A Framework for Group Key A Framework for Group Key Management for Multicast Management for Multicast

SecuritySecurity

by T. Hardjono, B. Cain, N. by T. Hardjono, B. Cain, N. DoraswamyDoraswamy

Two planesTwo planes

Network infrastructure planeNetwork infrastructure planeFunctions and entities that define the Functions and entities that define the

network (e.g. protocols, routers)network (e.g. protocols, routers) Key management planeKey management plane

Functions and entities that define and Functions and entities that define and establish security in the network (e.g. GKM establish security in the network (e.g. GKM protocols, IPsec, cryptosystems)protocols, IPsec, cryptosystems)

Two hierarchies within key Two hierarchies within key management planemanagement plane

Trunk region: Trunk region: – Contains only Group Key Manager(s) Contains only Group Key Manager(s)

(GKM), but no member hosts (senders, (GKM), but no member hosts (senders, receivers)receivers)

Leaf region: Leaf region: – Contains member hostsContains member hosts– Every member host is associated with at Every member host is associated with at

least one GKM of its own regionleast one GKM of its own region

Further OutlineFurther Outline

Issues of Group Key ManagementIssues of Group Key Management Basic Model of the frameworkBasic Model of the framework Two ExamplesTwo Examples

Issues of Group Key Issues of Group Key ManagementManagement

– Multicast application typesMulticast application types– Size and distribution of membersSize and distribution of members– Scalability of protocols and membership Scalability of protocols and membership

managementmanagement– Independence of GKM protocolIndependence of GKM protocol– Trust-relationshipsTrust-relationships– Group authentication and sender Group authentication and sender

authenticationauthentication– Identities and anonymityIdentities and anonymity

Issues of Group Key Issues of Group Key Management (cont’d)Management (cont’d)

– Access control and membership Access control and membership verificationverification

– Failure of systemsFailure of systems– Denial of service attacksDenial of service attacks– Authenticity of multicast routing exchangesAuthenticity of multicast routing exchanges– Tamper-proof storage on network entitiesTamper-proof storage on network entities– Security and practicality of protocolsSecurity and practicality of protocols– ......

Two general multicast Two general multicast application typesapplication types

One-to-many multicastOne-to-many multicast– One source of data, many receiversOne source of data, many receivers– Two cases exist with respect to the data:Two cases exist with respect to the data:

The authenticity of the data is of concern (e.g. The authenticity of the data is of concern (e.g. stock market data)stock market data)

Their confidentiality is of concern (e.g. pay TV)Their confidentiality is of concern (e.g. pay TV)Receivers must subscribe to the group, hence Receivers must subscribe to the group, hence only the sender controls the key manageronly the sender controls the key manager

Two general multicast Two general multicast application types (cont’d)application types (cont’d)

Many-to-many multicastMany-to-many multicast– Relationship between members is equalRelationship between members is equal– Every member is both a sender and a Every member is both a sender and a

receiverreceiver– Authenticity and confidentiality is of Authenticity and confidentiality is of

concern (Why always both?)concern (Why always both?)

Size and distribution of Size and distribution of membersmembers

IP multicast model is attractiveIP multicast model is attractive– Members can be throughout the InternetMembers can be throughout the Internet– Source need not know the membersSource need not know the members

In GKMs which employ secure unicast In GKMs which employ secure unicast (e.g. to distribute keys to members) size (e.g. to distribute keys to members) size of the group and distribution of of the group and distribution of members have an impact on scalabilitymembers have an impact on scalability

Scalability of protocols and Scalability of protocols and membership managementmembership management

Frequency of changes to the Frequency of changes to the membership, which may lead to re-membership, which may lead to re-keyingkeying

Security managing entity (e.g. key Security managing entity (e.g. key server) might be the bottleneck and a server) might be the bottleneck and a attractive point for intrudersattractive point for intruders

Workload of re-keyingWorkload of re-keying

Independence of GKM Independence of GKM protocolprotocol

GKM protocol must be independent of GKM protocol must be independent of the underlying multicast routing protocolthe underlying multicast routing protocol

