a new networking feature in computer classrooms: homegroup and homegroup protocol, velimir...

Upload: velimir-radlovacki

Post on 28-Oct-2015


International Conference on Information Technology and Development of Education ITRO 2013, June 2013, Zrenjanin, Republic of Serbia, pp. 184-189

A NEW NETWORKING FEATURE IN COMPUTER CLASSROOMS: HOMEGROUP AND HOMEGROUP PROTOCOL

V. Radlovacki
Skolski centar Nikola Tesla, Vrsac, Republic of Serbia
[email protected]

Abstract - HomeGroup provides methods for easy sharing of files and printers in a classroom network without knowledge of computer networks or additional investment in IT equipment. HomeGroup creation, discovery and joining, as well as file and printer sharing, are done with no ambiguous options, through a simple user interface and Windows Explorer. System services are self-configuring and hidden from the end users. The HomeGroup protocol creates a trust relationship between IPv6-configured hosts via peer-to-peer networking, with the use of DPWS and the Peer-to-Peer Grouping Security Protocol.

I. INTRODUCTION

The average school in the primary and secondary educational system in Serbia usually has several computer classrooms. In each one, there are ten to twenty computers networked in a LAN (Local Area Network), sharing one Internet connection. The best scenario for maximum utilization of those available resources would be to deploy a school domain network maintained by a school network administrator. The reality is that primary and secondary schools do not have a network administrator. They also do not have adequate networking equipment and servers for the implementation of a school domain network.

Teachers fend for themselves as best they can, trying to make better use of what they have. The most common solution for networking and sharing resources is a Windows workgroup, and even that solution requires specific knowledge and skills about computer networks and operating systems. One shared Internet connection and a workgroup in a computer classroom could be an acceptable solution for networking, but a poor one for sharing resources. In Windows XP there was a limit of ten inbound connections that one host could handle. That limit disappeared with Windows Vista, but still, the increased amount of network traffic created issues with host visibility in a workgroup. These problems, in combination with low-cost SOHO (Small Office Home Office) switches and routers, meant problems in the classroom during the class. It was not common that the teacher had to solve those problems to be able to continue with the class.

The idea of a networking feature focused on small networks came in 2002, during the Longhorn development, and it was called Castles. A few years ago, starting with Windows 7, Microsoft officially introduced the end result, a new networking technology called HomeGroup [1]. HomeGroup provides methods for sharing files and printers in a local subnet, working alongside the other networking technologies that are already in use. Compared to those technologies, a domain network or a workgroup, HomeGroup is optional. A Windows host must belong either to a workgroup or to a domain, but it is not required to use the HomeGroup feature. HomeGroup requires each host that initially joins to provide a matching shared password, while workgroups do not. Unlike a workgroup, HomeGroup does not require students to have accounts on other hosts. Instead, HomeGroup uses a common system account so that all students can connect to any host in the group transparently, as with domains. HomeGroup hosts communicate via P2P (peer-to-peer) networking, similar to workgroups, but using different network protocols. Each host in a HomeGroup is equal; there are no computers configured as network servers. Windows 7 Starter, Windows 7 Home Basic, and Windows RT can join a HomeGroup, but cannot create one.

II. USING HOMEGROUP

If the teacher decides to use a HomeGroup in a classroom, he must pay attention to network identification, HomeGroup creation, discovery and joining, and the proper use of HomeGroup's potential.

When a host successfully connects to a classroom network, several characteristics are examined to determine if it is a known network location. If the network is previously unknown and not identified as a domain-authenticated network, the teacher will be prompted to select a profile for that network location. The selections are as follows: Home, Work, or Public. If the teacher sets the Home network profile for the location, the proper ports are opened in the firewall and the network is examined for an existing HomeGroup.

If a HomeGroup is not detected during the out-of-box experience, one may be auto-created by that host. No content will be shared with the newly created HomeGroup except the Public folders and attached printers. If a HomeGroup is not detected when joining a new Home network, the teacher will be prompted to create one. The defaults on what to share will be pre-selected (the Pictures, Music and Videos libraries, and printers), and those choices can be modified. At that point, the teacher has the ability to cancel HomeGroup creation. However, if he chooses to create the HomeGroup, the HomeGroup password will be shown, so that he can add other hosts later.

Once the teacher has decided to create a HomeGroup and determined what to share with the others, the HomeGroup services perform several tasks on his behalf. The HomeGroup is created on the host and secured with a strong auto-generated password, which is provided to the teacher. The firewall ports required by the HomeGroup to function properly are opened. The HomeGroup is then advertised on the classroom network to allow other hosts to discover and join it. A HomeGroup account is created on the host, to be used by all members for authentication when accessing shared resources. A local security group is created on the host, and all local users except Guest are added to it. Libraries and printers, as selected by the teacher, are shared appropriately with the other HomeGroup members. Those shared libraries and printers on the host are then advertised on the classroom network to make them discoverable by future members. The two core services that configure a Windows host are the HomeGroup Listener Service, which performs local changes, and the HomeGroup Provider Service, which performs networking tasks.

Whenever a new host is connected to a classroom network, the host will automatically try to discover an existing HomeGroup on that network. If the classroom network already has a HomeGroup, the teacher may join it. But before the teacher is asked to join an existing HomeGroup on the classroom network, the HomeGroup services perform some key checks to determine whether it is valid to ask the teacher to join that group. So when a host joins the new classroom network and discovers an existing HomeGroup invitation on that network, the HomeGroup Provider Service examines the invitation for the name of the HomeGroup creator, the number of hosts that belong to the HomeGroup, a PeerGroup invitation for the HomeGroup, and the time the HomeGroup was created. Using that, the HomeGroup service then determines whether or not to show the join experience to the user. If the host is not a member of any HomeGroup, it will prompt the user to join the discovered HomeGroup. If the host is already a member of another HomeGroup and is the only member of that HomeGroup, it will further examine the date the newly discovered HomeGroup was created to determine which one is newer. If the discovered HomeGroup was created more recently than the one on that host, it will ask the user to join the newly discovered HomeGroup. If the host is already a member of another HomeGroup with more than one member, it will ignore the newly discovered HomeGroup on the network, since it is already a member of a fully functioning HomeGroup, and the user won't be prompted to join.
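The join-decision checks just described, as an added Go example that is not code from the paper or from Windows. It parses a constructed HomeGroup Invitation (the XML element names and the sample values are assumptions for this example; the page does not reproduce the MS-HGRP schema) and applies the three rules: a host in no HomeGroup is prompted, a sole member of its own HomeGroup is prompted only when the discovered HomeGroup is newer, and a member of a multi-host HomeGroup ignores the discovery.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Invitation carries the fields of a HomeGroup Invitation WSD message that the
// HomeGroup Provider Service inspects before deciding whether to show the join
// experience. The XML element names are an assumption of this example.
type Invitation struct {
	XMLName      xml.Name  `xml:"HomeGroupInvitation"`
	Creator      string    `xml:"CreatorName"`
	MemberCount  int       `xml:"MemberCount"`
	PeerGroupInv string    `xml:"PeerGroupInvitation"`
	Created      time.Time `xml:"CreationTime"` // RFC 3339 text, parsed by time.Time
}

// Membership describes what the local host currently belongs to.
type Membership struct {
	Joined      bool      // the host is already a member of some HomeGroup
	MemberCount int       // size of that HomeGroup, including this host
	Created     time.Time // when that HomeGroup was created
}

// Decision is the outcome of the checks.
type Decision string

const (
	PromptJoin Decision = "prompt the user to join the discovered HomeGroup"
	Ignore     Decision = "ignore the discovered HomeGroup"
)

// sampleInvitation is a constructed invitation, not a captured message.
const sampleInvitation = `<HomeGroupInvitation>
  <CreatorName>Teacher-PC</CreatorName>
  <MemberCount>3</MemberCount>
  <PeerGroupInvitation>PEERGROUP-INVITATION-PLACEHOLDER</PeerGroupInvitation>
  <CreationTime>2013-06-10T08:15:00Z</CreationTime>
</HomeGroupInvitation>`

// ParseInvitation decodes an invitation XML document; malformed fields
// (for example a non-numeric MemberCount) are rejected with an error.
func ParseInvitation(doc string) (Invitation, error) {
	var inv Invitation
	if err := xml.Unmarshal([]byte(doc), &inv); err != nil {
		return Invitation{}, err
	}
	return inv, nil
}

// DecideJoin applies the rules the HomeGroup Provider Service uses before
// offering the join experience.
func DecideJoin(local Membership, inv Invitation) Decision {
	switch {
	case !local.Joined:
		return PromptJoin
	case local.MemberCount <= 1 && inv.Created.After(local.Created):
		return PromptJoin // sole member of an older HomeGroup
	default:
		return Ignore // own HomeGroup is newer, or already has other members
	}
}

func main() {
	inv, err := ParseInvitation(sampleInvitation)
	if err != nil {
		fmt.Println("bad invitation:", err)
		return
	}
	fmt.Printf("invitation from %s, %d member(s), created %s\n",
		inv.Creator, inv.MemberCount, inv.Created.Format(time.RFC3339))

	day := 24 * time.Hour
	cases := []struct {
		name  string
		local Membership
	}{
		{"host in no HomeGroup", Membership{}},
		{"sole member of an older HomeGroup", Membership{Joined: true, MemberCount: 1, Created: inv.Created.Add(-day)}},
		{"sole member of a newer HomeGroup", Membership{Joined: true, MemberCount: 1, Created: inv.Created.Add(day)}},
		{"member of a two-host HomeGroup", Membership{Joined: true, MemberCount: 2, Created: inv.Created.Add(-day)}},
	}
	for _, c := range cases {
		fmt.Printf("%-34s -> %s\n", c.name, DecideJoin(c.local, inv))
	}
}
```

The creation-time comparison is what keeps two freshly installed hosts from each clinging to its own auto-created single-member HomeGroup: whichever was created later wins, so the classroom converges on one group.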

Once the correct password is supplied by the teacher and authentication to join the discovered HomeGroup succeeds, the HomeGroup Provider Service joins the host to the shared PeerGroup specified in the HomeGroup invitation and retrieves information from it. The HomeGroup Provider and Listener Services use the information from the PeerGroup, together with the sharing preferences supplied by the user during the join experience, to complete the necessary tasks. The first task is to open firewall ports [2] for Peer-to-Peer Grouping, the Peer Name Resolution Protocol, Media Streaming, SMB (Server Message Block) etc. Then the HomeGroup is re-advertised to all hosts with an updated HomeGroup invitation, to facilitate future joining: the number of hosts is incremented and reflected in the new invitation. A HomeGroup account, HomeGroupUser$, is created on the host to be used by all members for authentication when accessing shared resources across the classroom. A local security group, HomeUsers, is created. All local users except Guest are added to the HomeUsers security group. Libraries and printers, as selected by the teacher, are shared appropriately to the HomeUsers group. Both the shared libraries and printers on the local host are then advertised on the network to make them discoverable by future members. Public folders are shared with the HomeGroup to allow for a default network save location on every host. Windows Media Streaming Services are enabled to allow streaming of the user's media to future members in Windows Media Player or to other authorized DLNA (Digital Living Network Alliance) compliant media receivers. New entries are added to the user credential store on the current host to allow seamless authentication to shared resources on other members using the HomeGroupUser$ account.

The common ways to share resources are: electing to share libraries or printers when creating or joining a HomeGroup; the sharing choices available under HomeGroup in Control Panel; the Share With menu in Windows Explorer; or the context menu that can be invoked by right-clicking any appropriate resource in Windows Explorer and clicking Share With. When someone shares content in the HomeGroup, HomeGroup shares the selected resources with other members by sharing the resource with the HomeGroup Users security group. This is achieved by applying the respective ACL (Access Control List) for the HomeGroup Users security group to the resource in the local file system. Then HomeGroup creates a UNC (Universal Naming Convention) share, if one does not exist, to expose the resource so that it can be accessed on the classroom network. Finally, HomeGroup advertises the shared resource on the network to other members using Function Discovery, the same way it advertises itself.

When another host receives and parses the shared resource message, the next step is to render the shared resource within Windows Explorer to provide users with easy discovery of and access to that shared resource. Shared libraries and folders appear under a user's name. When the user initiates a request to access a shared resource from the HomeGroup folder, the connection request is handled by Windows Explorer, which hands it off to SMB to complete. Based on user preference, SMB will attempt to connect to the remote host using the HomeGroup credentials or user-specified credentials, which are configurable under HomeGroup Connections in Control Panel, under Advanced Sharing Settings.

On a HomeGroup password change, the HomeGroup Provider and HomeGroup Listener services must first stop HomeGroup members from accessing shared content until they can provide the new password. That is achieved by disconnecting any currently active network connections, de-authorizing all hosts for media streaming access, departing the old PeerGroup, changing the password of the HomeGroupUser$ account and removing all credentials from the credential manager. Then the HomeGroup Provider and HomeGroup Listener services re-configure the HomeGroup for members to join with the new password by creating a new PeerGroup and updating the HomeGroup invitation with the new information. Existing members will parse the new HomeGroup invitation and inform their users that the password has changed.

A user can leave the HomeGroup at any time. When a HomeGroup is departed, the HomeGroup Provider and Listener services close all firewall ports used by the HomeGroup, stop publishing all HomeGroup messages on the classroom network, delete the HomeGroupUser$ account, delete the HomeUsers local security group, de-authorize the MAC addresses of previous members from accessing streamed media content, remove all entries from the credential manager and disconnect all HomeGroup SMB connections.

III. HOMEGROUP PROTOCOL

A. Protocol Overview

MS-HGRP (Microsoft HomeGroup Protocol) [3] is used to create a trust relationship that facilitates the advertising and publishing of content between hosts via a peer-to-peer (P2P) infrastructure. This relationship is achieved with the use of WSD (Web Services on Devices) and a PeerGroup infrastructure. There is no client-server relationship in this protocol: in order to participate in a HomeGroup, all hosts implement the protocol in the same manner. WSD is used to publish messages that are discoverable by all hosts on the subnet. These messages include the HomeGroup Invitation and Shared Printer messages. The PeerGroup is used as a secure line of communication between HomeGroup members.

A host that attempts to create a HomeGroup does so by first creating a PeerGroup, which is the secure P2P connection through which the HomeGroup is synchronized. This HomeGroup host sets the HomeGroup password, which is used to secure the HomeGroup. Once the PeerGroup has been created, this first host publishes an invitation to the HomeGroup via WSD, which allows new hosts on the subnet to discover the HomeGroup. A host detects that there is a HomeGroup on the subnet by receiving a HomeGroup Invitation message over WSD. With the invitation and the correct HomeGroup password, the host is able to join the PeerGroup and, by extension, the HomeGroup.

This protocol depends on DPWS (Devices Profile for Web Services) to enable the discovery of a HomeGroup on the subnet, and on MS-PPSEC (Microsoft Peer-to-Peer Grouping Security Protocol) to create a PeerGroup for communication between members of the HomeGroup. The underlying PeerGroup is restricted to hosts on the same subnet. DPWS and MS-PPSEC are used independently of each other, which means that neither protocol sits above the other in the relationship hierarchy. MS-HGRP also requires that all hosts implement the IPv6 (Internet Protocol version 6) protocol and have a valid IPv6 address.

B. Protocol Messages

Transport for this protocol is achieved through two channels, the PeerGroup and WSD, which are independent of each other. WSD is used to publish messages that are available to all hosts on the subnet. The PeerGroup is used for secure communication between members of the HomeGroup. All messages are generated in XML format.

WSD messages are transported using WSD and published to the local subnet. The HomeGroup Protocol uses WSD messages to advertise the presence of a HomeGroup, as well as the shared resources on the home network. The HomeGroup Invitation message is used to advertise the presence of the HomeGroup to other machines on the home network and to provide the details required to allow them to join that HomeGroup. The HomeGroup invitation includes the PeerGroup invitation (which is required to join the PeerGroup) and other relevant information about the HomeGroup. The invitation is serialized into an XML string and then published on the local subnet using WSD. The Shared Printer message is used to advertise printers that are installed on the advertising machine. It is likewise serialized into an XML string and published on the local subnet using WSD.

PeerGroup messages are transported using the PeerGroup. They are used for secure communication between members of the HomeGroup. All messages sent via the PeerGroup are converted to binary before being sent. HomeGroup Member Info messages are used to broadcast a HomeGroup member's host name and Peer ID. The HomeGroup Record format is the base data structure used by the following PeerGroup messages:

HomeGroup Credentials messages are used to synchronize the HomeGroup credentials that are common to all HomeGroup members. This message contains the common credential name, its password, and its creation time.

HomeGroup User Info Record messages are used to broadcast information about each user on the host to the other hosts in the HomeGroup. Each user account on each HomeGroup host has a separate, corresponding HomeGroup User Info record in the PeerGroup.

HomeGroup MAC Address messages are used to broadcast the MAC addresses of all network adapters present in a HomeGroup member host to all other members of the HomeGroup.

Messages containing information about the UNC (Universal Naming Convention) shares in the HomeGroup are created by the Data Protection Listener, which enables a user to back up their data to a device other than the one where it is currently located. One of the objectives of data protection is to enable multiple users in a HomeGroup to share the same external device.

HomeGroup Signing Key messages are used to distribute signing keys to the HomeGroup. The signing keys are used to verify the integrity of signed WSD messages that are sent by HomeGroup members over WSD.

C. Protocol Details

To implement the HomeGroup Protocol, an individual HomeGroup member stores and updates the data about itself and the other members of the HomeGroup. That is necessary for sending the proper messages. Whenever the data maintained by the host changes, the appropriate messages are re-sent. Resending the messages ensures that new information is propagated to all members of the HomeGroup.

The HomeGroup protocol is initialized when a host creates or joins a HomeGroup. Upon first initialization, the host should check for a HomeGroup Invitation WSD message. If a HomeGroup Invitation is detected, then the host may join the HomeGroup. If no invitation is detected, then the host may create a HomeGroup.

To participate in a HomeGroup, a host must create the HomeGroup when no HomeGroup Invitation message exists. This requires a HomeGroup password. All other hosts will then be able to join the HomeGroup once the first host's HomeGroup Invitation is detected. A new HomeGroup is created by creating a new PeerGroup with a secure Peer ID. The Peer ID is a unique identifier that other members in the PeerGroup can use to identify a particular member. The host then generates the signing keys. The host then sends a HomeGroup Signing Key message, a HomeGroup Member Info message, a HomeGroup User Info record for each user on the host, a HomeGroup Credentials message and a HomeGroup MAC Address message to the PeerGroup. If the data contained in a message changes, the host must create new messages and send them to the PeerGroup. After that, the host must publish a HomeGroup Invitation WSD message. If the data contained in the HomeGroup Invitation WSD message changes, the host must create a new HomeGroup Invitation WSD message and publish it on the WSD channel. When a printer that is to be shared is attached to the host, the host should also publish a HomeGroup Printer WSD message on the WSD channel. If the printer is unshared, the host should remove the printer from the HomeGroup Printer WSD message. If a new user is created on the host, a HomeGroup User Info record must be sent to the PeerGroup for that user account. If a user is deleted from the host, the HomeGroup User Info record corresponding to that user account must be removed from the PeerGroup.

Joining an existing HomeGroup requires the presence of a HomeGroup Invitation message. Multiple HomeGroup Invitation messages can be present on the network. When a HomeGroup Invitation message has been detected, the host must use the PeerGroup invitation and the proper HomeGroup password. Then the host can join the PeerGroup. Once the host has joined the PeerGroup, it is considered a member of the HomeGroup. After joining the PeerGroup, the host must then take the actions described in the previous paragraph.

To depart from the HomeGroup, the host must remove all messages that it sent to the PeerGroup, except those that are flagged to persist after the host's departure. The host must stop publishing the HomeGroup Invitation WSD message and, if applicable, the HomeGroup Printer WSD message. The host may then close and delete the PeerGroup.

Changing the HomeGroup password is accomplished by departing the HomeGroup and creating a new HomeGroup with the new password. When doing so, both the name and the signing keys must be reused from the departed HomeGroup. When the new HomeGroup broadcasts its invitation, it will contain the old HomeGroup name, and its digital signature will be made with the signing keys of the previous HomeGroup. The other members then detect the new HomeGroup Invitation WSD message and can join the HomeGroup by supplying the new password.

D. Protocol Security

An encryption key is generated when a HomeGroup is created. A 256-bit AES (Advanced Encryption Standard) key is formed by taking the SHA-256 (256-bit Secure Hash Algorithm) hash of the PeerGroup name, with the HomeGroup password as the salt. This encryption key is used to encrypt the account credentials in the HomeGroup Credentials message, as well as the public and private signing keys, before they are sent over the network.

The HomeGroup creator generates a 2048-bit RSA (Rivest, Shamir and Adleman public-key cryptography algorithm) key pair. These keys are encrypted and sent to the other members of the HomeGroup over the PeerGroup channel in a HomeGroup Signing Key message. The keys are used to sign, or to verify the integrity of, signed WSD messages sent over the HomeGroup.

HomeGroup Invitation messages are SHA-256 hashed. The hash is signed with the HomeGroup signing key and the signed version is included in the message. The hash is then signed with the public signing key using the RSASSA-PKCS1-v1_5 (RSA Cryptography, Public-Key Cryptography Standards) signature algorithm. HomeGroup Printer messages are also signed with the public signing key using the RSASSA-PKCS1-v1_5 signature algorithm.

The password element in the HomeGroup Credentials message and the signing keys element in the HomeGroup Signing Key message are encrypted using the encryption key with the AES-256 algorithm in Cipher Block Chaining (CBC) mode with a zero Initialization Vector (IV). Detailed HomeGroup protocol analysis is possible with Microsoft Network Monitor and the Network Monitor Open Source Parsers available on the CodePlex website. The Network Monitor Open Source Parsers are parsers for the open standard protocols described in the MSDN Open Specifications. The HomeGroup protocol parser is implemented in hgrp.npl.
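The three cryptographic operations of this section (the SHA-256 key derivation, the AES-256-CBC element encryption with a zero IV, and the RSASSA-PKCS1-v1_5 signature over the SHA-256 hash of an invitation), as one added Go example that is not code from the paper or from any Microsoft implementation. Assumptions: the hash input is the PeerGroup name followed by the password (the page gives no byte order), PKCS#7 padding (the page names no padding scheme), and constructed sample values throughout. Signing is done with the private half of the RSA pair and verification with the public half, as RSASSA-PKCS1-v1_5 requires; because members retain that public key, the invitation published by the re-created HomeGroup after a password change (same name, same signing keys, as part C describes) still verifies.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveKey forms the 256-bit AES key with SHA-256 over the PeerGroup name and
// the HomeGroup password. Name-then-password order is an assumption here.
func DeriveKey(peerGroupName, password string) []byte {
	h := sha256.New()
	h.Write([]byte(peerGroupName))
	h.Write([]byte(password))
	return h.Sum(nil)
}

// EncryptElement encrypts one message element (credential password or signing
// keys) with AES-256-CBC and the all-zero IV the protocol uses. PKCS#7 padding
// is assumed. With a fixed key and zero IV the output is fully deterministic.
func EncryptElement(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, padded)
	return out, nil
}

// DecryptElement reverses EncryptElement, rejecting bad lengths and padding.
func DecryptElement(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, ciphertext)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(out) || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid padding")
	}
	return out[:len(out)-pad], nil
}

// NewSigningKeys generates the creator's 2048-bit RSA signing key pair.
func NewSigningKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignInvitation hashes the serialized invitation with SHA-256 and signs the
// hash with RSASSA-PKCS1-v1_5 using the private half of the signing key pair.
func SignInvitation(priv *rsa.PrivateKey, invitationXML []byte) ([]byte, error) {
	digest := sha256.Sum256(invitationXML)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyInvitation checks the signature with the public half; members keep
// this key across a password change, so the re-created group's invitation
// (same name, same signing keys) still verifies.
func VerifyInvitation(pub *rsa.PublicKey, invitationXML, sig []byte) bool {
	digest := sha256.Sum256(invitationXML)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Constructed sample values, not taken from a real HomeGroup.
	key := DeriveKey("ClassroomPeerGroup", "Ab3-kL9q-Xy7z")
	secret := []byte("HomeGroupUser$ password")
	ct1, _ := EncryptElement(key, secret)
	ct2, _ := EncryptElement(key, secret)
	fmt.Printf("same element twice gives identical ciphertext: %v\n", bytes.Equal(ct1, ct2))
	pt, err := DecryptElement(key, ct1)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)

	priv, err := NewSigningKeys()
	if err != nil {
		panic(err)
	}
	inv := []byte("<HomeGroupInvitation><CreatorName>Teacher-PC</CreatorName></HomeGroupInvitation>")
	sig, _ := SignInvitation(priv, inv)
	fmt.Printf("invitation signature valid: %v\n", VerifyInvitation(&priv.PublicKey, inv, sig))
	tampered := bytes.Replace(inv, []byte("Teacher-PC"), []byte("Rogue-PC"), 1)
	fmt.Printf("tampered invitation valid: %v\n", VerifyInvitation(&priv.PublicKey, tampered, sig))
}
```

The determinism check in main shows the practical consequence of the zero IV: an element that has not changed always encrypts to the same bytes under the same key, so an observer of the PeerGroup channel can tell when a credential is re-sent unchanged, and the confidentiality of the encrypted elements rests entirely on the strength of the HomeGroup password from which the key is derived. The padding and length checks in DecryptElement are the minimum a receiver should apply before treating a decrypted element as valid.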

IV. CONCLUSION

HomeGroup helps make sharing files and printers in a classroom network easy for everyone. With or without knowledge and skills about computer networks and operating systems, teachers and students can make better use of the IT equipment they already have. HomeGroup creation, discovery, joining and other procedures are simple, and the system processes underneath are automatic and hidden from the end user. The HomeGroup protocol is well designed, safe and adequate for classroom network use.

REFERENCES

[1] Microsoft Corporation, "HomeGroup Overview, Version 1.0.0", August 1, 2009.
[2] Microsoft Corporation, "HomeGroup and Firewall Interaction, Version 1.2", July 2009.
[3] Microsoft Corporation, "[MS-HGRP]: HomeGroup Protocol v20130118", January 18, 2013.