Collaborative Security

Collaborative Security. Gene Tsudik. Computer Networks Division, USC/ISI gts@ics.uci.edu http://www.ics.uci.edu/~gts and Information and Computer Science Department, UC Irvine gts@isi.edu http://www.isi.edu/~gts 12/9/99


SLIDE 1

12/9/99

Collaborative Security

Gene Tsudik

Computer Networks Division, USC/ISI gts@ics.uci.edu http://www.ics.uci.edu/~gts and Information and Computer Science Department, UC Irvine gts@isi.edu http://www.isi.edu/~gts

SLIDE 2

Group Communication

  • One-to-many
      • Single-source broadcast: cable/sat. TV, radio, etc.
  • Few-to-many
      • Multi-source broadcast (2-tiered groups): televised debates, GPS, time, etc.
  • Any-to-any
      • Collaborative applications: conferencing, mailing lists, visualization, instrument control, simulations, replicated servers, etc.

Rich communication semantics, tighter control, more emphasis on security

SLIDE 3

CLIQUES: Security in Dynamic Peer Groups

(DARPA/ITO HCN, 07/97-06/00)

  • Formation
  • Member add
  • Member leave
  • Group merge
  • Group partition

SLIDE 4

Background

Targeted environment:

  • Relatively small groups
  • Dynamic membership
  • No hierarchy
  • Any-to-Any
  • Collaborative applications

Problem: how to obtain security in peer groups with dynamic membership and decentralized control?

Complexity >> 2- and 3-party security

SLIDE 5

Security Services

Key agreement Key adjustment Data Authenticity Data Privacy Membership Authentication Member Authentication weak

Within Group

Group pk certification Data Authenticity Data Privacy

With Outsiders

Data Authenticity Data Privacy Member certification

Entire group Member

Member Authentication strong Member Authentication Data Authenticity Data Privacy

Entire group Member

Group Access Control

SLIDE 6

Group Diffie-Hellman

Important features:

  • Formal proof of security
  • Decentralized
  • No ordering, no synchronization (sort of)
  • No topology or network dependencies
  • Group controller: floating or fixed (chore, not privilege!)
  • Everyone contributes to the key
  • Everyone can prove they took part in the generation of the key
  • Two message latency for join of 1 member
  • One message latency for leave of N members
  • N+1 message latency for join/merge of N members

Why key agreement?

  • Centralized (TTP) approach: single-point, too much load
  • 2-, 3-party extensions unscalable: n*n message exchanges

SLIDE 7

Diffie-Hellman Primer (DH78)

$p$: large prime ($\geq 512$ bits); $Z_p^* = \{1, \ldots, p-1\}$; $g$: base (generator)

Alice: $a \in_R Z_p^*$, $A = g^a \bmod p$, $K_{ab} = B^a \bmod p$

Bob: $b \in_R Z_p^*$, $B = g^b \bmod p$, $K_{ba} = A^b \bmod p$

Eve: $K_{ab} = ?$

SLIDE 8

DH Primer (contd)

Discrete Log Problem: Given $A = g^a \bmod p$, FIND $a$

Diffie-Hellman Problem: Given $A = g^a \bmod p$ and $B = g^b \bmod p$, FIND $g^{ab} \bmod p$

Decision DH Problem: Given $A = g^a \bmod p$, $B = g^b \bmod p$: distinguish $K_{ab} = g^{ab} \bmod p$ from a random number!

SLIDE 9

GDH Key Agreement

$$\{\, g^{N_1 \cdots N_i / N_j} \mid j \in [1, i] \,\},\ g^{N_1 \cdots N_i}$$

$$\{ g,\ g^{N_1} \}$$

$$\{ g^{N_1},\ g^{N_2},\ g^{N_1 N_2} \}$$

$$\{\, g^{N_1 \cdots N_n / N_j} \mid j \in [1, n] \,\}$$

$$K_n = g^{N_1 \cdots N_n} \bmod p$$

Polynomially indistinguishable from random number!

Key adjustments/refresh protocols easily derived and shown secure
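The message flow above, run end to end, as an added Python example (it is not CLIQUES code and not from the original slides). With two members it reduces to the two-party exchange of the DH primer. The names `upflow_step`, `gdh_agree` and `fresh_nonce` are illustrative, and the 127-bit modulus is a toy assumption chosen to keep the block short.

```python
import secrets

# Toy group parameters (assumption for this demo): a 127-bit Mersenne prime.
# The slides call for p of at least 512 bits.
P = 2**127 - 1
G = 3

def fresh_nonce(p=P):
    """Random secret contribution N_i in [2, p-2]."""
    return 2 + secrets.randbelow(p - 3)

def upflow_step(partials, cardinal, n_i, p=P):
    """Member i's turn.

    Input from member i-1: partials[j] = g^(N_1..N_{i-1} / N_j) and
    cardinal = g^(N_1..N_{i-1}). Member 1 starts from ([], g).
    """
    out = [pow(v, n_i, p) for v in partials]  # add N_i to every earlier entry
    out.append(cardinal)                      # entry j = i: everything but N_i
    return out, pow(cardinal, n_i, p)         # new cardinal g^(N_1..N_i)

def gdh_agree(nonces, p=P, g=G):
    """Run the upflow and final broadcast; return (member keys, wire values)."""
    partials, cardinal, wire = [], g, []
    for idx, n_i in enumerate(nonces):
        partials, cardinal = upflow_step(partials, cardinal, n_i, p)
        last = idx == len(nonces) - 1
        # Members 1..n-1 forward the set plus the cardinal. Member n broadcasts
        # the set only: its cardinal is K_n and never leaves the member.
        wire.extend(partials if last else partials + [cardinal])
    # Member j raises "its" broadcast entry to N_j to obtain K_n.
    keys = [pow(partials[j], n_j, p) for j, n_j in enumerate(nonces)]
    return keys, wire

if __name__ == "__main__":
    group = [fresh_nonce() for _ in range(5)]
    keys, wire = gdh_agree(group)
    print("all members agree:", len(set(keys)) == 1)
    print("values sent on the wire:", len(wire))
```

The `wire` list is everything an eavesdropper sees; the number of values grows with the member's position in the upflow, which is where the O(n) exponentiation cost comes from.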

SLIDE 10

Another GDH Key Agreement

[Diagram: message flow between Member i and Member n, Stage 1 and Stage 2, carrying the values below]

$$g^{N_1}, \quad g^{N_1 \cdots N_i}, \quad g^{N_1 \cdots N_{n-1}}, \quad g^{N_1 \cdots N_{n-1} / N_i}$$

$$\{\, g^{N_1 \cdots N_n / N_j} \mid j \in [1, n] \,\}$$

$$K_n = g^{N_1 \cdots N_n} \bmod p$$

  • 2 exponentiations per member
  • lots of communication

SLIDE 11

Authenticated GDH Key Agreement

$$\{\, g^{N_1 \cdots N_i / N_j} \mid j \in [1, i] \,\},\ g^{N_1 \cdots N_i}$$

$$\{ g,\ g^{N_1} \}$$

$$\{ g^{N_1},\ g^{N_2},\ g^{N_1 N_2} \}$$

$$K_{ij} = g^{S_i S_j} \bmod p$$

$$\{\, g^{(N_1 \cdots N_n / N_j)\, K_{jn}} \mid j \in [1, n] \,\},\ [f(K_n)]$$

  • Key Independence
  • Perfect Forward Secrecy
  • KKA Resistance
  • Key Confirmation
  • Key Authentication

Stronger version:

  • Membership Integrity
  • Partial entity authentication

SLIDE 12

OFT-based Key Agreement

$$K_{12} = g^{N_1 N_2}$$

$$K_{34} = g^{N_3 N_4}$$

$$K_{1234} = g^{K_{12} K_{34}}$$

$$K_{12345} = g^{K_{1234} N_5}$$

  • Very fast merge
  • Best-fit vs worst-fit insert
  • Need to balance on leave
  • Authentication hard
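The key tree on this slide, as an added Python example (not CLIQUES code and not from the original slides). It assumes each subtree hands its sibling a blinded key $g^K$, a step the slide does not show; all function names are illustrative and the 127-bit modulus is a toy value.

```python
# Toy group parameters (assumption): far smaller than a real deployment needs.
P, G = 2**127 - 1, 3

def secret(node, nonces, p=P, g=G):
    """Secret of a node: N_i at leaf i, g^(K_left * K_right) at an inner node."""
    if isinstance(node, int):
        return nonces[node]
    left, right = node
    return pow(g, secret(left, nonces, p, g) * secret(right, nonces, p, g), p)

def blinded(node, nonces, p=P, g=G):
    """Public value g^secret that a subtree hands to its sibling (assumption)."""
    return pow(g, secret(node, nonces, p, g), p)

def siblings_on_path(node, leaf):
    """Sibling subtrees met on the way from `leaf` up to the root, else None."""
    if isinstance(node, int):
        return [] if node == leaf else None
    left, right = node
    for child, sib in ((left, right), (right, left)):
        found = siblings_on_path(child, leaf)
        if found is not None:
            return found + [sib]
    return None

def member_key(tree, leaf, own_nonce, public, p=P):
    """Root key as one member computes it: own nonce plus public values only."""
    k = own_nonce
    for sib in siblings_on_path(tree, leaf):
        k = pow(public[sib], k, p)  # K_parent = (g^K_sibling)^K_own
    return k

def publish(tree, nonces, p=P, g=G):
    """All blinded keys any member needs, keyed by subtree."""
    return {s: blinded(s, nonces, p, g)
            for leaf in nonces for s in siblings_on_path(tree, leaf)}

# The slide's shape: K_12345 = g^(K_1234 * N_5), K_1234 = g^(K_12 * K_34).
TREE = (((1, 2), (3, 4)), 5)

if __name__ == "__main__":
    import secrets
    nonces = {i: 2 + secrets.randbelow(P - 3) for i in range(1, 6)}
    public = publish(TREE, nonces)
    keys = {member_key(TREE, i, nonces[i], public) for i in nonces}
    print("one shared key:", len(keys) == 1)
```

Member 5 needs a single public value (the blinded $K_{1234}$) to reach the root, while members 1 to 4 need three each, which is why the slide raises tree balance and insert position as concerns.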

SLIDE 13

Security Services Provided

  • Decentralized authenticated group key agreement with provable security based on group Diffie-Hellman: each member contributes equally to group key
  • Membership changes: single member, many members and sub-groups
  • Membership authentication and non-repudiation: based on knowledge of key-share
  • Authenticated join/leave: requires long-term DH credentials

Other pieces of the puzzle

  • Certification infrastructure
  • Reliable group communication subsystem
  • Membership Authorization / Access control

SLIDE 14

STATUS

  • Protocols
  • Initial Key Agreement
  • Auxiliary Key Agreement (membership changes)
  • Authenticated Key Agreement
  • Shared-key and signature strains
  • CLIQUES API, C implementation (rel. 1.7a)
  • OpenSSL as crypto base
  • Testing and integration with JHU’s SPREAD and UCSB’s TOTEM
  • Current performance results: O(n) exponentiations
  • 12 msec on SPARC ULTRA II, 2 msec on PENTIUM II 450 MHz !!!
  • On-going integration with AKENTI Access Control Server

SLIDE 15

CLIQUES API (contd)

Underlying group communication subsystem must provide reliable synchronized event notification for:

  • group joins
  • group leaves
  • partitions
  • node failures or disconnects
  • merges (partition heals)

Supports primitives for:

  • leaves
  • joins
  • merges
  • refreshes

Centralized and GDH key agreement (others tba)

hardest

SLIDE 16

Generic Architecture

SLIDE 17

Secure SPREAD Architecture

SLIDE 18

Secure Spread: join

SLIDE 19

Secure Spread: leave/partition

SLIDE 20

Secure Spread: cascaded events

SLIDE 21

Lessons learned

  • Paper protocols <> real protocols
  • Incremental formation of groups
  • Security, group comm not a simple composition
  • Comm latency vs computation (group topology!)
  • Difficulty of handling many merging sub-groups
  • Group size limits (100?)
  • other DH-like keys
  • elliptic curve duals
  • Provable security matters!

SLIDE 22

Challenges and directions

  • Two-tiered groups (few-to-many)
  • Group membership policy (Auth + AC)
  • How to specify?
  • Enforce?
  • Group certification: group key, membership, etc.
  • Dynamic membership?
  • Individual vs. opaque certificates?
  • How to tolerate Byzantine behavior by member(s)?
  • Cannot prevent key release or denial-of-service...
  • Member proves correct protocol execution
  • Group Barter
  • Group Signatures

SLIDE 23

Related Work

Strong Group Semantics:

  • Cornell: Birman et al. (ISIS, Horus, Ensemble)
  • UCSB: Melliar-Smith et al. (Totem)
  • HUJ: Dolev et al. (Transis)
  • JHU: Amir et al. (Spread)

IP Multicast:

  • TIS: Balenson et al. (OFT)
  • UTA: Lam, Gouda
  • NSA: Wallner et al. (LKH)
  • IBM: Canetti et al.
  • ETHZ: Carroni, Sun (Versa)

Theory:

  • Ingemarsson, Tang, Wong (ToIT 81)
  • Burmester/Desmedt 94 (Eurocrypt 94)
  • Steer/Diffie (Crypto’89)
  • DeSantis/Vaccaro/Yung

SLIDE 24

Publications

  • M. Steiner, G. Tsudik and M. Waidner, Diffie-Hellman Key Distribution Extended to Groups, ACM CCCS’96
  • M. Steiner, G. Tsudik and M. Waidner, CLIQUES: A New Approach to Group Key Agreement, IEEE ICDCS’98
  • G. Ateniese, M. Steiner and G. Tsudik, Authenticated Group Key Agreement and Friends, ACM CCCS’98
  • M. Steiner, G. Tsudik and M. Waidner, Key Agreement in Dynamic Peer Groups, IEEE TPDS, submitted.
  • G. Ateniese, M. Steiner and G. Tsudik, Authenticated Group Key Agreement and Friends, IEEE JSAC, April 2000.
  • Y. Amir, G. Ateniese, D. Hasse, Y. Kim, C. Rotaru, J. Stanton, J. Schultz, and G. Tsudik, Spread/CLIQUES Integration Experience, IEEE ICDCS’00
  • D. Hasse, Y. Kim, O. Chevassut and G. Tsudik, The Design of Group Key Agreement API, DARPA DISCEX’00.

SLIDE 25

Summary

Impact:

  • IBM
  • JHU
  • LBNL
  • IRTF

CLIQUES web page: http://www.isi.edu/div7/cliques

  • API documentation
  • Publications
  • Presentations

API code by request from gts@isi.edu

Collaborators:

  • IBM Research, Johns Hopkins, LBNL, Nortel

People:

  • G. Ateniese, O. Chevassut, D. Hasse, Y. Kim, G. Tsudik

SLIDE 26

Other current research

  • Integrated and Reliable Multicast in Ad Hoc Networks (NSF)
  • Secure IP multicast (Nortel)
  • Survivability Using Controlled Security Services (DARPA)
  • Server-Assisted Digital Signatures (NSA)
  • Access Control in Collaborative Applications (DoE, w/ LBNL)