A Survey of Key Management for Secure Group Communications

1
A Survey of Key Management for Secure Group
Communications

• Celia Li

2
Outline

• Group Communications
• Security Issues
• Requirements
• Classification
• Group Key Management Protocols

3
Group Communications

• Group Communications
• One-to-many
• Many-to-many
• Advantages
• Scalability
• Efficiency
• Applications
• Pay-per-view video, distant education,
  multiplayer games, online chat group
• NOTE Broadcast one-to-all

Internet
Internet
4
Security Issues

• Authentication Identifies the members of the
  group (senders receivers)
• Confidentiality Content of a message must be
  shared only by authorized users
• Integrity Data cannot be modified without being
  detected
• Access control Ensures that only authorized
  actions can be performed (e.g., restricting
  membership, restricting who can send data)
• Non-repudiation Ensures that an originator
  cannot deny sending a message.
• Availability Ensures that authorized actions can
  in fact take place

Security Mechanism Group Key Management
5
Group Key Management

• To provide secure distributions handling of
  cryptographic keying materials
• Group Key
• A piece of secret information that is known only
  to the current group members
• Used to encrypt message
• Membership changes trigger rekeying process
• Join a new group key must prevent the new member
  from decoding previous messages
• Leave a new group key must prevent former group
  members from decoding future messages
• Group Key Management Problem
• How to ensure that only legitimate users have
  access to the group key

6
Requirements for Group Key Management (1)

• Group key secrecy
• Computationally infeasible for a passive
  adversary to discover a group key
• Forward secrecy
• Evicted users cannot learn any future keys
• Backward secrecy
• New users should not have access to any old keys
• Key independency
• Disclosure of a key does not compromise other
  keys.

7
Requirements for Group Key Management (2)

• Scalability (1-affects-n)
• A membership change should affect only a small
  subset of members
• Reliability
• Providing a recovery mechanism for missing
  rekeying messages
• Resistance to attacks
• From both inside and outside the group
• Low bandwidth overhead
• Rekeying should not induce a high number of
  messages

8
Group Key Management Classification

• The entity who exercises the group control
• Centralized Group Control
• A single entity is the group controller who is
• Responsible for key generation, key distribution
  and key refreshment
• Ex Naïve Solution, Key tree-based Approach
• Subgroup Control
• The group is divided into subgroups
• Each subgroup is managed by its own controller
• Ex Iolus Framework
• Member control
• No group controller
• Each member contributes its share toward group
  key generation
• Ex Contributory key agreement supported by the
  Diffie-Hellman algorithm Cliques

9
Naïve Solution

• Group Key vs Individual Key
• Used to encrypt messages
• Used to verify each members identity
• Rekeying Message
• Used to notify all members of any key change and
  the new key information
• Join
• Encrypt new group key with the old group key and
  multicast to group
• Encrypt new group key with new users individual
  key and unicast to the joining user
• Number of rekeying messages O(1)
• Leave
• Encrypt new group key with each users individual
  key and Send it to remaining users one by one
• Number of rekeying messages O(n)
• Problem
• Not scalable when users leave

K1-3
Group key
k1
k2
k3
Individual keys
m1
m2
m3
Member
K1-4k1
K1-4k3
K1-4k2
m4 leaves
m4 joins
K1-4
k1
k2
k3
k4
m1
m2
m3
m4
K1-4k1-3
K1-4k4
10
Key Tree-Based Approach
GC
Central Group Controller

• Key Tree
• Root group key, encrypt/decrypt multicast data
  packets
• Leaf members individual key
• Nodes between leaves and root intermediate keys,
  that are used to encrypt other keys instead of
  actual data
• Each member stores the keys from leaf to the root
• m1 k1, k1-2, k1-4, k1-8
• m6 k6, k5-6, k5-8, k1-8

K1-8
Group key
K1-4
K5-8
Intermediate keys
K7-8
K5-6
K3-4
K1-2
Individual keys
k8
k7
k6
k5
k4
k3
k2
k1
m8
m7
m6
m5
m4
m3
m2
m1
Member
11
Key Tree-Based Approach Join
? K1-8 ?K1-9
GC
Central Group Controller
? K1-9K1-8
K1-8
K1-9
Group key
? K1-9K9
? K7-8 ?K7-9
Intermediate keys
K3-6
K1-3
K7-8
K7-9
? K7-9K7-8
? K7-9K9
Individual keys
k8
k7
K6
k5
k4
k3
k2
k1
k9
m8
m7
m6
m5
m4
m3
m2
m1
m9
Member

• Keys along the path need to be changed
• Every changed key is encrypted with old keys,
  multicast to the group except newly join member
• New member gets keys through unicast
• Number of rekeying messages O(logkn)

• m9 joins the group
• K7-8 ? K7-9, K1-8 ? K1-9
• GC ? m7, m8 K7-9K7-8
• GC ? m1, , m8 K1-9K1-8
• GC ? m9 K7-9, K1-9K9
• of rekeying At most 2logkn

12
Key Tree-Based Approach Leave
? K1-9 ?K1-8
GC
Central Group Controller
? K1-8K1-3
K1-9
K1-8
? K1-8K3-6
Group key
? K1-8K7-8
K3-6
Intermediate keys
K1-3
K7-9
K7-8
? K7-9 ?K7-8
? K7-8K7
Individual keys
? K7-8K8
k8
k7
K6
k5
k4
k3
k2
k1
k9
m8
m7
m6
m5
m4
m3
m2
m1
m9
Member
K7-8 ? K7-9, K1-8 ? K1-9
m9 leaves the group

