weichao wang, bharat bhargava youngjoo, shin

KAIST

Key Distribution and Update for Secure Inter-group Multicast Communication

Weichao Wang, Bharat Bhargava

Youngjoo, Shin2006.09.12

22/22/22Key Distribution and Update for Secure Inter-group Multicast Communication

Contents

IntroductionAssumptionsStraight forward approachNew approach

Secure group communicationKey update during group changes

DiscussionsConclusions


Introduction

Secure multicast has become an important component of many applications in wireless networksTwo types of group communications

Intra-group communicationInter-group communication

This paper proposes a mechanism of key distribution and update for secure group communication

Intra-group communication Inter-group communication


Assumptions

Network and communication modelThe links among wireless nodes are bidirectionalTwo neighboring nodes can always send packets to each otherA centralized group manager (GM) is in charge of key distribution and key update

Threat modelEavesdroppingImpersonationBackward secrecyForward secrecy


EPubG2(M)

Straight forward approach

GM deploys a public-private key pair for each group

G1 G2 G3

GM

PubG2

PubG3

PriG1

PubG1

PubG3

PriG2

PubG1

PubG2

PriG3

EPriG1(M)


Straight forward approach

Three major disadvantagesThe public-private key encryption involves exponential computation

Not efficient for a wireless node

The GM will be overwhelmed by the computation overhead for generating secure public-private key pairs when a group changes

An attacker can easily impersonate another nodeSince the public keys are known to every node


New approach

Symmetric keys are used to protect the multicast traffic in intra-group communication

Polynomials are adopted to determine the keys to protect inter-group communication

Flat tables are adopted to distribute keys via broadcast when a group changes


Secure group communication

Intra-group communication

i

G2

GM

Ki-GM - pairwise key shared between node i and the GMK2 - group key shared by members of G2

EKi-GM(K2)

j

EKj-GM(K2)

k

EKk-GM(K2)EK2(M)

EK2(M)



Inter-group communication

h(x) - t-degree polynomial to determine the keys for decrypting the multicast traffic from other group h(i) - personal key share to encrypt multicast traffic sent to the other group

j k

G1 G2 G3

GM

h12(x)h13(x)h21(j)h31(j)

Eh21(j)(M)i

h21(x)h23(x)h12(i)h32(i)

h31(x)h32(x)h13(k)h23(k)

Dh21(j)(Eh21(j)(M))



Secret keys held by node i in group G2 and their usage



Secret key refreshment using the flat tableFlat table

Consists of 2r keysr : the number of bits that are required to represent a node ID (r=┌log2n┐)

E.g., (z1.0, z1.1, z2.0, z2.1, … , zr.0, zr.1)

Every group has its own flat table

Every node has a set of keys in the flat table for its groupE.g., If r=4, a node ID with 10 can be represented as (1010)2

Flat table : (z1.0, z1.1, z2.0, z2.1, z3.0, z3.1, z4.0, z4.1)

The node has a set of keys (z1.1, z2.0, z3.1, z4.0)

Every pair of nodes in the same group must have at least one different keyBecause every node has a unique ID E.g., a node ID with 10 has a set of keys (z1.1, z2.0, z3.1, z4.0) a node ID with 11 has a set of keys (z1.1, z2.0, z3.1, z4.1)



Secret key refreshment (Cont’d)The flat table has brought two features

Only one node in a group can decrypt the messageNode i will have the keys (z1.i1, z1.i2, z2.i3, z2.i4, … , zr.ir)

can be decrypt by only node I

All the nodes but one node can decrypt the messageNode i will have the keys (z1.i1, z1.i2, z2.i3, z2.i4, … , zr.ir)

can be decrypt by all the nodes but node i


Key update during group changes

Group joining operations

a

G1

GM

EK1(K’1)

b

EK1(K’1)

c

EK1(K’1)

i

Step1. Update group key K1




a

G1

GM

M

b

c

i

Step2. Update the new flat table for group G1

M

M

M :




a

G1

GM

b

c

i

Step3. Update the polynomials for inter-group communication

EK1(h’12(x), h’13(x))

M

M

M

M :




a

G1

GM

b

c

i

Step4. GM distributes the keys to node i

EK1-GM(K’1, h’12(x), h’13(x), z’1.i1,…z’r.ir)



Group leaving operations

a

G2

GM

b

c i

Step1. Update group key K2

M MM

M

M :




a

G2

GM

b

c i

Step2. Update the new flat table for group G2

M :

M MM

M




a

G2

GM

b

c i

Step3. Update the polynomials for inter-group communication

M :

M MM

M

EK’2(h’21(x), h’23(x))


Discussions

Overhead

Compared to the group changes, the encryption and decryption of the traffics happen much more frequently

Additional transmission overhead for key refreshment is totally paid off

The adoption of polynomials enables the distribution of personal key shares

Difficult for an attacker to impersonate another node

When a node changes its group, new keys must be established by the group manager

Much efficient to choose several t-polynomials


Conclusions

Adopts polynomials to support the distribution of personal key shares

Employ flat tables to achieve efficient key refreshment

Reduces the computation overhead to process the packets

Becomes more difficult for an attacker to impersonate another node


Question?

weichao wang, bharat bhargava youngjoo, shin

Documents