一种新的基于制表法的安全组播密钥分配方案(IJITCS-V4-N1-5)
I.J. Information Technology and Computer Science, 2012, 1, 32-39
Published Online February 2012 in MECS (https://www.360docs.net/doc/2611017299.html,/)
DOI: 10.5815/ijitcs.2012.01.05
A New Secure Multicast Key Distribution
Scheme Using Tabulation Method
R. Varalakshmi
Teaching Research Associate – Department of Mathematics,
Anna University, Chennai, India
Email: rvaralakshmi@https://www.360docs.net/doc/2611017299.html,
Dr. V. Rhymend Uthariaraj
Professor and Director, Ramanujan Computing Centre
Anna University, Chennai, India
Abstract— In the present paper, we propose a new scheme for a scalable multicast key distribution scheme. The present scheme is based on the Key Management using Tabulation method of Boolean Function Simplification technique. It explores the use of batching of group membership changes to reduce the frequency, and hence the cost, of key re-distribution operations. It focuses explicitly on the issue of snowballing member removal and presents an algorithm that minimizes the number of messages required to distribute new keys to the remaining group members. The algorithm is used in conjunction with a new scalable multicast key distribution scheme which uses a set of auxiliary keys in order to improve scalability. In contrast to previous schemes which generate a fixed hierarchy of keys, the proposed scheme dynamically generates the most suitable key hierarchy by composing different keys. Our snowballing member removal uses one of the Boolean function simplification techniques called tabulation method, and outperforms all other schemes known to us in terms of message complexity. Most importantly, our technique is superior in minimizing the number of messages when multiple members leave the session in the same round.
Index Terms— Multicast key distribution, Snowballing member removal, Boolean Function Simplification, tabulation method, Communication overhead. 1.Introduction
Many applications like pay-per–view, distribution of digital media etc., require secure multicast services in order to restrict group membership and enforce accountability of group members. A major issue associated with the deployment of secure multicast delivery services is the scalability of the key distribution scheme. This is particularly true with regard to the handling of group membership changes, such as membership departures and/or expulsions, which necessitate the distribution of a new session key to all the remaining group members.
As the frequency of group membership change increases, it becomes necessary to reduce the cost of key distribution operations. One solution is to let all authorized members use a shared key to encrypt the multicast data. To provide backward and forward confidentiality (D.M. Wallner and Agee, 1999), this shared key has to be updated on every membership change and redistributed to all authorized members securely which is referred to as rekeying. The efficiency of rekeying is an important issue in secure multicast as this is the most frequently performed activity with dynamic change in the membership.
Group key must be updated with the group membership changes to prevent a new member from deciphering messages exchanged before it join the group; this is defined as backward secrecy [3]. Group key
A New Secure Multicast Key Distribution Scheme Using Tabulation Method 33
revocation in case of one member joins or multiple members join could be achieved by sending the new group key to the old group members encrypted with the old group key. Also, group key must be must be updated with the group membership changes to prevent an old member (leaved or expelled) from deciphering current and future communication which is defined as forward secrecy[3]. Group key revocation, when one member leaves or multiple members leave, is more complicated in case of join because of the disclosure of the old group key. The old group key is known to the leaving member(s) so there is a need to re-key the group using valid key(s) in a scalable way. The trivial scheme for rekeying a group of n members is through using individual secret key shared between the Key distribution Centre KDC and each member. This is not a simple or scalable method and consumed large bandwidth especially for large group with high membership changes: furthermore it takes more time and needs more resources per hosts than using multicasting to re-key the group.
The rest of the paper is organized as follows. Section II discusses related work. The multicast key management scheme is presented in Section III. Section IV describes the algorithm that uses the Boolean function simplification techniques called tabulation method to minimize the number of rekeying operations. Section V analyzes the performance of the proposed scheme, followed by the conclusion in Section VI.
2.Related Works
The topics of key management for multiparty communications in general networks are studied and one of the efficient key tree based group key management technique called Logical Key Hierarchy (LKH) is discussed [1,2,3,4,5,6]. A key update in this scheme requires O(log2N) messages where N is the size of the group. In this scheme each user has to store log2N keys (i.e., keys along the path from leaf to the root) and the key server has to maintain a tree of O (N) keys.
The scheme proposed in uses the LKH scheme and uses a binary tree, but with only two keys at every level.
This reduces total number of keys at the server from O(N) to O(h) where h is the height of the tree. But storage at each user remains at O(log2N). The scheme discussed and extends the scheme to m-ary tree instead of binary tree, which reduces the user side storage from O(log2N) as to O(log m N)[2]. In tree based key management schemes each user shares a key called private key with the key server and key at the root of the tree is the group key which is shared by all users in the group. Other keys (other than private key and group key) are called auxiliary keys (key encryption keys) which are known only for certain subset of users and are used to encrypt new group key whenever there is a group membership change.
The scheme uses m-ary tree and at each level m keys are maintained. Whenever a node is compromised new group key is selected and distributed to other nodes. The encryption keys that are required to send new group key GKnew securely are computed. The new group key is distributed to group members without performing any encryptions. Our scheme distributes new group key to the remaining group members with minimum number of messages as compared to the scheme in [7]. In our scheme, in order to avoid the leaving members using auxiliary keys to learn the new group key, auxiliary keys are also updated.
3.Multicast Key Management Scheme
In our scheme each member of the group is associated with a unique user ID (UID) which is a binary string of length n. Consequently, a UID can be written as X n-1 X n-2 X0, where X i can be either 0 or 1. Using Boolean notation, X i / can be written as x’i or xi / depending on whether ! is Xi is 0 or 1. The length of the UID depends upon the size of the multicast group.
34 A New Secure Multicast Key Distribution Scheme Using Tabulation Method
In [3] binary tree structure is used. When the group is large, the number of levels in the binary tree will be more which increases number of keys at member. Extending the scheme to m-ary tree will reduce the height of the tree reducing number of keys at each member. At the same time we should consider server side storage i.e., number of keys at every level of the key tree.
