長庚大學通識中心 李榮宗
DESCRIPTION
Distributed Multiple Secret Key Management for Cluster-based Ad Hoc Networks 分散式多重 密 鑰 管理 機制應用於群集隨意型網路. 長庚大學通識中心 李榮宗. Outline. Introduction Background Distributed ID-based multiple secret key management scheme (IMKM) Conclusion. Introduction. Ad-hoc networks and security concerns - PowerPoint PPT PresentationTRANSCRIPT
Distributed Multiple Secret Key Management for Cluster-based Ad Hoc
Networks分散式多重密鑰管理機制應用於群集隨意型網路長庚大學通識中心 李榮宗
Outline Introduction Background Distributed ID-based multiple secret key
management scheme (IMKM) Conclusion
2
Introduction Ad-hoc networks and security concerns Authenticated key management protocols Scope of the work Summary of contributions
3
Ad-hoc networks and security concerns
A mobile ad hoc network (MANET) is an autonomous system of mobile nodes connected through wireless links
4
Ad-hoc networks and security concerns (Cont’d)
A cluster is a connected graph including a clusterhead (CH) responsible for establishing and organizing the cluster
5
1
2
36
5
4
7
8
Cluster headGatewayNode
Ad-hoc networks and security concerns (Cont’d)
Deploying security mechanisms in MANETs is difficult Absence of fixed infrastructure Shared wireless medium Node mobility Limited resources of mobile devices Bandwidth-restricted Error-prone communication links
6
Ad-hoc networks and security concerns (Cont’d)
Ad hoc networks are subject to various kinds of attacks Passive eavesdropping Active impersonation Message replay Message distortion
key management is particularly difficult to implement in such networks
7
Authenticated key management protocols
Threshold sharing-based key management with distributed authorities
Session key management protocols Two-party authenticated key management
protocols Multi-party authenticated key management
protocols
8
Authenticated key management protocols (Cont’d)
Threshold sharing-based key management with distributed authorities Using (t,n) threshold scheme Certificate exchanges consumes much bandwidth Does not provide verifiablity When t shareholders are compromised, the overall
system security is broken
9
Authenticated key management protocols (Cont’d)
Session key management protocol Two-party authenticated key management
protocols by bilinear pairings Based on Discrete logarithm problems over elliptic
curve groups Is not secure against key revealing attacks Does not provide perfect forward secrecy
10
Authenticated key management protocols (Cont’d) Multi-party authenticated key management
protocols by bilinear pairings Suffers from the man-in-the-middle attack Suffers from the impersonation attack Disadvantages in number of rounds , pairing-
computation and communication bandwidth
11
Scope of work In this paper, we address key management issues in
cluster-based mobile ad hoc networks We present a fully distributed ID-based multiple
secret key management scheme (IMKM) as a combination of ID-based, multiple secret and threshold cryptography
ID-based approach eliminates the need for certificate-based public-key distribution
12
Scope of work (Cont’d) Multiple secret key update scheme enhances system
security and eliminate communication and computation overhead for key update
Fully distributed threshold secret sharing scheme solves the single point of failure and compromise tolerance problems
Cluster-based mechanism reduces routing overhead and provides more scalable solutions
13
Summary of contributions Our IMKM scheme provides complete and solid
solutions for key management The overall system security is still guaranteed even
when t shareholders are compromised in IMKM. When the network becomes sparse, it is quite
difficult to collect t shares to reconstruct the secret. However, it is easy to adjust threshold t in IMKM which makes the system more robust and reliable.
14
Background Symmetric and public key cryptography Elliptic curve cryptosystems (ECC) Legrange interpolation polynomial Threshold sharing scheme Shuffling scheme Security schemes for attacks
15
Symmetric key and public key cryptography
Symmetric key The same key is used to do both encryption and
decryption. Advantages: efficient, easy to use Disadvantages: less secure than public key,
problem of sharing keys Ex: DES, RC6, MD5, SHA-1, etc.
