The 6th ASTAP Meeting

1
Security Mechanisms for Providing a Multicast
Service

• The 6th ASTAP Meeting
• Information Security Expert Group
• 2002. 06. 04 06
• Korea Information Security Agency(KISA)
• Hee-Un Park, Ph.D
• hupark_at_kisa.or.kr

2
Overview

• Purpose
• Provided as a Just for information
• Promoting the interest of multicast security in
  ASTAP IS-EG
• Proposing it to ITU-T standard in the future
• Fields of application
• For group based IT service
• Secret telemeeting, Remote medicine, pay-TV,
  online game and DRM etc
• Status
• On going technology

3
Overview(cont.)

• IETF MSEC WG standards
• Relationship of International Standards
• None. (developed by KISA)
• Current Status of Domestic(Korea) Standards
• None. (proposed to TTA(Telecommunications
  Technology Association) and under deliberation.

4
Contents

• 1. Introduction
• 2. Motivation
• 3. A Multicast Key Management Architecture
• 4. A Nominative Group Signature Method on
  Wireless Multicast Service
• 5. A Wireless Multicast Key Refreshing Method
• 6. A Integrated Wire and Wireless Multicast Key
  Management Model
• 7. Conclusions

5
1. Introduction - 1.1 Information Society
Trap, Disclosure, Forge, Illegal Use, ?
Modern Society
Group oriented service
Integrated Multicast
Information Society
Electronic election
Electronic approval
Safety, Trust
Electronic commerce
Portrait conference
Remote medical advice
6
1.2 Multicast
Multicast Service
Unicast(11)
?
?
?
Broadcast(1all)

• . Using a Open Network
• ? Required the Safety and Trust.
• . So, Use a Crypto System.
• ? Increment the Importance of
• Key Management.
• . Supported by a Remote Host
• ? Needed the Authentication
• and Anonymity

Multicast(1many)
7
2. Motivation
Proposing a Key Management Structure for
Providing a Integrated Multicast Service
Presenting Requirements and Architecture
A Digital Nominative Group Signature Group
key refreshing Method
To Wire-Wireless multicast
Extension Multicast Service
Increasing the necessary of group oriented
communication services
8
3. A Multicast Key Management Architecture
3.1 The requirements

• General requirements
• Integrity
• Authentication
• Access control
• Non-repudiation
• Privacy

• Requirements for dynamic group member change
• Fairness
• Scalability

• Requirements for remote host service
• Anonymity of a mobile user
• Toleration of Hand-Off

• Requirements for wireless multicast key
  distribution and refresh
• Over coming bottle neck
• Key refreshment
• Preventing from conspiracy
• Toleration of more two key refreshment

9
3.2 The Architecture
Domain 2

• Dynamic Domain
• ? To get the smallest
• key refreshing
• Two-level hierarchy
• ? Highest level
• DKM, DKA
• ? The other
• Border
• Merits
• ? Key managers over
• -head is down
• ? Untrust transmission
• is impossible
• ? Giving the security
• and efficiency

Transmission message
Mutual authentication and management of
communication key
Domain 1
Border
MBRi (Member i)
Border
Remote Host
10
System Parameter
4. A Nominative Group Signature Method on
Wireless Multicast Service

• p large prime p ? 2512
• q large prime q ?2160 p-1
• g generator for Zp
• k1, k2 Random number k1, k2 ?RZP
• D YZk2 mod p
• e gk2-k1 mod p
• H 160-bit secure one-way hash function
• R H(gk1 modp MeD)

• M Message
• KPG A signers group confirming public key list
• KSU A signers group signature key list
• XZ A confirmer Zs private key
• YZ A confirmer Zs public key
• S A digital nominative group signature

11
4.1 Protocol Flow
TC(Trusted Center)
Signer
Certifier
Membership registration and
Key distribution
1. Personal Information (Signers Name, ID,
group, etc)
Public Information KPGk, p, q, g, YZ
2. Secret Key List KSU KSL1, , KSLn
Generating and confirming the signature

3. Boding the Public Key KPGk gKSUk mod p
4. Generating the signature k1, k2 random
number ?RZP e gk2-k1 mod p D YZk2 mod p
R H(gk1 mod pMeD) S k1-KSUk R mod
q
5. (M, R, e, D, S)
6. Confirming the signature H(gS KPGR mod p
M e D) R (gSKPGRe)XZ D mod p
12
4.2 Analysis

• Its useful
• To get the authentication and anonymity on Mobile
  IP multicast service
• It gives the safety and efficiency
• When signature key is distributed
• Because the key list should be changed on the
  policy, the scheme has the safety on key
  distribution
• No need that TCs additional compute for key
  generation
• New member join is easy
• Only receiver
• Can confirm this signature and signers
  membership
• But, does not know his/her personal information
• Its applied to many application areas
• Electronic Voting
• Mobile IP Multicast
• E-money based on Electronic Bank etc.

