a secure multicast group management and key distribution
TRANSCRIPT
Β© 2016 Toshiba Corporation
Secure Multicast Group Management and Key Distribution in IEEE 802.21
Yoshikazu HanataniNaoki Ogura
Yoshihiro OhbaLidong Chen
Subir Das
(Toshiba)(Toshiba)(Toshiba Electronics Asia)(NIST)(Applied Communication Sciences)
Security Standardization Research 2016, 6th Dec. 2016
Β© 2016 Toshiba Corporation 2
β’ Use case β’ IEEE 802.21β’ Group Key Distribution Protocolβ’ Security analysisβ’ Prototype Results β’ Conclusion
Outline
Β© 2016 Toshiba Corporation 3
β’ In IoT deployment, one βControl Centerβ needs to manage a large number of devices.
β’ A system sending control information to each device by unicast communication is not resource efficient and may have the scalability issue.
β’ A multicast communication is proved to be very useful for managing a large number of devices (e.g., configuring parameters, updating firmware).
Use Case
Control Center
DevicesControl Info.
Results
Multicast group
Β© 2016 Toshiba Corporation 4
β’ A shared key is used to protect each unicast communicationβ The shared key can be established by various standards-based key exchange protocolsβ Number of unicast session = number of shared keys
β’ However, the multicast communication can be protected by a single group keyβ How to securely distribute the group key?β Standards-based key distribution protocol is good for industry
Use Case Contd..
Control Center
Devices
Control Info.
Results
Multicast group
Fake info.
Eavesdropping
gk gk
gk gk
Β© 2016 Toshiba Corporation 5
β’ IEEE 802.21 specifies a framework and signaling protocol that can be used to securely distribute the group key to a multicast group β Can be transported over IP and over link layer
β’ Group Manager (Control Center) generates and distributes group keys to the group members (a.k.a. devices).β The group key is protected by a scalable broadcast encryption mechanism using a
symmetric key encryption.
Group Key Distribution Protocol in IEEE 802.21
Group Manager(Control Center)
Devices
BEnc(gk)
Results (Option)
Β© 2016 Toshiba Corporation 6
β’ RFC 6407: Group Domain of Interpretationβ Key manager sends an initial group key to each group member by a secure
unicast communication. β The protocol allows group key distribution for rekeying by a logical key
hierarchy. β’ ISO/IEC 11770-5:2011 Group key management
β Specify a group key management by a logical key hierarchy.
β’ Broadcast encryption: [FN93], [NNL01] etc.β Distributing a group key for decrypting contents only to compliant devices.β Used in AACS copy-protection system.
Past Work
Β© 2016 Toshiba Corporation 7
β’ Described a group key distribution protocol in IEEE 802.21
β’ Provided a formal security proof of the group key distribution protocolβ Define a relaxed security modelβ The protocol is secure in the relaxed security model.β The relaxed security model is weaker than a current security model
β’ Prototype Implementation Results
Contribution to this Paper
Β© 2016 Toshiba Corporation 8
β’ Provide a media independent framework, services and signaling protocolβ Interfaces to Lower-layer and to Upper-layerβ Define Protocol messagesβ Security mechanisms for protecting the messagesβ Messages can be transported over IP (port assigned by IANA) and over link layer
IEEE 802.21 : Media Independent Services
802.16(WiMAX) 3GPP 3GPP2
(LTE)
UDP/IP
L2
802.21
Application
L3
802.3(Ethernet)
802.11(Wi-Fi)
IEEE 802.21 Device
IEEE 802.21 Device
Β© 2016 Toshiba Corporation 9
Use case of multicast communication in IEEE 802.21
β’ Other use cases:β Load balancingβ Configuration parameters update or Firmware update.