• Keys along the path need to be changed
• Every changed key is encrypted with each of its
  childrens keys
• Number of rekeying messages O(logkn)

• GC ? m7 K7-8K7
• GC ? m7 K7-8K8
• GC ? m1, m2, m3 K1-8K1-3
• GC ? m4, m5, m6 K1-8K3-6
• GC ? m7, m8 K1-8K7-8
• of rekeying At most klogkn

13
Centralized Group Control

• Advantages
• Key tree structure reduces the number of rekey
  message to O(logkn)
• Suitable for general multicast sessions having
  small to medium sizes such as Internet radio and
  stock quote services
• Disadvantages
• Single point of failure at the central controller
• Not scalable for very large groups

14
Subgroup Control Iolus Framework
Sender
? DataRand Rand k3
K3
K2
K1
SGC1
SGC2
SGC3
? DataRand Rand SK3
m
m
m
m
m
m
m
SGC31
SGC11
? DataRand Rand SK31
SK1
SK2
SK3
m
m
m
m
m
m
SK31
SK11

• SGC subgroup controller
• Ki subgroup controllers individual key
• SKi subgroup key
• Sender generates a random number to encrypt
  actual data
• The random number is encrypted by each subgroup
  controllers individual key

• new member joins/leaves local subgroup
• Subgroup controller changes its subgroup key
• Other subgroup keys do not need to be changed

15
Subgroup Control Iolus Framework

• Advantages
• Easier group management as a large multicast
  group is organized into smaller subgroups
• Eliminating the problem of concentrating the
  workload on a single group controller
• Suitable for general multicast sessions with
  globally distributed members such as pay-per view
  international news and movie systems
• Disadvantages
• Members cannot access group communications if
  their subgroup controller fails
• Introducing message delivery delay as subgroup
  controllers have to perform key translation
• Not suitable for real-time multicast applications
  such as video-conferencing

16
Member Control

• No group controller
• Every member contributes a share towards the
  group key
• Requires knowledge of group membership
• Example protocol Contributory key agreement
  supported by the Diffie-Hellman algorithm Cliques

17
Diffie-Hellman
Alice
Bob

• p large prime
• (e.g. 512 or 1024 bits)
• g base generator
• a Alices secret integer
• b Bobs secret integer

A ga mod p K Ba mod p
K Ab mod p B gb mod p
A
B
KAb mod p Ba mod p gab mod p

• DH allows two individuals to agree on a common
  symmetric key
• It has been proved that nobody else can compute
  the shared key gab in a reasonable amount of time
  even though they know ga and gb
• ga is used to represent ga mod p

18
Member Control Cliques
gs1
gs1s2
m4
Stage 1
m1
m2
m3

• Cliques arranges the group member in a logical
  liner structure and passes key information
  sequentially
• Group members are indexed
• The last two members (having the highest
  indices) are responsible for taking part in key
  distribution
• The last member does the key distribution

m1
gs1s2s3
Stage 2
m4
m3
m2
gs1s2s3
m1
gs2s3
gs1s3
Stage 3
m2
m4
m3
gs1s2
m1
gs2s3s4
gs1s3s4
Stage 4
m2
m4
m3
gs1s2s4
Group Key m1 m2 m3
m4
gs1s2s3s4 g(s2s3s4)s1 g(s1s3s4)s2 g(s1s2s4)s3
g(s1s2s3)s4
19
Cliques Join
m5
gs1s2s3, gs1s2s4, gs1s3s4, gs2s3s4
m1
s4 ? s4
gs2s3s4
m4
m5
Stage 1
gs1s3s4
joins
m2
m4
m1
m3
gs2s3s4s5
gs1s2s4
gs1s3s4s5
m2
Stage 2
m5
Old Group Key
m3
gs1s2s4s5
gs1s2s3s4
gs1s2s3s5
m4
New Group Key m1 m2 m3
m4 m5
gs1s2s3s4s5 g(s2s3s4s5)s1 g(s1s3s4s5)s2
g(s1s2s4s5)s3 g(s1s2s3s5)s4g(s1s2s3s4)s5

• new member mn1 replaces member mn to distribute
  partial keys
• mn factorizes out his secret number from all
  factorized partial keys adds a newly generated
  secret number sn sends it to mn1
• mn1 adds his own secret number and sends the
  new partial keys back to the corresponding members

20
Cliques Leave
s4 ? s4
m1
gs2s3s4
m1
gs3s4
m2 leaves
gs1s3s4
m2
m4
m4
m3
gs1s2s4
m3
gs1s4
New Group Key m1 m3 m4 m2
Old Group Key
gs1s3s4 g(s3s4)s1 g(s1s4)s3
g(s1s3)s4 ?
gs1s2s3s4

• mn generates a new secret number sn
• mn computes new partial keys excluding departure
  members secret number sends them to the other
  members
• Departure member has no information to compute
  the new group key

21
Member Control Cliques

• Advantages
• No single point of failure (no central
  controller)
• Robust due to self-stabilization
• Single function handles join and leave
• Suitable for a multicast system having a small
  size and a less powerful server or no centralized
  server, such as video conferencing
• Disadvantages
• Heavy workload on the member who does key
  distribution
• Not scalable number of rekeying messages is O(n)
• Requires knowledge of group membership

22
Conclusion

• Key Management for Secure Group Communications
• Centralized Control
• Easy to implement concentrated high overhead on
  a single entity not scalable
• Subgroup Control
• Membership changes in a subgroup does not affect
  other subgroups ? more scalable
• Member Control
• Member-driven design higher workload on the
  member who does key distribution