16
Symmetric key and public key cryptography (Cont’d)
Public key Motivated by three limitations of symmetric key
cryptography, that is, key delivery, key management and user authentication
Advantages: encryption is stronger than symmetric key
Disadvantages: much processing power, much longer data files are create and transmitted
Ex: RSA, ElGamal, ECC, etc.17
Elliptic curve cryptosystems (ECC)
Based on the difficulty of solving elliptic curve discrete logarithm problem (ECDLP) (Ex: Q = kP)
Smaller key sizes Low communication cost Faster implementation For resource-constrained environments, such
as smart cards, and wireless devices18
Elliptic curve cryptosystems (ECC) (Cont’d)
RSA & ElGamal
Key
length( bits)ECC Key length
( bits)Necessary Computing
workload( MIPS)The ratio of
key length
512 106 104 5:1
768 132 108 6:1
1024 160 1012 7:1
2048 210 1020 10:1
21000 600 1078 35:1
Security comparisons of RSA, ElGamal and ECC
19
Legrange interpolation polynomial
Given points , where are distinct. Seek a polynomial with degree such that
20
nnnn yxyxyxyx ,,,,...,,,, 1-1-11001n
yxf )(ix
n
Legrange interpolation polynomial (Cont’d)
The Lagrangian interpolating polynomial is given by:
where n in stands for the nth order polynomial that approximates the function
given at data points as and is a weighting function that includes a
product of terms with terms of omitted
∑0
)()()(n
iiin xfxLxf
nnnn yxyxyxyx ,,,,...,,,, 1-1-1100
n
ijjji
ji xx
xxxL ,0)(
)(xLi
21
)(xfn
)(xfy 1n
ij
Legrange interpolation polynomial (Cont’d)
Given a set of three data points {(0,3),(1,9),(2,21)}, we shall determine the Lagrange interpolation polynomial of degree 2 which passes through these points. First, we compute
Lagrange interpolation polynomial is:
2)1-()(,
1)2-(-)(,
2)2-)(1-()( 210
xxxLxxxLxxxL
333)(21)(9)(3)( 22102 xxxLxLxLxf
22
Threshold sharing scheme The dealer chooses , and random
polynomial Suppose the unique ID of each user is , , then the shares of each user are:
That is the polynomial passes through points (1,9), (2,4), (3,5), (4,12), (5,8)
.17mod)333()( 2 xxxf
8)5(,12)4(,5)3(
,4)2(,9)1(
5
43
21
fSfSfSfSfS
23
iIDi
5,,2,1 i
i
5,3 nt
Threshold sharing scheme (Cont’d)
After combining t shares (ex. S1, S3, S5), the original polynomial can be reconstructed by using the Legrange interpolation as follows:
24
17mod)333(
17mod))3)(1)(15(8)5)(1)(4(5)5)(3)(15(9(17mod))3)(1)(8(8)5)(1()4(5)5)(3)(8(9(
17mod]859[
17mod]859[)(
2
111
8)3)(1(
4)5)(1(
8)5)(3(
)35)(15()3)(1(
)53)(13()5)(1(
)51)(31()5)(3(
xx
xxxxxxxxxxxx
xfxxxxxx
xxxxxx
Shuffling scheme To prevent the exposure of shares, the
shuffling scheme is introduced First, each pair of nodes (i, j) securely exchange
a shuffling factor di,j
One node in the pair adds di, j to its partial share while the other one subtracts di, j
For node i, it must apply all t −1 shuffling factors, either by adding or subtracting, to its partial share
25
Shuffling scheme (Cont’d) When a new member k joins the secret sharing
network The shuffled partial share is generated as
where and After receives t shuffled partial shares, node k
recovers its share as:
ikiki dd ,',
ji
t
ijji dijsign ,
≠,1
)-(∑
0≤x1,-0,1)( xxsign
∑ ∑ ∑ ∑∑ ∑1 1 ≠,1 1
,,,1 1
,', 0i)-()(
t
i
t
i
t
ijj
t
ikkijiki
t
i
t
iikiki dddjsignddd
26
Intrusion detection system (IDS)- Unwanted manipulations to systems
Watchdog- Selfish behavior
Packet leashes- Wormhole attack
Rushing attack prevention (RAP)- Denial of service attack
27
Security schemes for attacks
Distributed ID-based multiple secret key management scheme
Design goals and system models Network initialization Key revocation Multiple secrets key update scheme Key joining, key eviction Group key agreement protocol Protocol analysis
28
Design goals and system models Design goals
It must not have a single point of compromise and failure
It should be compromise-tolerant Efficiently and securely revoke keys of
compromised nodes once detected and update keys of uncompromised nodes
Efficient schemes to generate group session key
29
Design goals and system models (Cont’d)
System models We envision a cluster-based MANET consisting of n
clusterheads (CHs) called D-PKGs, D-PKGs are selected to enable secure and robust key revocation and update
If a cluster-based routing protocol is used, the clusters established by the routing protocol can also be employed in our security conceptualization
The size of the network may be dynamically changing with CH join, leave, or failure over time.
