Key Agreement for
Heterogeneous Mobile Ad-hoc Groups(µSTR-H)
Mark Manulis
Horst-Görtz Institute, Bochum (Germany), http://www.hgi.rub.de
Mark Manulis, Horst-Görtz Institute, Bochum, Germany
Heterogeneous Mobile Ad-Hoc Group

Outline
- Elliptic Curve Cryptography
- Performance of Mobile Devices
- Device Architecture
- µSTR-H Protocol Suite: setting, requirements, protocols (Setup, Join, Leave, Merge, Partition)
- Performance Analysis
- Current and Future Work
Elliptic Curve Cryptography (ECC)
Elliptic curve $E$ over a finite field $\mathbb{F}_q$:
- $q$ prime: $y^2 = x^3 + ax + b$ with $x, y, a, b \in \mathbb{F}_p$ and $4a^3 + 27b^2 \neq 0$
- $q = 2^m$, $m \in \mathbb{N}$: $y^2 + xy = x^3 + ax^2 + b$ with $x, y, a, b \in \mathbb{F}_{2^m}$ and $b \neq 0$
The group of elliptic points $E(\mathbb{F}_q)$ is commutative. Let $P, Q \in E(\mathbb{F}_q)$:
- Negation: $-P$
- Addition: $P + Q = R(x_R, y_R) \in E(\mathbb{F}_q)$
- Doubling: $2P = R(x_R, y_R) \in E(\mathbb{F}_q)$
Let $G \in E(\mathbb{F}_q)$ have prime order $t$ (so $t \mid \#E(\mathbb{F}_q)$). Generated additive subgroup: $\langle G \rangle = \{O, G, 2G, \ldots, (t-1)G\}$.
Scalar-point multiplication: for $r \in \{1, \ldots, t-1\}$, $rG = R \in \langle G \rangle$, i.e. $R = \underbrace{G + \cdots + G}_{r \text{ times}}$.
It is hard to compute $r$ given $R$ and $G$ (elliptic curve discrete logarithm problem, ECDLP).
Performance of Mobile Devices
Benchmark function $F$:
- Input: the device's hardware parameters (CPU clock, memory size, storage capacity, battery power consumption, …)
- Process: application-specific operations (cryptographic and network operations)
- Output: performance ratio $\mu$
[Figure: run $F$(input), get $\mu$]
Performance Ratio Order
- Mobile ad-hoc group: $M_1, \ldots, M_n$
- Performance ratio order: $P = (M_1, \ldots, M_n)$ with $\mu_i \geq \mu_{i+1}$ for all consecutive $M_i, M_{i+1}$, i.e. the most powerful device comes first
- Assumption: $\mu_i$ can be figured out from $P$
[Figure: example ordering of nine devices $M_1, \ldots, M_9$]
Homogeneous & Heterogeneous Mobile Ad-Hoc Groups
- Homogeneous mobile ad-hoc group: $\forall\, \mu_i, \mu_j \in P: |\mu_i - \mu_j| \leq \varepsilon$
- Heterogeneous mobile ad-hoc group: $\exists\, \mu_i, \mu_j \in P: |\mu_i - \mu_j| > \varepsilon$
- $\varepsilon$: limit of homogeneity
CGKA Protocol Requirements
- Usual security requirements against a passive adversary
- Cost fairness (performance requirement):
  - homogeneous groups: uniform distribution of protocol costs between devices
  - heterogeneous groups: distribution of protocol costs between devices with respect to $P$
- Performance honesty (security requirement): an adversary cannot cheat on its device's performance.
  Remark: here the adversary is active; this requirement concerns only heterogeneous groups.
Abstract Device Architecture based on TCG
Trusted Computing Base components:
- Trusted Platform Module (TPM): tamper-resistant, limited computational capabilities; holds the Platform Configuration Registers (PCRs) and the Attestation Identity Key pair $(PK_{AIK}, SK_{AIK})$
- Trusted Software Component (TSC): its measurement $S$ is included in the PCRs; better computational capabilities than the TPM
Non-trusted components:
- Application, isolated from other processes
[Figure: hardware platform with the TPM ($PCR_1, PCR_2, \ldots, PCR_l$), the TSC measured as $S$, the common OS and the application]

