Secure Multicast (II)

Xun Kang

Content

• Batch Update of Key Trees

• Reliable Group Rekeying

• Tree-based Group Diffie-Hellman

• Recent progress in Wired and Wireless Network

Batch Updates of Key Trees

• Any problem in previous solution?– Synchronization problems among rekey msgs

and between rekey and data msgs; How?– Individual rekeying can be inefficient;

especially when join/leave happens frequently, there will be a huge burden on server for signing keys;

Periodic Batch Rekeying• Rekey subtree;• Collect requests during a rekey interval and

rekey them in a batch;

• Advantage:– For a J join and L leave, only needs 1 signing;– Less number of encrypted keys;

• Disadvantage:– Delayed group access control;

• A balance between rekeying overhead and group access control, the degree of forward access control vulnerability.

Three Ways of Batch Rekeying

• Periodic batch rekeying;

• Periodic bath leave rekeying;

• Periodic bath join rekeying;

• Question:– What’s the advantage and disadvantage of each

one? Which one is better?

Batch Rekeying Algorithm (1)

• Strategy 1: always keep a balanced tree

Adv: reduce the encrypted key numberDis: key server needs to provide new IDs to new join users as well as existing users?

Batch Rekeying Algorithm (2)• Strategy 2

– New nodes form a subtree – Grafted to a departed node with smallest height?

• Advantage – only one existing node needs to modify ID

• Disadvantage– Balance problem

Batch Rekeying Algorithm (3)• Strategy 3

– K789’s null children will be first replaced with new users– If still new users, let user nodes at next level be split– If still new users after that, use next user nodes

• “next” means sequential number, for example root is 0, then at tree level 1, the three key nodes will be 1, 2, 3

What is the advantage? ID automatically discovered.

Reliable rekey protocol

• Eventual reliability– A receiver should receive all needed keys;

• Soft real-time requirement– A rekey msg is finished before the start of the

next rekey interval

• Solution– Send re-synchronization requests when cannot

recover a rekey msg in time;– Proactive FEC for reducing recovery latency;

Proactive FEC• Partition rekey msgs into blocks• Generate (p-1)k PARITY packets (FEC) for

each block

Contributory GKM

• Application environment– Many to many applications

• Tele conferencing

• Application supporting collaborative work

– Small size group

– Group Splitting problem

• Centralized GKM has some problems– Key generator (TTP) must be always available

– TTP must exist in every possible subset of a group

• Contributory GKM

Tree-based Group Diffie-Hellman

• TGDH– Key trees to efficiently compute and update

group keys;– Diffie-Hellman key exchange to achieve

provably secure and fully distributed protocols;

• A problem? What’s difference, effect?– EVS: extended virtual synchrony– VS: view synchrony

Cryptographic Properties

• For the security requirement of group key– Suppose a successive group key changes form

K0 to Km

• Group key secrecy

• Forward secrecy

• Backward secrecy

• Key independence

– More strong than typical ones, for example• New member can not know past keys

• New keys must keep secret from leaved guys

Some Definitions for TGDH• Mi: i-th group members

• <l,v>: v-th node at level l in a tree

• Ti: Mi’s view of the key tree

• T<i,j>: a subtree rooted at node <i,j>

• Ki: node Mi’s individual key

• BKi*: set of Mi’s blinded keys

– BK<l,v> = f(K<l,v>)

– ie. f(k) = a k mod p --- p is a large prime number

A TDGH Key Tree Example

* Calculate the group key

* Replicated on each node* Only BK are transmitted

TGDH Membership Events• Join

– a new member is added to the group

• Leave– a member is removed from the group

• Merge– a group is merged with the current group

• Partition– a subset of members are split from the group

• Key refresh– the group key is updated

TGDH - Join Protocol

•How to choose the insert point?o Full balanced or not

•How to choose sponsor? o A guy for computing new intermediate keys and broadcasting to the group

Join Protocol

TGDH - Leave Protocol

TGDH - Partition Protocol

TGDH - Merge Protocol

Multiple Subgroups Merging

• First, the trees are ordered by height in decreasing order; if same height, list them in lexicographic order of the first member in each tree

• Let T1 the original tree T

• For i = 2 to k, merge_trees(T, Ti)

Cascaded Events

All membership events are delivered in sequence after all outstanding messages are delivered ---- underlying group communication system.

Self-clustering

Performance

Please refer to the paper

Recent Progress of SM

• Classification of KM for wired networks

• Some hard problems

• A wireless network multicast security example

• Open issues in this area

Classification of KM Schemes

Some Hard Parts

• Synchronization

• Balanced key tree maintaining

• Watermarking – copyright protection problem

If we assume that no one will deliver illegal copy to unauthorized users, is there any difference between these two?

–Using individual secret key–Using shared group key to protect content

SM in Wireless Network

DKD generates DEK

DEK is protected by KEK

Rekeying algorithms:

1. Baseline rekeying

2. Immediate rekeying

3. Delayed rekeying

Open Issues

• Leave for your guys!