marks: zero side-effect multicast key mgmt using arbitrarily revealed key sequences bob briscoe bt...
TRANSCRIPT
MARKS:Zero side-effect Multicast key mgmt using
Arbitrarily Revealed Key Sequences
Bob Briscoe
BT Research
7 Nov 1999
3
context solution variants summary more info
key mgmt: the problem
time
member
context
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
4
context solution variants summary more info
application data unit (ADU)
wrt security/charging
see taxonomy of large-scale multicast requirements [Bagnall]
context
5
context solution variants summary more info
key mgmt: ADUs
time
member
context
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
6
context solution variants summary more info
m'cast key mgmt: state of the art not suitable for large-scale deployment
• re-keying traffic rate of same order as join/leave rate• re-keying requires reliable multicast• hence Internet research task force, not IETF
MARKS: redefine problem• arbitrary eviction, but pre-planned• mainly commercial scenarios (pre-pay)
e.g. pay-per-view-TV, usage-charged network games• zero side-effect on other receivers and sender• one small unicast set up message per session
context
7
context solution variants summary more info
lateral thinking
time
member
solution
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
8
context solution variants summary more info
loose coupling to senders
KMR
KM
KM
R
R
R
R
R
S
S
S
S
KM
R
sender
key manager
receiver
multicast data
unicast set-up
reliable multicast keying not req'd
solution
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
9
context solution variants summary more info
two blinding functions from one
r0 r1
b b
s1,0 s1,1
s0,0
b0 b1
solution
context solution variants summary more info
binary hash tree
s2,2s2,1s2,0 s2,3
s1,0 s1,1
s0,0
s4,0
=k0
s4,1
=k1
s4,2
=k2
s4,3
=k3
s4,4
=k4
s4,5
=k5
s4,6
=k6
s4,7
=k7
s4,8
=k8
s4,9
=k9
s4,10
=k10
s4,11
=k11
s4,12
=k12
s4,13
=k13
s4,14
=k14
s4,15
=k15
b0 b1
s3,0 s3,1 s3,2 s3,3 s3,4 s3,5 s3,6 s3,7
solution
min=3 max=9
indexing arranged soeven left
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
11
context solution variants summary more info
algorithm to reveal intermediate seedsfor(d=D; ; d--) { // working from leaves... // move up tree 1 level ea loop if (min == max) { // min & max have converged... reveal(d,min); // ...so reveal sub-tree root.. break; // ...and quit } if odd(min) { // odd min never left child... reveal(d,min); // ...so reveal odd min seed min++; // and step min in 1 to right } if !odd(max) { // even max never right child.. reveal(d,max); // ...so reveal even max seed max--; // and step max in 1 to left } if (min > max) break; // min & max cousins, so quit min/=2; // halve min ... max/=2; // ... & halve max ready for... } // ... next level round loop
solution
context solution variants summary more info
BHT - per ADU key calculation
s2,2s2,1s2,0 s2,3
s1,0 s1,1
s0,0
s4,0
=k0
s4,1
=k1
s4,2
=k2
s4,3
=k3
s4,4
=k4
s4,5
=k5
s4,6
=k6
s4,7
=k7
s4,8
=k8
s4,9
=k9
s4,10
=k10
s4,11
=k11
s4,12
=k12
s4,13
=k13
s4,14
=k14
s4,15
=k15
b0 b1
s3,0 s3,1 s3,2 s3,3 s3,4 s3,5 s3,6 s3,7
solution
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
13
context solution variants summary more info
BHT processing efficiency
receiver & sender:(mean no. of hashes per key)
= (no. of branches) / (no. of leaves)
= (2(D+1) - 1) / 2D < 2
key manager:– it depends...
• store all intermediate seeds, or cache & re-hash?
solution
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
14
context solution variants summary more info
BHT efficiency N: length of the range of keys req'dws: size of seed (typically 128b) wh: KM protocol header overhead ts: processor time to blind a seed
N: length of the range of keys req'dws: size of seed (typically 128b) wh: KM protocol header overhead ts: processor time to blind a seed
solution
min 1max 2(log(N+2) - 1)mean O(log(N) - 1)min 0max log(N)mean O(log(N) /2)min 1max log(N)mean 2
per S or KMper S
per R(unicast msg size) / ws - wh
or (min storage) / ws
per R (processing latency) / ts
1
per R or S (processing per key) / ts
(min storage) / ws
(min random bits) / ws
min 1max 2(log(N+2) - 1)mean O(log(N) - 1)min 0max log(N)mean O(log(N) /2)min 1max log(N)mean 2
per S or KMper S
per R(unicast msg size) / ws - wh
or (min storage) / ws
per R (processing latency) / ts
1
per R or S (processing per key) / ts
(min storage) / ws
(min random bits) / ws
independent of n, #rcvrstruly zero side effect
independent of n, #rcvrstruly zero side effect
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
15
context solution variants summary more info
BHT security as secure as the chained hash function max attacker gain
– doubles accessible value / hash• 1025 years for lone attacker?