µSTR-H: Pre-Requisites
- Communication channel: public, broadcast/multicast, reliable
- Authentication: every device has $Cert_{TPM_i} = (ID_{TPM_i}, PK_{AIK_i}, Sig_{CA}(ID_{TPM_i}, PK_{AIK_i}))$
- Assumption: all protocol messages are authentic; the explicit indication of the authentication procedure is omitted
Mark Manulis, Horst-Görtz Institute, Bochum, Germany HGI-Seminar 2005
µSTR-H: Parameters and Notations
- $E(\mathbb{F}_q)$, $q$ prime or $q = 2^m$, $m \in \mathbb{N}$
- $\langle G \rangle = \{O, G, 2G, \ldots, (t-1)G\}$, $t$ prime, $t \mid \#E(\mathbb{F}_q)$
- members $M_1, \ldots, M_n$ in performance ratio order $P$
- secret session randoms $r_1, \ldots, r_n$; blinded session randoms $R_i = r_i G$, with $\mathbf{R}_i = (R_i, \ldots, R_n)$
- secret keys $k_2, \ldots, k_n$ ($M_1$ holds $r_1$ in place of a key), with $\mathbf{k}_i = (k_i, \ldots, k_n)$; $k_n$ is the group key, $k_i, \ldots, k_{n-1}$ are auxiliary keys
- public keys $R_1, K_2, \ldots, K_{n-1}$ with $K_i = k_i G$

Member $M_i$ computes:
- $r_i \in_R \{1, \ldots, t-1\}$
- $R_i = r_i G$
- $k_i = \mathrm{map}(r_i K_{i-1})$ for $i \geq 2$; exception: $k_2 = \mathrm{map}(r_1 R_2) = \mathrm{map}(r_2 R_1)$, i.e. $R_1$ takes the place of $K_1$
- $k_j = \mathrm{map}(k_{j-1} R_j)$ for all $i < j \leq n$
- $K_i = k_i G$

Example, $M_3$ in a group of five: $r_3 \in_R \{1, \ldots, t-1\}$; $k_3 = \mathrm{map}(r_3 K_2)$; $k_4 = \mathrm{map}(k_3 R_4)$; $k_5 = \mathrm{map}(k_4 R_5)$ is the group key, $k_3, k_4$ are auxiliary keys.

Achieving Performance Honesty
Tasks of $TPM_i$:
- choose $r_i$ and compute $R_i$
- seal $r_i$ under $\mu_i$ and $S_i$
- generate $\sigma_i = Sign_{SK_{AIK_i}}(R_i, \mu_i)$
- compute $r_i K_{i-1}$ given $K_{i-1}$
Tasks of $TSC_i$:
- compute all secret keys $k_i, \ldots, k_n$
- compute all public keys $K_i, \ldots, K_{n-1}$
Tasks of the untrusted µSTR-H application:
- send and receive protocol messages
- verify the received $\sigma_j$
- compute $P$
- store $\mathbf{R}_i$
Because $\sigma_i$ is produced by the TPM under the AIK and $r_i$ is sealed under $\mu_i$ and $S_i$, a member cannot run the protocol with a performance ratio other than the one its TPM attests to; this is the performance honesty requirement.
[Figure: hardware platform with $TPM_i$ (PCRs, $r_i$, performance ratio $\mu_i$), $TSC_i$ (measurement $S_i$, keys $k_i, \ldots, k_n$), the common OS and the µSTR-H application]

Message Exchange between Components
- $TSC_i \to TPM_i$: $K_{i-1}$; $TPM_i \to TSC_i$: $r_i K_{i-1}$
- $TPM_i \to$ µSTR-H (non-trusted): $(\mu_i, R_i, \sigma_i, Cert_{TPM_i})$, which µSTR-H broadcasts; µSTR-H receives the other members' $(\mu_j, R_j, \sigma_j, Cert_{TPM_j})$
- µSTR-H $\to TSC_i$: $R_{i+1}, \ldots, R_n$
- $TSC_i \leftrightarrow$ µSTR-H: $K_i, \ldots, K_{n-1}$ (produced by the sponsor's TSC for broadcast, received by the others)
[Figure: hardware platform with $TPM_i$ (PCRs, $r_i$, performance ratio $\mu_i$), $TSC_i$ (measurement $S_i$, keys $k_i, \ldots, k_n$), the common OS and the µSTR-H application]

