Group Key Management for Secure

Multicast Communications
Outline

◼ Multicast Communications
◼ Security Issues
◼ Requirements of Group Key
Management
◼ Group Key Management Protocols

2
 Multicast Communications
◼ To transmit a single message to a select group
of recipients. A simple example of multicasting
is sending an e-mail message to a mailing-list.
◼ It provides efficiency and scalability comparing
to the unicast because it reduces the usage of
network resources sent to the receivers.
◼ Applications: Pay-per-view video, distant
education.

NOTE: Broadcast: one-to-all

3
 Security Issues
◼ Authentication: Ability to Identify the
members of the group (senders & receivers)
◼ Confidentiality: Content of a message must
be shared only by authorized users
◼ Integrity: Data cannot be modified without
being detected

To address these security issues, group key

management is a central part for any secure
multicast communication.

4
 Group Key Management
◼ To provide secure generation, distributions and
refreshing of cryptographic keys
◼ Group Key
 Only known to the current group members
 Used to encrypt message

An important component for protecting group secrecy is

rekeying.
◼ Membership changes trigger rekeying process
 Join: a new group key must prevent the new
member from decoding previous messages
 Leave: a new group key must prevent former group
members from decoding future messages
5
 Requirements
◼ Group key secrecy
 Computationally infeasible for a passive
adversary to discover a group key
◼ Forward secrecy
 Evicted users cannot learn any future keys
◼ Backward secrecy
 New users should not have access to any
old keys

6
 Requirements (continue)
◼ Scalability (1-affects-n)
 A membership change should affect only
a small subset of members
◼ Reliability
 Providing a recovery mechanism for
missing rekeying messages
◼ Low bandwidth overhead
 Rekeying process should not induce a
high number of rekeying messages

7
 Group Key Management
◼ Centralized Group Control
A single entity is the group controller who is …
 Responsible for key generation, key
distribution and key refreshment
 Ex: Naïve Solution, Key tree-based Approach

◼ Member control
 No group controller

 Each member contributes its share toward

group key generation
 Ex: Contributory key agreement supported by
the Diffie-Hellman algorithm: Cliques
8
 Naïve Solution
◼ Group Key vs Individual Key
 Group key: encrypt messages K1-3 Group key
 Individual key: verify each member’s {K1-3}k1 {K1-3}k3
identity. Shared only between each {K1-3} k2
member with key server or group
controller. k1 k2 k3 Individual
keys
◼ Rekeying Message
 Used to notify all members of any key
change and the new key information m1 m2 m3 Member
◼ Join
 Encrypt new group key with the old group
key and multicast to group m4 joins m4 leaves
 Encrypt new group key with new user’s
individual key and unicast to the joining K1-4
user {K1-4}k1-3 {K1-4}k4
◼ Leave
 To prevent leaving member m4 access k1 k2 k3 k4
future message, the new group key k1-3
have to be encrypted with each remaining
user’s individual key and unicast to each
member. m1 m2 m3 m4
9
 Naïve Solution
◼ Problem
 Not scalable when users leave. Especially, when
there are a large number of users in a multicast
group, such rekeying overhead in key
distribution and update can be very high if not
managed properly.
 To reduce the rekeying overhead and improve
the scalability, a tree structure is used to
arranging keys.

10
 Key Tree-Based Approach
Central Group Controller GC
◼ Key Tree
◼ Root: group key
Group key K1-8
encrypt/decrypt multicast
data packets
◼ Leaf: member’s individual
K1-4 K5-8 key
Intermediate
keys ◼ Nodes between leaves
and root: intermediate
K1-2 K3-4 K5-6 K7-8 keys, that are used to
encrypt other keys
instead of actual data
Individual ◼ Each member stores the
keys k1 k2 k3 k4 k5 k6 k7 k8 keys along the path from
leaf to the root
◼ m1: {k1, k1-2, k1-4, k1-8}
Member m1 m2 m3 m4 m5 m6 m7 m8
◼ m6: {k6, k5-6, k5-8, k1-8}

11
 Key Tree-Based Approach: Join
Central Group
Controller GC  K1-8 →K1-9
 {K1-9}K1-8
Group key K1-8
K1-9
 {K1-9}K9
Intermediate  K7-8 →K7-9
keys K1-3 K3-6 K7-8
K7-9  {K7-9}K7-8
 {K7-9}K9
Individual
keys k1 k2 k3 k4 k5 K6 k7 k8 k9

Member m1 m2 m3 m4 m5 m6 m7 m8 m9
◼ Keys along the path need to be changed ◼ m9 joins the group:
◼ Every changed key is encrypted with old K7-8 → K7-9, K1-8 → K1-9
keys, multicast to the group except newly
◼ GC → {m7, m8}: {K7-9}K7-8
join member
◼ GC → {m1, …, m8}: {K1-9}K1-8
◼ New member gets keys through unicast
◼ GC → {m9}: {K7-9, K1-9}K9 12
 Key Tree-Based Approach: Leave
Central Group
GC  K1-9 →K1-8
Controller
 {K1-8}K1-3
Group key K1-9
K1-8  {K1-8}K3-6
 {K1-8}K7-8
Intermediate
keys
K1-3 K3-6 K7-9
K7-8  K7-9 →K7-8
 {K7-8}K7
Individual
keys k1 k2 k3 k4 k5 K6 k7 k8 k9{K7-8}K8

