1

Computer Science

Efficient Self-healing Group Key Distribution With Revocation Capability

Archana RajagopalCSC 774 Presentation

Based on Original Slides from Donggang Liu, Peng Ning, and Kun Sun

2Computer Science

Outline

• Motivation and background– Secure group communication in MANET

• Proposed solutions– Novel personal key distribution– Self-healing group key distribution– Improvements to reduce storage and

communication overheads

• Conclusions and future work

3Computer Science

Secure Group Communications in MANET

• Problem– How to distribute group keys?

• Challenges in MANET– Dynamic and volatile– Unreliable communication

• Lost packets, network partitions, relatively long term failures due to active attacks, …

4Computer Science

Related Work

• Extensive results on group key management– Group key distribution

• Tree-based scheme: LKH, Iolus, …

• Secret sharing-based scheme: Self-healing, …

– Group key agreement• GDH,TGDH, …

• Most existing techniques are not suitable for MANET– No fault tolerance => not applicable

– Simple fault tolerance => easy to disrupt, cannot deal with network partitions and active attacks

5Computer Science

Related Work (cont’d)

• Two potential candidates for MANET– Self-healing group key distribution

• Ability to recover lost session keys

• Staddon et al., Oakland 2002

– Stateless group key distribution• Ability to rejoin the group

• Cannot recover lost keys

• Naor, Naor, and Lotspiech (SDR), Crypto 2001

6Computer Science

Desirable Properties

• Unconditionally secure• Self-healing• t-revocation capability• t-wise forward secrecy

• t-wise backward secrecy

K1, K2, …, Ki, Ki+1…, Km

t comp. users

revoked

K1, K2, …, Ki, Ki+1…, Km

t comp. users

join

7Computer Science

Property of proposed scheme

• Processing,Communication and Storage overheads depend on number of compromised nodes that may collude together and not on group size.

8Computer Science

Scheme I: Personal Key Distribution

• Goal: distribute distinct keys to different members with one broadcast message– A key is a point on polynomial f(x), e.g., f(j)

• Idea: construct a single polynomial w(x) to distribute shares on f(x) such that– A valid member can only get its own key – Revoked members know nothing about

• Valid members’ keys

• Their own keys

9Computer Science

Scheme I (cont’d)

• Method: w(x)=g(x)f(x)+h(x)– h(x) is called a masking polynomial. Degree 2t

Each member i has one share on h(x), which is h(i).– g(x) is called a revocation polynomial. Degree

w(w<=t).If member v is revoked, g(v) =0; otherwise g(v)!=0

10Computer Science

Scheme I (cont’d)

• Group manager broadcasts – Revoked user ids {r1,…,rw} => g(x)=(x-r1)(x-r2)…(x-rw)– w(x)=g(x)f(x)+h(x)

• Communication overhead O(tlogq)

Member v is not compromised, but member v’ is compromised

)(

)()()(

vg

vhvwvf

)'()'()'()'()'( vhvhvfvgvw

w(x)=g(x)f(x)+h(x)

v v’

0

11Computer Science

Property of Scheme I

• Scheme I is an unconditionally secure personal key distribution scheme with t-revocation capability

12Computer Science

Scheme II: (Basic Session Key Distribution)• Main idea

– Combine the new personal key distribution scheme with the self-healing technique.

• Distribute p(x) part for all old session and q(x) part for all future sessions

K=

p(x) p(x)g(x)+h(x)

q(x) q(x)g(x)+h’(x)+

13Computer Science

Self Healing Property

• Group key Kj = pj(i) + qj(i)

• (m+1) polynomials broadcasted for all ‘m’ sessions– { p1(i)… pj(i) , qj(i) …. qm(i)}

• Ui receives messages from j1 and j2 but not j;where j1 < j < j2

• How to recover session key for ‘j’?– pj(i) from j2 and qj(i) from j1

14Computer Science

Broadcast

• Bj = • {Rj}• {Pj,i(x) = gj(x)pi(x) + hi,j(x)}i=1…j

• {Qi,j(x) = gj(x)qi(x) + hj,i+1(x)}i=j…m

15Computer Science

Scheme II (cont’d)

• In session j, given a set of revoked member ids Rj={r1,…,rwj}, the group manager broadcasts Rj and m +1 polynomials

• Communication overhead O(mtlogq)• Storage overhead O(m2logq)

)()()()(

)()()()(

)()()()(

)()()()(

1

1,1,,1,

1

vqvqvpvpv

xhxhxhxh

xqxqxpxp

xgxgxgxg

mjj

mjjjjjj

mjj

jjjj

•Member

Kj

16Computer Science

Properties of Scheme II

• Unconditionally secure, t-revocation capability

• Self-healing session key distribution

• t-wise forward secrecy and t-wise backward secrecy

17Computer Science

Scheme III: Reduce Storage Overhead

• Goal: reduce the storage overhead in scheme II• Source of storage overhead: shares on masking

polynomials

• Observation: each pi(x) or qi(x) is masked by different masking polynomials in different sessions– Having one masking polynomial for each pi(x) or qi(x) is

sufficient

– The broadcast messages are public. So it is unnecessary to protect the same polynomial multiple times using different masking polynomial

18Computer Science

Scheme III (cont’d)

• In session j, given the sets of revoked member ids {Ri}i=1,…,j, the group manager broadcasts {Ri}i=1,…,j and m+1 polynomials

• Communication overhead is still O(mtlogq)• Storage overhead is O(mlogq) instead of O(m2logq) in scheme

II

)()()()(

)()()()(

)()()()(

)()(

1

1

1

1

vqvqvpvpv

xfxfxhxh

xqxqxpxp

xgxg

mjj

mjj

mjj

j

•Member

Kj

19Computer Science

Properties of Scheme III

• Unconditionally secure, self-healing session key distribution and t-revocation capability

• t-wise forward secrecy and t-wise backward secrecy

20Computer Science

Scheme IV: (Less Broadcast Size)

• Goal: further reduce the communication overhead

• Observation: having redundant information for all the sessions may be unnecessary– Short term communication failures– Long term but infrequent communication failures

• Idea:– Sliding window.– Trade off between broadcast size and self-healing

capability

21Computer Science

Variant I

• For short term communication failures

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Scheme III

Variant I

m=20, l=3

l-1

l-1

l-session self-healing: self-healing capability in terms of l consecutive sessions

22Computer Science

Variant II

• For long-term but infrequent communication failures

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Variant I

m=20, l=3, d=2

l-1

l-1

Variant II

(l,d)-session self-healing: Can recover the lost session keys if a member receives d consecutive messages within ld sessions

23Computer Science

Conclusions

• Our new personal key distribution scheme can be used to– Develop more efficient self healing key

distribution schemes• Reduced the communication and the storage overhead

of session key distribution scheme

• Proposed two ways to trade off the broadcast size with the self-healing ability

24Computer Science

Future Work

• Long-lived self-healing key distribution

• Stateless group key distribution

• Supporting multiple groups

• Performance evaluation

25Computer Science

Thank You!

QUESTIONS?