Approaches to Globally Scalable Key Distribution - CSRC · PDF fileApproaches to Globally...
Transcript of Approaches to Globally Scalable Key Distribution - CSRC · PDF fileApproaches to Globally...
A Notional Zeitgeist of Key Management D
ynam
ics Global
Hawk
Future Force
Warrior
Brigade Combat Team
Modernization
Micro UAVs
Reaper
Predator
Sensor Nets
Sensor Dust
Future Combat System
Blue Force
Tracker
GPS
GPS GPS
CAOCC
GIG
Destroyer CTF
CVN-21 Wearables
TOC
Scale ©2009 BAE Systems. 2
Key Management Requirements
• Secure global key distribution - Scalable key encryption algorithms to support secure wireless delivery
• Responsive key revocation - Near-zero vulnerability window due to compromise
• Global perfusion of revocation • Seconds, not minutes
- Delegation to tactical commanders with local situational awareness - Command override
• Customized “last-mile” key delivery - Mission and context driven
• Air, land, sea • In-situ infrastructure • Covert operation
©2009 BAE Systems. 3
Example Key Distribution Algorithm (Overview)
• Gateway Subset Difference Revocation (GSDR) [ODL06] - Extends SDR [NNL01] - Introduces subordinate Key Distribution Gateways (KDG) - Supports
• Audit – Revocation and rekey actions are captured • Delegation – Commanders can delegate rekey decisions to
subordinates • Override – Commanders can also bypass subordinates
• Key Strengths - SDR scales proportionally to the number of revoked ECUs
• As long as the revoked set is a small proportion of the total number of ECUs deployed, the rekey message size is significantly reduced
- GSDR enhances SDR scalability through delegation at subordinate KDGs - A single rekey message can be used to rekey a large number of ECUs - Both algorithms are stateless – Devices can miss a rekey due to comms outage or
other factors and still rekey later
[ODL06] Jeffrey Opper, Brian DeCleene, May Leung, "Gateway Subset Difference Revocation," mahss, pp.839-844, 2006 IEEE International Conference on Mobile Ad Hoc and Sensor Systems, 2006
[NNL01] Dalit Naor , Moni Naor , Jeffrey B. Lotspiech, Revocation and Tracing Schemes for Stateless Receivers, Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, p.41-62, August 19-23, 2001
©2009 BAE Systems. 4
12
1
0
33 3
Basic Concepts (SDR or GSDR) • Subset Difference
- A tuple (B, S) used to represent the act of rekeying a tree rooted atB (base) while revoking thesubordinate subtree S (subtractor)
- A (0,4) rekey would rekey the entire tree with the exception ofnodes 9 and 10
• Subset Cover - The minimum number of subset
differences required to fullyexpress the revocation state of thetree
- [(1,4)(2,11)] would express the revocation of nodes 9, 10, and 11
• Key Encryption Key (KEK/Label) - Derived from a node seed at the
desired base node - Left-hand (FL) and right-hand (FR)
one-way functions are used tohash the node seed to the desiredsubtractor node
- L(0,5) = FL · FR· σ0 1211
1
0
5
1413
2
6
87
3
109
4
0
©2009 BAE Systems. 5
Initialization Phase
• ECUs establish secure connections with key distribution gateway (KDG)
- Can be: • Offline (pre-placed keys) • Online (IKE, etc.)
• KDG places each ECU in local key graph
• Predetermined sets of key encryption keys (KEK) are providedto each ECU based upon location in key graph
• Each key set is unique to each ECU, but contains keys that overlap other key sets
©2009 BAE Systems. 6
Rekey Message Creation
• The KDG performing the rekey determines which ECUs have been revoked
• The KDG creates a rekey message containing copies of the new TEKencrypted with a series of unique KEKs and the KEK identifier
• The set of KEKs used are guaranteed by the key distribution algorithm to only beheld by the union of the ECUs that are not revoked
©2009 BAE Systems. 7
Reception Phase
• The rekey message received is decrypted and validated by each ECU • Each ECU examines each KEK identifier to determine if it possesses the
