Improved Key Management Technique for Secure ... - Springer Link

3 downloads 342 Views 318KB Size Report
networks. Secure multicasting is a very vital problem in today's networks. ..... Trees, Technical Report No.0755, TIS Labs at Network Associates, Inc., Glenwood,.
C 2005) Journal of Network and Systems Management, Vol. 13, No. 3, September 2005 ( DOI: 10.1007/s10922-005-6266-2

Improved Key Management Technique for Secure Multicasting over IP G. Padmavathi1,3 and S. Annadurai2

Multicast communication is going to be the communication paradigm of all future networks. Secure multicasting is a very vital problem in today’s networks. In secure multicasting, the group members share a common key called the group key. Whenever the group members change, the group key must be changed. Therefore, many multicast security problems are abstracted into key management and distribution problems. The problem of distributing cryptographic keys to the group members in an optimum way that minimizes the communication and storage overheads are the important objectives of a secure multicast problem. In this paper, an efficient key management technique is proposed that minimizes the number of message exchanges and the number of keys stored. Existing key management methods have O(N) and O(log N) overheads. The proposed method shows further improvement. The model has been simulated and the results show improvements to existing approaches. KEY WORDS: Multicasting; key management; group key; rekeying and logical key hierarchy.

1. INTRODUCTION The large deployment of Internet in the last few years in applications combining text, video and voice over IP is a very clear fact. The net-based applications such as teleconferencing, distance education, computer supported collaborative work, distributed interactive games, stock quotes, software updates and shared white boards are some of the important multicast applications over IP. Security is a major issue in these applications.

1 Department

of Computer Science, Avinashilingam Deemed University, Coimbatore, Tamil Nadu, India. 2 Government College of Engineering, Tirunelveli, Tamil Nadu, India. 3 To whom correspondence should be addressed at 12/10, ‘Sruthi,’ Abbas Garden Extension, Luna Nagar, Coimbatore, Tamil Nadu 641 025, India. E-mail: mail [email protected] 293 C 2005 Springer Science+Business Media, Inc. 1064-7570/05/0900-0293/0 

294

Padmavathi and Annadurai

Security in unicast is a well-understood problem due to the very strong cryptographic support. To handle multicast, the current IP model [1] sets up many point-to-point connections between the current group members using the existing IP security protocol suite. This is not only inefficient in terms of scalability, but also an important disadvantage, called the set-up implosion, will be experienced by this approach. Therefore, multicast security is a challenging problem and it is still under exploration. In this paper, a new approach for scalable, secure group communication over IP multicast is proposed. This algorithm can be implemented over the existing IP multicast model and does not require any special delivery mechanism other than the multicast-capable router support that works on best effort forwarding. The multicast delivery tree is the input to the model. The important requirement of any multicast security architecture is efficient packet delivery from source to destinations so that only registered senders can send information and only registered receivers can receive it. To achieve this, secure group communication systems rely on “group key”—a secret key known only to the current members of the group. Once a group key is distributed to all current members of the multicast group, secure messages can be sent encrypted with the group key. The overall security of the group depends wholly on the secrecy and strength of the group key. The routers on the way treat each message no different than the other IP multicast datagram. The key problem left to solve is to establish a scalable and secure keying mechanism to all the members of the multicast group. This requires very efficient grouping of members. Since the Internet infrastructure is insecure, it is possible for non-members to eavesdrop the messages shared among a multicast group and store encrypted messages. It is also possible for members who have left the group to continue to decrypt messages and new members to read the past messages stored previously with this group key. These are referred to as Perfect Backward Secrecy (PBS) and Perfect Forward Secrecy (PFS), respectively [2]. Therefore, during each membership change, a new group key must be distributed and all subsequent communications must use this new key. This process is called group rekeying. Establishing a new group key upon a membership change in the secure multicast group must be scalable irrespective of the number of members in the group. Number of keys stored, number of message updates and the communication cost are the important performance measures to be considered in this problem. The proposed method gives desirable results compared to existing approaches. The simplest solutions for rekeying involves a pairwise secure exchange of the group key between a central controller or key server and each group member. Generally, the central controller is an entity that is responsible for access control and key management. Unfortunately, this method incurs an O(N) overhead, where N is the size of the group. This is not viable for large groups, where a heavy traffic will be encountered with the central controller. The existing treebased methods encounter O(N) storage overheads and O(log N) communication