(i) each interior node has at most m children
(ii) each path from the root to a leaf has the same length N: Total number of members associated with the group. Each member is assigned with Unique Identification Number (UID) which is a binary string of length n (where n= log 2N).
Subgroups: Each interior node containing at the maximum m children nodes forms one subgroup. Subgroups at level i is where the leaders reside and are assigned with keys Ki0 to K i(m-1) called Auxiliary keys at level i.
In [3] two keys are maintained at every level of the key tree, extending the scheme to m-ary tree will result in maintaining m keys. For a group size n, if d is the height of the binary tree, it results in storing 2*d keys at the server. For the same value of n, if d' is the height of the m-ary tree, then m*d' keys are to be stored at the server. We can have the relation Keys: Individual member keys of any subgroup are numbered from K 0 to K m-1 so that the leaders at level i are assigned with key K 0 and members at position 1 of all subgroups are assigned with key K 1 and all members at position 2 of all subgroups are assigned with key K 2 and so on up to K m-1.
KEK: Key Encryption Keys is the set, initially empty, and at the end contains the keys used to encrypt the new auxiliary keys and member keys.
n = 2d = md' → d'= d/log 2m
Number of keys at server in m-ary tree in terms of d can be represented as m*(d/log 2m), which illustrates that as m increases, number of keys at server will increase, which violates our motto. Hence in order to maintain minimum number of keys both at member and server, following relation has to be satisfied :
{GK} K 1 denotes GK is encrypted with the key K 1. || denotes concatenation operation
(m*d/log 2m) ≤ 2*d which is true only if m ≤ 4.
Notations
m-ary tree:
is a tree with the following properties:
Fig 1: Key tree structure showing UIDs and keys of users in the group, auxiliary keys and group key
From fig. 1 the values of N, m, n, keys, auxiliary keys and group key are as follows:
N=16 m=4 n=4
Keys:
Members u0, u4, u8, u12 are assigned with key K0 Members u1, u5, u9, u13 are assigned with key K1 Members u2, u6, u10, u14 are assigned with key K2 Members u3, u7, u11, u15 are assigned with key K3
K10, K11, K12, K13 are auxiliary keys at level 1.
GK is the group key shared by u1, u2, u3, u4, u5, u6, u7, u8, u9, u10, u11, u12, u13, u14, u15
GKnew : new group key
3.1Procedure for finding new Secret Key
Using Hash function the method used to communicate the new secret key is as follows: central node computes the hash ([9, 10] of a shared key (i.e., key known to central node and authorized node) say ks i.e., H(ks) of the encryption key and XOR’s with new secret key knew to be communicated.
k comm H(ks) knew
After getting k comm nodes having ks compute H(ks) and XOR’s with k comm which yields new secret key knew.
i.e., knew H(ks) k comm
3.2Key Distribution
The encryption keys computed using the method of [11] are used to communicate new group key to the existing nodes without actually performing any encryption. Messages send by central node to group members by using the hash of the encryption keys that are known to compromised nodes. Hence using the keys of the compromised nodes it is not possible to get any information regarding new group key. In order to avoid attackers decrypting any message in the next time interval we perform two operations. First, each remaining node along with path from the leaving point will compute new auxiliary key using the method, F ( auxiliary key, new group key )
(auxiliary key) (new group key). Second, every key used to compute the hash value is incremented by one (1). In this scheme to communicate new group key securely we are not using any encryption instead all communications are by using hash values and XOR operations which will reduce the communication overhead i.e., rekeying cost is reduced.
3.3 Individual Member Removal
When a member of a multicast group is to be expelled, e.g., because its subscription has expired, a new session key needs to be distributed to every member except the one leaving to make sure that the expelled member can no longer receive and send data addressed to the group. Similarly, if a member voluntarily leaves the multicast group, the session key might also have to be updated. This can be useful for sessions where members pay according to the duration of their membership in the group.
In fig.1 if member u1 leaves, the Controller generates new keys and conveys new keys to the remaining members through a set of rekeying messages as:
KEK = {{ GKnew } K0 || GKnew } K1 || { GKnew } K3 || { GKnew } K11 || { GKnew } K12 || { GKnew } K13 } }
After distributing new keys to remaining members in the multicast group securely, auxiliary keys are updated using the function F as follows:
F(auxiliary keys, new group key) <- auxiliary keys group key
Same method holds good for all the following cases to compute new auxiliary keys.
3.4 Two members removal (leave) at a time
When two members leave the multicast group voluntarily or being removed from the group, we need to address three different cases:
(i) both the leaving members are from the same subgroup,
(ii) leaving members belonging to different subgroups but at the same position with common individual key (for example, in figure 1 u1 and u5 are the members belonging to different subgroups sharing the key K1),
(iii) leaving members belonging to different subgroups and also at different positions with different individual keys (for e.g., in fig.1 users u6 and u11 belong to subgroup 2 and 3 respectively with individual keys being K2 and K3 respectively).
Case (i): Let Leaving members be u5 and u6
/* leaving members from the same subgroup */
KEK= { K10, K12, K13, K0, K3 }
Following users can decrypt the new key encrypted using the keys of set KEK:
u0, u1, u2, u3 (using key K10)
u8, u9 ,u10, u11 (using key K12)
u12, u13, u14 , u15 (using key K13)
u4 (using key K0)
u7 (using key K3)
For the same members removal, Wong et al. scheme of [2] requires 6 encryptions whereas our scheme requires only 12 rekeying operations and 5 encryptions.
Case (ii): Let Leaving members be u1 and u9
/* leaving members are from the same position of different subgroups */
KEK = { K11, K13, K2 , K0, K3}
Following users can decrypt the new key encrypted using the keys of set KEK:
u4, u5, u6, u7 (using key K11)
u12, u13 ,u14, u15 (using key K13)
u0, u4 ,u8, u12 (using key K0)
u2, u6, u10, u14 (using key K2)
u3, u7 ,u11, u15 (using key K3)
For the same members removal, Wong et al. scheme of [2] requires 10 encryptions, whereas our scheme requires only 5 encryptions.
