Optimal Batch Rekeying for Secure Group Communications in

Wireless NetworksAuthors: Jin-Hee Cho, Ing-ray Chen,

Mohamed Eltoweissy

Presented by Niharika Gujarati

and Sindhu Motupalli

Agenda

• Introduction and previous work

• System model and assumptions

• Threshold-based periodic batch rekeying

• Performance model

• Numerical results and analysis

• Conclusion

1.Group Communication

• Applications inherently based on group communication.

• Wireless networks– Network functionality– Assure confidentiality, authenticity and

intergrity

User = End-user / network node.

Symmetric key

• Group key shared by members.

• Group key dist by key server.

• Dedicated key server or existing server employed

• Multiple key servers can co-exist in clustered network.

• Group key used to encrypt and decrypt messages only by group members.

• Forward secrecy - Group key management property that ensures that an intruder that knows a contiguous subset of old group keys cannot identify subsequent group keys.

• Backward secrecy - Group key management property that ensures that an intruder that knows a subset of group keys cannot discover previous group keys

Individual Rekeying

• Performs a rekey operation for every join or leave.

• Not scalable because of significant communication overhead.

• Synchronization difficult to maintain.

• To Remedy – periodic batch rekeying

Periodic Batch Rekeying

• Joins and leaves aggregated.

• Rekeying done only periodically.

• Thus communication overhead is reduced when compared to individual rekeying.

• Improves efficiency and reduces out-of sync problem.

• Consequence – forward and backward secrecy not strictly satisfied.

Contributions of paper.

• Develops new threshold-based batch rekeying schemes.

• Finding an optimal rekey interval to reduce communication costs while maintaining intergrity.

• SPN model to measure performance metrics.

2.System Model and Assumption

• KS maintains a key tree based on LKH (logical key hierarchy) protocol.

• Each node – cryptographic sym key

• KS connects each member with one tree node

• Each node knows all keys from leaf to root node

• No other nodes’ keys are known

• This key set is called key path

• Root node key plays as group key

• Example : key path of M2 is K5 , K2 and K1.

• When member joins, KS sends all the keys in keypath

• Msg length – k(2log2 (N) -1)

• When member leaves, KS updates all the keys in the key path

• Msg length – 2klog2 (N)

• k – length of key

• N - number of members

• Therefore each updates’ msg length is logarithimic in no of group members.

• Assume periodic batch rekeying is used• User cannot join without authorisation, ie;

no Untrusted Joins.• Leaves can be Trusted or Untrusted.• Trusted leave - User voluntarily leaves the

group.• Untrusted leave – User is evicted from the

group.• if rekeying doesn’t take place immediately

after an untrusted leave it will result in a period of security vulnerability.

• Probability of trustworthiness.

Pt = number of trusted leave oprns

total number of trusted and untrusted leaves

Data is periodically collected by the KS

3.Threshold-based periodic batch rekeying

• Based on notion of thresholds that govern the max number of leave and join requests to be accumulated beyond which rekeying is done

• Rekeying scheme using only one threshold k3

• Rekeying schemes using two thresholds k1 and k2

• This scheme identifies the set of states in which rekeying is performed thus implicitly determining time between two rekeying oprns.

• State machine with 3 component state representation ( a , b , c)

a number of trusted join requests.

b number of trusted leave requests.

c number of untrusted leave requests.

Threshold based rekeying

ULT

Untrusted Leave Threshold Based

TAUDT

Trusted and Untrusted Double Threshold based

JALDT

Join and Leave Double Threshold based

ULT

• One Threshold k3 that guards only untrusted leave

• K3 number of untrusted leave requests ( state variable “c”)

• Special case k3=1 , individual rekeying is used.

• Used as a baseline to compare other two schemes.

TAUDT

• Two thresholds k1 and k2.

• k1 number of trusted requests : a + b state variables

• k2 number of untrusted leave requests : c state variable

JALDT

• Two thresholds k1 and k2.

• k1 number of trusted join requests : state variable a

• k2 number of trusted and untrusted leaves : b + c state variables.

Rekeying

• Only at the end of the batch interval T

Two application specific constraints are

• Probability of secrecy violation Pv

– Proportion of time with secrecy violation risk– Only forward secrecy

• Delay D– Latency per join or leave request (the same)– Joins and leaves are not distinguished as they

are aggregated.

• Optimal batch rekeying interval (T) – interval in which overhead is minimised while satisfying Pv and D

• Simple optimization feature used to reduce communication overhead

• New join member can take the place of leave member in a key tree.

• Thus for each join-leave pairs, KS only generates new keys along the keypath and a new key to the new member.

KS applies following procedure while rekeying.

• if a > b+c, then the server will process b+c join-leave request pairs before processing a – (b+c) join requests;

• if a = b+c, then the server will process b+c join-leave request pairs;

• if a < b+c, then the server will process a join-leave

Performance Model

For ULT we derive analytical closed from solution

Average Batch Rekey interval

T =

= average inter-arrival ime of untrusted leave requests

• Thus at end of each batch rekeying the state variables have the values…

• The communication overhead bits Cm is calc as

• Scm is the communication overhead

• Tb is overhead for broadcast

• Thus Scm is calculated as the sum of this overhead and packet transmission time.