30
Design goals and system models (Cont’d)
Each CHi has a unique ID, denoted by IDi
Communications are potentially insecure and error-prone
We assume that compromised CHs will eventually exhibit detectable misbehavior
We also assume that adversaries compromise no more than out of n CHs simultaneously, where
Nor can adversaries break the underlying cryptographic primitive on which we base our design
31
2/1 nt )1( t
Network initialization Generation of pairing parameters and key
initiation System setup:
PKG (Private key generator) chooses a random number as the PKG’s private key. is the PKG’s public key.
The system parameters of PKG are as follows:
*∈ qZs0sPPpub
321021 ,,,,,,ˆ,,,,, HHHPPPeGGgqp mpub
32
Network initialization (Cont’d) Key extraction:
CHi submits his identity information to PKG. PKG computes and CHi ’s public and private key pair: ,
PKG preloads the key pair and system parameters on securely.
iID)≤≤1()(1 niIDHI ii
0)( PsIQ ii
01-)( PsIS ii
)≤≤1( niCH i
33
Generation of pair–wise keys In order to provide perfect forward secrecy, we
modified McCullagh and Barreto’s scheme as follows:
1) Each CHi randomly chooses his ephemeral key , computes and sends to CHj .
2) After exchange the ephemeral values, all CHs can compute their pair–wise keys:
)≤≤1( ni*qi Zx )( 0, pubjiji PPIxX
jiX , ),≤≤1( ijnj
ii xiijiij
xji SXeSXePPek ),(ˆ),(ˆ),(ˆ ,,00,
jiji xxxx PPePPe ),(ˆ),(ˆ 0000 )≠,≤,≤1( jinji34
Generation of pair–wise keys (Cont’d)
The above pair-wise key agreement protocol satisfies all the following security properties: Implicit key authentication, Known session key security, No key-compromise impersonation, Perfect forward secrecy, No unknown key-share, No key control.
Therefore, it is secure employed in MANETs.
35
Verifiable secret sharing
36
Verifiable secret sharing (Cont’d) 1) Each CHi , creates a (t,n) threshold sharing of ai,0
by generating a random polynomial of degree t-1 over , as:
2) Each CHi computes and securely sends an encrypted subshare, , to CHj , using pair-wise key .
3) Each CHi broadcasts public values 4) Each CHj verifies that subshare by checking
that
∑ 1-
0 , )(mod)( t
l
llii qxaxf
*
qZ
)≤≤1()(1 njIDHI jj
)(mod,
, pgy liali
)(mod)(10
)(,
)( pyg tl
ljI
lijIif
37
)( ji If
)( ji If
jiK ,
Verifiable secret sharing (Cont’d) 5) Each CHj computes its share key, and broadcasts public key Any subset, , of size t CHs, can determine the
master secret key: , where The public key, , of the master secret key, can
be generated from any t CHs’ public keys:
∑ 1 0)(ni jij PIfd
00,0,20,1∈ )()0(∑ PaaadD nj jj
)(mod)0( , -- qjii iIjI
iIj
DPHdD pubj pubjjpub )()0( 2∈∑
jpubpubj dPHd )(2
38
PUBD
Key revocation The key revocation scheme is comprised of
three sub-processes: Misbehavior notification Revocation generation Revocation verification
39
Misbehavior notification Upon detection of CHi’s misbehavior, CHj
generates an accusation, , against CHi
Securely transmits it to CHv
is a time stamp used to withstand message replay attacks
is the pair-wise key of CHj and CHv
vjKji TID ,},{
),≠,≤≤1( jivnv
40
jT
vjK ,
Revocation generation When the number of accusations reaches a
predefined revocation threshold, t norml CHj, having the smallest IDs,
generates a partial revocation, Each CHj sends it to the revocation leader
securely The revocation leader checks whether the
equation holds.