• …collusion or arbitrage far easier
usual caveats about due care:• randomness of seed
• security of announcements and set up messages– (SDP & SSL-based example in paper)
solution
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
16
context solution variants summary more info
variations
multi-sender multicast• all use same seeds - network game example in paper
combination with other schemes• storage/complexity costs sum of combined schemes
• bandwidth cost of each only when necessary
– unplanned eviction• (BHT aux. keys) XOR (Chang99 aux. keys)
• but lose advantage of decoupling
– watermarking...
variants
2 Nov 1999 MARKS; (c) British Telecommunications plc 1999
18
context solution variants summary more infosummary
limitations
receiver collusion & arbitrage (strength of hash chain of length D)
= D(hash strength)?
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
20
context solution variants summary more info
audit trail
watermark without smartcard?– Chameleon [Anderson97]
• long-term watermarked key block• watermarks secondary keys - XOR cipherstream partial flaw: no protection against leaks to recent
group members
variants
stostolen
len
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
21
context solution variants summary more info
wider context valid non-multicast scenarios for MARKS
•DVD: digital video disk •VPN: virtual private network
dynamic stack creation• Flexinet, Mware• software engineering rather than protocol engineering (SMuG)
frameworks (longer term focus)• cover reliable multicast, unicast etc.• declarative: cf. LSMA requirements taxonomy 'RFC'draft-ietf-lsma-requirements-04.txt
summary
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
22
context solution variants summary more info
summary no limit on MARKS scalability
• completely decoupled
• esp. if scenario allows stateless key manager replication
• extremely low set up and running costs
• no (reliable) multicast re-keying
arbitrary eviction• unplanned far more difficult than planned
• cost difference worth business model distortion
• can usefully combine planned & unplanned
summary
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
23
context solution variants summary more info
where now?
current plan• license technology in short term?
• will fit into SMuG framework
• public domain & standardise medium term?
• is SMuG chartered for RFCs on mechanisms?
summary
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
24
context solution variants summary more info
further information Mware project
http://www.labs.bt.com ...… /projects/mware/
this presentation and paper… /people/briscorj/papers.html#MARKS
Bob Briscoe… /people/briscorj/
Flexinethttp://www.ansa.co.uk/
more info
common modelcommon model
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
25
context solution variants summary more info
bi-directional hash chain
v0,0
vG,1
=k0
v1,0
vG-1,1
=k1
v2,0
vG-2,1
=k2
vm,0
vG-m,1
=km
vi,0
vG-i,1
=ki
vn,0
vG-n,1
=kn
vG-1,0
v1,1
=kG-1
vG,0
v0,1
=kG
…
…
…
…
…
…
…
…
v0,0 v1,0 represents v(1,0) = b(v(0,0))
v0,0 vG,1 = k0 represents k0 = c ( v(0,0) , v(G,1) )
variants
7 Nov 1999 26
context solution variants summary more info
continuous BHT
D0
M
variants
7 Nov 1999 27
context solution variants summary more info
hash chain-tree hybrid elements0,0
v1,1
=s1,0
s0,1
v1,0
=s1,1
s0,1
v1,2
=s1,2
s0,2
v1,1
=s1,3
s0,0 v1,1 = s1,0 represents s(1,0) = c ( s(0,0) , b( s(0,1) ) )
s0,0 v1,0 represents v(1,0) = b( s(0,0) )
a)
s1,0 s1,1 s1,2 s1,3
