Collaborative Security, Gene Tsudik, USC/ISI (PowerPoint PPT Presentation)



SLIDE 1

4/21/99

Collaborative Security

Gene Tsudik
USC/ISI
4676 Admiralty Way
Marina del Rey, CA 90292
gts@isi.edu
http://www.isi.edu/~gts

SLIDE 2

Group Communication

  • One-to-many
      • Single-source broadcast: cable/sat. TV, radio, etc.
  • Few-to-many
      • Multi-source broadcast (2-tiered groups): televised debates, GPS, time, etc.
  • Any-to-any
      • Collaborative applications: conferencing, mailing lists, visualization, instrument control, simulations, replicated servers, etc.

Rich communication semantics, tighter control, more emphasis on security

SLIDE 3

CLIQUES: Security in Dynamic Peer Groups

(DARPA/ITO HCN, 07/97-06/00)

[Figure: group operations: formation, member add, member leave, group merge, group partition]

SLIDE 4

Background

Targeted environment:

  • Relatively small groups
  • Dynamic membership
  • No hierarchy
  • Many-to-Many
  • Collaborative applications

Problem: how to obtain security in peer groups with dynamic membership and decentralized control?

Complexity >> 2- and 3-party security

SLIDE 5

Security Services

Key agreement, Key adjustment, Data Authenticity, Data Privacy, Membership Authentication (weak), Member Authentication (weak), Membership Authentication (strong), Member Authentication (strong)

Within Group

Group pk certification, Data Authenticity, Data Privacy

With Outsiders

Data Authenticity, Data Privacy, Member certification

Entire group / Member

Member Authentication (strong), Member Authentication (weak), Data Authenticity, Data Privacy

Entire group / Member

SLIDE 6

Group Diffie-Hellman

Important features:

  • Formal proof of security
  • Decentralized.
  • No ordering, no synchronization
  • No topology or network dependencies
  • Group controller -- floating or fixed (chore!)
  • Everyone contributes to the key.
  • Everyone can prove they took part in the generation of the key.
  • Two message latency for join of 1 member
  • One message latency for leave of N members.
  • N+1 message latency for join/merge of N members

Why key agreement?

  • Centralized (TTP) schemes untenable
  • 2-,3-party extensions unscalable

SLIDE 7

Diffie-Hellman Primer (DH78)

$p$: large prime ($\geq 512$ bits); $Z_p^* = \{1, \dots, p-1\}$; $g$: base (generator)

Alice: $a \in_R Z_p^*$, $A = g^a \bmod p$

Bob: $b \in_R Z_p^*$, $B = g^b \bmod p$

Alice: $K_{ab} = B^a \bmod p$

Bob: $K_{ba} = A^b \bmod p$

Eve: $K_{ab} = ?$

SLIDE 8

DH Primer (contd)

$p$: large prime, $g$: generator in $Z_p^*$

Discrete Log Problem: Given $A = g^a \bmod p$, FIND $a$

Diffie-Hellman Problem: Given $A = g^a \bmod p$ and $B = g^b \bmod p$, FIND $g^{ab} \bmod p$

Decision DH Problem: Given $y_a = \alpha^{x_a} \bmod p$, $y_b = \alpha^{x_b} \bmod p$: Distinguish $K_{ab} = \alpha^{x_a x_b} \bmod p$ from a random number!

SLIDE 9

GDH Key Agreement (contd)

$\{\, g^{N_1 \cdots N_i / N_j} \mid j \in [1,i] \,\},\ g^{N_1 \cdots N_i}$

With $i = 1$: $\{\, g,\ g^{N_1} \,\}$

With $i = 2$: $\{\, g^{N_1},\ g^{N_2},\ g^{N_1 N_2} \,\}$

$\{\, g^{N_1 \cdots N_n / N_j} \mid j \in [1,n] \,\}$

$K_n = g^{N_1 \cdots N_n} \bmod p$

Polynomially indistinguishable from random number!

Key adjustments/refresh protocols easily derived and shown secure
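
The message flow on this slide carried through for an arbitrary number of members, as an added example (not code from the presentation or from the CLIQUES toolkit). The modulus `P`, generator `G` and all function names are assumptions chosen for illustration.

```python
import secrets

# Toy group chosen for this example (an assumption, not from the slides):
# 2**127 - 1 is prime, which keeps the run fast; it is not a deployment size.
P = 2**127 - 1
G = 3


def gdh_agree(exponents):
    """Simulate the message flow for members 1..n holding secrets N_1..N_n.

    Returns (messages, keys): messages[i-1] is what member i sends, keys[j-1]
    is the group key member j derives from the final broadcast.
    """
    n = len(exponents)
    partials, cardinal = [], G      # state "before member 1": empty set, g
    messages = []
    for i, n_i in enumerate(exponents, start=1):
        # Raise every received value g^(N_1..N_{i-1}/N_j) to N_i; the old
        # cardinal value becomes the entry that lacks N_i (j = i).
        partials = [pow(v, n_i, P) for v in partials] + [cardinal]
        cardinal = pow(cardinal, n_i, P)            # g^(N_1..N_i)
        if i < n:
            messages.append(partials + [cardinal])  # sent on to member i+1
        else:
            messages.append(list(partials))         # member n: broadcast set
    broadcast = messages[-1]
    # Member j holds N_j and finds g^(N_1..N_n/N_j) at position j.
    keys = [pow(broadcast[j], n_j, P) for j, n_j in enumerate(exponents)]
    return messages, keys


def exponentiations_per_member(n):
    """Member i does i exponentiations before sending, plus one more to
    derive the key from the broadcast (member n already holds the key)."""
    return [i + (1 if i < n else 0) for i in range(1, n + 1)]


if __name__ == "__main__":
    # Constructed sample run: five members with fresh random secrets.
    member_secrets = [secrets.randbelow(P - 3) + 2 for _ in range(5)]
    msgs, keys = gdh_agree(member_secrets)
    assert len(set(keys)) == 1      # every member derives the same K_n
    print("values per message:", [len(m) for m in msgs])
    print("exponentiations per member:", exponentiations_per_member(5))
```

The group key $K_n$ itself never appears in any message: member $n$ keeps $g^{N_1 \cdots N_n}$ and broadcasts only the values that each lack one member's secret.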

SLIDE 10

Another GDH Key Agreement

$g^{N_1}$

$g^{N_1 \cdots N_i}$

$g^{N_1 \cdots N_{n-1}}$ (appears twice in the diagram)

Member $i$, Member $n$: $g^{N_1 \cdots N_{n-1} / N_i}$

$\{\, g^{N_1 \cdots N_n / N_j} \mid j \in [1,n] \,\}$

$K_n = g^{N_1 \cdots N_n} \bmod p$

  • 2 exponentiations per member
  • Impractical!

SLIDE 11

Authenticated GDH Key Agreement

$\{\, g^{N_1 \cdots N_i / N_j} \mid j \in [1,i] \,\},\ g^{N_1 \cdots N_i}$

With $i = 1$: $\{\, g,\ g^{N_1} \,\}$

With $i = 2$: $\{\, g^{N_1},\ g^{N_2},\ g^{N_1 N_2} \,\}$

$\{\, g^{(N_1 \cdots N_n / N_j) \cdot K_{jn}} \mid j \in [1,n] \,\},\ [\, f(K_n) \,]$

  • Key Independence
  • Perfect Forward Secrecy
  • KKA Resistance
  • Key Confirmation
  • Key Authentication

Stronger version:

  • Membership Integrity
  • Partial entity authentication

SLIDE 12

Security Services Provided

  • Decentralized authenticated group key agreement with provable security based on group Diffie-Hellman: each member contributes equally to group key
  • Membership changes: single member, many members and sub-groups
  • Membership authentication and non-repudiation: based on knowledge of key-share
  • Authenticated join/leave: requires long-term DH credentials

Other pieces of the puzzle

  • Certification infrastructure
  • Reliable group communication subsystem
  • Membership Authorization / Access control

SLIDE 13

Proposed Architecture

SLIDE 14

STATUS

  • Initial Key Agreement
  • Auxiliary Key Agreement (membership changes)
  • Authenticated Key Agreement
  • JAVA implementation (rel. 0.0)
  • C implementation (rel. 0.1) coupled with JHU’s SPREAD
  • CLQ_API: completed (rel. 1.0) mid-Feb
  • Testing and integrating with SPREAD
  • Current performance results: O(n) exponentiations
  • Integration with TOTEM on-going (LBNL)
  • Integration with AKENTI: near future

SLIDE 15

Publications

  • M. Steiner, G. Tsudik and M. Waidner, "Diffie-Hellman Key Distribution Extended to Groups", 1996 ACM Conference on Computer and Communications Security (CCCS’96)
  • M. Steiner, G. Tsudik and M. Waidner, "CLIQUES: A New Approach to Group Key Agreement", 1998 IEEE International Conference on Distributed Computing Systems (ICDCS’98)
  • G. Ateniese, M. Steiner and G. Tsudik, "Authenticated Group Key Agreement and Friends", 1998 ACM Conference on Computer and Communications Security (CCCS’98)
  • M. Steiner, G. Tsudik and M. Waidner, "Key Agreement in Dynamic Peer Groups", IEEE Transactions on Parallel and Distributed Systems (TPDS), submitted.
  • G. Ateniese, M. Steiner and G. Tsudik, "Authenticated Group Key Agreement and Friends", IEEE Journal on Selected Areas in Communication (JSAC), to appear.

SLIDE 16

CLQ_API prerequisites

Underlying group communication subsystem must provide reliable synchronized event notification for:

  • group joins
  • group leaves
  • partitions
  • node failures or disconnects
  • merges (partition heals)

merges (partition heals): hardest

SLIDE 17

CLQ_API

clq_join (ctx, member_name, group_name, input, output);
    called by a new group member who received a NEW_MEMBER message from the current controller.

clq_pass_ctx (ctx, member_name, output);
    called by the current controller to hand over group context to a new member (who becomes next controller).

clq_update_ctx (ctx, input);
    called by every member upon reception of a KEY_UPDATE_MESSAGE from the current group controller.

SLIDE 18

CLQ_API (contd)

clq_leave (ctx, member_list[], output);
    called by every group member after member leaves or partition occurs; removes all valid members in member_list from the group_member_list. Only controller gets output token.

clq_refresh_key (ctx, output);
    called only by controller when group_secret needs to be updated.

SLIDE 19

Secure Spread SD

SLIDE 20

Lessons learned

  • Paper protocols <> real protocols
  • Incremental formation of groups
  • Security, group comm not a simple composition
  • Difficulty of handling many merging sub-groups
  • Group size limits (100?)
  • other DH-like keys
  • elliptic curve duals
  • Provable security matters!

SLIDE 21

Challenges and directions

  • Two-tiered groups (few-to-many)
  • Group membership policy (Auth + AC)
  • How to specify?
  • Enforce?
  • Group certification: group key, membership, etc.
  • Dynamic membership?
  • Individual vs. opaque certificates?
  • How to tolerate Byzantine behavior by member(s)?
  • Cannot prevent key release or denial-of-service...
  • Member proves correct protocol execution
  • Group Barter
  • Group Signatures

SLIDE 22

Related Work

  • Cornell: Birman et al. (ISIS, Horus, Ensemble)
  • UCSB: Melliar-Smith et al. (Totem)
  • HUJ: Dolev et al. (Transis)
  • JHU: Amir et al. (Spread)
  • TIS: Balenson et al. (OFT)
  • UTA: Lam, Gouda
  • NSA: Wallner et al. (LKH)
  • IBM: Canetti et al.
  • ETHZ: Carroni, Sun (???)
  • Ingemarsson, Tang, Wong (ToIT 81)
  • Burmester/Desmedt 94 (Eurocrypt 94)
  • Steer/Diffie (Crypto’89)
  • DeSantis/Vaccaro/Yung

SLIDE 23

Summary

Impact:

  • IBM
  • JHU
  • LBNL (DoE)
  • IRTF

CLIQUES web page: http://www.isi.edu/div7/cliques

  • API documentation
  • Publications
  • Presentations

API code by request from gts@isi.edu

Collaborators:

  • IBM Research, Johns Hopkins, LBNL, Nortel

People:

  • G. Ateniese, O. Chevassut, D. Hasse, Y. Kim, G. Tsudik

SLIDE 24

Other current research

  • Integrated Multicast in Ad Hoc Networks (NSF)
  • Secure IP multicast (Nortel)
  • Survivability Using Controlled Security Services (DARPA)
  • Server-Assisted Digital Signatures (NSA)
  • Access Control in Collaborative Applications (DoE in subm.)
  • Low Latency Massive Data Transfers (Skunkworks)