KAIST

Key Distribution and Update for Secure Inter-group Multicast Communication

Weichao Wang, Bharat Bhargava

Youngjoo, Shin2006.09.12

22/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Contents

IntroductionAssumptionsStraight forward approachNew approach

Secure group communicationKey update during group changes

DiscussionsConclusions

33/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Introduction

Secure multicast has become an important component of many applications in wireless networksTwo types of group communications

Intra-group communicationInter-group communication

This paper proposes a mechanism of key distribution and update for secure group communication

Intra-group communication Inter-group communication

44/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Assumptions

Network and communication modelThe links among wireless nodes are bidirectionalTwo neighboring nodes can always send packets to each otherA centralized group manager (GM) is in charge of key distribution and key update

Threat modelEavesdroppingImpersonationBackward secrecyForward secrecy

55/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

EPubG2(M)

Straight forward approach

GM deploys a public-private key pair for each group

G1 G2 G3

GM

PubG2

PubG3

PriG1

PubG1

PubG3

PriG2

PubG1

PubG2

PriG3

EPriG1(M)

66/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Straight forward approach

Three major disadvantagesThe public-private key encryption involves exponential computation

Not efficient for a wireless node

The GM will be overwhelmed by the computation overhead for generating secure public-private key pairs when a group changes

An attacker can easily impersonate another nodeSince the public keys are known to every node

77/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

New approach

Symmetric keys are used to protect the multicast traffic in intra-group communication

Polynomials are adopted to determine the keys to protect inter-group communication

Flat tables are adopted to distribute keys via broadcast when a group changes

88/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Secure group communication

Intra-group communication

i

G2

GM

Ki-GM - pairwise key shared between node i and the GMK2 - group key shared by members of G2

EKi-GM(K2)

j

EKj-GM(K2)

k

EKk-GM(K2)EK2(M)

EK2(M)

99/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Secure group communication

Inter-group communication

h(x) - t-degree polynomial to determine the keys for decrypting the multicast traffic from other group h(i) - personal key share to encrypt multicast traffic sent to the other group

j k

G1 G2 G3

GM

h12(x)h13(x)h21(j)h31(j)

Eh21(j)(M)i

h21(x)h23(x)h12(i)h32(i)

h31(x)h32(x)h13(k)h23(k)

Dh21(j)(Eh21(j)(M))

1010/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Secure group communication

Secret keys held by node i in group G2 and their usage

1111/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Secure group communication

Secret key refreshment using the flat tableFlat table

Consists of 2r keysr : the number of bits that are required to represent a node ID (r=┌log2n┐)

E.g., (z1.0, z1.1, z2.0, z2.1, … , zr.0, zr.1)

Every group has its own flat table

Every node has a set of keys in the flat table for its groupE.g., If r=4, a node ID with 10 can be represented as (1010)2

Flat table : (z1.0, z1.1, z2.0, z2.1, z3.0, z3.1, z4.0, z4.1)

The node has a set of keys (z1.1, z2.0, z3.1, z4.0)

Every pair of nodes in the same group must have at least one different keyBecause every node has a unique ID E.g., a node ID with 10 has a set of keys (z1.1, z2.0, z3.1, z4.0) a node ID with 11 has a set of keys (z1.1, z2.0, z3.1, z4.1)

1212/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Secure group communication

Secret key refreshment (Cont’d)The flat table has brought two features

Only one node in a group can decrypt the messageNode i will have the keys (z1.i1, z1.i2, z2.i3, z2.i4, … , zr.ir)

can be decrypt by only node I

All the nodes but one node can decrypt the messageNode i will have the keys (z1.i1, z1.i2, z2.i3, z2.i4, … , zr.ir)

can be decrypt by all the nodes but node i

1313/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Key update during group changes

Group joining operations

a

G1

GM

EK1(K’1)

b

EK1(K’1)

c

EK1(K’1)

i

Step1. Update group key K1

1414/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Key update during group changes

Group joining operations

a

G1

GM

M

b

c

i

Step2. Update the new flat table for group G1

M

M

M :

1515/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Key update during group changes

Group joining operations

a

G1

GM

b

c

i

Step3. Update the polynomials for inter-group communication

EK1(h’12(x), h’13(x))

M

M

M

M :

1616/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Key update during group changes

Group joining operations

a

G1

GM

b

c

i

Step4. GM distributes the keys to node i

EK1-GM(K’1, h’12(x), h’13(x), z’1.i1,…z’r.ir)

1717/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Key update during group changes

Group leaving operations

a

G2

GM

b

c i

Step1. Update group key K2

M MM

M

M :

1818/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Key update during group changes

Group leaving operations

a

G2

GM

b

c i

Step2. Update the new flat table for group G2

M :

M MM

M

1919/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Key update during group changes

Group leaving operations

a

G2

GM

b

c i

Step3. Update the polynomials for inter-group communication

M :

M MM

M

EK’2(h’21(x), h’23(x))

2020/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Discussions

Overhead

Compared to the group changes, the encryption and decryption of the traffics happen much more frequently

Additional transmission overhead for key refreshment is totally paid off

The adoption of polynomials enables the distribution of personal key shares

Difficult for an attacker to impersonate another node

When a node changes its group, new keys must be established by the group manager

Much efficient to choose several t-polynomials

2121/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Conclusions

Adopts polynomials to support the distribution of personal key shares

Employ flat tables to achieve efficient key refreshment

Reduces the computation overhead to process the packets

Becomes more difficult for an attacker to impersonate another node

2222/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Question?