Security for Dynamic Groups

1
Security for Dynamic Groups
Final Report By Prabhu Ram Raghunathan
2
(No Transcript)
3
Objectives

• Design a Secure protocol for
• P2P file sharing with
• Concern for overhead
• Extrapolation for ad hoc networks ?
• Survey analougues
• Specify protocol

4
Why is it useful

• Consider Security approaches studied in the
  course thus far.
• They are based on the notion of a well defined,
  single local group.
• We have policies within organisations
• What about outside agencies whom it might be
  useful to share data with.
• How to ensure secure access intrinsically
• Secure group communication is not a simple
  extension of secure two-party communication.
  Two-party communication can be viewed as a
  discrete phenomenon it starts, lasts for a while
  and ends. Instead, group communication starts,
  the group mutates (members leave and join) and
  there might not be well-defined end.

5
P2P

• A P2P is a small network amongst users without a
  central server
• A P2P network is still one physical network
• Where Open Source coding, B2B,Napster etc.
• Other methods Client/Server, Dedicated
  Computers
• Quorum formation

6
ISSUES

• Different Oses, different network protocols
• Mechanism for inter-domain sharing
• Insecure- Tapping possible on local domains
• How does an arbitrary user start a group without
  admin rights over several domains and designate
  resource privileges
• No central machine, to monitor accounts
• Security Mechanisms

7
Steps

• Extensive Background study - Done
• Literature Survey - Done
• Notation and Target systems - Inherited
• Security aspects - Analysed
• Design and Ratification Reviewed and Used
• Implementation considerations Too much
• Difficulty Implementation oriented topic

8
Popluar Apps

• Napster Central database and search server for
  audio files requires login Insecure
• Aimster Share files with people on AOL buddy
  list
• Gnutella allows anything to be shared.
  Decentralized. Clients found by diffusion. No
  central user index
• Freenet Large Scale Encrypted,signed,replicated
  and anonymized- claims to be immune to attack.

9
Inter Domain

• Security oriented towards broadcast situations
  and static groups. Dynamic groups require
  reassignments. Controller oriented
• Kerberos like patterns require setup for
  inter-domain activity
• Authentication alone is treated
• Significant Message Overhead
• Admin Admin Admin

10
The works

• Design a solution with a Group leader
• Group leader issues term licenses- authentication
• Peer interactions start with handshakes
• RSA core for acquisition and and handshake
• Deja vu ? SSL
• Open Eliminate the leader with an embedded
  mechanism
• Without limiting the number or peers.
• Gauge overhead

11
Related Work

• Napster random assignment on login, hot list
  for files shared
• CuteMX enemy list Aimster Buddy list no
  group semantics one-one neither is secure
• Gnutella- decentralized. Uses broadcasts,
  anonymizes queries.
• Adar and Huberman 98 files shared by 20
  hosts. Ergo- these are central servers.
• Spontaneous collaboration in large anonymous
  groups is tough.

12
Related Work P2P

• Freenet similar to gnutella better caching,
  routing.
• Onshare, globedrive etc. central server
• Filetopia access to one file list on a peer
  access to all lists on that peer.
• Distributary uses Packages analogous to CVS on
  Unix machines. Changes are propogated to the
  group of each package.
• Some use sesions keys and 256 bit encryption.

13
Related work Crypto file systems

• SFS, CFS, CSFS
• Secure data by automatically encrpyting/
  decrypting data while reading and writing from
  disk.
• Varying or no group sharing mechanisms
• TCFS has a quorum rule for permitting access to a
  shared directory.

14
Related Work Formal Protocols

• Most work is on securing broadcasts/multicasts
• Key agreement Each member cintributes a piece
  of info to the group key for a session
• Constraints number , identification of all
  members known apriori. Total ordering.
• Group Leader needed to start process.
• Rekey for every entry/exit Overhead
• Use subgroups to reduce number of messages

15
Related work Protocols

• Cascaded Event When one entry/exit is
  simultaneous with another such event. Not handled
• Kerberos tough for multi-domain systems
• Admins exchange inter-realm keys apriori
• Considerable message overhead
• Good for authentication
• Several known dictionary attacks

16
Protocol Overview

• Based on group sharing
• DPGs are small
• One Group Authority per group.
• Peer presents credentials to GA to get a GMC
• GMC is a certificate for interaction with others.
• Initial handshake starts a secure channel
• Unique session not group key.
• No unrelated group member can eavesdrop

17
GMCs

• GMCs have a specific life time.
• ACLs have passwords for getting GMCs.
• ACL records also have max. life for each , times
  for pwd .Pwds dont match.
• GA need not be part of any group.
• Gas can delegate , creater other Gas
• Distribute Controls and Distirbute ACLs
• For remote collaboration, raise life times.