KEK - If the identifier is found the ECU decrypts the encrypted TEK and make it
available for use
- If not found, the ECU is revoked and cannot use the TEK
©2009 BAE Systems. 8
Key Storage Requirements of SDR and GSDR
Number of Stored Keys Required by all Rekeying Devices
0
50
100
150
200
250
300
350
Num
ber o
f Key
s
SDR GSDR (M=64) GSDR (M=128)
1.0E+00 1.0E+01 1.0E+02 1.0E+03 1.0E+04 1.0E+05 1.0E+06 1.0E+07 1.0E+08
Number of Rekeying Devices
©2009 BAE Systems. 9
Level = 3 Offset = 3ID = 10 I.e., 23+3-1Parent = 4 I.e., int( (10-1)/2 )
Subset Difference Revocation Process
• Initialization Phase - Sender constructs a virtual tree with
receivers as leaves - Each node assigned a unique id
based on location in the tree • Level (L) from top-to-bottom • Offset (O) from left-to-right • ID
= 2L + O -1
• Parent = int( (ID-1)/2 ) • Sibling = if (ID even) ID-1
else (ID + 1) • IDLeftChild = 2 * ID + 1 • IDRgntChild= 2 * ID + 2
- Sender generates secret seeds for each internal node
• Never shared by sender
S
R
87 109
43
1211 1413
65
1 2
0 0
1 2
3 4 5 6
Level = 3 Offset = 3 ID = 10 I.e., 23+3-1 Parent = 4 I.e., int( (10-1)/2 ) Sibling = 9Sibling = 9
©2009 BAE Systems. 10
9
43
1 2
0
Subset Difference Revocation Process
• S
R
87 10 1211 1413
65
Receiver Configuration Phase - Sender establishes secure authenticated connection
with receiver - Sender assigns receiver to unused
leaf in the tree - Sender generates and loads labels
for off-path subset differences • FL : One-Way Hash to generate Left Label • FR : One-Way Hash to generate Right
Label • From on-path node (light blue), apply
appropriate hash to terminate on off-path node (dark blue)
0
1 2
3 4 5 6
9
43
1 2
0
L0,2 = FR◦ 0 L0,3 = FL◦FL◦ 0 L0,9 = FL◦FR◦FL◦ 0
L1,3 = FL ◦ 1 L1,9 = FL◦FR◦ 1 L4,9 = FL◦ 9
Rooted at 0 Rooted at 1 Rooted at 4 2 3 9Su
btra
ctor
©2009 BAE Systems. 11
6
0
Subset Difference Revocation Process
S
R
87 109
43
1211 1413
5
1 2
[0 ,6 , Ek0,6{TEK}]
6
0
• Transmit / Receive Phase - Sender identifies a subset cover that excludes the revoked
users - Sender encrypts the Traffic Encryption
Key (TEK) using the appropriate key and broadcasts
- Receivers generate key encryption key if possible
• Find label(s) rooted at same point • Find label with subtractor on path
between root and sender’s subtractor • Apply FL and FR to generate
corresponding label • Apply one-way function, K, to recover k0,6 = K◦FR◦L0,2 k0,6 = K◦L0,6 ???
the key encryption key • Decode the TEK TEK TEK
©2009 BAE Systems. 12
New Algorithmic Components in GSDR
• Leaf node seed
• Blinding one-way hash (complements SDR left and right hashes)
• Gateway Mask
• Gateway Label
• Revocation Type (Local, Override)
• Rekey Type (Delegated, Override)
©2009 BAE Systems. 13
B
89
44
21
S
Q H
87 109
43
1211 1413
65
1 2
0
A
6665
3231
15
7
4645
22
10
Sender / Gateway constructs a virtual tree Each node assigned a unique id based
Children rooted at gateway fall below
Sender generates extra layer of
0
1 2
3 4 5 6
8 9 11 12 137 10
10
21 22
44 45 46
Gateway Subset Difference Revocation Process
• Initialization Phase -
• on location in the tree
• gateway’s ID accordingly
- Internal seeds are generates by the 14
sender / gateway •
node-seeds (purple) • Gateways derive internal
seeds from node seed provided by sender when gateway registers (red)
©2009 BAE Systems. 14
109
43
1 2
0
Gateway Subset Difference Revocation Process
B
89
44
21
S
Q H
87 1211 1413
65
A
6665
3231
15
7
4645
22
10
• Registration Phase for Gateway - Perform SDR registration
• Setup secure channel • Distribute SDR labels
- Node seed for constructing labels of trees rooted at (or below) gateway – E.g., L21,43
- Blinded root seeds for labels rooted above gateway with subtractor below gateway – E.g., L1,15
109
43
1 2
0
L0,2, L0,3, L0,9, L1,3, L1,9, L4,9
B0,10 = G◦FR◦FR◦FL◦ 0 B1,10 = G◦FR◦FR◦ 1 B4,10 = G◦FR◦4
10
©2009 BAE Systems. 15
89
44
21
10
4
1
0
22
10
Gateway Subset Difference Revocation Process
16©2009 BAE Systems.
