Key Agreement for Heterogeneous Mobile Ad-hoc Groups (µSTR-H)

Mark Manulis
Horst-Görtz Institute, Bochum (Germany)
http://www.hgi.rub.de

Heterogeneous Mobile Ad-Hoc Group

Outline

  Elliptic Curve Cryptography
  Performance of Mobile Devices
  Device Architecture
  µSTR-H Protocol Suite
    Setting
    Requirements
    Protocols: Setup, Join, Leave, Merge, Partition
  Performance Analysis
  Current and Future Work

Elliptic Curve Cryptography (ECC)

Elliptic curve $E$ over a finite field $F_q$
  $q$ prime: $y^2 = x^3 + ax + b$, $x, y, a, b \in F_p$ and $4a^3 + 27b^2 \neq 0$
  $q = 2^m$, $m \in \mathbb{N}$: $y^2 + xy = x^3 + ax^2 + b$, $x, y, a, b \in F_{2^m}$ and $b \neq 0$

Group of elliptic points $E(F_q)$ is commutative. Let $P, Q \in E(F_q)$
  Negation: $-P$
  Addition: $P + Q = R(x_R, y_R) \in E(F_q)$
  Doubling: $2P = R(x_R, y_R) \in E(F_q)$

Let $G \in E(F_q)$ of prime order $t$ with $t \mid q-1$
  Generated additive subgroup $\langle G \rangle = \{O, G, 2G, \dots, (t-1)G\}$
  Scalar-Point Multiplication: $r \in \{1, \dots, t-1\}$, $rG = R \in \langle G \rangle$
  Note: $R = G + \dots + G$ ($r$ times)

It is hard to compute $r$ given $R$ and $G$ (EC-Discrete Logarithm Problem)

Performance of Mobile Devices

Benchmark function F
  Input: device's hardware parameters
    CPU clocks
    memory size
    storage capacity
    battery power consumption
    …
  Process: application-specific operations
    cryptographic and network operations
  Output: performance ratio µ

(Figure: run F(input), get µ)


Performance Ratio Order

Mobile Ad-Hoc Group: M1, … , Mn

Performance ratio order: P = (M1, … , Mn), Mi, Mi+1 : µi µi+1

e.g.:

Assumption: µi can be figured out from P

M1 M2 M3 M4 M5 M6 M7 M8 M9


Homogeneous & Heterogeneous Mobile Ad-Hoc Groups

Homogeneous Mobile Ad-Hoc Group: µi, µj P : |µi - µj|

Heterogeneous Mobile Ad-Hoc Group: µi, µj P : |µi - µj| >

: limit of homogeneity


CGKA Protocol Requirements

Usual security requirements against passive adversary

Cost fairness (performance requirement)
  Homogeneous Groups: uniform distribution of protocol costs between devices
  Heterogeneous Groups: distribution of protocol costs between devices with respect to P

Performance Honesty (security requirement)
  Adversary cannot cheat on its device performance
  Remark:
    Adversary is active
    Concerns only heterogeneous groups

Abstract Device Architecture based on TCG

Trusted Computing Base Components
  Trusted Platform Module (TPM)
    Tamper-resistant
    Limited computational capabilities
    Platform Configuration Registers (PCRs)
    Attestation Identity Key Pair $(PK_{AIK}, SK_{AIK})$
  Trusted Software Component (TSC)
    Its measurement $S$ is included in PCRs
    Better computational capabilities

Non-Trusted Components
  Application isolated from other processes

(Figure: Hardware Platform; TPM with $PCR_1, PCR_2, \dots, PCR_l$; TSC; Common OS; $S$; Application.)

µSTR-H: Pre-Requisites

Communication Channel
  public
  broadcast / multicast
  reliable

Authentication
  Every device has $\mathrm{Cert}_{TPM_i} = (ID_{TPM_i}, PK_{AIK}, \mathrm{Sig}_{CA}(ID_{TPM_i}, PK_{AIK}))$
  Assumption: All protocol messages are authentic
  Explicit indication of authentication procedure is omitted

Mark Manulis, Horst-Görtz Institute, Bochum, Germany HGI-Seminar 2005

µSTR-H: Parameters and Notations

$E(F_q)$, $q$ is prime or $2^m$, $m \in \mathbb{N}$
$\langle G \rangle = \{O, G, 2G, \dots, (t-1)G\}$, $t$ is prime, $t \mid q-1$

(Figure: members $M_1, M_2, M_3, M_4, M_5$ in $P$ (performance ratio order), with the rows
  public keys: $R_1, K_2, K_3, K_4$
  secret keys: $r_1, k_2, k_3, k_4, k_5$ (labels: group key, auxiliary keys); $k_i = (k_i, \dots, k_n)$
  blinded session randoms: $R_1, R_2, R_3, R_4, R_5$; $R_i = (R_i, \dots, R_n)$
  secret session randoms: $r_1, r_2, r_3, r_4, r_5$)

User $M_i$ computes:
  $r_i \in_R \{1, \dots, t-1\}$
  $R_i = r_i G$
  $k_i = \mathrm{map}(r_i K_{i-1})$; for all $2 < i < j \le n$: $k_j = \mathrm{map}(k_{j-1} R_j)$
  exception: $k_2 = \mathrm{map}(r_1 R_2) = \mathrm{map}(r_2 R_1)$
  $K_i = k_i G$

Example $M_3$:
  $r_3 \in_R \{1, \dots, t-1\}$
  $k_3 = \mathrm{map}(r_3 K_2)$
  $k_4 = \mathrm{map}(k_3 R_4)$
  $k_5 = \mathrm{map}(k_4 R_5)$

Achieving Performance Honesty

Tasks of $\mathrm{TPM}_i$
  Choose $r_i$ and compute $R_i$
  Seal $r_i$ under $\mu_i$ and $S_i$
  Generate $\sigma_i = \mathrm{Sign}_{SK_{AIK_i}}(R_i, \mu_i)$
  Compute $r_i K_{i-1}$ given $K_{i-1}$

Tasks of $\mathrm{TSC}_i$
  Compute all secret keys $k_i, \dots, k_n$
  Compute all public keys $K_i, \dots, K_{n-1}$

Tasks of untrusted µSTR-H
  Send and receive protocol messages
  Verify received $\sigma_j$
  Compute $P$
  Store $R_i$

(Figure: Hardware Platform; $\mathrm{TPM}_i$ with PCR; $\mathrm{TSC}_i$; Common OS; $S_i$; µSTR-H; labels $k_i, \dots, k_n$, $r_i$, performance ratio $\mu_i$.)