Case (iii): Let Leaving members u2 and u13
/* leaving members are from different positions of two different subgroups */
KEK = {K0, K3, K11, K12, K 13K2 , K10K1}
Following users can decrypt the new group key GKnew encrypted using the keys of set KEK:
u0, u4 ,u8, u12 (using key K0)
u3, u7 ,u11, u15 (using key K3)
u4, u5, u6, u7 (using key K11)
u8, u9, u10, u11 (using key K12)
u14 (using key K13 K2)
u1 (using key K10K1)
For the same members removal, Wong et al. scheme of [2] requires 10 encryptions, where as our scheme requires only 6 encryptions.
4.TABULATION METHOD
4.1Snowballing member removal
Any number of members can leave (be removed from) the multicast group from any position in our decentralized key management scheme. The Controller executes the tabulation method to compute the messages
that need to be sent out after multiple members depart the group in the same round.
There is a straightforward analogy between minimizing boolean functions and aggregating re-keying messages. Therefore, the need for simplification and aggregation arises. Similar problems have been addressed for many years in the area of switching theory and logical design. The objective there is to minimize Boolean functions so that the complexity of digital circuits can be reduced. In the context of logical design, a + operation corresponds to an OR gate and a multiplication to an AND gate. Typical objectives include the simplification of total number of gates and/or number of circuit stages.
We borrow from the results of logical design to construct a more efficient re-keying process. First, we define some of the terms we use in subsequent discussions.
Literal: A variable or its complement
Product Term: Series of literals related by AND Minterm: A product term which contains as many literals as there are variables in the function.
Sum term: Series of literals related by OR
Maxterm: A sum term which contains as many literals as there are variables in the function.
Normal term: Product or sum term in which no variable appears more than once.
TABLE I Determination of Prime Implicants
a
b
c
d
a
b c d a
b c
d
0 0 00 0 (0,4) 0#00√(0,4,4,12) ##0 0 4 0 10 0 (0,8) #000√(0,4,8,12) ##0 0 8 1 00 0 (4,5) 010#√(0,8,4,12) ##0 0 3 0 0 1 1 (4,6) 01#0√(0,8,8,12) ##
0 0
5 0 10 1 (4,12) #100√(4,5,5,7) 0 1 # #
6 0 1 1 0 (8,10) 10#0√(4,5,6,7) 0 1 # # 10 1 0 1 0 (8,12) 1#00√
(4,6,5,7)
0 1 # # 12 1 10 0 (3,7)
#11 (4,6,6,7)
1 # # 7 0 1 1 1 (3,11) #011 (8,10,10,11) 10 # # 11 1 0 1 1 (5,7) 01#1√(3,7,3,11) ##
1 1
13 1 10 1 (5,13) #101√(5,13) # 1 0 1 14 1 1 1 0 (6,7) 011#√
(6,14,10,14) ##
1 0
(6,14)
#110
(12,13,12,14)1 1 # # (10,11)101#√
(10,14)1#10 (12,13)110#
(12,14)
1
1
#
The standard form most usually considered in the simplification of Boolean functions is the form known as the sum of products expression (SOPE). In the context of logical design, each product corresponds to an AND gate and each literal to a gate input. In the context of the multicast group re-keying problem, each product corresponds to a message and each literal to a key which is used as input to a function that derives the encryption/decryption key for the message. Many criteria can be applied in optimizing a sum of products form. In the context of logical design, a sum of products expression is regarded as a minimal expression if there exist(1) no other equivalent expression involving fewer products, and (2) no other expression involving the same number of products but a smaller number of literals.
The tabulation method is a specific step-by-step procedure that is guaranteed to produce a simplified standard-form expression for a function. It consists of two parts. The first is to find by an exhaustive search all the terms that are candidates for inclusion in the simplified function. These terms are called prime-implicants. The second operation is to choose among the prime-implicants those that give an expression with the least number of literals.
Illustrative example:
Let leaving members be u1, u2, u9, u15
Thus, f(a,b,c,d) = Σ (1,2,9,15)
Remaining members
f(a,b,c,d) = Σ ( 0,3-8,10-14 )
F= a’b + c’d’ + cd + bc’d + cd’
4.2 Determination of prime implicants
Table 1 describes the procedure to determine the prime implicants.
Successive procedure: (algorithmic description)
1.Determination of the Disjunctive Normal Form
and a list of minterms
2.As far as possible: pairwise combination of
(min)terms and set up of a list of products
3.Repetition of 1.2 with an updated list after
every repetition
until:
4.no further simplification is possible any more.
Result on termination: prime implicants of the function f
Let Leaving members u1, u2, u9 and u15
/* leaving members are from different positions of two different subgroups */
KEK = {K0, K11, K1K13, K3K12, K3K10, K2 K12, K2K13}
u4, u5, u6, u7 (using key K11)
u0, u8, u12 (using key K0)
u3 (using key K3 K10)
u10 (using key K2K12)
u11 (using key K3K12)
u13 (using key K 1K13)
u14 (using key K2K13)
For the same members removal, Wong et al. scheme of [2] requires 10 encryptions, where as our scheme requires only 7 encryptions.
5.PERFORMANCE COMPARISON
To achieve message confidentiality in Secure Group Communication we require a group key and the group key should be updated whenever a node is compromised. In our scheme server is required to store (log2N * m) keys, along with the Group Key GK, where as the scheme in [7] requires O (N) keys to be stored at the server. The binary tree concept discussed in [8] is efficiently extended to m-ary tree in this paper with
reduced storage at user side. New Group Key is distributed to the existing nodes using hash functions and XOR operations.
6.CONCLUSION
The rationale behind the definition of optimality is that typically the cost of an additional gate is several times that of an additional input on an already existing gate and, hence, elimination of gates is the primary objective of the simplification process. Interestingly, the same definition of optimality is also applicable to our problem. The argument in our case is that the complexity of sending an additional message is far greater than that of adding an extra key ID in the message to indicate that the key should be used as input in deriving a new key.
