collusion-resistant group key management using attribute-based encryption

Download Collusion-Resistant Group Key Management Using Attribute-based Encryption

Post on 24-Feb-2016

68 views

Category:

Documents

0 download

Embed Size (px)

DESCRIPTION

Collusion-Resistant Group Key Management Using Attribute-based Encryption. Presented by: Anurodh Joshi. Overview of the Paper. Presents a ciphertext -policy attribute-based encryption (CP-ABE) scheme to solve the collusion issue of Group Key Management - PowerPoint PPT Presentation

TRANSCRIPT

Slide 1

Collusion-Resistant Group Key Management Using Attribute-based Encryption

Presented by:Anurodh JoshiFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Presents a ciphertext-policy attribute-based encryption (CP-ABE) scheme to solve the collusion issue of Group Key Management CP-ABE scheme proposed by Bethencourt, Sahai, and Waters is (BSW) used to implement collusion resistant flat-key group key management Mechanism for refreshing the keys (for added security) are discussed 2Overview of the PaperFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title styleSetting & Motivation: IP Multicast: an efficient way to distribute information to a large group of usersHowever, any host can join (access control issue) Solution: Encrypt Data using Data Encryption Key(DEK) DEK can be generated and distributed securely to the Group Members (GMs). However, the main challenge is efficiency of selective key distribution; this problem is called Group Key Management Related issues:Group Backward Secrecy (new member joins) Group Forward Secrecy (old member leaves)

3Group Key ManagementFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title styleExisting Group Key Management approach:Most schemes use key encryption keys (KEKs) on flat table key managment Distribute unique set of KEK to each GM Group controller (GC) encrypts DEK with a combination of KEKsProblem?Vulnerable to Collusion 4Group Key ManagementFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Use CP-ABE instead of KEKS = set of Attributes ; SK = secret Key Associate GM with S, SK rather than KEK GC computes access structure that is satisfied by SK of current members only AdvantageSKs are computed based on S using a randomization factorcollusion resistant (follows from CP-ABE)5Proposed solutionFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title styleBackgroundFlat table key management CP-ABE Proposed scheme for Group Key Management Results & Performance Concluding Remarks6Outline of the paperFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Flat table key management A way to manage group key

Each GM has a n bit unique ID: Xn, Xn-1, .. X0 Xi [0,1] So maximum size of the group is 2n Two KEKs corresponding to each n bitKEKs {ki,b | i Zn, b Z2}. So total 2n KEKs

7BackgroundX0X1X3X2k0,1k0,0Fall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style The GC maintains the DEK (K) + 2n KEKs Each GM has n KEKs + 1 DEK Join:Group backward secrecy:Suppose id: Xn, Xn-1, .. X0 is joiningN KEKs + K is refreshed Example: (3 bit group ids) |1| 1|0 | (New)KEK => k2,1| k1,1| k1,0

8Background Contd.Fall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Join: GC encrypts the new keys with corresponding old keys and multicasts new member is given ki,b | i Zn, b Z2 and K via secure unicast Leave:Suppose id Xn, Xn-1, .. X0 is leaving Forward Secrecy:The n KEKs + 1 (K) held by the leaving member is refreshed The GC multicasts the new DEK encrypted once with each of the n KEKs not held by the leaving GM {K}kn-1, xn-1, , {K}k0,x0leaving GM cant decrypt any of these messages rest of the GMs should be able to decrypt at least one of these messages hence obtaining K The GC multicasts the new KEKs encrypted with both the new DEK and the KEKs. Again existing GMs can decrypt and update appropriate KEK but the leaving GM can not.