PoS
Devices access a network via a Point of Services (PoS)When PoS needs maintenance or malfunctioning, PoS sends alternative PoSβsinformation to devices.The devices can dynamically change the PoS without disrupting the network access and services
Β© 2016 Toshiba Corporation 10
β’ Multicast Group Managementβ’ Group Key Distribution Protocolβ’ Certification Distribution Protocolβ’ Message protection by Group key and Digital signature
Multicast Security Mechanism in IEEE 802.21
Β© 2016 Toshiba Corporation 11
β’ Use Case β’ IEEE 802.21β’ Group Key Distribution Protocolβ’ Security analysisβ’ Prototype Results β’ Conclusion
Outline
Β© 2016 Toshiba Corporation 12
Complete Subtree Methodβ’ GM has all node keys in a management tree.β’ Each leaf node is assigned to a device.β’ Each device has a part of node key as its own device key.
Index: root, Key: k
Index: 0, Key: k0
Index: 1, Key: k1
Index: 00, Key: k00
Index: 01, Key: k01
Index: 10, Key: k10
Index: 11, Key: k11
Index: 000, Key: k000
Index: 001, Key: k001
Index: 010, Key: k010
Index: 011, Key: k011
Index: 100, Key: k100
Index: 101, Key: k101
Index: 110, Key: k110
Index: 111, Key: k111
Γ
ΓΓ
ΓGM
(Null, k)(0,k0)(00,k00)(000,k000)
A B C D E F G H(Null, k)(0,k0)(00,k00)(001,k001)
(Null, k)(0,k0)(01,k01)(010,k010)
(Null, k)(0,k0)(01,k01)(011,k011)
(Null, k)(1,k1)(10,k10)(100,k100)
(Null, k)(1,k1)(10,k10)(101,k101)
(Null, k)(1,k1)(11,k11)(110,k110)
(Null, k)(1,k1)(11,k11)(111,k111)
Ex1. GM wants to send πππππ to all devices.
Send (root, πΈπΈπΈπΈπΈπΈ(ππ,πππππ))
Ex2. GM wants to send πππππ to devices excluding C.
Send (00,πΈπΈπΈπΈπΈπΈ ππ00,πππππ ),(0ππ,πΈπΈπΈπΈπΈπΈ ππ011,πππππ ),(π,πΈπΈπΈπΈπΈπΈ ππ1,πππππ )
Β© 2016 Toshiba Corporation 13
β’ Key wrapping KWβ AES-Key_Wrapping-128 or AES-ECB-128β KW satisfies IND-RPA (Indistinguishability against Random Plaintext Attack)
β’ Digital signature πΊπΊβ ECDSA_P256_SHA256β πΊπΊ satisfies EUF-CMA (Existential Unforgeability against Chosen Message Attack)
Ciphersuites for the group key distribution
ππ β πΎπΎπΎπΎπΎπΎπΎπΎπΎπΎπΈπΈ(π π )πΈπΈ β ππππππππ(ππ,ππππ)ππππ β πππΈπΈππππππππ(ππ, πΈπΈ) when πΈπΈ = ππππππππ(ππ,ππππ)
(ππππ, π π ππ) β πΎπΎπΎπΎπΎπΎπΎπΎπΎπΎπΈπΈΞ£(π π )ππ β πππππππΈπΈ(π π ππ,ππ)π β πππΎπΎππππππ(ππππ,ππ,ππ) when ππ = πππππππΈπΈ(π π ππ,ππ)
Β© 2016 Toshiba Corporation 14
β’ Provisioningβ The maximum number of devices : πππβ U : A set of all device to be managed. |U|β€ πππ
Group key distribution protocol in IEEE 802.21
GM Device 1
This step may need individual secure channel.IEEE 802.21 does not specify the provisioning protocol
Device 2
Device 3
1. Generate a binary tree T with depth πΈπΈ.
2. Assign πΌπΌππ , ππππ to each nodein T. β’ πΌπΌππ is ID of the node.β’ ππππ β πΎπΎπΎπΎπΎπΎπΎπΎπΎπΎπΈπΈ(π π ππ)
3. Assign a leaf node andcorresponding device key π·π·πΎπΎto a device βU.
4. Generate verification key and signing key ππππ, π π ππ β πΎπΎπΎπΎπΎπΎπΎπΎπΎπΎπΈπΈΞ£(π π )
ππππ,π·π·πΎπΎ1
ππππ,π·π·πΎπΎ2
ππππ,π·π·πΎπΎ3
Save π·π·πΎπΎ1 as the long-term key.