13
5. A Wireless Multicast Key Refreshing Method

• System parameters

• Pj A large prime number generated by TC (j is
  order of key refreshment)
• Kj A information to generate the group key
• Ti Each users mobile device( i 1, 2, , n)
• Yij, Yij-1 A blinding factor for group key and
  its reverse
• Sij User is private key

14
5.1 Protocol
System setup and registration phase 1) Generates
a large prime number Pj( j 1, , m) and
calculates a users private key
information GCD(Sij, Sik) 1, (Sij ?
Sik) 2) Generates Kj and calculates a blinding
factor and its reverse Yij KjSij mod Pj,
Yij-1 3) Sends this information to a user i
(Si1, Yi1, Yi1-1, , Sim, Yim, Yim-1)
TC
Key refreshment phase 1) Confirms the
discontinuance devices and its information ?
Each users (P1, Si1, Yi1, Yi1-1), (P2, Si2 ,
Yi2 , Yi2 -1)
15
5.1 Protocol(cont.)
1) Calculates at, bt(t?1, 2) a1 Si1
b1 Se1 1 a2 Si2 b2 Se2 1 2) When
at lt 0, calculates (Yi1-1)-a1 Ye1b1 mod P1
K1a1Si1b1Se1 mod P1 K1 (Yi2-1)-a2
Ye2b2 mod P2 K2a2Si2b2Se2 mod P2 K2
When bt lt 0, calculates Yi1a1
(Ye1-1)-b1 mod P1 K1a1Si1b1Se1 mod P1
K1 Yi2a2 (Ye2 -1) -b2 mod P2
K2a2Si2b2Se2 mod P2 K2 3) Refreshes K
using the calculated information Ki K
(?Ki) mod Pt (i 1, , t)
Each users
16
5.2 Analysis
17
6. A Integrated Wire and Wireless Multicast Key
Management Model 6.1 System parameters

• PKM Domain and Border public key manager
• DKMi Domain key manager i
• DKAi Domain key agent i
• R, DMBi Router and Domain Border i
• GML Group member list
• MGBi Multicast Group border i
• MBRi , GI Group member i and Group initiator
• SGBi Subgroup Border i
• RHi Remote host i
• Mkey Multicast key generated by PKM
• KGSi, KGVi A digital nominative group signature
  key and confirming key
• KPi, KSi is public key and private key

• KD_DAi Session key between DKMi and DKAi
• KMSi Group member MBRis private key
• KDAi_Ms Session key between DKAi and members
• Hdr Each groups identity
• ID, Sig, IP s identity, signature and IP
  address
• M Multicast message
• T, Tr Time-stamp generated by member and remote
  host
• Rep_WMS A mobile multicast request message
• Teri Each users mobile device(i1, 2, , n)
• Yij, Yij-1 Subgroup common session key blinding
  factor and its revers
• Sij subgroup member is secret information
  generated by DKAi

18
6.2 Architecture
Domain 2
Transmission message
Mutual authentication and management of
communication key
Domain 1
Border
MBRi (Member i)
Border
Remote Host
19
6.3 System Protocol
Domain initiation
PKM
DKMi
APL
DKMi KDPi DKAi KDAPi
DKAi
Cert(IDpublic keyIP)
DKAi
Each Border

• PKM sends the public key certification to all
  managers using APL
• Cert(IDpublic keyIP) ? DKMi, DKAi, Each
  Borders
• Each domain consists of one DKMi and some DKAi
  that manages
• its subgroup hierarchically

20
Group Initiation
KDKMPi(GMLSigPKM(GML))
DKMi
PKM
SigGI(IDGIGML)
GI
KBPi(MkeySigPKM(IDPKM))
Bi

• GI
• ? Setting the GML and sending this
• Signature information to PKM
• SigGI(IDGIGML)
• GML(IDMBR1IDMBRn))

• PKM
• ? Authenticates GI and GML with confirming
• received Signature from GI
• ? Generates Mkey and send it to all Borders
• ? Sends the GML to Domain, securely using
• the KDPi

21
Group Member Join

• DKMi
• ? 1) Generates the KD_DAi and sends it to DKAi
  using
• the secure unicast channel.
• ? 5) Compares with receiving information from
  DKAi
• and GML

DKMi
4)
1) KDKAPi(KD_DAiSigPKM(KD_DAi))
DKAi
3
1

• DKAi
• ? 4) Sends group join member list to DKMi
• ? 6) Sends KDAi_Ms1, subgroup key refreshment
  information and
• KGSi to each member using the
  receiving private key KMSi.
• ? 7) KDAi_Ms1, SKRI and KGSi is sent to DKMi
  and Bi securely

DKAi
6, 7) KDAi_Msi , KGS
Bi
2

• Members
• ? 2) Authenticates him(her)self to DKAi
• ? 3) Sends his encrypted private key to DKAi
• KDKAPi(IDMBRiKMSiReq_WMSSigMBRi(IDMBRiKMSi
  Req_WMS))