9Background Contd.Fall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Multiple Leaves:Leave procedure can be repeated to remove multiple members from the group More efficient approaches such as using Boolean function minimization (m) has been proposed m(Xn, Xn-1, .. X0) = 0 if it is leaving id m(Xn, Xn-1, .. X0) = 1 if it is existing idThe GC runs the Quine-McCluskey algorithm which returns sum of products expression (SOPE)Example:011 and 101 are to be removed from the group. The membership function `m can be reduced to m(X2, X1, X0) = X2X1 + X2X1 + X0 m(0, 1, 1) = 0(1) + (1)(0) + 0 = 0 m(1, 0, 1) = 1(0) + 0(1) + 0 = 0 To Update the DEK three messages are multicast by GC{K}k2,1, k1,1 , {K}k2,0, k1,0 and {K}k0,010Multiple LeavesFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style CollusionLeaving group members can collude to possibly figure out the new DEK and KEKs Example:If leaving ids are |0|1|1| and |1|0|1| Can start to collectively figure out rekey messages {K}k2,1, k1,1 and {K} k2,0, k1,0

11Multiple Leaves Contd.Fall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Use a simplified version of BSW scheme (CP-ABE scheme) Use SKs instead of KEKs GM with id Xn, Xn-1, .. X0 has SK associated with S := { AiXi | i Zn} Can decrypt a message only if S / SK satisfies the access structure Advantage:Leaving group members can not collude to breach the system

12CP-ABEFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Algorithms in CP-ABE scheme:Setup Encrypt KeyGen Decrypt Delegate (optional) Setup: Generates the public key PK := < G, g, g, g (1/), e(g,g), H>13CP -ABEFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Encrypt Input: PK, M, T (access tree) output: CT (cipher text) KeyGenInput: set S of attributes output: SK associated with S DecryptInput: CT , SK Output: Message if S satisfies T (access structure) DelegateUsed by Sub group controller (SGC) for decentralized management14CP-ABE (BSW)Fall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Concept:Use flat table key management Use CP-ABE for rekey operations in order to achieve collusion resistance instead of KEK Group InitializationGC plays the role of central authority (CP-ABE) To initialize GC runs the setup algorithm and gets the PK (public key) and MK (master key) Selects random DEK (K) G No KEKs needed

15New Scheme for Group Key Management Fall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Group Membersn bit id: Xn, Xn-1, .. X0 with attribute set: S:= {Ai,b| i Zn , b Z2 } JoinJoining GM establishes a secure unicast with the GC GC selects new DEK (K) G at random Multicasts {K}K . Current members can decrypt and update the DEK GC runs KeyGen with attribute set S := {Ai,b| i Zn , b Z2 } to get SKThe joining member receives the secret key SK and K via secure unicast16New Scheme for Group Key Management Contd.Fall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style16 LeaveSingle leave and multiple leaves work exactly the same way Let C be the set of active members in the group after some GMs leave GC runs the Quine-McCluskey algorithm to obtain the SOPE, E = E0 + E1 + . + EL The GC selects a random K G. For each l, GC runs Encrypt on K and Tl to obtain the CTl and multicasts CT0,CT1,CTL. Each active GM should be able to decrypt at least one message to recover K Inherits collusion resistance from CP-ABE. This ensures leaving GMs can not collude to decrypt K

17New Scheme for Group Key Management Contd.Fall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style GC chooses random K G and Zp PK and MK are updated PK = < G, g, g, g (1/), e(g,g), H> MK = < , g > GC broadcasts two messages {K}K GMs know K so they can decrypt and update Kand {g ( / )} K this is called the conversion factor and used to update the SKs by the GMs SK = < D . g ( / ) , {Doj | j S}, {D1j | j S}> K and are random so do not reveal anything about older versions of the same

18Periodic Refresh for perfect forward secrecyFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick to edit Master title style Current Scheme:GC manages the whole group Responsible for storage, KeyGen and overall communicationWorkload can be distributed by assigning responsibilities to subgroup of trusted members who act as Subgroup Controllers (SGCs)Number of SGCs is small so communication between SGC and GC is done via secure unicast (multicast for other direction) 19Decentralized ManagementFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceFall, 2011 - Privacy&Security - Virginia Tech Computer ScienceClick t

Recommended

View more >