Improved Key Management Technique for Secured Multicast

295

overheads for group rekeying. However, they do not discriminate between the members and the system encounters overheads due to reconfiguration of nodes in the virtual key organization. In a real situation, the group has both static and dynamic members and the change of group key operations affect the static members in the system. Therefore, the present work considers the grouping of members according to their behavior and proposes a suitable key distribution mechanism. Detailed analysis of some famous models is discussed in [2]. The efficient grouping method proposed in this work gives very desirable results compared to other hierarchical approaches and it is the most suitable method for IP multicast model. The main contributions of this paper are as following. 1. A brief discussion about existing key management approaches. 2. Proposal of an efficient grouping mechanism based on membership behavior for implementing group security over IP multicast; along with a suitable key management technique. 3. Analysis and simulation of the model with group dynamism. Section 2 gives some of the existing models. Section 3 briefly explains the model. Section 4 gives a comparison and analysis of the similar approaches. Section 5 discusses the simulation results. Section 6 gives the conclusions. 2. EXISTING APPROACHES FOR SECURED MULTICAST PROBLEM In one-to-many secure group communication, there is a single sender sending data to a group of users. In the IP models, the sender sends the encrypted data via multicast capable routers (e.g. MBONE). Since the Internet model is an open model, any member possessing the multicast address can receive the data. Moreover, the sender cannot control or know the receivers of the data. With the help of the central entity called the central controller/group controller/key server, the sender can manage the cryptographic keys to securely send the data to the group members. As discussed previously, to maintain absolute secrecy the keys must be changed whenever the membership changes, i.e. when a user joins the group or leaves the group. The model must incur minimum overheads while providing for dynamic membership capability. Therefore, the multicast security problems are abstracted into key management and distribution problems. Hence, this section summarizes some of the existing approaches to key management. The existing schemes are classified into centralized flat scheme; centralized tree-based schemes and distributed schemes [2]. Each of these schemes is meant for specific applications. The proposed approach is a hybrid one that takes the best features from the key management methods.

296

Padmavathi and Annadurai

2.1. Centralized Flat Scheme In centralized flat schemes the central controller generates and distributes the group key to all the group members. The central controller distributes the group key encrypted with each of the member’s public key to send the multicast data securely. Certain famous models are: Group Key Management Protocol (GKMP) [3] and some Perfectly Secure Conference Key distribution schemes. These methods incur overheads of O(N), where N is the group size. Heavy traffic with the central controller and failure of the central entity are some of the major disadvantages in these methods. They are not suitable for large, dynamic groups. 2.2. Centralized Tree-Based Schemes The centralized tree-based schemes are also called as hierarchical tree distribution schemes. These schemes can be further classified as hierarchical node-based schemes and hierarchical key-based schemes. In both the schemes the intermediate nodes assist in providing security. In the hierarchical node-based approaches, there are certain nodes that act as the security agents and they perform certain key control operations on the group. Mostly, they are not the group members, but they are trusted and reliable intermediaries. Some famous models are: Iolus [4] and Nortel [5]. Certain important models in the hierarchical key-based approach are key tree [6], logical key hierarchy [7] and one-way function tree [8]. In the hierarchical key-based schemes, a virtual key tree is generated. Each member is associated with a unique leaf position in the hierarchy and shares a unique key encryption key with the central controller and receives all the keys corresponding to the internal nodes in the hierarchy from the root node to the leaf node. In one-way function trees the internal nodes have exactly two children. The internal node keys are computed from the keys held by the members using one-way hash functions. The members are represented at the leaf positions in the key tree. The central controller supplies each member, the unblinded version of the node keys and the blinded version of the siblings. The storage and communication overheads in the tree-based model are O(N) and O(log N), respectively. Hierarchical models are most suitable for moderate sized groups and they are scalable with respect to group size. 2.3. Distributed Schemes In the distributed key management schemes, there is no explicit controller that does key management. The members themselves do key generation. All the members participate in the group key generation process and compute the group key. This requires members with high processing power. Distributed approaches are most suitable for small and closed groups that require tight security. The