The proposed scheme is based on KM-BFM scheme. Instead of using one tree as in KM-BFM, the members are divided into a number of subgroup trees. A comparison between the proposed scheme and KM-BFM scheme is undertaken according to storage requirements at both group controller and group members and the number of updates in case of a single leave or multiple leaves. The comparison shows that the proposed scheme using tabulation method achieves lower storage requirements at both the group controller and the group members. On the other hand, it has a lower communication overhead in case of a single member leave and a comparable communication overhead in case of multiple leaves.
References
[1] A.Bellardie, ”Scalable Multicast Key Distribution” RFC 1949, May 1996
[2]Chung Kei Wong, Mohamed Gouda, and Simon S Lam, “Secure Group Communication Using Key Graphs”, Proceedings of ACMSIGCOMM, Vancouver, British Columbia, September 1998.
[3]I. Chang, R.Engel, D.Kandlur, D.Pendarakis and D.Daha. “Key management for secure internet multicast using Boolean function minimization technique”. ACM SIGCOMM’99, March 1999. [4]Debby M. Wallner, Eric J. Harder, Ryan C. Agee, “Key Management for Multicast: Issues and Architectures”, Informational RFC, draft-Wallnerkey-arch-ootxt, July 1997. [5]H.Harney, C.Muckenhirn, “Group Key Management Protocol (GKMP) Architecture”, RFC 2094, July 1997.
[6]H.Harney, C.Muckenhirn, “Group Key Management Protocol (GKMP) Specifications”, RFC 2093, July 1997.
[7] D.McGrew and A. Sherman. “Key establishment in large dynamic groups using one way function trees”, May 1998.
[8] A. Perrig, D.Song and J.Tygar, “ELK: A new protocol for efficient large-group key distribution”. In Proceedings of the 2001 IEEE symposium on Security and Privacy, 2001.
[9]Ran Canetti, Benny Pinkas, “A Taxonomy of Multicast security issues”, Internet Draft, May 1998.
[10]Suvo Mittra, “Iolus: A Framework for Scalable Secure Multicasting”, Proceedings of ACMSIGCOMM’97, Cannes, France, pp. 277-288, 1997.
[11]A.Chandha, Y.Liu and S.K.Das, “Group Key distribution via local collaboration in wireless sensor networks”, in IEEE International Conference on Sensor and AdHoc Communications and Networks(SECON), 2006.
[12]Chaddoud, G., Chrisment, I. and Schaff, A., “Dynamic Group Communication Security”, Proc. of sixth IEEE Symposium on Computers and Communications (ISCC'01) pp 49-56, 2001.
[13]Chang I., Engel R., Kandlur D., Pendarakis, Dimitrios., Saha, Debanjan., “Key Management For Secure Internet Multicast Using Boolean Function Minimization Technique”, Proc. of INFOCOMM’99, pp 689-698, 1999.
[14]E.L.McCLUSKEY, Minimization of Boolean functions, Bell System Technical Journal, 35 (1959), pp. 149-175.
[15]Moyer, M.J., Rao, J.R and Rohatgi, P., “A Survey Of Security Issues in Multicast Communications”, IEEE Networks vol. 13, pp12-23, 1999.
[16]Roth, Charles H., Jr, “Fundamentals of Logic Design”, Fourth Edition, pp 161-167.
[17]Setia, S., Koussih, S., Jajodia, S., and Harder, E., “Kronos: “A Scalable Group Re-keying Approach For Secure Multicast”, Proc. of 2000 IEEE Symposium on Secusrity and Privacy, pp 215-228, 2000.
