Tree Based Approach for Secure Group Communication in
Tree Based Approach for Secure Group Communication in Grid Environment Project guide Dr. G. Sudha Sadhasivam Asst Professor, Dept of CSE Presented by C. Geetha Jini (07 MW 03)
Agenda Objective Grid Security Issues Dynamic VO in Grid Group Communication in Grid Tree Based Group Diffie Hellman Protocol Interval based Rekeying Domain to domain Communication Establishment of Trust Results Conclusion Future Work References 2
Objective To use Tree Based Group Diffie Hellman Protocol to generate and update the group key dynamically. To compare the performance of individual and interval based rekeying approachs. Securing domain to domain communication by establishing trust relationship among entities. Simulating the protocol using Grid. Sim toolkit. 3
Grid Security Issues The activities that need to be secured in a grid environment are: Naming and authentication Secure communication – TLS/SSL Trust, policy, and authorization Access control. 4
Dynamic VO in the Grid Virtual organizations (VOs) are collections of diverse and distributed individuals that seek to share and use diverse resources in a coordinated fashion. Users can join into several VOs, while resource providers also partition their resources to several Vos. 5
Security Challenges Ø Dynamic VO establishment ◦ A VO is organized for some goal and disorganized after the goal is achieved. ◦ Users can join into or leave VOs. ◦ Resource providers can join into or leave VOs. Ø Dynamic policy management ◦ Resource providers dynamically change their resources policies. ◦ VO managers manage VO users’ rights dynamically. Ø Interoperability with different host environments 6
Group Communication in grid 7
Tree-based Group Diffie-Hellman (TGDH) 0 K 0 = Group Key 1 3 2 4 7 8 M 1 M 2 M 3 5 11 M 4 6 12 M 6 M 5 A binary key tree is formed. Each node v represents a secret (private) key Kv and a blinded (public) key BKv = αKv mod p, where α and p are public parameters. Every member holds the secret keys along the key path Assume each member knows the all blinded keys in the key tree. 8
TGDH: Node Relationships The secret key of a non-leaf node v can be generated by: v Kv = (BK 2 v+2)K 2 v+1 = (αK 2 v+2)K 2 v+1 mod p Kv = (BK 2 v+1)K 2 v+2 = (αK 2 v+1)K 2 v+2 mod p BK 2 v+2 2 v+1 2 v+2 BK 2 v+1 Kv = αK 2 v+1 K 2 v+2 mod p The secret key of a leaf node is randomly selected by the corresponding member. 9
TGDH: Group Key Generation 0 1 2 4 3 7 8 M 1 M 2 M 3 5 11 M 4 6 12 M 6 M 5 E. g. , M 1 generates the group key via: n K 7, BK 8 K 3 n K 3, BK 4 K 1 n K 1, BK 2 K 0 (Group Key) 10
TGDH: Rekeying Ø Ø Rekeying (renewing the keys of the nodes) is performed at every single join/leave event to ensure backward and forward confidentiality. A special member called sponsor is elected to be responsible for broadcasting updated blinded keys. 11
TGDH: Single Join Case 0 M 8 joins 1 3 7 8 M 1 M 2 2 4 5 M 3 M 4 6 11 12 13 14 M 4(S) M 8 M 6 M 7 M 8 broadcasts individual blinded key BK 12 on joining. M 4 becomes the sponsor. It rekeys K 5, K 2 and K 0 and broadcasts the blinded keys. Now everyone can compute the new group key. 12
TGDH: Single Leave Case 0 M 5 leaves 1 3 7 8 M 1 M 2 2 4 55 M 3 M 4(S) 11 M 4 6 12 13 14 M 5 M 6 M 7 M 4 becomes the sponsor. It rekeys the secret keys K 2 and K 0 and broadcasts the blinded keys. M 1, M 2 and M 3 compute K 0 given BK 2. M 6 and M 7 compute K 2 and then K 0 given BK 5. 13
Partition Tree T 3 Tree T*3 <0, 0> <2, 1> M 3 <3, 0> M 1 <1, 0> <1, 1> <1, 0> <3, 1> M 2 sponsor <2, 2> <2, 0> <2, 3> M 4 M 2 sponsor <3, 6> M 5 <1, 1> <2, 1> M 3 <2, 0> M 5 <2, 1> M 6 sponsor <3, 7> M 6 sponsor 14