Save π·π·πΎπΎ2 as the long-term key.
Save π·π·πΎπΎ3 as the long-term key.
Save ππππ
Save ππππ
Save ππππ
Β© 2016 Toshiba Corporation 15
Group key distribution protocol using typical option
GM Device 1T : all device keys
π·π·πΎπΎ1 : all device keys
1. Choose ππ β U where U is a set ofall available device in T
2. Decide a group identifier πΎπΎπΌπΌ3. Pick current sequence number ππππ for πΎπΎπΌπΌ4. Choose ππππππ βπ π 0,π β and πππππΌπΌπ·π· for ππππππ5. Compute all (πΌπΌππ , πΈπΈππ) from U, ππ, and T using
CS method where πΈπΈππ = ππππππππ(πππΌπΌππ ,ππππππ)6. Set a destination and pick current sequence
number π π π π for the destination7. ππ β πππππππΈπΈ(π π ππ, πΎπΎπΌπΌ| ππππ |{πΌπΌππ}| πΈπΈππ |πππππΌπΌπ·π·||π π π π )
Multicast the green-colored elements
ππππ : verification keyππππ : verification keyπ π ππ : signing key
1. Check π π π π to prevent a replay attack2. If π β πππΎπΎππππππ(ππππ,πΎπΎπΌπΌ| ππππ |{πΌπΌππ}| πΈπΈππ |πππππΌπΌπ·π·||π π π π ,ππ),
the message is dropped.3. If β πΌπΌππ such that πΌπΌππ , ππππ β π·π·πΎπΎ1 and πΌπΌππ β {πΌπΌππ},
β’ ππππππ β πππΈπΈππππππππ(ππππ, πΈπΈππ)β’ πππ π ππ β πΎπΎπ·π·πΎπΎ(ππππππ)β’ Record (πΎπΎπΌπΌ, ππππ, πππππΌπΌπ·π·,πππ π ππ)β’ Join group πΎπΎπΌπΌ
4. Otherwiseβ’ Delete πΎπΎπΌπΌ,β β β if it is recorded.β’ Leave group πΎπΎπΌπΌ
Β© 2016 Toshiba Corporation 16
A B C D A B C D
ComparisonIEEE 802.21 (Complete Subtree) GDOI (Logical Key Hierarchy)
Common Tree T is used for all groups The size of device keys is independent
of the number of groups
Trees are generated for each group The size of device keys depends on
the number of groups
Only send a master group key Send a master group keyand new node keys for tree Tβ
At most one decryption Multiple decryptions are required
Storage cost
Communication cost
Computational cost
Β© 2016 Toshiba Corporation 17
β’ Use Caseβ’ IEEE 802.21β’ Group Key Distribution Protocolβ’ Security analysisβ’ Prototype Results β’ Conclusion
Outline
Β© 2016 Toshiba Corporation 18
β’ All participants of the protocol are represented by oracles.β’ The adversary A can get and modify all messages in
communication channels.
Security Model : Communication
Ξ ππ1π π ππππ1
A
Ξ ππ1π π ππππ2
Ξ ππ2π π ππππ1
Ξ ππ2π π ππππ2
User U1 User U2
Β© 2016 Toshiba Corporation 19
Security Model: Queries for adversary A
A
Initialize(S)
Invoke(sid, Sβ)
Send(Ξ πππ π ππππ ,ππ)
Corrupt(U)
RevealState(Ξ πππ π ππππ)
Oracles {Ξ πππ π ππππ}ππβππ are available sid
result
result
AddUser(U)
Revealkey(Ξ πππ π ππππ)
Uβs Registration Info.,Uβs Long-term key
The (adversarial) user U isadded to U.
Uβs Long-term keyLong term key is revealed.
Ephemeral secret of Ξ πππ π ππππ
Ξ πππ π ππππβs Session key if it was derived.
