On the Performance of Group Key Agreement Protocols

Oct 24, 2013 (3 years and 9 months ago)

Yair Amir, Cristina Nita-Rotaru
Johns Hopkins University
http://www.cnds.jhu.edu

Yongdae Kim and Gene Tsudik
University of California, Irvine
http://sconce.ics.uci.edu

July 2002, ICDCS 2002

Group Communication Systems

- Client-server architecture, small number of servers, numerous clients
- Reliable and ordered message delivery (unicast and broadcast) + group membership

[Figure: network diagram with labels UCSB, OSU, Rutgers, Mae East, Hopkins, CNDS; Hardware Broadcast, Hardware Multicast, IP Multicast]

What About Security?

- Security is imperative since most current distributed applications are running over the Internet
- Building blocks for secure group communication:
  - Key management
  - Encryption algorithms
  - Authentication services
  - Access control to system resources

Group Key Management

- Computation:
  - one member selects the key (centralized) – key distribution
  - all members contribute to the key (contributory) – key agreement
- Distribution:
  - one entity distributes the key (centralized)
  - more members are involved – structures (trees) that optimize the key distribution (distributed)

Outline

- Secure group communication and key management
- Goal of this work
- Overview of the protocols we focus on
- Communication/computation tradeoffs
- Experimental results in local and wide area networks
- Conclusions

This Work

- Focuses on key agreement protocols
- Compares five protocols in the same framework, in local (LAN) and wide area networks (WAN)
- Framework: Secure Spread
  - secure group communication system supporting multiple contributory key agreement protocols
  - based on Spread group communication system
  - uses the Cliques API cryptographic library

Group Key Agreement Protocols

- Burmester-Desmedt (BD): completely distributed

  $K_{group} = g^{x_1 x_2 + x_2 x_3 + \cdots + x_n x_1} \bmod p$

- Group Diffie-Hellman (GDH):

  $K_{group} = g^{N_1 * \cdots * N_n} \bmod p$

  - Key computed from a list of partial keys:

    $g^{\frac{N_1 * \cdots * N_n}{N_i}} \bmod p$

  - One member (group controller) manages the list

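
The GDH partial-key list above, worked through in Python as an added example (not code from the slides or from the Cliques library). The toy modulus P, the generator G, the function names and the way the controller blinds the list with a fresh exponent r when members leave are assumptions made for illustration; the leave step spends the n-k exponentiations the slides list for a GDH leave.

```python
import secrets

# Toy parameters constructed for this example (NOT a safe DH group).
P = 2**127 - 1          # a Mersenne prime, stands in for the modulus p
G = 3                   # stands in for the generator g

def new_share():
    """Random secret exponent N_i for one member."""
    return secrets.randbelow(P - 3) + 2

def build_partial_keys(shares):
    """Upflow: each member in turn folds its share N_i into the list.

    Returns partial[i] = g^(N_1*...*N_n / N_i) mod p for every member i.
    """
    partial, cardinal = [], G
    for n_i in shares:
        partial = [pow(v, n_i, P) for v in partial]  # other entries gain N_i
        partial.append(cardinal)                     # new entry lacks N_i
        cardinal = pow(cardinal, n_i, P)
    return partial

def group_key(partial_i, n_i):
    """Member i: K_group = partial[i]^N_i = g^(N_1*...*N_n) mod p."""
    return pow(partial_i, n_i, P)

def controller_leave(partial, leavers, ctrl_share, r):
    """Controller (last member) handles k members leaving.

    Drops the leavers' partial keys and blinds the others with a fresh r,
    so the new key is K^r. Returns (new list, new controller share,
    exponentiations spent, counting the controller's own key computation).
    """
    ctrl = len(partial) - 1
    kept = {i: v for i, v in enumerate(partial) if i not in leavers}
    exps = 0
    for i in kept:
        if i != ctrl:
            kept[i] = pow(kept[i], r, P)
            exps += 1
    return kept, (ctrl_share * r) % (P - 1), exps + 1

if __name__ == "__main__":
    shares = [new_share() for _ in range(5)]
    partial = build_partial_keys(shares)
    keys = {group_key(partial[i], shares[i]) for i in range(5)}
    print("all members agree:", len(keys) == 1)
    kept, shares[4], exps = controller_leave(partial, {1}, shares[4], new_share())
    print("exponentiations for leave (n-k):", exps)
```

A departed member still holds its old partial key, but that entry was never raised to r, so it yields only the old group key.
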
Group Key Agreement Protocols

- Skinny Tree (STR)
- Tree-based Group Diffie-Hellman (TGDH)

$br = g^{r} \bmod p$

$K = g^{ab} \bmod p$

[Figure: STR and TGDH key trees with node labels r1..r4, br1..br4, k2', bk2, k3, k3', bk3 and k4 = K]

Communication vs. Computation

Communication columns: Rounds, Messages, Unicast, Multicast. Computation column: Exp.

Protocol                          Event             Rounds   Messages  Unicast  Multicast  Exp      Robust
Group Diffie-Hellman (GDH)        Join              2        2         1        1          2n       Hard
                                  Leave, Partition  1        1         0        1          n-k
                                  Merge             k+3      n+2k+1    n+2k-1   2          n+2k
Tree Group Diffie-Hellman (TGDH)  Join, Merge       2        3         0        3          2log n   Easier
                                  Leave             1        1         0        1          log n
                                  Partition         log n/2  log n     0        log n      log n
Skinny Tree (STR)                 Join              1        2         1        1          2        Easier
                                  Leave, Partition  1        1         0        1          2n
                                  Merge             2        3         0        3          2k
Burmester-Desmedt (BD)                              2        2n        0        2n         3        Easier

LAN Testbed and Parameters

- Testbed: cluster of 13 dual-processor 667 MHz machines running Linux, one server on each machine, multiple clients on one machine
- Cryptographic primitives:
  - 1024 RSA: sign – 9.6 ms and verify – 0.2 ms
  - Exponentiations: 512 – 1.7 ms and 1024 – 5.3 ms
- Communication:
  - One agreed multicast message: 0.75 – 0.92 ms
  - BD communication round: 2 – 21 ms

LAN Results - Join

[Figure: time (milliseconds, 0 to 700) versus group size (# members, 2 to 50) for BD, CKD, GDH, STR, TGDH and membership cost]

LAN Results - Leave

[Figure: time (milliseconds, 0 to 700) versus group size (# members, 2 to 50) for BD, CKD, GDH, STR, TGDH and membership cost]

Observations - LAN

- Computation is the bottleneck
- STR: fast join, very expensive leave
- BD: slower than expected
  - hidden costs due to many multiplications
  - many signature verifications
- GDH: fast leave, expensive join
- TGDH: seems best overall

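
Where BD's multiplications come from, as an added Python example (not from the slides or from Cliques): each member spends three exponentiations, then needs 2(n-1) modular multiplications to assemble the key $g^{x_1 x_2 + x_2 x_3 + \cdots + x_n x_1}$. The toy P and G and the function names are assumptions, and message signatures are left out.

```python
# Toy parameters constructed for this example (NOT a safe DH group).
P = 2**127 - 1   # Mersenne prime standing in for p
G = 3            # standing in for g

def bd_round1(x):
    """Round 1: member i multicasts z_i = g^x_i mod p."""
    return [pow(G, x_i, P) for x_i in x]

def bd_round2(x, z):
    """Round 2: member i multicasts X_i = (z_{i+1} / z_{i-1})^x_i mod p."""
    n = len(x)
    out = []
    for i in range(n):
        ratio = z[(i + 1) % n] * pow(z[i - 1], -1, P) % P
        out.append(pow(ratio, x[i], P))
    return out

def bd_key(i, x_i, z, X):
    """Member i derives the key; returns (key, multiplications used)."""
    n = len(z)
    a = pow(z[i - 1], x_i, P)        # third exponentiation: g^(x_{i-1} x_i)
    key, mults = a, 0
    for j in range(n - 1):
        a = a * X[(i + j) % n] % P   # now g^(x_{i+j} x_{i+j+1})
        key = key * a % P            # adds that term to the exponent sum
        mults += 2
    return key, mults

def run_bd(x):
    """Simulate all members; return a list of (key, multiplications)."""
    z = bd_round1(x)
    X = bd_round2(x, z)
    return [bd_key(i, x[i], z, X) for i in range(len(x))]

if __name__ == "__main__":
    import secrets
    x = [secrets.randbelow(P - 3) + 2 for _ in range(6)]
    results = run_bd(x)
    print("all agree:", len({k for k, _ in results}) == 1)
    print("multiplications per member:", results[0][1])
```
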
WAN Testbed

- Same distribution: 13 machines: 667 – 1.1 MHz, running Linux
- Note: the cost of multicast depends on the diameter of the network and not the number of servers

[Figure: WAN testbed with three sites: JHU (Johns Hopkins University, East Coast, USA), UCI (University of California, Irvine, West Coast, USA) and ICU (Information and Communication University, Korea); link latencies shown: 135 ms, 35 ms, 150 ms]

WAN Results - Join

[Figure: time (milliseconds, 0 to 3000) versus group size (# members, 2 to 50) for BD, CKD, GDH, STR, TGDH and membership cost]

WAN Results - Leave

[Figure: time (milliseconds, 0 to 3000) versus group size (# members, 2 to 50) for BD, CKD, GDH, STR, TGDH and membership cost]

Observations - WAN

- Communication becomes the predominant factor
  - # of communication rounds is important!
- Cost of group membership becomes significant
- More difficult to evaluate
- TGDH and CKD obtain best performance

Conclusions

- TGDH seems to be the best compromise for both local- and wide-area networks
- Cliques (GDH, BD, STR, TGDH, CKD) code available at: http://sconce.ics.uci.edu/cliques/
- Secure Spread code available at: http://www.cnds.jhu.edu/securespread/