µSTR-H: Setup
1. $TPM_i$ selects $r_i$, computes $R_i$ and $\sigma_i$. $M_i$ broadcasts $(\mu_i, R_i, \sigma_i, Cert_{TPM_i})$.
2. $M_i$ verifies all $\sigma_j$, computes $P$ and stores $R_{i+1}, \ldots, R_n$. $TPM_1$ computes $r_1 R_2$; $TSC_1$ computes $\mathbf{k}_1 = (k_2, \ldots, k_n)$ and $(K_2, \ldots, K_{n-1})$. $M_1$ broadcasts $(K_2, \ldots, K_{n-1})$.
3. $M_i$ stores $K_{i-1}$. $TPM_i$ computes $r_i K_{i-1}$. $TSC_i$ computes $\mathbf{k}_i = (k_i, \ldots, k_n)$.
[Figure: eight members with $\mu_i$ = 4 1 3 2 8 6 5 7 are reordered into $P$ with $\mu_i$ = 8 7 6 5 4 3 2 1; $M_1$ holds $\mathbf{k}_1$ and broadcasts $K_2, \ldots, K_7$; the members' keys are $k_2, \ldots, k_8$]

µSTR-H: Join
[Figure: group $P = (M_1, \ldots, M_5)$; a new member $M_j$ with $\mu_3 > \mu_j > \mu_4$ joins and is inserted at position 4, giving $P = (M_1, \ldots, M_6)$; the sponsor broadcasts $R'_3, K'_3, K'_4, K'_5$; all members obtain the refreshed keys $k'_1, \ldots, k'_6$]

µSTR-H: Leave
[Figure: a member leaves the group $P = (M_1, \ldots, M_6)$; the remaining five members renumber to $P = (M_1, \ldots, M_5)$; the sponsor broadcasts $R'_2, K'_2, K'_3, K'_4$; the remaining members obtain the refreshed keys $k'_1, \ldots, k'_5$]

µSTR-H: Merge
[Figure: two groups with performance ratio orders $P_1 = (M^1_1, M^1_2, M^1_3, M^1_4)$, $\mu^1_i$ = 6 4 3 2, and $P_2 = (M^2_1, M^2_2, M^2_3, M^2_4)$, $\mu^2_i$ = 8 7 5 1, with blinded randoms $R^1_1$ and $R^2_1$ at their respective $M_1$; the merged group is $P = (M_1, \ldots, M_8)$ with $\mu_i$ = 8 7 6 5 4 3 2 1; the sponsor broadcasts $R'_2, K'_2, \ldots, K'_7$; all members obtain the refreshed keys $k'_1, \ldots, k'_8$]

µSTR-H: Partition
[Figure: the group $P = (M_1, \ldots, M_8)$ with $\mu_i$ = 8 7 6 5 4 3 2 1 partitions; the remaining members form $P = (M_1, \ldots, M_5)$ with $\mu_i$ = 8 6 4 2 1 ($v = 3$ members left); the sponsor broadcasts $R'_1, K'_2, K'_3, K'_4$; the remaining members obtain the refreshed keys $k'_1, \ldots, k'_5$]

Performance Analysis

| Op | Rounds | Messages | Size (µSTR-H / original STR) | SP-multiplications per member (µSTR-H; original STR in parentheses) | Memory size |
|---|---|---|---|---|---|
| S | 2 | n+1 | 2n−2 / 2n−1 | i=1: 2n−1 (2n); i>1: n−i+2 (2n−2i+4) | i=1: 3n−2; i>1: 3n−i |
| J | 1 | 2 | 2n−2s+3 / 2n | i<s: n−s+2; i=s: 2n−2s+4; i>s: n−i+2 | i<s: 2; i=s: 4; i>s: 1 |
| L | 1 | 1 | n−s / 2n−4 | i<s: n−s; i=s: 2n−2s; i>s: n−i | |
| M | 2 | 3 | 2n′+2n″−s+1 / 4n′+4n″−6 | i<s: n′+n″−s+1; i=s: 2n′+2n″−2s+2; i>s: n′+n″−i+1 | i<s: n″+1 |
| P | 1 | 1 | n−v−s+1 / 2n−2v−2 | i<s: n−v−s+1; i=s: 2n−2v−2s+2; i>s: n−v−i+1 | |

S – setup, J – join, L – leave, M – merge, P – partition; the second size value and the parenthesised SP-multiplication counts are the original STR costs.
n – initial group size, i (s) – index of the member (sponsor), v – size of the partition, n′, n″ – sizes of the two merging groups.

Future Work
Consider various protocols in MANETs where the applied techniques (non-uniform distribution of protocol costs, enforcement of property compliance) are useful, e.g. multicast routing, threshold cryptography, …

Thank you!