Test(Ξ πππ π ππππ)
Ξ πππ π ππππβs Session keyor
Random key
Choose ππ βπ π {0,π}ππ = 0: Session keyππ = π: Random key
{Ξ πππ π ππππ}ππβππβ² start the protocol
Ξ πππ π ππππ processes ππAccording to the protocol
Β© 2016 Toshiba Corporation 20
Security model: Freshness of sidβ’ We say session ππππππ is Fresh if all of the following conditions are
satisfied.β A has not obtained the long term key of a participant in the session π π πππ π by the
adversarial queries, directly.β’ There are no Ξ πππ π ππππ who are added by AddUser(U).β’ There are no Ξ πππ π ππππ who issued Corrupt(U).
β A does not obtained an internal state of a participant in the session π π πππ π by the adversarial queries, directly.β’ There are no Ξ πππ π ππππ who issued RevealState(Ξ πππ π ππππ) before stopping Ξ πππ π ππππ.
β A does not obtained a session key of the session π π πππ π by the adversarial queries, directly.β’ There are no Ξ πππ π ππππ who issued RevealKey(Ξ πππ π ππππ) before stopping Ξ πππ π ππππ.
Ξ πππ π ππππ1sid 1 sid 2 sid πΈπΈ
Ξ πππ π ππππ2 Ξ πππ π ππππ ππSessions U is participating
Β© 2016 Toshiba Corporation 21
We say A wins when b = bβ and ππππππ is Fresh where A issuedTest(π·π·πΌπΌ
ππππππ).
Security for group session key
ATest(Ξ πππ π ππππ)
Ξ πππ π ππππβs Session keyor
Random key
Choose ππ βπ π {0,π}ππ = 0: Session keyππ = π: Random key
bβ=0/1
= | Pr ππ πππππΈπΈπ π β π/π|Advantage of A:
The group key distribution protocol is secure if is negligible.
Β© 2016 Toshiba Corporation 22
Comparison with [BBM09] modelβ’ Our model: When U is just corrupted, freshness of all ππππππ that U
participated are lost.β A has not obtained the long term key of a participant in the session π π πππ π by the
adversarial queries, directly.β’ There are no Ξ πππ π ππππ who issued Corrupt(U).
β Our model does not capture Perfect Forward Security.β’ [BBM09]: Freshness of ππππππ is NOT lost just by corrupting the
participant.β The freshness is lost when A issues a query using the corrupted Ξ πππ π ππππ.β [BBM] model captures Perfect Forward Security.
Ξ πππ π ππππ1sid 1 sid 2 sid πΈπΈ
Ξ πππ π ππππ2 Ξ πππ π ππππ ππ
sid 3
Ξ πππ π ππππ3
Β© 2016 Toshiba Corporation 23
Is the model reasonable?
β’ The device keys (Long-term key) of 802.21 are static. If a device key is revealed, all sessions using the device key are
compromised. So, it does not satisfy the security in [BBM09].β’ We can reduce the damage by regularly updating the tree.
Β© 2016 Toshiba Corporation 24
β’ Computational assumptionsβ Ξ£ satisfies EUF-CMA security
β KW satisfies IND-RPA security
β’ Theorem: Ξ£ satisfies EUF-CMA security and KW satisfies IND-RPA security, the group key distribution protocol in IEEE 802.21 satisfies the security on group keys, and
Computational Assumptions and Theorem
is negligible.
is negligible.
Β© 2016 Toshiba Corporation 25
β’ Use Case β’ IEEE 802.21β’ Group Key Distribution Protocolβ’ Security analysisβ’ Prototype Results β’ Conclusion
Outline
Β© 2016 Toshiba Corporation 26
GM
Prototype Results
D1
D2
D1024
PC
RaspberryPi
Virtual devices
ECDSA verification time is dominant.
Best case
Worst case
Β© 2016 Toshiba Corporation 27
β’ IEEE 802.21 specifies a group key distribution protocolβ’ The group key distribution protocol with typical options is secure
in the active attack model without PFSβ’ Comparing with GDOI, it has better performance when there are
multiple groupsβ’ Early prototype implementation results are reported
Conclusion