Scm = Tb + Cm / BW

• Average communication overhead per join or leave

S = Scm

a + b + c

• Probability of secrecy violation is the propotion of time in which fwd secrecy has been violated

Pv = [ (k3-1) / k3 ] * T + Scm

(T + Scm)

• Delay per join / leave

D = S + T/2

T/2 = average wait time for batch rekeying for an operation

S = average communication overhead per join/ leave

Calculated D is almost the same as resp time per operation

• For TAUDT and JALDT there are too many states to yield closed-form analytical expressions, hence the use of SPN model.

• Places

tmp is a temporary place holder not corresponding to any state component just to hold newly arriving leave requests.

• Transitions

• Arcs

• Firing Rule for any of the transactions in the model

– There are atleast m tokens in each of its input places connected by an input arc of multiplicity m

– The associate enabling function of that transaction

• when trusted join arrives-token in “a”

• Modelled by transition T1 with rate λ * Pt because there are no untrusted joins, only trusted ones.

• Any leave – token in tmp• Modelled by T2 with rate µ• If leave trusted go to “b” with immediate

transition (T4) rate of Pt.• If untrusted go to “c” with immediate

transition rate (T5) of 1 – Pt.

• For both schemes rekeying is performed when rekeying condition is satisfied.

• Modelled by using an enabling function that has to be satisfied to fire the transition T3.

• Enbling function for T3

TAUDT if mark(a) + mark(b) = k1

or if mark(c) = k2 then true

else false

JALDT if mark(a) = k1

or if mark(b) + mark(c) = k2 then true

else false

• Enabling functions

• Average communication overhead

– R = Set of rekeying states – P(i) = The steady-state probability of the system

being in state i.• The Secrecy of Violation:

– V denotes the set of states in which mark(c)>0

– ri = 1

• To obtain T , convert all rekeying states to absorbing states.

• Assign a reward value of 1 to all states other than absorbing states.

• T is computed as expected cumulative reward until absorption.

Numerical results and analysis

Analyze numerical results obtained from applying mathematical models developed for ULT,TAUDT and JALDT.Following system parameters are used:number of members in the group (N) = 1024•length of each key (J) is 64 bits•Tb = 5 msec• bandwidth (BW) is 1 Mbps

ULT Analysis • Baseline scheme which TAUDT and JALDT will be

compared against.• Assumed - λ: μ = 1: 0.5 and Pt = 0.9

•D is Delay•k3 increases D increases•Hence takes more time to accumulate “c” to reach the threshold

•Pv is Secrecy Voilation•k3 increases c increases•When k3 = 0 Pv = 0

• The optimal batch rekey interval (T) is the interval at which the overhead is minimized while satisfying the two application-level constraintsT = 1 μ(1 − Pt ) × k3

At D= 5, Pv = .05 , k3 = 1T = 6.67 seconds

TAUDT Analysis• Two thresholds – k1 number of trusted

requests (a+b)and k2 number of untrusted requests (c).

•K1 increases Pv increases since high threshold means more states voilated secrecy requirement.•As K2 increases, Pv increases too, until k2 reaches a threshold ( k2 > 2).

D increases as k1 increases and k2 increases.K2 not significant as k1 due to high Pt used.

•As k1 increases, S decreases since aggregating join and leave events reduces rekeying overhead•S is insensitive to incresing k2 since “c” is very small

•optimal batch rekey interval

At D= 5, Pv = .05 (k1,k2) = (16,1)T = 8.83 seconds

JALDT Analysis• two thresholds - k1 number of join requests (a) and k2 the number of leave requests (b+c)

•Pv and D increase when either k1 or k2 increases

S decreases as both k1 and k2 increase because aggregating more join and leave events for a batch rekeying operation will amortize the cost per operation. optimal batch rekey interval

At D= 5, Pv = .05 (k1,k2) = (13,2)T = 3.96 seconds

Comparison

• Calculated Optimal batch rekey intervals :ULT 6.67 secondsTAUDT 8.83 secondsJALDT 3.96 seconds

• TAUDT has the highest optimal T

• JALDT shows the second highest optimal T, followed by ULT

TAUDT is able to produce the minimum S and the maximum T, which makes it the most efficient scheme among all.

Conclusion

• By varying the Pv and (λ : µ), TAUDT is able to produce the minimum S and the maximum T.

• As Pt increases, minimum S decreases and T increases.

• As µ increases, minimum S increases and optimal T decreases

Future Works

• Augment by taking reliability and availability considerations to the SPN model.

• Analyzing the effects of insider attacks and intrusion detection system design on the security and performance prosperities of group communications in wireless systems.

• Investing the issue of optimal batch rekeying for the case in which a group consists of multiple subgroups.