Member m1 m2 m3 m4 m5 m6 m7 m8 m9
m9 leaves the group: K7-8 → K7-9,
◼ Keys along the path need to be ◼ GC → {m7}: {K7-8}K7
K1-8 → K1-9
changed
◼ GC → {m8}: {K7-8}K8
◼ Every changed key is encrypted with
◼ GC → {m1, m2, m3}: {K1-8}K1-3
each of its children’s keys
◼ GC → {m4, m5, m6}: {K1-8}K3-6

◼ GC → {m7, m8}: {K1-8}K7-8 13

 Centralized Group Control
◼ Advantages
 Key tree structure reduces the number of rekey
message
 Suitable for general multicast sessions having
small to medium sizes such as Internet radio
and stock quote services
◼ Disadvantages
 Single point of failure at the central controller

14
 Member Control
◼ No group controller
◼ Every member contributes a share towards
the group key
◼ Requires knowledge of group membership
◼ Example protocol: Contributory key
agreement supported by the Diffie-Hellman
algorithm: Cliques

15
 Diffie-Hellman (DH)

Alice Bob

A = gSa mod p A K= ASb mod p

K= BSa mod p B B = gSb mod p

K=ASb mod p = BSa mod p = gSaSb mod p

◼ DH allows two individuals to agree on a common

symmetric key

16
 Member Control: Cliques
s1 s2 s3 s4 secret
number
m1 m2 m3 m4 ◼ Extends two parties DH
partial to n parties
gs1 gs2 gs3 gs4 key
◼ Arranges the group
gs1 gs2 gs3 gs1s3 member in a logical liner
gs1 gs2 gs2s3 structure and passes key
gs1s2 information sequentially
gs1s2 gs1 gs1s2s3
gs1s2 ◼ Group members are
gs1s3
indexed
gs2s3 ◼ The last member (having
gs1s2s4
the highest index) is
gs1s2s3 gs1s3s4 Multicast responsible for key
to all
gs2s3s4 members generation and distribution

gs2s3s4 gs1s3s4 gs1s2s4 gs1s2s3s4 Group key

Group Key m1 m2 m3 m4
17
gs1s2s3s4 =g(s2s3s4)s1 =g(s1s3s4)s2 =g(s1s2s4)s3 =g(s1s2s3)s4
 Cliques: Join
s1 s2 s3 s4 S4’ s5
m1 m2 m3 m4 m5

gs1 gs2 gs3 gs4 gs5

gs1 gs2 gs3 gs1s3 gs4 gs1s2 gs1s2s4’

gs1 gs2 gs2s3 gs3 gs1s3 gs1s3s4’
gs1s2
gs1s2 gs1 gs1s2s3 gs2 gs2s3 gs2s3s4’
gs1s2 gs1 gs1s2s3 gs1s2s3s4’
gs1s3
gs2s3 gs1s2s4’
s1s2s4 gs2s3s4’
s2s3s4
gs1s2s4’s5 gs1s2s3s5 Multicast
gs1s2s3 gs1s3s4’
s1s3s4 gs1s2s3s4’
s1s2s3s4 to all
gs1s3s4’s5 gs2s3s4’s5 members

ggs2s3s4’s5
s2s3s4 ggs1s3s4’s5
s1s3s4 gs1s2s4’s5
gs1s2s4 gs1s2s3s5 gs1s2s3s4’s5 New Group key

Old group key: gs1s2s3s4

New Group Key m1 m2 m3 m4 m5
18
gs1s2s3s4’s5 = g(s2s3s4’s5)s1 =g(s1s3s4’s5)s2 =g(s1s2s4’s5)s3 =g(s1s2s3s5)s4’=g(s1s2s3s4’)s5
 Cliques: Leave
s1 s2 s3 s4 S4’
m1 m2 m3 m4
◼ mn generates a new
gs1 gs2 gs3 gs4 secret number sn’
gs1 gs2 gs3 gs1s3 ◼ mn computes new
partial keys excluding
gs1 gs2 gs2s3
gs1s2 departure member’s
gs1s2 gs1 gs1s2s3 secret number; sends
gs1s2 them to the other
gs1s3 members
gs2s3 ggs1s2s4
s1s4’ Multicast ◼ Departure member
to all has no information to
gs1s2s3 ggs2s3s4
s3s4’
members compute the new group

gs1s3s4’
s1s3s4 New key
ggs2s3s4
s3s4’ gs1s3s4 ggs1s2s4
s1s4’
Group key
gs1s2s3s4
Old group key: gs1s2s3s4
New Group Key m1 m3 m4 m2
gs1s3s4’ = g(s3s4’)s1 = g(s1s4’)s3 = g(s1s3)s4’ ? 19
 Member Control: Cliques
◼ Advantages
 No single point of failure (no central controller)
 Member gets group key through computation
rather than decryption
 Suitable for a multicast system having a small size
and a less powerful server or no centralized
server, such as video conferencing
◼ Disadvantages
 Heavy workload on last member who does key
distribution
 Requires knowledge of group membership 20
 Conclusion
Key Management for Secure Multicast
Communications
◼ Centralized Control
 Easy to implement; tree-based structure can
reduce rekeying overhead; single point of
failure
◼ Member Control
 No group controller; higher workload on the
member who does key distribution
21