DKAi
2, 3) KDKAPi(IDMBRiKMSiReq_WMS
SigMBRi(IDMBRiKMSiReq_WMS))
22
Multicast message transmission
Message transmission
Inside transmission
Outside transmission
Domain to Domain
Group to Group
Sending message to the reserved Subgroup
Inside Domain
23
Message transmission group to group

• MemberI
• ? 4) Decrypts M with KDAi1_Ms
• KDAi_Ms(KDAi_Ms(M)) M

• MemberI
• ? 1) Encrypts M and Hdr and sends
• it to SGBi KDAi_Ms1(HdrM)

SGBi
KDAi_Ms(M)
KDAi_Ms1(HdrM)
HdrSigSGBi(Hdr)MKey(M)
SGBi

• SGBi
• ? 2) Decrypts M, encrypts it with
• Mkey and sends this to SGBi
• HdrSigSGBi(Hdr)MKey(M)

• SGBi
• ? 3) Decrypts M, encrypts it with
• KDAi_Ms and send this to memberi
• MKey(MKey(M)) ? KDAi_Ms(M)

24
Accessing remote host and authentication
IDNKGS(IDNIDNrDKMiT)
RHi
MBRi(Member i)
IDN, IDNr A alias ID of MBRi and RHi T
Time-Stamp generated by MBRi KGS A nominative
group signature key

• MBRi
• ? generates the digital nominative
• group signature and sends
• authentication information to RHi
• IDNKGS(IDNIDNrDKMiT)

• RHi
• Certificating the signature from MBRi
• Setting a channel with border
• for multicasting service

25
Remote host hand-off and authentication
2) Certificating payment information
IDNrKDKMPi(IDNTr-T) ? RHi
1) KRHPi1(IDNrTr)KGSi(IDNIDNrT) ? RHi1
KDKMPi(IDNrTr)KGSi(IDNIDNrDKMiT) ?
DKMi
RHi
DKMi
4) Confirming received message and sends this
IDNKGSi(IDNIDNr1DKMiTrTr1) ? RHi1
MBRi
6) Payment authentication
1)
RHi1
5) KDKMPi(IDNr1Tr1)KGSi(IDNIDNr1DKMiT
rTr1) ? DKMi
3) Certifying and hand-off authenticating as
1)-b) IDNr1Tr1KRHSi1(IDNIDNr1TrTr
1) ? MBRi
26
New member join and old member leave

• Joining new member
• ? Operating same protocol as group member join
• Leaving old member
• ? The conventional key KDAi_Ms must be
  refreshed to KDAi_Ms1
• for the members to get the communication
  safety from
• a group leaver
• MBRi KDAPi(SigMSi(DELIDMBRi)) ?
  DKAi KD_DAi(SigDkAi(DELIDMBRi)) ? DKMi
• ? DKMi confirms the received information and
  changes
• GML to GML
• DKMi KDKMPi(SigDkMi(GML)) ? PKMi

27

• Old member leaves(cont.)
• DKAi sends the subgroup refreshment information
  to MBRi, DKMi, SGBi.
• ? DKAi P1, Si1, Yi1, Yi1-1, , Sij, Yij, Yij-1
  ? MBRi, DKMi, SGBi
• MBRi, DKMi and SGBi generate the new subgroup
  common session key as follows.

• Calculates at and bt(t?1, 2)
• a1 Si1 b1 Se1 1 aj Sij bj
  Sej 1
• 2) When at lt 0, calculates
• (Yi1-1)-a1 Ye1b1 mod P1
  K1a1Si1b1Se1 mod P1 K1
• (Yi2-1)-aj Ye2bj mod Pj
  KjajSijbjSej mod Pj Kj
• When bt lt 0, calculates
• Yi1a1 (Ye1-1)-b1 mod P1
  K1a1Si1b1Se1 mod P1 K1
• Yijaj (Yej -1) -bj mod P2
  KjajSijbjSej mod Pj Kj
• 3) Generates new subgroup common session key
• KDAi1_Msj (?Kj) mod n (i 1, , t)

28
6.4 Analysis

• Integrity, Access control
• Multicast message is transmitted using the
  session key and multicast key
• Authentication, Non-repudiation
• The digital signature and nominative group
  signature is processed
• Privacy
• A symmetric cryptography method protects a
  multicast message
• Anonymity
• Alias ID and the digital nominative group
  signature gives anonymity from the third party
  and home domain
• Fairness and scalability
• Key refreshing is clear and other members get new
  KDAi_Ms securely and operated in only subgroup
• Toleration of Hand-Off
• Old remote host sends a member authentication
  information to new remote host
• Wireless multicast key distribution and refresh
• This scheme uses the proposed mobile group key
  refreshment method

29
7. Conclusions
Presenting Requirements For multicast Services
Digital nominative group signature Mobile
group key refreshment method
Describing the necessary and weakness of
multicast service
Proposing a mechanism for supporting
wire-wireless Integrated multicast service
Applied into mobile IP multicast environment
Analysis the Proposed scheme based on
requirements
The presented scheme Safe and Trustable