密钥管理的新进展
密钥管理系统的新进展 随着社会的信息化进程加速发展,尤其是计算机技术和网络技术的发展,使得人们越来越多地意识到信息安全在生产和生活中的重要性和紧迫性。基于密码学的信息安全解决方案是解决信息保密的可靠方式。加密技术广泛地运用于工作和生活之中,承担对军事、商业机密和个人隐私的保护任务。 保密信息的安全性取决于对密钥的保护,而不是对算法或硬件本身的保护。加密算法决定了密钥管理的机制,不同的密码系统,其密钥管理方法也不相同,如签名密钥对的管理和加密密钥对的管理。在网络环境中,密钥管理的所有工作都是围绕着一个宗旨:确保使用的密钥是安全的。设计安全的密码算法和协议并不容易,而密钥管理则更困难,因此,网络系统中的密钥管理就成为核心问题。 本文将从介绍密钥管理技术,并用单独的篇幅介绍密钥备份和密钥更新技术,同时研究其在一些领域内的进展。 1.密钥管理 1.1.目的及目标 密钥管理是指与保护、存储、备份和组织加密密钥有关的任务的管理。高端数据丢失和遵规要求刺激了企业使用加密技术的大幅度上升。问题是单个企业可以使用几十个不同的,可能不兼容的加密工具,结果就导致有成千上万个密钥——每一个都必须妥善的保存和保护。 密钥管理是数据加密技术中的重要一环,密钥管理的目的是确保密钥的安全性(真实性和有效性)。一个好的密钥管理系统应该做到: 1、密钥难以被窃取; 2、在一定条件下窃取了密钥也没有用,密钥有使用范围和时间的限制; 3、密钥的分配和更换过程对用户透明,用户不一定要亲自掌管密钥。 1.2.机构及其动作过程 1、对称密钥管理。对称加密是基于共同保守秘密来实现的。采用对称加密技术的贸易双方必须要保证采用的是相同的密钥,要保证彼此密钥的交换是安全可靠的,同时还要设定防止密钥泄密和更改密钥的程序。这样,对称密钥的管理和分发工作将变成一件潜在危险的和繁琐的过程。通过公开密钥加密技术实现对称密钥的管理使相应的管理变得简单和更加安全,同时还解决了纯对称密钥模式中存在的可靠性问题和鉴别问题。 2、公开密钥管理/数字证书。贸易伙伴间可以使用数字证书(公开密钥证书)来交换公开密钥。国际电信联盟(ITU)制定的标准X.509,对数字证书进行了定义该标准等
密钥管理技术
密钥管理技术 一、摘要 密钥管理是处理密钥自产生到最终销毁的整个过程的的所有问题,包括系统的初始化,密钥的产生、存储、备份/装入、分配、保护、更新、控制、丢失、吊销和销毁等。其中分配和存储是最大的难题。密钥管理不仅影响系统的安全性,而且涉及到系统的可靠性、有效性和经济性。当然密钥管理也涉及到物理上、人事上、规程上和制度上的一些问题。 密钥管理包括: 1、产生与所要求安全级别相称的合适密钥; 2、根据访问控制的要求,对于每个密钥决定哪个实体应该接受密钥的拷贝; 3、用可靠办法使这些密钥对开放系统中的实体是可用的,即安全地将这些密钥分配给用户; 4、某些密钥管理功能将在网络应用实现环境之外执行,包括用可靠手段对密钥进行物理的分配。 二、关键字 密钥种类密钥的生成、存储、分配、更新和撤销密钥共享会议密钥分配密钥托管 三、正文 (一)密钥种类 1、在一个密码系统中,按照加密的内容不同,密钥可以分为一般数据加密密钥 (会话密钥)和密钥加密密钥。密钥加密密钥还可分为次主密钥和主密钥。 (1)、会话密钥, 两个通信终端用户在一次会话或交换数据时所用的密钥。一般由 系统通过密钥交换协议动态产生。它使用的时间很短,从而限制了密码分析者攻 击时所能得到的同一密钥加密的密文量。丢失时对系统保密性影响不大。 (2)、密钥加密密钥(Key Encrypting Key,KEK), 用于传送会话密钥时采用的密 钥。 (3)、主密钥(Mater Key)主密钥是对密钥加密密钥进行加密的密钥,存于主机 的处理器中。 2、密钥种类区别 (1)、会话密钥 会话密钥(Session Key),指两个通信终端用户一次通话或交换数据时使用的密钥。它位于密码系统中整个密钥层次的最低层,仅对临时的通话或交换数据使用。 会话密钥若用来对传输的数据进行保护则称为数据加密密钥,若用作保护文件则称为文件密钥,若供通信双方专用就称为专用密钥。 会话密钥大多是临时的、动态的,只有在需要时才通过协议取得,用完后就丢掉了,从而可降低密钥的分配存储量。 基于运算速度的考虑,会话密钥普遍是用对称密码算法来进行的 (2)、密钥加密密钥
密钥分配与管理1.0
第5章密钥分配与管理 1.密钥管理基本概念 现代密码学把数据加密保护的全部系于密钥之上,所以密钥的安全管理是保证密码系统安全性的关键因素。密钥管理是指处理密钥自产生到最终销毁的有关问题的全过程,大体上讲,密钥管理包括密钥的生成、存储、分配、启用与停用、控制、更新、撤销与销毁等诸多方面,其中密钥的分配与存储可能最棘手。密钥管理的目地是维持系统中各实体之间的密钥关系,以抗击各种可能的威胁。密钥管理要借助加密、认证、签名、协议、公正等技术。(1)密钥的种类 密钥种类很多,但主要有以下几种 ①基本密钥或初始密钥 基本密钥是由用户选或由系统分配给用户的可在较长时间(相对于会话密钥)内由一对用户所专用的秘密密钥,又称用户密钥。基本密钥和会话密钥一起启动和控制某种算法所构造的密钥产生器,以此,产生用于加密数据的密钥流。 ②会话密钥 会话密钥是两个通信终端用户在一次交换数据时所采用的密钥,当用其保护传输数据时称为数据加密密钥,当用其保护文件时称为文件密钥。会话密钥可由通信双方预先约定,也可由系统动态地产生并赋予通信双方,它为通信双方专用,故又称为专用密码。 ③密钥加密密钥 密钥加密密钥是对传送的会话或文件密钥进行加密时采用的密钥,也称次主密钥,通信网中每个节点都分配有一个这类密钥。 ④主机主密钥 主机主密钥是对密钥加密密钥进行加密的密钥,存于主机处理器中。 此外还有用户密钥、族密钥和算法更换密钥等。 (2)密钥生成 主机主密钥通常用要用诸如掷硬币、骰子,从随机数表中选数等随机方式产生。 密钥加密密钥可由安全算法、二级管噪声产生器、伪随机数产生器等生成,也可以由密钥操作员选定。 会话密钥可在密钥加密密钥作用下通过某种加密算法动态生成,如用密钥加密密钥控制DES算法生成。 基本密钥可用生成密钥加密密钥或主机主密钥的方法生成。 (3)密钥存储
密钥管理系统实施方案
密钥管理系统实施方案