Improved Key Management Technique for Secured Multicast

297

overheads increase linearly and the members must be aware of the entire group list to make it very robust. Therefore, it is very time consuming and not suitable for IP multicast models. Some famous models are Cliques, Stenier, Tsudik and Waidner’s scheme [9] and Conference Key Agreement Protocol [10]. 3. PROPOSED KEY MANAGEMENT SCHEME The main objective of the centralized tree-based techniques is to minimize the centralized traffic with the group controller and provide for group dynamism without many overheads. This critical problem is approached in the present work, with the behavior of group members taken into consideration. According to the behavior, the members are grouped into two, static and dynamic, respectively. The dynamic members are grouped under static members. A hybrid logical key arrangement is considered for this grouping. The cryptographic key generation and distribution are discussed for this arrangement, preserving the logarithmic bounds. This arrangement shows improved performance compared to other hierarchical approaches. It follows a hierarchical grouping of members with 2-tier architecture. The static members are the intermediaries for the dynamic members under them. The static members are in turn arranged under the key server/host/group controller. The 1-tier sub-group key is introduced to disseminate the session key to the members. The 1-tier sub-group key is also used for secure communication among the sub-groups and the 2-tier sub-group keys for the secured communication within the sub-group. This method avoids the unnecessary exposure of secret keys to third party entities or hackers. The secured multicast protocol has certain components that are necessarily defined in a system. The important components of a secured multicast protocol are: group access control, key distribution and dynamic membership management. 3.1. Group Access Control Membership grouping and subsequent membership control are the first and the most basic component of a secure multicast protocol. It allows only the authorized members to participate in the group communication. Generally famous authentication protocols or capability certificates can be used. This depends on the security infrastructure of the underlying operating platform. Authenticated hosts issue the capability certificate to the genuine members of the multicast group. The authorization information indicates the time duration for which the group is entitled to receive the multicast data. The designated authorities issue these certificates. It is mandatory that all the members must get the capability certificates to gain access to a particular set of multicast data. Another alternative technique is to prepare an access control list (ACL). All the member information is stored in centralized place and the list must be verified before starting the secure communication. For

298

Padmavathi and Annadurai

large and dynamic groups it is not feasible to store the entire list. After verifying the member’s credibility, the sender issues a capability certificate either on its own or with the help of a designated authority. The members are classified as static and dynamic, respectively, during the initial registration and authentication process. The initial registration process is a vital phase in open models such as IP multicast models, as this type of initial authentication and access control operations are necessary to enforce security. To handle large groups, generally the group is divided into various subgroups. A designated sub-group manager will manage each sub-group. In the proposed approach also the multicast group is divided into sub-groups. The static members act as sub-group managers for each sub-group. They perform partial key control operations there by minimizing the burden on the central controller. The proposed grouping mechanism is shown in Fig. 1. In this approach, the static members are responsible for the following. (i) Changing the sub-group key whenever the members join/leave the group. (ii) Securely forwarding the session key from the central controller or the sender to the group. The entire communication is divided into number of sessions. Each session is associated with a different set of non-overlapping group members. The session key is the group key for that particular session. The members register for each session and they can join/leave the session. Initially, a grouping protocol is executed to form the membership grouping.

Fig. 1. Proposed membership grouping.

Improved Key Management Technique for Secured Multicast

299

3.2. Key Distribution Mechanism Key generation and distribution is the most important component of a secure multicast protocol. As the problem taken is the IP multicast groups, the virtual key distribution architecture is the most suitable one. A virtual key distribution tree is proposed to effectively forward the group key to the members. This virtual key tree is different from the multicast delivery tree used for distribution of data. The root of the tree represents the sender or the central controller that manages the top-level sub-group. Sometimes, the central controller may be an authorized entity of the sender. It is denoted as host. 3.2.1. Cryptographic Keys Used The secret key distribution takes place in two different phases. To avoid the exposure of the session data, the session is encrypted with the session encryption key (SEK). Every static member of the secure multicast group exchanges a pair wise keying mechanism with the host. The dynamic members in turn exchange with the corresponding static heads. These pair-wise keys exchanged are called key encryption keys (KEK). Every member possesses a sub-group key in addition to key encryption keys. The cryptographic keys used are arranged in a hierarchical form. As discussed earlier, the static members maintain the sub-group key. The different keys used in this protocol are: (i) session encryption key (SEK); (ii) key encryption keys (KEK); (iii) sub-group keys (SGK). The purpose of the key types used in the protocol is summarized in Table I. 3.2.2. Logical Key Tree (LKT) McGrew and Sherman [8], Wong et al. [6] and Wallner et al. [7] proposed key management schemes, by constructing a logical key tree. It is a virtual rooted binary tree with the members occupying the leaf position and the root as the