Trust-relationshipsTrust-relationships

On what basis can a security-related On what basis can a security-related entity be trusted (e.g. a member may entity be trusted (e.g. a member may only trust entities physically within its only trust entities physically within its country)country)

““This problem ... is a difficult one”This problem ... is a difficult one”

Group authentication and Group authentication and sender authenticationsender authentication

Group authentication Group authentication can be implicitly achieved with confidentiality can be implicitly achieved with confidentiality

due to the possession of a common keydue to the possession of a common key Sender authentication Sender authentication

can be achieved by e.g. public key can be achieved by e.g. public key cryptography schemes -> may require a cryptography schemes -> may require a public key infrastructurepublic key infrastructure

Identities and anonymityIdentities and anonymity

IP multicast IP multicast Identity of a receiver is reported to a router, but Identity of a receiver is reported to a router, but

not to the sourcenot to the source Secure multicastSecure multicast

Sender has to know the identity of the receiver to Sender has to know the identity of the receiver to allow him to join or notallow him to join or not

Anonymity Anonymity Can only be achieved on application layer, not on Can only be achieved on application layer, not on

network layer due to IPsecnetwork layer due to IPsec

Access control and Access control and membership verificationmembership verification

Issue of the application, not the Issue of the application, not the frameworkframework

Should be decoupled from the Should be decoupled from the group key management protocolgroup key management protocol

Failure of systemsFailure of systems

A failing entity must not allow to A failing entity must not allow to compromise security informationcompromise security information

It must exhibit a ‘fail-closed’ It must exhibit a ‘fail-closed’ behavoirbehavoir

The other issues are not discussed!The other issues are not discussed!

Basic Model of the Basic Model of the FrameworkFramework

Network infrastructure planeNetwork infrastructure plane– Physical/Topological viewPhysical/Topological view– Collection of autonomous systems Collection of autonomous systems

(AS)(AS)– Transit ASs and sub ASsTransit ASs and sub ASs– Identifies the entities and functions Identifies the entities and functions

that define the networkthat define the network

Basic Model of the Basic Model of the Framework (cont’d)Framework (cont’d)

Key management planeKey management plane– Functions and entities of the network Functions and entities of the network

which implement securitywhich implement security– E.g. GKM protocols, IPsec, key E.g. GKM protocols, IPsec, key

generators, key managers, ...generators, key managers, ...– divided into two regions:divided into two regions:

trunk region and leaf regiontrunk region and leaf region

The big pictureThe big picture

KM: KM: Key Key ManagerManager

BKM: Border Key BKM: Border Key ManagerManager

R: R: RouterRouter

KT: KT: Key Key TranslatorTranslator

m: m: membermember

TrunkKM

KM

R

R

Leaf

Leaf

RKT

m m m

KT

R

m

m

m

BKM

BKM

Key ManagerKey Manager

Tow types of KMsTow types of KMs– KMs within a regionKMs within a region

do not participate in inter-region key do not participate in inter-region key managementmanagement

– Border KMsBorder KMs bound the trunk regionsbound the trunk regions Every leaf region is associated with (at least) Every leaf region is associated with (at least)

one BKMone BKM

No clear definition of the tasks of a KM!No clear definition of the tasks of a KM!

Key TranslatorKey Translator

Translates payload Translates payload – from being encrypted under one key from being encrypted under one key

to anotherto another– must be done atomically and tamper-must be done atomically and tamper-

freefree– may be applied to multicast data or may be applied to multicast data or

for key management purposesfor key management purposes

Trunk keys and leaf keysTrunk keys and leaf keys

Each region has a different keyEach region has a different key The trunk key The trunk key

– is only known to BKMsis only known to BKMs– generated by a inter-region GKM protocolgenerated by a inter-region GKM protocol

The leaf keyThe leaf key– is known to the leaf and to the BKM of this is known to the leaf and to the BKM of this

leafleaf– is generated by a local GKM protocol (next is generated by a local GKM protocol (next

paper)paper)

Communication between Communication between the entitiesthe entities

is carried out using secure is carried out using secure channelschannels– mutual authenticationmutual authentication– data confidentialitydata confidentiality– date integritydate integrity

is implemented using IPsecis implemented using IPsec

How does it work?How does it work?