18
Group Mgmt -Login Protocol

• Login protocol obtain membership
• Each peer generates a D-H random exponent and RSA
  public/private keys.
• Identify source,dest addresses, ports,Seq number.
• User login, Authority login.
• Authority login possible only with other GAs.
• There is a central site which is the first GA.
• This can be removed by issuing expiring
  authorities. Call the first live site GA. Replace.

19
Login Protocol

• U sends to A one time DH exp, group Ids, PWD Id,
  Header digest
• A verifies header,digest,pwd,PID , generates a
  random challenge, decrypts DH exp ,generates the
  session key and sends it to U
• U reproduces the process with an additional
  REQUEST msg.
• For authority login, REQUEST is empty
• A verifies the message and responds with similar
  encryption, a RESPONSE
• U decryts the msg, checks if challenge was echoed
  correctly and saves the RESPONSE.
• You are now logged on

20
Mutual Authentication Protocol

• Establishes a session between two users
• Uses a secret unique session key for each session
• U1 sends to U2, Griup id, DH exp, Digest, Group
  Membership Certificate signed by the GA
• Based on U1's public key, U2 generates session
  key and verifies GMC1, computes a challenge based
  on GMC2,m which it sends to U1
• U1 verifies and rechallenges
• U1,U2 check echoes. Session is on.

21
Group Operations

• Create Group
• Add Member/Authority Account
• Remove Account
• Join Group / Delete Group
• Submit Local Name
• Submit Local File Catalog
• Get Peers File Catalog
• Search Group Member List
• Manually Add Peer to Group
• Get Peers Authority / Get Backup Authority
• File Search

22
Notation

• A system principal
• K initial symmetric session key (not a
  one-time-use key)
• Krand final, random, one-time-use symmetric
  session key
• P password
• PID password ID uniquely identifying a given
  password
• RA andom, long-lived Diffie-Hellman (DH) exponent
  generated by A
• Rt A temporary, random, one-time-use DH exponent
  generated by A
• g, p base and modulus for discrete exponentiation
  in DH algorithm
• KA long-lived RSA public key of A

23
Notation

• K-1 A long-lived RSA private key of A
• CA random challenge generated by A
• P(M) message encrypted with password P
• K(M), Krand(M) message encrypted with symmetric
  key K and, respectively, Krand
• K-1 A(M) message signed with RSA private key of A
• H message header (opcode, src. IP, src. port,
  dest. IP, dest. port, seqno)
• D digest over transmitted header and message
• G group (group name, authority (IP and port)
  granting group account)
• GMA As group membership K-1 B (G, EXP, gRA mod
  p) signed by authority B

24
Formal Specs - Login

• U A H, G, PID, P(gRtU mod p), D
• A U H, P(gRt A mod p), Krand(CA), D
• U A Krand(H, REQUEST, CA, CU, D)
• A U Krand(H, CU, RESPONSE, D)
• Decrypt , Check Echo and Save Request.

25
Formal Specs MAP

• U1 U2 H, G, GMU1, D
• U2 U1 H, GMU2, K(CU2), D
• U1 U2 K(H, CU1 CU2 D)
• U2 U1 K(H, CU1, D)
• U1 checks CU1 echo
• Session key Krand gRU1RU2CU1CU2 mod p

26
Extensions

• Allow external and not just home GA to allow
  login.
• External User Caching
• Session Caching Speed Up connections.
• To break the hierarchy, round robin Gas
• Go through firewalls
• Light, flexible protocol.
• Easy to implement and Maintain.
• Scalable and Extensible.

27
Resources

• Web gnutella,aimster,openp2p,distributary...
• Key Agreement in Dynamic Peer Groups-Steiner,Tsudi
  k Maidner
• An Integrated Solution for Secure Group
  Communication in Wide-Area Networks -Agrawal et
  al.
• Authenticated Group Key Agreement and Friends
  Atienise
• A Decentralised Architecture for Group Key
  Management -Rafelli
• Key Establishment in Ad-hoc Networks
  Heitalhatti
• CLIQUES project page at UCI http//sconce.ics.uc
  i.edu/cliques/