β
jij dIDHREV )(1
)()( 12 ipubjjpub IDHdREVPH
41
Revocation generation (Cont’d) The revocation leader can construct a
complete revocation from these partials using Lagrange interpolation:
The revocation leader then floods throughout the network to inform others that CHi has been compromised.
∑ ∈ 1' )()0(
j ijji DIDHREVID
', ii IDID
42
Revocation verification Upon receipt of , each clusterhead verifies
it by checking whether the equation holds
This means that has been correctly accumulated from all other t-1 unrevoked CHs
Each clusterhead then records in its key revocation list (KRL) and declines to interact with it thereafter.
'iID
pubiipub DIDHIDPH )()( 1'
2
'iID
43
iID
Multiple secrets key update scheme
To resist cryptanalysis, it is a good practice to update keys frequently.
At each regular predetermined time interval, updates each CH’s share key, , to by replacing the generator, , with of
Key update is quite simple and efficient
mni jij PIfd ∑ 1
' )(
)≤≤1( Um
44
mp0p
jd
jd
Key joining Scheme I
Each CHj creates a new subshare, , and securely sends it to CHk. CHk constructs its share as:
CHk creates a (t,n) threshold sharing of by generating a random polynomial of degree, t-1, and securely sends to each CHj .
Upon receiving from CHk, each CHj
reconstructs the share key,
∑≠,∈ )(= kjφj mkjk PIfd
∑ 1-0 , )(mod)( t
ll
lkk qxaxf
),∈( kjj
mjkjj PIfdd )(+='45
)( kj If
)( jk If
)( jk If
0,ka
Key joining (Cont’d) Scheme II (shuffling scheme)
Each CHj generates the partial share for CHk: , where is the
Lagrange coefficient , and , where and is the shuffling factor.
The shuffled share, , is then returned to CHk. After receiving t partial shares, CHk can construct its share, .
jkjφi jikj δIλIfd +)()(= ∑∈, )( kj I)(mod∏ ≠,∈ -
-qjiφi iIjI
iIkI
∑ ≠,∈ ,)-(= jvφv vjvjj KIIsignδ 0≤,1-0,1)( x
xxsign
vjK ,
kjd ,
mkjφj kjk Pdd ∑ ≠,∈ ,=
46
Key eviction When CHk is revoked, and the number of
revoked CHs reaches the predetermined update threshold : Each CHi chooses a random number, ,
changes its share, , to and securely sends to all unrevoked CHj
After receiving all values, each CHj reconstructs the share key,
*∈Δ qi Z
0,ia iia 0,
i
i
mjii ijj Pdd )(,
'
47
)( t
Group key agreement protocol We presented an efficient ID-based authenticated
group key agreement (AGKA) protocols Scheme
Each CHi randomly chooses an ephemeral key, Li.
Each CHi constructs a Lagrange interpolating polynomial with degree n-1, as follows:
Each CHi then broadcasts
),,,( 1-10 niii aaa
48
)(mod)(mod)( 011-
1-,1 ),-,(),-(
1 qaxaxaqLxB iin
nin
ujj jiKuiKjiKxn
u ii
Group key agreement protocol (Cont’d)
Group key computation Each CHj uses the pair–wise session keys, , to
recover keys, Li , using the following equation: After recovering all the keys, Li , each CHj
computes the group session key as follows:
Member leave Reprocesses AGKA protocol
iiijin
ijiij LqaKaKakBn
mod])()([)(011- ,
1-,,
mnj PLLLSKSK )( 21
49
ijK ,
Protocol analysis Security analysis
Share key distribution Group key distribution
Performance analysis Comparison in key update Verifiable secret sharing Comparison in group key distribution
50
Security analysis Share key distribution
We compare the security of IMKM to that of RCBC(MOCA, URSA, AKM) and IBC-K.
These five approaches are all based on threshold schemes (robust).
When compromised t CHs, the CA’s (RCBC) private key, or the PKG’s (IBC-K) master secret key will be revealed.
51
Security analysis (Cont’d) The overall system security is still guaranteed
even when t shareholders are compromised in IMKM.
With IMKM, even compromise of the PKG does not reveal the master secret key.
In summary, IMKM outperforms RCBC and IBC-K with respect to security.