Table I. Key Type Used in This Protocol Key type

Purpose

Session encryption key Key encryption keys

To encrypt the session data To hide the session key

Sub-group keys

For secret communication within sub-group

Owner of the key

Receiver of the key

Host Host Static members members Host

All members Static members Dynamic

Static

Dynamic members

Static members

300

Padmavathi and Annadurai

group key or session key. In these methods each member is assigned a leaf node thus fixing the group size N. Therefore, number of nodes determines the height of the tree. As the group size increases, the height of the tree also increases by increasing the intermediate nodes. The intermediate nodes are important, as they are associated with a set of lower level nodes. Each member of the multicast group stores the individual key, group key and the sub-group keys. Figure 2 explains the logical key tree of degree 2. According to the scheme the user u1 stores keys k1 , k12 , k1−4 and k1−8 . The storage and the communication overheads thus depend on the height of the tree, which is logd N + 1, d degrees. The number of message updates is given by (d − 1) logd N [6]. The central controller in this case stores (dN − 1)/(d − 1) keys, which is of order O(N). 3.2.3. Hybrid Tree Method/Clustering Method (CM) Mingyan et al. [11] proposed a hybrid approach, by clustering the members and assign multiple members to the leaf nodes. This method builds a tree of depth logd (N/M), where M cluster size. The members are divided into clusters of equal size, thus fixing the overheads as logd (N/M). Here all the members are treated alike and grouped under a single leaf node in the virtual arrangement. The leaf nodes form the layer keys and the cluster keys within the clusters. This takes care of intra-group management. 3.2.4. Proposed Method (PM) The proposed method further improves the method and the grouping of members takes place based on their behavior. Membership dynamism is a very critical issue in-group communication. Therefore, in the logical key tree, the leaf nodes are allotted to the static members, with the dynamic members clustered under them. The dynamic members are grouped under the static members, thus assigning fixed number of members to each node. An example tree is shown in Fig. 3. A key tree with 8 static members and 32 dynamic members for a group size of 40 is shown. The main idea is to form sub-groups under static members and minimize the overheads due to frequent membership changes. In a group of 40, with 4 members in a sub-group, the ratio of static:dynamic is 1:4. According to this arrangement 20% of the members can be accommodated additionally in this case. This percentage may vary based on the ratio of static and dynamic taken. 4. ANALYSES AND COMPARISON The efficiency of any key management technique depends on the following metrics. (i) Number of keys with the server and the member.

301

Fig. 2. Logical key tree.

Improved Key Management Technique for Secured Multicast

302

Padmavathi and Annadurai

Fig. 3. Key tree with 8 static and 32 dynamic members in a group of 40.

(ii) The number of message updates or communication updates. (iii) The encryption and decryption cost and the processing requirements. As the storage and the communication overheads are the important overheads discussed in the literature, these two performance parameters are taken into consideration here. In a rooted tree-based key distribution scheme, each member is assigned 2 + logd N keys. In a d-ary tree, the depth is h = logd N . Deletion of a single member requires 2 + logd N key updates. The central controller (CC) has to store d(N + 1) − 2/(d − 1) keys. In other words, CC has to store 2N − 1 key encryption keys leading to O(2N). In the hybrid tree with the cluster size M, the depth of the tree to be built is logd (N/M). A user needs to store 1 + logd (N/M) key encryption keys [11]. The number of message updates is given by (d − 1) logd (N/M) within the tree and M − 1 within the cluster. The number of keys is: keys on the  stored tree plus the seeds of the clusters, which is equal to d i + N/M, where i = 0 to logd (N/M). In the proposed approach, in a group of size N, with Ns -static and Nd -dynamic members, N = Nd + Ns . As discussed earlier, the leaf keys are assigned to the static members and dynamic members form sub-groups under them. The number of sub-groups is Ns . Size of each sub-group is Nd /Ns , i.e N/Ns − 1. The static members have the sub-group keys in the virtual key structure. The number of key update messages that takes place on a single member leave is (N/Ns − 1) − 1. Generally, the initial group establishment takes care of the join operations. Therefore, the overheads during the leave operations are considered in all the above methods. In this method, the number of keys assigned to each sub-group is logd [N/(N/Ns − 1)].

Improved Key Management Technique for Secured Multicast

303

The communication overhead (CO) is  O(log N) and is given by CO = N/Ns − 2 + (d − 1) logd [N/(N/Ns − 1)]. The storage overhead (SO) is proportional to O(log N/Ns ) and is given by  SO = di + N/(N/Ns − 1), for i = 0 to logd [N/(N/Ns − 1)], i.e. d × Ns − 1/(d − 1) + N/Ns − 1. Worst Case Analysis: In the overall group of size N, if the ratio of static and dynamic is 1:d, then the total sub-group size is 1 + d. Therefore, the number of sub-groups, n = N/(1 + d). In the worst case, when one member in all the sub-groups join/leave, the cost = O(2n).    1/N (1/(1 + d))i 2n, for i = 0, . . . , n. The amortized cost for the group = 2n/N [1 + 1/(1 + d) + 1/(1 + d)2 + · · · + 1/(1 + d)n ].  O(2n/N + c) = O(c), c − const. (as N → ∞, 1/N → 0).