B
S
Q H
87 9
3
1211 1413
65
2
A
6665
3231
15
7
4645
• Registration Phase for Receiver - Labels rooted at and below gateway generated
using SDR algorithm with seeds generated during initialization
- Labels rooted above gateway with subtractor below gateway are generated from blinded seeds
- No labels for trees rooted above gateway with subtractor above gateway
L10,22, L10,43, L10,89, L21,43, L21,89, L44,89
10
4
1
0
89
44
21 22
10 L’0,22 = FR◦ B0,10 L’0,43 = FL◦FL◦ B0,10 L’0,89 = FL◦FR◦FL◦ B0,10
L’1,22 = FR◦ B1,10 L’1,43 = FL◦FL◦ B1,10 L’1,89 = FL◦FR◦FL◦ B1,10
L’4,22 = FR◦ B4,10 L’4,43 = FL◦FL◦ B4,10 L’4,89 = FL◦FR◦FL◦ B4,10
1211 1413
65
0
MG = 0 1 0 0
1 not GW4 not GW10 is GW22 not GW
Gateway Subset Difference Revocation Process
• Transmission -
gateway translations occur •
overridden
-
delegate distribution • Subset is Node 1 minus 46 • Node 10 is a gateway
between 1 and 46
B
89
44
21
S
Q H
87 109
43
1 2
A
6665
3231
15
7
4645
22
10
Incorporate gateway mask (MG) defining where
Identifies where delegation is being
Example: Override Gateway H to explicitly exclude two nodes while allowing Gateway Q to
[1, 46, 0100B, Ek1,46 {TEK}]
MG = 0 1 0 0
1 not GW 4 not GW 10 is GW 22 not GW
©2009 BAE Systems. 17
3
No labels rooted at Node 1
L1,4 is knownAdjust MG by 2 0100
L1,10 = G◦FR◦ L1,4 01L1,22 = FR◦G◦FR◦ L1,4 0L1,46 = FR◦FR◦G◦FR◦ L1,4 -
= F ◦F ◦G◦F ◦F ◦
L’1,22 is knownAdjust MG by 4 0100
L1,46 = FR◦L’1,22 -= FR◦FR◦B1,10 = F ◦F ◦G◦F ◦F ◦
Gateway Subset Difference Revocation Process
18©2009 BAE Systems.
B
89
44
21
S
Q H
87 109
4
1211 1413
65
1 2
0
A
6665
3231
15
7
4645
22
10
• Receipt - Allowed direct
subordinates receive the msg by applying the gateway mask appropriately
- Lower tier subordinates generally lack appropriate label to extract key
- Overridden nodes have appropriate labels to extract key
Labels rooted at Node 1 only subtract trees below Q
Cannot receive the transmission directly
R R R R 1
L1,4 is known Adjust MG by 2 0100
L1,10 = G◦FR◦ L1,4 01 L1,22 = FR◦G◦FR◦ L1,4 0 L1,46 = FR◦FR◦G◦FR◦ L1,4 -
= FR◦FR◦G◦FR◦FR◦ 1
R R R R 1
L’1,22 is known Adjust MG by 4 0100
L1,46 = FR◦L’1,22 -= FR◦FR◦B1,10= FR◦FR◦G◦FR◦FR◦ 1
Last Mile Key Delivery – Factors Influencing Approach
• Operational context - Land-based, Airborne, Afloat, Submerged, In-orbit, etc.
• Mission length and dynamics - Return-to-base rekey - In-stride rekey - Remote assets (sensor grids, orbital systems, etc.)
• Network/comms infrastructure - SATCOM, OTAR, TDL, commercial (IPv4/6, LAN, WLAN, WiMAX, PAN)
• Legacy crypto lacks auto-fill capability - Co-located rekey device a possibility
©2009 BAE Systems. 19
Example Rekeying Device for Legacy Crypto
• Work performed for AFRL/IFGB on the SecureKeysSBIR contract (2004-2005)
• Non-functional hardware prototype developed to stimulate discussion on form-factor and interfaces
- Windermere Group subcontracted to develop - Initial Fused Deposition Modeling prototype fabricated
summer 2005 • Connectors
- DS-101 Key Fill - Serial - Power - Antenna (for wireless variant)
• Controls - Zeroize
• Indicators - Power, BITE, Link
• Includes pluggable module to allow selection of network interface
©2009 BAE Systems. 20
Summary
• Global presence requires globally-scalable key management
• Deterring the cyber threat requires nearly-instantaneous revocation
• Operational requirements mandate flexible last-mile deployment strategies
• Fundamental technologies exist that provide the needed scale
©2009 BAE Systems. 21
Related Work
• SDR using Weighted Key Assignment and Batched Transmission S. Zhu, S. Setia, and S. Jajodia, “Adding reliable and self-healing key distribution to the subset difference group rekeying method for secure multicast,” Fifth International Workshop on Networked Group Communications (NGC'03), Munich, Germany, September 16-19, 2003.
• SDR using trapdoor one-way permutation trees T. Asano, “Reducing Receiver’s Storage in CS, SD, and LSD Broadcast Encryption Schemes,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Science, E88-A(1):203-210, January 2005
• Augmented Broadcast Encryption Dan Boneh , Brent Waters, A fully collusion resistant broadcast, trace, and revoke system, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
©2009 BAE Systems. 22
Questions?
“For those viewing via webcast, please submit questions for this presentation to [email protected]”
©2009 BAE Systems. 23