MARKS: Zero side-effect Multicast key mgmt using Arbitrarily Revealed Key Sequences Bob Briscoe BT Research 7 Nov 1999


Page 2:

key mgmt: the problem

[Figure: axes labelled "time" and "member"]

Page 3:

7 Nov 1999 MARKS; (c) British Telecommunications plc 1999

application data unit (ADU)

wrt security/charging

see taxonomy of large-scale multicast requirements [Bagnall]

Page 4:

key mgmt: ADUs

[Figure: axes labelled "time" and "member"]

Page 5:

m'cast key mgmt: state of the art

not suitable for large-scale deployment
• re-keying traffic rate of same order as join/leave rate
• re-keying requires reliable multicast
• hence Internet Research Task Force, not IETF

MARKS: redefine problem
• arbitrary eviction, but pre-planned
• mainly commercial scenarios (pre-pay)
  e.g. pay-per-view-TV, usage-charged network games
• zero side-effect on other receivers and sender
• one small unicast set up message per session

Page 6:

lateral thinking

[Figure: axes labelled "time" and "member"]

Page 7:

loose coupling to senders

[Figure: senders (S), key managers (KM) and receivers (R), connected by multicast data and unicast set-up links]

reliable multicast keying not req'd

Page 8:

two blinding functions from one

[Figure: seed s(0,0) leading to s(1,0) and s(1,1); labels r0, r1, b, b0, b1]

Page 9:

binary hash tree

[Figure: binary hash tree of seeds s(d,i), from root s(0,0) through s(1,0), s(1,1), s(2,0) ... s(2,3) and s(3,0) ... s(3,7) down to leaves s(4,0) = k0 ... s(4,15) = k15; branches labelled b0 and b1; example range min=3 max=9]

indexing arranged so even left

Page 10:

algorithm to reveal intermediate seeds

    for (d = D; ; d--) {        // working from leaves...
                                // move up tree 1 level ea loop
        if (min == max) {       // min & max have converged...
            reveal(d, min);     // ...so reveal sub-tree root..
            break;              // ...and quit
        }
        if (odd(min)) {         // odd min never left child...
            reveal(d, min);     // ...so reveal odd min seed
            min++;              // and step min in 1 to right
        }
        if (!odd(max)) {        // even max never right child..
            reveal(d, max);     // ...so reveal even max seed
            max--;              // and step max in 1 to left
        }
        if (min > max) break;   // min & max cousins, so quit
        min /= 2;               // halve min ...
        max /= 2;               // ... & halve max ready for...
    }                           // ... next level round loop

Page 11:

BHT - per ADU key calculation

[Figure: the binary hash tree again, from root s(0,0) through s(1,0), s(1,1), s(2,0) ... s(2,3) and s(3,0) ... s(3,7) down to leaves s(4,0) = k0 ... s(4,15) = k15; branches labelled b0 and b1]
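The reveal loop and the per-ADU key calculation from the slides above, as a runnable sketch added here (not code from the presentation or the paper). It assumes b0 and b1 are SHA-256 over a side byte plus the seed, truncated to 128 bits; that construction, the function names and ROOT are illustrative choices, not the slides' definitions.

```python
import hashlib

D = 4             # tree depth: 2**D = 16 ADU keys, as in the slides' figure
SEED_BYTES = 16   # 128-bit seeds, the size the slides call typical

def blind(seed, side):
    # b0 / b1 (assumed construction): SHA-256 over a side byte plus the seed
    return hashlib.sha256(bytes([side]) + seed).digest()[:SEED_BYTES]

def seed_at(root, d, i):
    # Key manager / sender: derive s(d,i) from the root seed s(0,0)
    s = root
    for level in range(d - 1, -1, -1):
        s = blind(s, (i >> level) & 1)   # even index = left child = b0
    return s

def reveal_range(lo, hi, depth=D):
    # The slides' reveal loop: (d, i) of the seeds that cover keys lo..hi
    if not 0 <= lo <= hi < 2 ** depth:
        raise ValueError("key range outside the tree")
    out = []
    for d in range(depth, -1, -1):       # work up from the leaves
        if lo == hi:                     # converged: reveal sub-tree root
            out.append((d, lo))
            break
        if lo % 2 == 1:                  # odd min is never a left child
            out.append((d, lo))
            lo += 1
        if hi % 2 == 0:                  # even max is never a right child
            out.append((d, hi))
            hi -= 1
        if lo > hi:                      # min and max were cousins
            break
        lo //= 2
        hi //= 2
    return out

def setup_message(root, lo, hi):
    # Unicast set-up payload: the minimal seed set for keys lo..hi
    return {(d, i): seed_at(root, d, i) for d, i in reveal_range(lo, hi)}

def receiver_keys(revealed, depth=D):
    # Receiver: expand every revealed s(d,i) down to its leaf keys k_i
    keys = {}
    for (d, i), seed in revealed.items():
        frontier = {i: seed}
        for _ in range(depth - d):
            frontier = {2 * j + side: blind(s, side)
                        for j, s in frontier.items() for side in (0, 1)}
        keys.update(frontier)
    return keys

ROOT = bytes(range(SEED_BYTES))  # constructed sample seed; a real root must be random

if __name__ == "__main__":
    msg = setup_message(ROOT, 3, 9)
    print(sorted(msg), sorted(receiver_keys(msg)))
```

For the slides' example range min=3 max=9 the set-up message carries three seeds, s(4,3), s(3,4) and s(2,1), and the receiver can expand them to k3 ... k9 and nothing else.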

Page 12:

BHT processing efficiency

receiver & sender: (mean no. of hashes per key)

= (no. of branches) / (no. of leaves)

= (2^(D+1) - 1) / 2^D < 2

key manager:
– it depends...
• store all intermediate seeds, or cache & re-hash?

Page 13:

BHT efficiency

N: length of the range of keys req'd
ws: size of seed (typically 128b)
wh: KM protocol header overhead
ts: processor time to blind a seed

per R: (unicast msg size) / ws - wh, or (min storage) / ws: min 1, max 2(log(N+2) - 1), mean O(log(N) - 1)
per R: (processing latency) / ts: min 0, max log(N), mean O(log(N) /2)
per R or S: (processing per key) / ts: min 1, max log(N), mean 2
per S or KM: (min storage) / ws, and per S: (min random bits) / ws: 1

independent of n, #rcvrs
truly zero side effect

Page 14:

BHT security

as secure as the chained hash function

max attacker gain
– doubles accessible value / hash
• 1025 years for lone attacker?
• …collusion or arbitrage far easier

usual caveats about due care:
• randomness of seed
• security of announcements and set up messages
– (SDP & SSL-based example in paper)

Page 15:

variations

multi-sender multicast
• all use same seeds - network game example in paper

combination with other schemes
• storage/complexity costs sum of combined schemes
• bandwidth cost of each only when necessary
– unplanned eviction
• (BHT aux. keys) XOR (Chang99 aux. keys)
• but lose advantage of decoupling
– watermarking...

Page 16:

limitations

receiver collusion & arbitrage

(strength of hash chain of length D) = D(hash strength)?

Page 17:

audit trail

watermark without smartcard?
– Chameleon [Anderson97]
• long-term watermarked key block
• watermarks secondary keys - XOR cipherstream

partial flaw: no protection against leaks to recent group members

[Figure label: "stolen"]

Page 18:

wider context

valid non-multicast scenarios for MARKS
• DVD: digital video disk
• VPN: virtual private network

dynamic stack creation
• Flexinet, Mware
• software engineering rather than protocol engineering (SMuG)

frameworks (longer term focus)
• cover reliable multicast, unicast etc.
• declarative: cf. LSMA requirements taxonomy 'RFC' draft-ietf-lsma-requirements-04.txt

Page 19:

summary

no limit on MARKS scalability
• completely decoupled
• esp. if scenario allows stateless key manager replication
• extremely low set up and running costs
• no (reliable) multicast re-keying

arbitrary eviction
• unplanned far more difficult than planned
• cost difference worth business model distortion
• can usefully combine planned & unplanned

Page 20:

where now?

current plan
• license technology in short term?
• will fit into SMuG framework
• public domain & standardise medium term?
• is SMuG chartered for RFCs on mechanisms?

Page 21:

further information

Mware project
http://www.labs.bt.com ...… /projects/mware/

this presentation and paper
… /people/briscorj/papers.html#MARKS

Bob Briscoe
… /people/briscorj/

Flexinet
http://www.ansa.co.uk/

common model

Page 22:

bi-directional hash chain

[Figure: chain values v(0,0), v(1,0), v(2,0) ... v(G,0) paired with v(G,1), v(G-1,1), v(G-2,1) ... v(0,1) to give keys k0, k1, k2 ... kG; positions m, i and n marked along the chain]

legend:
link from v(0,0) to v(1,0) represents v(1,0) = b(v(0,0))
v(0,0) and v(G,1) joined at k0 represents k0 = c( v(0,0), v(G,1) )

Page 23:

continuous BHT

[Figure: labels D0 and M]

Page 24:

hash chain-tree hybrid element

[Figure: a) seeds s(0,0), s(0,1), s(0,2), blinded values v(1,0), v(1,1), v(1,2) and the resulting s(1,0) ... s(1,3); b) s(0,0), s(0,1), s(0,2) above s(1,0), s(1,1), s(1,2), s(1,3)]

legend:
s(0,0) and v(1,1) joined at s(1,0) represents s(1,0) = c( s(0,0), b( s(0,1) ) )
link from s(0,0) to v(1,0) represents v(1,0) = b( s(0,0) )

Page 25:

hash chain-tree hybrid

[Figure: chain-tree hybrid with top-level seeds s(0,0), s(0,1), s(0,2), then s(1,0) ... s(1,3), s(2,0) ... s(2,5), s(3,0) ... s(3,9) and leaves s(4,0) = k0 ... s(4,17) = k17]

Page 26:

hash chain-tree hybrid

[Figure: part of the chain-tree hybrid: s(0,1), s(1,1), s(1,2), s(2,0) ... s(2,4), s(3,0) ... s(3,8) and leaves s(4,0) = k0 ... s(4,16) = k16]

Page 27:

BHC-T per ADU key calculation

[Figure: part of the chain-tree hybrid: s(0,1), s(1,1), s(1,2), s(2,0) ... s(2,4), s(3,0) ... s(3,8) and leaves s(4,0) = k0 ... s(4,16) = k16]

Page 28:

hash chain-tree twist

[Figure: labels s(0,0), v(1,1) = s(1,0), s(0,1) = v(1,0), s(1,1)]

Page 29:

hash chain-tree hybrid growth

[Figure: growth sequence with elements numbered 0 to 13, including 8a, 8b, 12a, 12b and 13a to 13d]

Page 30:

continuous hashchain-tree

[Figure: labels M and 2M]

Page 31:

revealing and blinding pairs in BHC-T

[Figure: labels s(0,0), s(0,1), s(1,1), s(1,2)]

Page 32:

hash chain-tree hybrid II element

[Figure: a) seeds s(0,0), s(0,1), s(0,2), blinded values v(1,0) ... v(1,5) and the resulting s(1,0) ... s(1,3), branches labelled b0 and b1; b) s(0,0), s(0,1), s(0,2) above s(1,0), s(1,1), s(1,2), s(1,3), branches labelled b0 and b1]

legend:
v(1,0) and v(1,2) joined at s(1,0) represents s(1,0) = c( b0(s(0,0)), b0(s(0,1)) )
link from s(0,0) to v(1,0) represents v(1,0) = b0(s(0,0))
link from s(0,0) to v(1,1) represents v(1,1) = b1(s(0,0))

Page 33:

revealing and blinding pairs in BHT2

[Figure: labels s(0,0), s(0,1), s(1,1), s(1,2)]

Page 34:

common model

general form
– two co-ordinate planes
• blinding
• combining
– tree 'molecules' in blinding plane
– molecule leaves map down into combining plane
– results mapped back into blinding plane
– next blinding molecule starts

3 general mapping formulae
– expressions specialise formulae for each scheme

Page 35:

BHT2

[Figure: diagram on axes h, j and d, i showing v(h, j) and s(d, i); branches labelled b0 and b1]

Page 36:

BHT

[Figure: diagram on axes h, j and d, i showing v(h, j) and s(d, i); branches labelled b0 and b1]

Page 37:

BHC

[Figure: diagram on axes h, j and d, i showing v(h, j) and s(d, i)]

Page 38:

BHC-T

[Figure: diagram on axes h, j and d, i showing v(h, j) and s(d, i)]

Page 39:

BHC3-T

[Figure: diagram on axes h, j and d, i showing v(h, j) and s(d, i)]