s0,0 s0,1 s0,2
b)
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
28
context solution variants summary more info
hash chain-tree hybrid
s2,2s2,1s2,0 s2,3
s1,1 s1,2
s0,1
s4,0
=k0
s4,1
=k1
s4,2
=k2
s4,3
=k3
s4,4
=k4
s4,5
=k5
s4,6
=k6
s4,7
=k7
s4,8
=k8
s4,9
=k9
s4,10
=k10
s4,11
=k11
s4,12
=k12
s4,13
=k13
s4,14
=k14
s4,15
=k15
s3,0 s3,1 s3,2 s3,3 s3,4 s3,5 s3,6 s3,7
s4,16
=k16
s3,8
s2,4
s1,0
s0,0
s2,5
s4,17
=k17
s3,9
s1,3
s0,2
variants
context solution variants summary more info
hash chain-tree hybrid
s2,2s2,1s2,0 s2,3
s1,1 s1,2
s0,1
s4,0
=k0
s4,1
=k1
s4,2
=k2
s4,3
=k3
s4,4
=k4
s4,5
=k5
s4,6
=k6
s4,7
=k7
s4,8
=k8
s4,9
=k9
s4,10
=k10
s4,11
=k11
s4,12
=k12
s4,13
=k13
s4,14
=k14
s4,15
=k15
s3,0 s3,1 s3,2 s3,3 s3,4 s3,5 s3,6 s3,7
s4,16
=k16
s3,8
s2,4
variants
context solution variants summary more info
BHC-T per ADU key calculation
s2,2s2,1s2,0 s2,3
s1,1 s1,2
s0,1
s4,0
=k0
s4,1
=k1
s4,2
=k2
s4,3
=k3
s4,4
=k4
s4,5
=k5
s4,6
=k6
s4,7
=k7
s4,8
=k8
s4,9
=k9
s4,10
=k10
s4,11
=k11
s4,12
=k12
s4,13
=k13
s4,14
=k14
s4,15
=k15
s3,0 s3,1 s3,2 s3,3 s3,4 s3,5 s3,6 s3,7
s4,16
=k16
s3,8
s2,4
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
31
context solution variants summary more info
hash chain-tree twist
s0,0
v1,1
=s1,0
s0,1
=v1,0
s1,1
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
32
context solution variants summary more info
hash chain-tree hybrid growth
0 1
23
4
56
7
8a 8b
9
13d13c13b13a
12b12a
11
10
variants
33
context solution variants summary more info
continuous hashchain-tree
M2M M
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
34
context solution variants summary more info
revealing and blinding pairs in BHC-T
s1,1 s1,2
s0,0 s0,1
variants
7 Nov 1999 35
context solution variants summary more info
hash chain-tree hybrid II elements0,0
v1,0
v1,2
=s1,0
s0,1
v1,3
v1,1
=s1,1
s0,1
v1,2
v1,4
=s1,2
s0,2
v1,5
v1,3
=s1,3
v1,0 v1,2 = s1,0 represents s1,0 = c(b0(s0,0), b0(s0,1))
s0,0 v1,0 represents v1,0 = b0(s0,0)
s0,0 v1,1 represents v1,1 = b1(s0,0)
b0
b1 b0b1 b0
b1 b0b1
a)
b0
b1
s1,0 s1,1 s1,2 s1,3
s0,0 s0,1 s0,2
b)
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
36
context solution variants summary more info
revealing and blinding pairs in BHT2
s1,1 s1,2
s0,0 s0,1
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
37
context solution variants summary more info
common model general form
– two co-ordinate planes• blinding• combining
– tree 'molecules' in blinding plane– molecule leaves map down into combining plane– results mapped back into blinding plane– next blinding molecule starts
3 general mapping formulae– expressions specialise formulae for each scheme
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
38
context solution variants summary more info
BHT2
h
j
d
i v(h, j)
s(d, i)
2
1
00
1
2
34
001
2345
3
1
4
2
b0
b1b0
b1
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
39
context solution variants summary more info
BHT
h
j
d
i v(h, j)
s(d, i)
2
1
00
1
2
001
234
3
1
4
2
b0
b1
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
40
context solution variants summary more info
BHC
h
j
d
i
v(h, j)
s(d, i)
1
012
34
0012
3
1
4
25
0
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
41
context solution variants summary more info
BHC-T
h
j
d
i v(h, j)
s(d, i)
2
1
00
1
2
34
001
2345
3
1
4
2
variants
7 Nov 1999 MARKS; (c) British Telecommunications plc 1999
42
context solution variants summary more info
BHC3-T
h
j
d
i
v(h, j)
s(d, i)
2
1
0
1234
0012
34
3
1
4
2
5
5
variants