52
Security analysis (Cont’d) Group key distribution The proposed authenticated group key agreement
(AGKA) protocol satisfies the following security attributes: Implicit key authentication Known session key security Backward and forward secrecy No key-compromise impersonation No unknown key-share
53
Performance analysis We compare our IMKM with RCBC, with respect
to key updates For RCBC, the duration spans from the first point
of contact between a node and random D-CAs, to the point where the last node completes its key update.
For IMKM, the key eviction process starts when the revocation leader broadcasts a key update message to other D-PKGs (CHs) and finishes after all the D-PKGs have exchanged the key update materials.
54
Performance analysis (Cont’d)
Speed
(m/s)
Network cluster size
10 20 30 40
5 3.729 8.106 16.174 27.977
10 4.029 9.032 16.594 29.741
15 3.964 9.613 17.103 30.241
RCBC key update avg completion time (sec) IMKM key update avg completion time (sec)
Speed
(m/s)
Network cluster size
10 20 30 40
5 99.986 132.292 149.857 198.699
10 100.352 131.788 150.51 199.69
15 99.09 132.439 150.489 200.767
The key update time includes packet transmission time and all cryptographic processing time.
55
Performance analysis (Cont’d)
We also count the key update bandwidth overhead in terms of number of messages and bytes.
It should be noted that overhead is similar at all mobility speeds, suggesting that both schemes are robust to mobility.
56
Performance analysis (Cont’d)
Fig. 5.2 Average messages sent, 20 nodes
302316312
738738735
0100200300400500600700800
5 10 15
Mobility (m/s)
Ove
rhea
d (m
essa
ges) IMKM
RCBC
Fig. 5.3 Average messages sent, 40 nodes
109711111038
262025862554
0
500
1000
1500
2000
2500
3000
5 10 15
Mobility (m/s)
Ove
rhea
d (m
essa
ges)
IMKMRCBC
57
Performance analysis (Cont’d)
Fig. 5.4 Average bytes sent, 20 nodes
40159 40577 38824
277455 279130278800
0
50000
100000
150000
200000
250000
300000
5 10 15
Mobility (m/s)
Ove
rhea
d (b
ytes
) IMKMRCBC
Fig. 5.5 Average bytes sent, 40 nodes
950521
141385143135133731
942351 960644
0
200000
400000
600000
800000
1000000
1200000
5 10 15
Mobility (m/s)
Ove
rhea
d (b
ytes
)
IMKMRCBC
58
Performance analysis (Cont’d) Performance of verifiable secret sharing
16.77
27.85
60.29
99.83
64.26
17.03
28.43
93.61
17.53
30.41
66.76
95.31
0102030405060708090
100110120
10 20 30 40# of nodes
Tim
e (s
ec)
Mobility 5m/sec
Mobility 10m/sec
Mobility 15m/sec
Fig. 5.1 Verifiable secret sharing: avg. delay vs. node speed59
Comparison in group key distribution
Protocol Round Scalar Pairings Bandwidth
Barua’s ID-AGKA <5n(n-1)
Du’s ID-AGKA 2 n(n+5) 4n 3(n-1)
Lin’s AGKA 2 n 2n 2n
IMKM Scheme 1 n None n
n3log )1(9 n 3log5 3 nn
Table 5.4 Comparison of AGKA protocols
- Round: The total number of rounds.- Scalar: The total number of scalar multiplications in G1.- Pairings: The total number of pairing computations.- Bandwidth: The total number of messages sent by CHs.
60
Performance analysis (Cont’d)
Conclusion Conclusion
We have proposed a secure, efficient, and scalable distributed ID-based multiple secrets key management scheme (IMKM) for cluster-based MANETs.
IMKM is a complete and solid solution for key management, which includes share key, pair-wise key and group key distribution.
61
Conclusion (Cont’d) The master secret key is generated and
distributed by all clusterheads which leads to more autonomous and flexible key update methods.
The proposed IMKM scheme improves on the security and performance of previously proposed key management protocols (i.e., RCBC and IBC-K) for MANETs.
62
Conclusion (Cont’d) Besides, we presented an efficient one round
ID-based authenticated group key agreement protocols, which minimize the number of rounds and bandwidth usage, as well as satisfies all primary security concerns.
63
Thanks!
64
67
68
69
70
71