This is partly my interpretationThis is partly my interpretation– The sender encrypts the data using the leaf The sender encrypts the data using the leaf

keykey– It sends the data to the trunkIt sends the data to the trunk– There, the data are decrypted (leaf key) There, the data are decrypted (leaf key)

and again encrypted (trunk key). This is and again encrypted (trunk key). This is done by the KTs.done by the KTs.

– Before the trunk sends the data to the Before the trunk sends the data to the destination leaf, the KT decrypts (trunk destination leaf, the KT decrypts (trunk key) and encrypts (leaf key) again.key) and encrypts (leaf key) again.

How does it work? (cont’d)How does it work? (cont’d)

QuestionQuestion– Why are the KTs in the leaves and not Why are the KTs in the leaves and not

in the trunk?in the trunk?

Advantages of the Advantages of the frameworkframework

ScalabilityScalability– New leaf regions can be added, independent New leaf regions can be added, independent

of existing leaf regionsof existing leaf regions– Adding/dropping a member requires (at Adding/dropping a member requires (at

most) re-keying within one regionmost) re-keying within one region Reduced complexityReduced complexity

– Each leaf region can use its own GKM Each leaf region can use its own GKM protocolprotocol

– Key management in trunk region is Key management in trunk region is independent from key management in leafsindependent from key management in leafs

Advantages of the Advantages of the framework (cont’d)framework (cont’d)

Long life of trunk keysLong life of trunk keys Independent re-key periodsIndependent re-key periods

Two ExamplesTwo Examples

One-to-many multicastOne-to-many multicast Many-to-many multicastMany-to-many multicast The given examples do not very The given examples do not very

well demonstrate the use of the well demonstrate the use of the frameworkframework

One-to-many exampleOne-to-many example

Assumptions:Assumptions:– data have direct value for non-data have direct value for non-

membersmembers– attacker wants to redistribute to the attacker wants to redistribute to the

widest possible audience (e.g. pay widest possible audience (e.g. pay TV)TV)

– it is of the interest of the it is of the interest of the initiator/sender to ensure that only initiator/sender to ensure that only members (subscribers) get the data members (subscribers) get the data

One-to-many example One-to-many example (cont’d)(cont’d)

The sender must therefore defineThe sender must therefore define– the scope/size of each leaf regionthe scope/size of each leaf region– the physical locationthe physical location– the trust relationshipthe trust relationship

One-to-many example One-to-many example (cont’d)(cont’d)

The sender may choose The sender may choose – direct control, i.e. all key managers direct control, i.e. all key managers

are within its leaf and associated with are within its leaf and associated with remote leaves. (Hm... no trunk?)remote leaves. (Hm... no trunk?)

– indirect control, i.e. the sender relies indirect control, i.e. the sender relies on trusted entities of other on trusted entities of other organizationsorganizations

Many-to-many exampleMany-to-many example

AssumptionAssumption– attacker wants to provide data to a attacker wants to provide data to a

limited audiencelimited audience– it is of interest of all members to it is of interest of all members to

ensure that only members get the ensure that only members get the data (e.g. conference)data (e.g. conference)

Many-to-many example Many-to-many example (cont’d)(cont’d)

A leaf region A leaf region – might be physically limited to one might be physically limited to one

member’s organizationmember’s organization– The leaf region’s BKM should be The leaf region’s BKM should be

administrated by the member itselfadministrated by the member itself

ConclusionConclusion

This is my conclusion. There isn’t This is my conclusion. There isn’t one in the paperone in the paper– The framework provides a scalable The framework provides a scalable

scheme for group key managementscheme for group key management– In general, the paper is not very In general, the paper is not very

concreteconcrete– I think, more work is needed to have a I think, more work is needed to have a

good basis for protocol design and good basis for protocol design and implementationimplementation