromise by external users. The framework does not however dictate the choice of an APS_f over a SPS_f as one could expect, because SPS_f are likely to be easier to design than APS_f. It should be noted that the security containment property is also effective in case of node compromise. Hence, the previously described node compromise scenarios don't allow the intruder to provide unauthorized access to just any other user in the network.

This section concludes the formal presentation of our secure multicast framework. The next sections present two implementations of this framework based on extensions of public key cryptographic schemes. The first scheme is a SPS_f and will therefore lend itself to further description of a concrete node compromise scenario.

5 Key Distribution

Depending on the performance of function f, our framework can be used either for bulk data confidentiality or only for key distribution. Current symmetric cryptographic systems provide sufficient encryption speed but they don't exhibit the mathematical properties required to create a RPS_f.
On the other hand, asymmetric cryptography offers suitable properties to build a solution compliant with the framework but it doesn't yet offer the necessary performance for bulk data confidentiality. Consequently, the next two sections will describe implementations of the framework based on asymmetric cryptography for multicast key distribution. The first scheme, derived from the El Gamal encryption algorithm, allows the creation of a SPS_f key distribution tree, whereas the second scheme, based on RSA, effectively creates an APS_f key distribution tree.

Using a RPS_f tree, the source can distribute a secret key k by initialising the sequences with $a_0 = k$ (or otherwise a function of k). The data confidentiality mechanism of the secure multicast framework will allow k to be securely transmitted to the members of the group. The source can frequently update k but, unlike the reversing function that is different in each leaf, k is shared among all members of the group, so the exposure of k affects the group as a whole. However, unlike the reversing function that enables each member to access the multicast group, the shared key k is a short term value that can be frequently updated by the source using the secure multicast framework. Successive values of k are independent.

6 Key Distribution using the Discrete Log

The discrete log problem used in the El Gamal cryptosystem can be used to create a RPS_f. Let p be a large prime and let f, the node operation, be defined as $f(x, \alpha) = x^{\alpha} \bmod p$. If $y = f(u, v)$, it is computationally infeasible to compute v from (u, y).

6.1 Setup

The source chooses a generator g of the cyclic group $Z_p^*$ and a secret random value r in $Z_{(p-1)}$. The nodes and the root are assigned values $i_k > 0$ in $Z_{(p-1)}$ (see footnote 2). The initial value of the sequence is set to $a_0 = g^r \bmod p$. Let $\{a_k, k > 0\}$ denote the sequence elements. The reverse function distributed to the nodes is defined as:

$h_{k(0,n_k)}(x) = x^{(i_1 \cdot i_2 \cdot i_3 \cdots i_{n_k})^{-1}} \bmod p$

^2 Naturally, we should avoid the unlikely case that $\prod_k i_k = 1$ on the path from the root to the i-th leaf.

Figure 4: A discrete log tree, where the function f performed in each node is defined as $f(x, i_k) = x^{i_k} \bmod p$. The figure shows the path root -> $N_1$ -> $N_2$ -> leaf 3, with $a_1 = a_0^{i_1}$, $a_2 = a_0^{i_1 i_7}$ and $a_3 = a_0^{i_1 i_7 i_8}$; recalling the previous example, where $h_{3(0,3)}(x) = x^{(i_1 i_7 i_8)^{-1}} \bmod p$, the value of K is computed simply from T and $a_0$.

6.2 Key Distribution

The source wishing to distribute a key K sends the following initial data to its children in the tree: $a_1 = (a_0)^{i_1} \bmod p$ and T, the key K masked with $a_0$. The intermediate elements in the tree perform f on their input $a_{k-1}$ and send $a_k$ to their children, along with T, where:

$a_k = f(a_{k-1}, i_k) = (a_{k-1})^{i_k} \bmod p$

An example of this scheme is illustrated on the path from the root to leaf 3 of the tree on figure 4: the source sends $a_1 = (a_0)^{i_1} \bmod p$ and T to its children. $N_1$ receives $(a_1, T)$ and sends $a_2 = (a_0)^{i_1 i_7} \bmod p$ and T to its children. $N_2$ receives $(a_2, T)$ and sends $a_3 = (a_0)^{i_1 i_7 i_8} \bmod p$ and T to leaf 3.

6.2.1 Decryption

The decryption process is straightforward: the reverse function h is simply applied to the received value, and the result is used to extract K from T:

$a_0 = h_{3(0,3)}(a_3) = ((a_0)^{i_1 i_7 i_8})^{(i_1 i_7 i_8)^{-1}} \bmod p$

6.2.2 The Next Key

The next key to be sent, $\tilde{K}$, only requires $a_0 = g^r \bmod p$ to be changed to a new $\tilde{a}_0 = g^{\tilde{r}} \bmod p$ in $Z_p^*$. The initial value of the sequence is changed for every message. It should be noted here that if g is a generator of $Z_p^*$ then $g^r$ and $g^{\tilde{r}}$ are also generators of the cyclic group because r and $\tilde{r}$ are invertible [7] in $Z_{(p-1)}$. Transitively, this means that all elements in the created RPS_f sequence are generators. This assures a constant strength of the transformations in the RPS_f, which is a sequence of generators of $Z_p^*$.

6.3 Node Compromise and Member Collusion

Many of the requirements established in section 3.2 are naturally fulfilled by implementing the framework as described above. However, member collusion and node compromise need to be considered on a per-algorithm basis.

6.3.1 Node Compromise

The previously described sequence is clearly a SPS_f because the reversing functions can be computed with the knowledge of the secret parameters in the nodes.
Figure 5: Node compromise. The tree of figure 4 ($a_1 = a_0^{i_1}$ at $N_1$, $a_2 = a_0^{i_1 i_7}$ at $N_2$, $a_3 = a_0^{i_1 i_7 i_8}$ at leaf 3), with leaf 3 containing the members A, B, C and E.

Figure 6: Multiple node compromise attack. Eve, outside the group, listens to the traffic leaving $N_5$ and holds a reversing function obtained from a member of leaf 3.

Hence, compromise of the nodes offers some potential for unauthorized membership extension as described in 4.4. Figure 5 will illustrate the node compromise scenario. The hypothesis here will be that a malicious member E of leaf 3 wishes to maintain membership in the group using the information of the terminal node $N_2$ he has compromised. In a normal scenario where node compromise is not taken into account, in a leaf consisting of members {A, B, C, E}, when E leaves, the following actions take place: in $N_2$, $i_8$ is changed to $\tilde{i}_8$. The newly computed reverse function $\tilde{h}_{3(0,3)}$ is sent to {A, B, C} but not to E. Once the leave procedure is complete, E cannot access further keys distributed to {A, B, C}: it cannot derive $\tilde{h}_{3(0,3)}$ from $h_{3(0,3)}$.

However, in the case of node compromise, if E controls the last node, he can monitor the change from $i_8$ to $\tilde{i}_8$. E can then derive $\tilde{h}_{3(0,3)}$ from $h_{3(0,3)}$, because if $h_{3(0,3)}(x) = x^{(i_1 i_7 i_8)^{-1}} \bmod p$ then:

$\tilde{h}_{3(0,3)}(x) = x^{(i_1 i_7 i_8)^{-1} \, i_8 \, \tilde{i}_8^{-1}} \bmod p$

In summary, even if E doesn't receive the new reversing function, he will be able to compute it and thus access the keys distributed subsequently to the leave operation.

This attack can be extended to allow a malicious user to derive a reversing function from another one even if the reverse function comes from another leaf. It requires the attacker to compromise nearly all the nodes on the graph between him and the compromised member. Figure 6 will serve as an example where user E, not a member of the group, listens to traffic coming out of $N_5$. The malicious user is assumed to know the node parameters $\{i_2, i_5, i_7, i_8\}$ as well as $h_{3(0,3)}$ from a compromised member in leaf 3. With these conditions together, E can compute a new local reverse function $h_{2(0,3)}$ from $h_{3(0,3)}$, thus breaking the clustering appeal of the model: since $h_{3(0,3)}(x) = x^{(i_1 i_7 i_8)^{-1}} \bmod p$, E can compute

$h_{2(0,3)}(x) = x^{(i_1 i_2 i_5)^{-1}} \bmod p = h_{3(0,3)}(x)^{i_7 i_8 (i_2 i_5)^{-1}} \bmod p$

This second attack assumes that the nodes are easy to compromise, and the first one makes strong assumptions about the compromise power of the attacker. While these attacks on SPS_f's might be considered hard to implement in some cases, the possibility itself pushed us to study a second and stronger construction based on APS_f's, as described in section 7.

6.3.2 Member Collusion

A set of colluding members could compare their reversing functions to try to extract additional information.
Distributing a reversing function of the form $h(x) = x^{y_i} \bmod p$ actually consists of distributing the exponent $y_i = (i_1 i_2 \cdots i_n)^{-1} \bmod (p-1)$. A possible collusion attack would aim at deriving some individual sequence values $i_k$ based on the knowledge of $\{y_1, y_2, \ldots, y_n\}$ by the colluding members. A trivial scenario in which the collusion attack can succeed occurs if at least one sequence is included in another. This can easily be prevented if none of the terminal nodes for one sequence is used as an intermediate node for another sequence.

7 Key Distribution using RSA

Extending RSA to use multiple keys as in [5] allows the creation of an APS_f scheme. As in RSA, let n = pq where p and q are carefully chosen large primes. The node function is defined as $f(x, \alpha) = x^{\alpha} \bmod n$.

7.1 Setup

The setup is even simpler here than in the discrete log case. Each node in the tree is assigned a value $i_k > 1$ and the root uses 1, where $\gcd(i_k, \varphi(n)) = 1$. This assures that the product A of any subset of these $i_k$ values also verifies $\gcd(A, \varphi(n)) = 1$. The multiplicative inverse B of A, defined as $AB \equiv 1 \pmod{\varphi(n)}$, can be computed using the Euclidean algorithm.

Let $\{i_k > 0\}$ denote the set of parameters used in the nodes between the source and leaf k, plus $i_1 = 1$ in the root. The reversing function distributed to the nodes is defined as:

$h_{k(0,n_k)}(x) = x^{D_k} \bmod n$, where $(i_1 \cdot i_2 \cdots i_{n_k}) \cdot D_k \equiv 1 \pmod{\varphi(n)}$

Like the basic RSA algorithm, the security of this scheme relies on the difficulty of factoring n, that is, computing $D_k$ requires the knowledge of $\varphi(n)$, which currently seems to be only derivable from the factors of n = pq.

7.2 Key Distribution

The source wishing to distribute a key K sends the following value to its children in the tree: $a_0 = K$, $a_1 = (a_0)^{i_1} \pmod n$. Each node $n_i$ in the secure multicast tree processes the $a_{i-1}$ value received from its parent node and sends $a_i$ to its children nodes, where:

$a_i = f(a_{i-1}, i_i) = (a_{i-1})^{i_i} \pmod n$

Recalling figure 5 while assuming an RSA-like APS_f sets the following scenario on the path from the root to leaf 3 of the tree: the root sends $a_1 = (a_0)^{i_1} \bmod n$ to its children. $N_1$ receives $a_1$ and sends $a_2 = (a_0)^{i_1 i_7} \bmod n$ to its children. $N_2$ receives $a_2$ and sends $a_3 = (a_0)^{i_1 i_7 i_8} \bmod n$ to leaf 3.

7.2.1 Decryption

The decryption process is also simpler than in the discrete log case. The decryption function h is applied to the received value in the leaf to recover K. For example, on figure 6:

$K = a_0 = h_{3(0,3)}(a_3) = ((a_0)^{i_1 i_7 i_8})^{D_3} \bmod n$, assuming $i_1 i_7 i_8 \cdot D_3 \equiv 1 \pmod{\varphi(n)}$

7.2.2 The Next Key

Sending a new key $\tilde{K}$ only requires $a_0$ to be changed in the preceding description. Nothing else needs to be done.

7.3 Node Compromise and Member Collusion

The node compromise attack previously described in section 6 regarding the discrete log case does not apply here, essentially because the RSA based sequences are asymmetric: to compute a reversing function $h_{(i,j)}$, the knowledge of the intermediate parameters $i_{i+1}, \ldots, i_j$ wouldn't be sufficient, as $\varphi(n)$ is also required. However, the node compromise attack based on membership extension in section 4.4 is still possible with the RSA based scheme. Possible collusion scenarios do not lend themselves to the leakage of any secret information or capacity.
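The following Python toy instance is an added example, not code from the paper: it walks the path root -> N_1 -> N_2 -> leaf 3 of sections 6.2 and 7.2 with both constructions, then runs the leave procedure of section 4.2.2 at N_2 and checks that the old reversing exponent no longer recovers the key. It assumes T = K * a_0 mod p as the masking of K in the discrete log scheme (the text does not fix the operation), toy-sized primes, and node parameters chosen coprime to p-1 and phi(n); the exponents for the reversing functions are computed from the page's definitions.

```python
from math import gcd

# Added example, not the paper's code: a toy instance of the RPS_f key
# distribution tree on the path root -> N_1 -> N_2 -> leaf 3 (figure 4),
# with node parameters i_1, i_7, i_8.  All values are constructed and
# toy-sized.  Assumption: T = K * a_0 mod p masks K in the discrete log case.

def path_forward(a0, params, m):
    """Each node applies f(x, i) = x^i mod m to what its parent sent and
    forwards the result to its child (sections 6.2 and 7.2)."""
    a = a0
    for i in params:
        a = pow(a, i, m)
    return a

def reversing_exponent(params, order):
    """Exponent D of h(x) = x^D with (i_1 ... i_nk) * D = 1 mod order.
    order = p-1 is public in the discrete log tree (SPS_f); order = phi(n)
    is known only to the root in the RSA tree (APS_f)."""
    prod = 1
    for i in params:
        if gcd(i, order) != 1:
            raise ValueError("node parameter must be invertible mod order")
        prod = prod * i % order
    return pow(prod, -1, order)

# Discrete log tree (section 6).  p = 1019 is prime with p-1 = 2*509 and
# p = 3 mod 8, so 2 is a generator of Z_p^*.  Constructed toy values.
P, G = 1019, 2

def dl_send(K, r, params):
    """Source sets a_0 = g^r mod p, sends a_1 = a_0^{i_1} and T = K*a_0;
    the nodes transform a along the path and forward T unchanged."""
    a0 = pow(G, r, P)
    return path_forward(a0, params, P), K * a0 % P

def dl_recover(a_leaf, T, d):
    """Leaf applies h(x) = x^d mod p to get a_0 back, then unmasks K."""
    a0 = pow(a_leaf, d, P)
    return T * pow(a0, -1, P) % P

# RSA tree (section 7): n = pq with constructed toy primes.
RSA_P, RSA_Q = 61, 53
N, PHI = RSA_P * RSA_Q, (RSA_P - 1) * (RSA_Q - 1)

def rsa_send(K, params):
    """Source sets a_0 = K; each node raises to its parameter modulo n."""
    return path_forward(K, params, N)

def rsa_recover(a_leaf, D):
    """Leaf applies h(x) = x^D mod n and obtains K directly."""
    return pow(a_leaf, D, N)

def demo():
    """Round trip with (i_1, i_7, i_8) = (7, 11, 17), then the leave
    procedure of 4.2.2: N_2 replaces i_8 by 19, the remaining members get
    a new reversing exponent and the old one fails on the new sequence."""
    K, r = 123, 77
    old, new = [7, 11, 17], [7, 11, 19]
    d_old = reversing_exponent(old, P - 1)
    d_new = reversing_exponent(new, P - 1)
    a3, T = dl_send(K, r, old)
    a3_new, T_new = dl_send(K, r, new)
    rsa_ok = rsa_recover(rsa_send(K, old), reversing_exponent(old, PHI)) == K
    results = (dl_recover(a3, T, d_old) == K,
               dl_recover(a3_new, T_new, d_old) != K,
               dl_recover(a3_new, T_new, d_new) == K,
               rsa_ok)
    return results  # (True, True, True, True)
```

Note that reversing_exponent needs only p-1 in the discrete log case, so anyone holding the path parameters can build or update a reversing function (the SPS_f behaviour of section 6.3.1), whereas the RSA case needs phi(n), which only the root has.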
8 Related Work

Some other papers have presented schemes that address some of the requirements highlighted in section 3.2. However, only [12] and [6] seem to address both scalability and security. Hence we will focus our comparison on those two schemes, which differ from ours in mainly two areas: containment and trust. Moreover, we will look at the particular implication of using our scheme for key distribution.

Trust

Though our solution uses intermediate components, it has a major difference with [6]: our framework does not put any trust in the intermediate components, whereas in [6] each intermediate component has access to the multicast data. This problem does not appear in [12] since no intermediate elements are involved. Hence, even though we use intermediate elements, our scheme is equivalent to [12] in terms of trust.

Containment

In terms of containment, our scheme is equivalent to [6], where each subgroup uses a different key to access the multicast data. On the other hand, [12] does not address containment issues even though it uses a tree structure. In that scheme, the keys held by any user can be used to access the multicast group anywhere and all users are equivalently trusted with the security parameters of the group.

Key distribution

Though we offer higher security in terms of trust and containment, this has a cost. Indeed, [6] and [12] have a clear advantage over our scheme in terms of performance. This has led us to consider our scheme for key distribution and not bulk data encryption. In that respect the framework is used to distribute a short term data encryption key k. As this short term key is common to all recipients, it may look as if our scheme loses its containment advantage over [12]. However, the short term key can be frequently updated and its disclosure does not provide a means of long term group access to intruders. This is because in our scheme the group membership is represented by the long term reversing functions that are different in each leaf of the multicast tree, as opposed to the shared secret group membership key of [12].

9 Conclusion

This paper has presented a framework designed to support data confidentiality in large dynamic multicast groups. The framework meets a set of requirements wider than the previous work. While covering scalability, the new concept of containment was introduced, as we believe the latter is a key requirement in very large groups. The introduction of Reverse Parametric Sequences, or RPS_f, permits a formal but yet practical description of the framework elements, with a voluntary distinction between symmetric and asymmetric behaviors. The mapping of these sequences over a multicast tree is the core mechanism that allows this framework to meet the previously described requirements. Next, two key distribution schemes have been exposed as implementations of the framework. Further detailed studies of those two schemes, each of which would deserve a complete paper, will be necessary before a concrete implementation. Nevertheless, these two schemes have served as a proof of concept for the framework and they have allowed us to discuss the implication of various node compromise scenarios, as the possibility of node compromise cannot be neglected in a large multicast network. The next major step would be the design of effic, efficient functions that could be used to build RPS_f's that operate on bulk data, in order to fully capitalize on this framework. Beyond just multicast, such functions will have applications in many group security problems.

References

[1] Tony Ballardie, "Scalable Multicast Key Distribution", RFC 1949, May 1996.
[2] Tony Ballardie and Jon Crowcroft, "Multicast-Specific Security Threats and Counter-Measures", The Internet Soc. Symposium on Network and Distributed System Security, February 16-17, 1995, San Diego, California.
[3] Jan Camenisch and Markus Stadler, "Efficient Group Signature Schemes for Large Groups", Advances in Cryptology - CRYPTO'97, 1997.
[4] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms", Advances in Cryptology - CRYPTO'84, Santa Barbara, California, USA, 1984.
[5] Lein Harn and Thomas Kiesler, "Authenticated Group Key Distribution Scheme For A Large Distributed Network", Symposium on Security and Privacy, 1989.
[6] Suvo Mittra, "Iolus: A Framework for Scalable Secure Multicasting", In Proceedings of the ACM SIGCOMM'97, September 14-18, 1997, Cannes, France.
[7] Neal Koblitz, "A Course in Number Theory and Cryptography", Springer-Verlag, 1994.
[8] R. L. Rivest, A. Shamir, L. M. Adleman, "A method for obtaining digital signatures and public-key cryptosystems", Communications of the ACM, 21(2):120-126, 1978.
[9] Michael Steiner, Gene Tsudik, Michael Waidner, "Diffie-Hellman Key Distribution Extended to Group Communication", in Proceedings of the 3rd ACM Conference on Communications Security, March 14-16, 1996, New Delhi, India.
[10] M. Steiner, G. Tsudik, and M. Waidner, "Cliques: A protocol suite for key agreement in dynamic groups." Research Report RZ 2984 (#9), December 1997, IBM Zurich Research Lab.
[11] Debby M. Wallner, Eric J. Harder, Ryan C. Agee, "Key Management for Multicast: Issues and Architectures", Internet draft, Network working group, September 1998.
[12] C. K. Wong, M. Gouda, S. S. Lam, "Secure Group Communications Using Key Graphs", Technical Report TR 97-23, University of Texas at Austin, July 1997.