神州数码思特奇IC卡密钥管理系统 实施方案 1.关键缩略语 ....................................................................................................... 5 2.引用标准 ........................................................................................................... 6 3.开发思路 ........................................................................................................... 73.1. 系统设计目标 ................................................ 7 3.1.1.系统设计起点高 ........................................ 7 3.1.2.高度的安全体系 ........................................ 8 3.1.3.借鉴其他行业经验 .................................... 83.2. 系统开发原则 ................................................ 9 3.2.1.卡片选择原则 ............................................ 9 3.2.2.加密机选择原则 ........................................ 9 3.2.3.读卡机具选择原则 ................................ 10 3.2. https://www.360docs.net/doc/2611017299.html,B KEY选择原则 ................................. 11 3.2.5.开发工具选择原则 ................................ 11 3.2.6.系统整体构造图 .................................... 123.3. 系统安全设计 ............................................ 12 3.3.1.安全机制 ................................................ 12 3.3.2.密钥类型 ................................................ 13 3.3.3.加密算法 ................................................ 13 4.卡片设计方案 ............................................................................................... 23
密钥管理规定
密钥管理规定 目录 1.目的和适用范围 (1) 1.1. 1.2.目的 (1) 适用范围 (1) 2. 3.角色和职责 (1) 管理要求 (1) 3.1. 3.2. 3.3. 3.4. 3.5.安全数据的产生 (1) 密钥的形成与分发 (2) 根密钥明文数据的保存 (4) 其他密钥数据的保存 (4) 人员管理 (4) 4.相关记录 (5)
密钥管理规定 1.目的和适用范围 1.1.目的 规范公司产品开发及生产过程中密钥使用的保密要求,以防止因不当操作发生信息泄露。 1.2.适用范围 本规定适用于公司产品设计开发及生产过程中密钥使用的管理。 2.角色和职责 3.管理要求 3.1.安全数据的产生 开始进行个人化之前,必须创建相应的加密密钥,必须按本部分的规定进行。至少应生成以下的密钥: a) 发卡行主密钥(KMC):用来派生K MAC、K ENC和K DEK三个密钥。 ●K MAC——用来锁闭中国金融集成电路(IC)卡的应用区,并对个人化过程中装载到卡片 的个人化数据进行检验,证实它们完整无损,且没有被修改; ●K ENC——用来生成IC卡密文和验证主机密文;
密钥管理规定 ●K DEK——用来加密在个人化过程中写入卡片的保密数据。 KMC对每个发卡行是独有的,而K MAC、K ENC和K DEK对每张卡是独有的。 b) 主密钥(MDK)——用来导出:UDK——用于联机的卡认证和发卡行认证。 就每个BIN(银行标识码)而言,MDK通常是唯一的,而UDK对每张卡都必须是唯一的。 c) 发卡行公私钥对——通常由发卡行生成,公钥应传输给中国金融集成电路(IC)卡认 证机构,供其创建发卡行公钥证书。私钥被保存在发卡行的HSM(主机加密模块)内。 d) 密钥交换密钥(KEK)——用来对发卡行个人化输入文件中的机密数据进行加密,每个 发卡行的KEK必须是唯一的。 e) 传输密钥(TK)——用来对数据准备系统向个人化系统传送的发卡行个人化输入文件 中的机密数据进行加密。 作为选择,也可以用发卡行公私钥对生成这些密钥。 f) ICC公私钥对——IC卡利用这一对密钥执行DDA和CDA/AC密文生成算法。其中,公钥须 经过发卡行私钥的签名,才能获得发卡行公钥证书。 每张卡的ICC公私钥对必须是独一无二的。 g) MDK ENC——用来导出:UDK ENC——用来加密发卡行的脚本机密信息。 h) MDK MAC——用来校验发卡行的脚本信息。 3.2.密钥的形成与分发 不同类型的加密算法支持《EMV卡个人化规范:2003》中的不同功能。然而,当加密算法没有得到正确实施时,加密算法的预定作用将受到负面的影响。一种安全的实施将取决于规范所需的不同密钥被签发者管理的好坏程度。以下材料的目的是提供不同算法类型所扮演的加密角色的一个概述,以及提出安全地管理密钥所必需的基本要求。 a) 非对称(SM2/RSA)密钥管理 IC卡的安全性取决于私钥(签名)的保护。不能保证用来对静态或动态数据元签名的私钥的安全性将使IC卡面临被伪造的风险。私钥面临的主要风险包括: ——成功地解决ECDLP问题,以及成功地分解RSA模数; ——私钥自身的泄漏。 为了限制这些风险所代表的潜在的泄露问题,我们推荐使用以下发卡行要求。私钥(签名)的安全性取决于许多因素,包括: ——SM2/RSA密钥模数位的长度,例如:256或者1024和1152; ——组成公钥/私钥模数的主要数字的质量; ——用来从物理上保障(保护)私钥(签名)不受未经授权的访问和暴露/危害的影响的方法,特别是当IC卡或其它安全加密设备(SCD)使用它们时为密钥提供的保护。 SM2/RSA密钥生成当生成SM2/RSA公私钥对时,推荐在一台物理安全的设备的受保护内存中完成这个过程。这种设备必须包含一个随机或伪随机数字生成器,执行原始校验例程,并支持篡改响应机制。 ——SM2/RSA私钥(签名)可能对物理安全设备而言是暂时性的; ——密钥生成将利用一个随机或伪随机过程,以使得不可能预测出任何密钥或者确定密钥空间中的某些密钥比其它任意密钥可能性更大; ——个人计算机或其它类似的不安全设备,即不被信任的设备,将永远不能用来生成SM2/RAS 公私钥对。 公司内部资料注意保密第页
密钥的管理