Message Exchange between Components

(Figure: message flow between $\mathrm{TPM}_i$, $\mathrm{TSC}_i$ and µSTR-H (non trusted). Message labels: $K_{i-1}$; $r_i K_{i-1}$; $\mu_i, R_i, \sigma_i, \mathrm{Cert}_{TPM_i}$; $R_{i+1}, \dots, R_n$; $K_i, \dots, K_{n-1}$. Platform diagram: Hardware Platform; $\mathrm{TPM}_i$ with PCR; $\mathrm{TSC}_i$; Common OS; $S_i$; µSTR-H; labels $k_i, \dots, k_n$, $r_i$, performance ratio $\mu_i$.)

µSTR-H: Setup

$\mathrm{TPM}_i$ selects $r_i$, computes $R_i$ and $\sigma_i$. $M_i$ broadcasts $(\mu_i, R_i, \sigma_i, \mathrm{Cert}_{TPM_i})$.

$M_i$ verifies all $\sigma_j$, computes $P$, stores $R_{i+1}, \dots, R_n$. $\mathrm{TPM}_1$ computes $r_1 R_2$. $\mathrm{TSC}_1$ computes $k_1 = (k_2, \dots, k_n)$ and $(K_2, \dots, K_{n-1})$. $M_1$ broadcasts $(K_2, \dots, K_{n-1})$.

$M_i$ stores $K_{i-1}$. $\mathrm{TPM}_i$ computes $r_i K_{i-1}$. $\mathrm{TSC}_i$ computes $k_i = (k_i, \dots, k_n)$.

(Figure: members $M_1, \dots, M_8$ with $\mu_i$: 4 1 3 2 8 6 5 7; in $P$ the ratios read 8 7 6 5 4 3 2 1; labels $k_1$; $K_2, K_3, K_4, K_5, K_6, K_7$; $k_2, k_3, k_4, k_5, k_6, k_7, k_8$.)

µSTR-H: Join

(Figure: $P$ with $M_1, M_2, M_3, M_4, M_5$; joining member $M_j$ with $\mu_3 > \mu_j > \mu_4$; resulting $P$ with $M_1, \dots, M_6$; sponsor; labels $R'_3, K'_3, K'_4, K'_5$ and $k'_1, k'_2, k'_3, k'_4, k'_5, k'_6$.)

µSTR-H: Leave

(Figure: $P$ with $M_1, \dots, M_6$ and $P$ with $M_1, \dots, M_5$; sponsor; labels $R'_2, K'_2, K'_3, K'_4$ and $k'_1, k'_2, k'_3, k'_4, k'_5$.)

µSTR-H: Merge

(Figure: $P_1$ with $M^1_1, M^1_2, M^1_3, M^1_4$ and $P_2$ with $M^2_1, M^2_2, M^2_3, M^2_4$; ratios $\mu^1_i$, $\mu^2_i$: 6 4 3 2 8 7 5 1; $R^1_1$, $R^2_1$; merged $P$ with $M_1, \dots, M_8$ and $\mu_i$: 8 7 6 5 4 3 2 1; sponsor; labels $R'_2, K'_2, K'_3, K'_4, K'_5, K'_6, K'_7$ and $k'_1, \dots, k'_8$.)

µSTR-H: Partition

(Figure: $P$ with $M_1, \dots, M_8$ and $\mu_i$: 8 7 6 5 4 3 2 1; $P$ with $M_1, \dots, M_5$ and $\mu_i$: 8 6 4 2 1; sponsor; labels $R'_1, K'_2, K'_3, K'_4$ and $k'_1, k'_2, k'_3, k'_4, k'_5$.)

Performance Analysis

Column groups: Communication (Rounds, Messages, Size), Computation (SP-Multiplications), Memory (Size)

S: 2; n+1; 2n-2; 2n-1; i=1: 2n-1; i>1: n-i+2; i=1: 2n, 3n-2; i>1: 2n-2i+4, 3n-i
J: 1; 2; 2n-2s+3; 2n; i<s: n-s+2, 2; i=s: 2n-2s+4, 4; i>s: n-i+2, 1
L: 1; 1; n-s; 2n-4; i<s: n-s; i=s: 2n-2s; i>s: n-i
M: 2; 3; 2n′+2n′′-s+1; 4n′+4n′′-6; i<s: n′+n′′-s+1, n′′+1; i=s: 2n′+2n′′-2s+2; i>s: n′+n′′-i+1
P: 1; 1; n-v-s+1; 2n-2v-2; i<s: n-v-s+1; i=s: 2n-2v-2s+2; i>s: n-v-i+1

S – setup, J – join, L – leave, M – merge, P – partition, original STR costs

n – initial group size, i (s) – index of member (sponsor), v – size of partition

Future Work

Consider various protocols in MANETs where applied techniques (non-uniform distribution of protocol costs, enforcement of a property compliance) are useful, e.g. multicast routing, threshold crypto, …

Thank You !!!