Merge 15
Interval-Based Rekeying Algorithms Interval-based rekeying is proposed such that rekeying is performed on a batch of join and leave requests at regular rekey intervals. Interval-based rekeying improves system performance. Queue-batch algorithm is used for interval based rekeying. 16
Queue-batch Algorithm Example of Queue-merge Phase 0 1 7 M 1 2 3 4 M 1(S) M 3 8 M 2 M 8, M 9, M 10 join M 2, M 7 leave 66 5 11 M 7 13 12 M 6 23 24 27 28 M 4 M 5 M 8 M 9 6 13 14 M 10(S) 27 M 8 28 T’ 14 M 10(S) M 9 T’ T’ is attached to node 6. M 10, the sponsor, will broadcast BK 6. M 1 rekeys K 1. M 6 rekeys K 2. M 1 broadcasts BK 1. M 6 broadcasts BK 2. 17
Cryptographic Properties Group key Secrecy Forward Secrecy Backward Secrecy Key Independence 18
Domain to Domain Communication Domain 1 d 1 Admin 1 Domain 2 d 2 5 4 Domain 3 d 3 3 2 Admin VO 1 Group 2 19
Establishment of Trust Evaluation Entity A’s opinion about entity B’s trustworthiness Combining Trust Comparing Trust If b. A > b. B; d. A < d. B and u. A < u. B, then opinion OA is over a threshold presented by OB. 20
Implementation Details Initialize the Grid. Sim Package Create grid entities- users and resources Build the Network topology (mesh) Form the group No Joins the entity to group Entity joins to to different domain yes Evaluate trust Join the entity to group Perform rekeying 21
Comparison of Join Cost for individual rekeying and interval based rekeying Leave = 0 Leave = 5 Leave = 10 22
Comparison of Communication Cost for individual rekeying and interval based rekeying Leave = 10 23
24
25
26
Conclusion TGDH is used for securing group communication in grid. Here each member contribute an equal share to the common group session key. This will enhance the security and avoid the problems with centralized trust and single point failure. In order to reduce rekeying complexity, interval based approach is carried out. Simulations are done using Grid. Sim toolkit. Domain to domain communication is enhanced by establishing a trust relationship. 27
Future work The group key management protocol can be further enhanced by coupling the session based group key with permanent private components of the group members to improve security. Groups can be formed within a virtual organization based on trust relationships, separate keys can be generated for each group and these keys can be managed hierarchically based on trust. The proposed system can be tested in a real grid environment using globus. 28
References [1] Y. Kim, A. Perrig, and G. Tsudik. Tree-Based Group Key Agreement. ACM Trans. on Information and System Security, 7(1): 60– 96, Feb 2004. [2] Distributed and Collaborative Key Agreement Protocols with Authentication and Implementation for Dynamic Peer Groups by Patrick P. C. Lee, John C. S. Lui, and David K. Y. Yau , , Vol. 14, No. 2, April 2006 [3] Grid Security Services Simulator (G 3 S) – A Simulation Tool for the Design and Analysis of Grid Security Solutions, Syed Naqvi, Michel Riguidel Proceedings of the First International Conference on e-Science and Grid Computing (e. Science’ 05) 2005 IEEE [4] http: //www. gridbus. org/gridsim [5] Ching Lin, Vijay Varadharajan and Yan Wang, Vineet Pruthi, “Enhancing Grid Security with Trust Management”, Proceedings of the 2004 IEEE International Conference on Services Computing (SCC’ 04). [6] Marty Humphrey, Mary R. Thompson, and Keith R. Jackson, Security for Grids, Proceedings of the IEEE, Vol. 93, No. 3, March 2005 29
THANK YOU 30
- Slides: 30