10.5 密钥的保护、存储与备份 现代密码体制要求加密和解密算法是可以公开评估的,整个密码系统的安全性并不取决于对密码算法的保密或是对加密设备等的保护(尽管这样有利于提高整个密码系统的安全程度,但这种提高是相对而言的),而是取决于密钥的安全性,一旦密钥泄露,也就不再具有保密功能。 密码算法可以公开,密码设备可以丢失,但它们都不危及密码体制的安全性;但当密钥丢失时,非法用户将有可能窃取保密信息。此外,密钥作为密码系统中的可变部分,在考虑密码系统的设计时(特别是在商用系统的设计时),需要解决的核心问题是密钥管理问题,而不是密码算法问题(例如商用系统可以使用公开了的、经过大量评估分析认为抗攻击能力比较强的算法)。由此,可以看出密钥管理在整个密码系统中是极其重要的。 密钥的保护 由美国IBM公司的密码学家Thrsam Matyas 等为 通讯安全和文件安全设计的一套完整的密钥保护管理方 案。 1. 基本思想 将密钥按类型分成不同的等级。 大量的数据通过少量的动态产生的初级密钥来保 护。 初级密钥用更少量的、相对不变的二级密钥或主密钥KM0来保护。 二级密钥用主机主密钥KM1,KM2来保护。 少量的主密钥以明文形式存储在专用的密码装置中,其余的密钥以密文形式存储在专用密码装置以外。 这样,就把保护大量数据的问题简化为保护和使用少量数据的问题。(实际上保护一个密钥,因为KM1,KM2 是由KM0派生而来。) 2. 密钥保护的基本原则 密钥永远不可以以明文的形式出现在密码装置之外。 密码装置是一种保密工具,即可以是硬件,也可以是软件。 密码装置中含有一个传统的密码算法和存储少量密钥及数据参数的寄存器。 . 3. 等级性密钥管理的优点 (1)安全性强 底层密钥更换的比较频繁,可以做到一次一密。即使底层密钥被破译,高层密钥可以有效地保护底层密钥进行更换。 下层密钥的破译不会影响到上层密钥的安全。 直接攻击主密钥是很困难的,主要是因为主密钥的次数使用有限,并且一般是采用物理保护的。 (2)可实现密钥管理的自动化 除主密钥由人工装入之外,其他各层密钥均由密钥管理系统自动分配、更换和销毁。
无线传感器网络动态密钥管理方案
第21卷 第9期2008年9月 传感技术学报 CHIN ES E JOURNAL OF S ENSORS AND ACTUA TORS Vol.21 No.9Sep.2008 Dynamic K ey Management Scheme for Wireless Sensor N et works 3 YA N G H ai 2bo 3 ,Q I U N i ng ,C H EN You 2rong (College of I nf ormation S cience and Technology ,Zhej iang S huren Universit y ,H angz hou 310015,China ) Abstract :For many t raditional key management schemes unfit for t he const rained resource nodes in wireless sensor networks ,how to reduce energy consumption of nodes and guarantee t he security of t he network beco mes t he important target of key management schemes.A Two 2Tier Dynamic Key Management (TD 2KM )Scheme was p roposed.This scheme includes location 2ware pair 2wise keys in cluster nodes sessio ns and location 2based combinatorial keys in nodes communications.Wit h comparing t he SEC K scheme ,t he TD KM scheme overcomes high ref reshing co st and improves t he security performance.K ey w ords :wireless sensor networks ;dynamic key management ;two tier EEACC :6150P 无线传感器网络动态密钥管理方案 3 杨海波3,邱 宁,陈友荣 (浙江树人大学信息科技学院,杭州,310015) 基金项目:浙江省自然科学基金资助项目(Y105346)收稿日期:2008204224 修改日期:2008207211 摘 要:传统的密钥管理技术不适合资源受限的无线传感器网络,因此在保证网络的安全性下如何降低网络的能量开销已 成为无线传感器网络安全技术的重要部分。文中提出一种新的密钥管理方案――双层组密钥管理(Two 2Tier Dynamic Key Management ,TD KM )方案。该方案把网络拓扑分成上层簇节点之间密钥会话和下层节点之间通信,其中上层采用基于位置 的密钥预分布方法来建立簇节点之间会话密钥,下层采用基于位置的组合的密钥分布来组织节点之间的通信。与SEC K 方案比较,TD KM 方案降低了更新开销,并且提高了网络的安全性能。 关键词:无线传感器网络;动态密钥管理;双层 中图分类号:TN 915.07 文献标识码:A 文章编号:100421699(2008)0921595205 随着无线传感器网络的应用范围越来越广,节点之间的安全通信越发显得重要。由于传统的密钥管理存在能量开销大、广播发送复杂等缺点,从而不适合现有的无线传感器网络,因此很多学者提出新的密钥管理方案[126]。如Eschenauer 等人提出了随机密钥预分配方案[1] ,节点在部署之前,从密钥池中随机选取一定数目的密钥,节点部署到区域后,通信双方在各自的密钥环中寻找共同密钥;Chan 等人提出了q 2composite 方案[2],要求两个邻居节点有q 个或q 个以上共同的密钥才能建立安全链接,可以使攻击者捕获节点后得到一条链路密钥的概率减小,从而增强网络安全性。Liu 等人提出了多项式密钥随机预分配方案[3],当 捕获节点不超过t 个,该方案能够保证节点之间的安全通信。但是上述这些方法均针对分布式静态网络,不适合分层式的动态网络。 Jolly 等人[7]提出了分层式的密钥管理方案, 该方案采用节点标识符确定簇头与节点之间通信密钥以及节点与节点之间通信密钥,但是该方案的密钥更新能量开销较大。Eltoweissy 等人[8]提出了基于EBS 的密钥管理方案,该方案采用EBS 组合结构来更新簇头信息,降低更新密钥能量开销,但是EBS 组合结构使得节点密钥存在篡改信息攻击,一个节点的捕获会导致大部分相关节点信息的泄漏。Y ounies 等人在Eltoweissy 的基础上 提出了易扩展、分层、有效的密钥管理方法(Loca 2
第六章密钥分配与密钥管理,第五节,秘密分割
2013-1-158 秘密分割 Secrete Sharing 2013-1-15 9 秘密分割门限方案 导弹控制发射,重要场所通行检验,通常需要多人同时参与才能生效,需要将秘密分为多人掌管,并且由一定掌管秘密的人数同时到场才能恢复秘密。
2013-1-15 10 门限方案的一般概念 ?秘密s被分为n个部分,每个部分称为s hadow,由一个 参与者持有,使得 ?由k个或多于k个参与者所持有的部分信息可重构s。 ?由少于k个参与者所持有的部分信息则无法重构s。 ?称为(k,n)秘密分割门限方案,k称为门限值。 ?少于k个参与者所持有的部分信息得不到s的任何信 息称该门限方案是完善的。 Shadow影子,子秘密 用的很多,比如分布式系统里 2013-1-15 11 Sham i r门限方案 ?基于多项式Lagr ange插值公式 设{(x 1,y 1 ),…,(x k ,y k )}是平面上k个点构成的点 集,其中x i (i=1,…k,)各不相同,那么在平面上存在唯一的k-1次多项式f(x)通过这k个点.若把 秘密s取做f(0),n个s hadow取做f(x i )(i=1,…n),那么利用其中任意k个s hadow可以重构f(x),从 而可以得到秘密s 简单实用的方案,用的很多
2013-1-15 12 Sham i r 门限方案 ? 有限域G F(q),q 为大素数,q ≥n+1。秘密s 是G F(q)\{0}上均匀选取的随机数,表示为s ∈R G F(q)\{0}.k-1个系数a 1,a 2,…a k-1选取a i ∈R G F(q)\{0}.在G F(q)上构造一个k-1次多项式f (x)=a 0+a 1x+…+a k-1x k-1? N 个参与者P 1,…,P n ,P i 的Shadow 为f (i )。任意k 个参与者得到秘密,可使用{(i l ,f (i l ))|l =1,…,k}构造方程组 ??? ? ?=+++=+++----) ()()()()()(1110 1111110k k k k k k k i f i a i a a i f i a i a a 解k 个方程也能推导出lagrange 插值公式
一 密钥分配
实习一密钥分配 一、实习目的 1.理解密钥管理的重要性; 2.掌握对称密码和公钥密码密钥管理的不同特性; 3.掌握密钥分发基本方法,能设计密钥分发方案 二、实习要求 1.实习前认真预习第2章的有关内容; 2.复习对称密码和公钥密码相关内容; 3.熟悉Java平台的JCE包有关类。 三、实习内容 假定两个用户A、B,用户A、B的通讯密钥为K,他们的公私钥对分别是K PUa、K PRa和K PUb、K PRb,他们要进行安全通讯,密钥分发与通信过程如1所示。 图1 基于混合加密的安全通信模型 Fig.1 Model of secure communication based on mixed cryptography (1)根据图1所示,实现利用公钥密码算法分发对称密钥的过程。 实现的阶梯任务如下: ①以本地两个目录模拟两个用户,采用变量方式直接实现密钥的分发; ②实现算法的图形化方式,用户可以选择算法、参数、工作模式等; ③以文件方式管理密钥及明文、密文; ④采用Socket,建立安全通信过程; ⑤将方案移植到某个web应用中。 (2)按照(1)的阶梯任务,实现基于DH密钥协定的密钥分发。
四、实验过程 1.知识回顾 DES 是数据加密标准(Data Encryption Standard)的简称,出自IBM 的研究工作,并在1977 年被美国政府正式采纳。它是使用较为广泛的密钥系统,最初开发DES 是嵌入硬件中DES 特别是在保护金融数据的安全,如自动取款机中,使用较多。 在DES 中,使用了一个56 位的密钥以及附加的8 位奇偶校验位,产生最大64 位的分组大小。加密过程中,将加密的文本块分成两半。使用子密钥对其中一半应用循环功能,然后将输出与另一半进行“异或”运算;接着交换这两半。循环往复。DES 使用16 个循环,但最后一个循环不交换。 攻击DES,一般只能使用穷举的密钥搜索,即重复尝试各种密钥直到有一个符合为止。如果DES使用56 位的密钥,则可能的密钥数量是2 56 个,穷举难度较大。IBM曾对DES拥有几年的专利权,但在1983 年到期。 在公开密钥密码体制中,加密密钥(即公开密钥)PK是公开信息,而解密密钥(即秘密密钥)SK是需要保密的。加密算法E和解密算法D也都是公开的。虽然解密密钥SK是由公开密钥PK决定的,但却不能根据PK计算出SK。 正是基于这种理论,1978年出现了著名的RSA算法,它通常是先生成一对RSA 密钥,其中之一是保密密钥,由用户保存;另一个为公开密钥,可对外公开,甚至可在网络服务器中注册。为提高保密强度,RSA密钥至少为500位长,一般推荐使用1024位。这就使加密的计算量很大。为减少计算量,在传送信息时,常采用传统加密方法与公开密钥加密方法相结合的方式,即信息采用改进的DES或IDEA对话密钥加密,然后使用RSA密钥加密对话密钥和信息摘要。对方收到信息后,用不同的密钥解密并可核对信息摘要。 2.问题分析 (1).对称密钥密码体系 对称密钥密码体系也叫密钥密码体系,它是指消息发送方和消息接收方必须使用相同的密钥,该密钥必须保密。发送方用该密钥对待发消息进行加密,然后将消息传输至接收方,接收方再用相同的密钥对收到的消息进行解密。这一过程可用数学形式来表示。消息发送方使用的加密函数encrypt有两个参数:密钥K 和待加密消息M,加密后的消息为E,E可以表示为E=encrypt(K,M)消息接收方使用的解密函数decrypt把这一过程逆过来,就产生了原来的消息 M=decrypt(K,E)=decrypt(K,encrypt(K,M)) (2).非对称密钥密码体系 非对称密钥密码体系又叫公钥密码体系,它使用两个密钥:一个公共密钥PK和一个私有密钥SK。这两个密钥在数学上是相关的,并且不能由公钥计算出对应的私钥,同样也不能由私钥计算出对应的公钥。这种用两把密钥加密和解密的方法表示成如下数学形式。假设M表示一条消息,pub—a表示用户a的公共密钥,prv—a表示用户a的私有密钥,那么: M=decrypt(pub—a,encrypt(prv—a,M))
第六章密钥分配与密钥管理,第四节,随机数的产生
2013-1-714随机数的产生 Generation of Random Numbers 2013-1-7 15随机数的用途 ? 相互认证? 会话密钥的产生?公钥密码算法中的密钥产生 2013-1-7 16随机数的要求-随机性 ?均匀分布 ?数列中每个数出现的频率相等或近似相等 ?独立性? 数列中任一数不能由其他数推出?经常使用的是伪随机数列
2013-1-7 17 随机数的要求-不可预测性 ?对数列中以后的数是不可预测的 ?对于真随机数,满足独立性,所以不可预测 ?伪随机数列需要特别注意满足不可预测性 2013-1-7 18 随机数源 ?真随机数源-物理噪声产生器 ?离子辐射脉冲检测器 ?气体放电管 ?漏电容 ?数的随机性和精度不够 ?这些设备很难联入网络
线性同余法 目前中的最广泛的 线性同余法
2013-1-721伪随机数产生器-线性同余法? 迭代函数应是整周期的,在重复之前应出现0到m 间的所有数? 产生的数列看上去应是随机的? 迭代函数能有效的利用32为运算实现? 如果m 为素数,且a 为m 的本原根,产生的数列是整周期的。?a=16807,m=231-1,c=0 a=16807 m=2^31 -1 c=0 常用于模拟 2013-1-722伪随机数产生器-线性同余法?假定敌手知道X 0,X 1,X 2,X 3,可以确定参数 ?????+=+=+=m c aX X m c aX X m c aX X mo d mod mod 23 1201 密码场合用的比较少。
基于密码算法的随机数产生器 基于密码算法的随机数产生器?DES的输出反馈方式(OFB)模式 采用OFB模式能用来产生密钥并用 于流加密。加密算法的输出构成伪 随机序列 2013-1-75