Therefore the communication overhead is proved to be constant. As the proposed method is based on the improvements against the virtual tree-based schemes, a comparison of this method with the existing key tree-based methods is shown in Table II. 5. SIMULATION RESULTS AND ANALYSIS The proposed model is compared with logical key methods [6, 7] and hybrid clustering method [11]. Of the two methods taken for comparison, logical key methods are communication efficient and hybrid cluster method is storage efficient. Table II. Comparison With Existing Tree-Based Methods Parameters used for comparison Total number keys maintained by GC Number of keys maintained by static members Number of keys with dynamic members Communication cost per single join/leave

Conventional tree-based schemes

Proposed scheme

2 × N – 12 × N/M−1 M-cluster size

2 × N/(1 + d) − 1



2×d−1

1 + loga N

1 + loga d, a-degree of the tree

(a − 1) × loga N/M − 1 + (a − 1) × loga N/M N/(1 + d) − 1 + (a − 1) × loga d

Fig. 4. Comparison of communication overheads.

304 Padmavathi and Annadurai

Improved Key Management Technique for Secured Multicast

305

The proposed method further improves the results. The model is simulated for varying group sizes. The number of messages exchanged for each key change operation due to join/leave requests is a very important measure of rekeying. The join/leave requests for the entire simulation period is observed and a sample is shown in Fig. 4. The results of 256 different samples are compared and the proposed method showed significant improvement over other hierarchical key-based methods. Considering all possible requests, the simulation results are tabulated. The percentage of improvement is shown in Table III. On the average, 24% of improvement in communication efficiency compared to hybrid clustering method and 9% of improvement over logical key structures is observed. The results are analyzed with the ratio of static and dynamic proportional to the cluster size for uniformity and clarity. If the ratio increases, the results are further improved. The experimental results for the storage efficiency for 24 different samples of size 1024 and 2048 are given in Fig. 5. The storage overheads are compared and the results are given in Table IV. Generally the key tree degree up to 4 is taken for comparison; therefore the results up to degree 4 are measured and compared [11]. On the average, 38% of improvement in storage efficiency compared to hybrid clustering method [11] and 66.7% of improvement over the logical key hierarchical methods [6, 7] is observed during simulation. The numerical comparisons also prove this. 6. CONCLUSIONS An efficient and flexible approach to key management in secure group communication applications is proposed. The model is simulated and the results are compared. A brief analysis of the method has also been given. As the minimization of the communication and storage overheads are important requirements, an effort has been made to minimize this while offering strong security for group communication. The results show significant improvement over other methods Table III. Comparisons of Simulated Results for Communication Overheads No. of join and leave requests 256 (28 ) 512 (29 ) 1024 (210 )

Average key updates using LKT

Average key updates using HM

Average key updates using PM

Saving compared to LKT (%)

Saving compared to HM (%)

99 112 125

120 133 148

90 102 114

9.1 8.9 8.8

25 23.3 22.97

Note. LKT: logical key tree; HM, hybrid method; PM, proposed method.

Fig. 5. Comparison of storage overheads.

306 Padmavathi and Annadurai

Improved Key Management Technique for Secured Multicast

307

Table IV. Comparisons of Storage Overheads

Group size and degree 210 , 3 210 , 4 216 , 2 216 , 3 216 , 4 220 , 2 220 , 3 220 , 4

Number of keys stored due to LKT

Number of keys stored due to HM

1536 1365 32767 24576 21845 262143 196608 174762

853 796 16383 13653 12743 131071 109226 101945

Number of keys stored due to PM 514 457 10924 8194 7283 87382 65538 58256

Storage efficiency (reduction in %) compared to LKT

Storage efficiency (reduction in %) compared to HM

66.5 66.5 66.7 66.7 66.7 66.7 66.7 66.7

39.7 42.6 33.3 39.98 42.8 33.3 40 42.9

Note. LKT, logical key tree; HM, hybrid method; PM, proposed method.

with similar approaches while preserving the logarithmic bounds. The model is the most suitable one for the current IP multicast model. REFERENCES 1. S. Deering, Host Extensions for IP Multicasting, RFC 1112, 1989. 2. Mathew J. Moyer, Josyula R. Rao, and Pankaj Rohatgi, A Survey of Security Issues in Multicast Communications, IEEE Network, pp. 12–23, 1999. 3. H. Harney and C. Muckenhirn, Group Key Management Protocol (GKMP) Architecture, RFC 2094, 1997. 4. S. Mittra, Iolus: A framework for scalable secure multicasting, in Proceedings of the ACM SIGCOMM, Volume 27, No. 4, ACM, New York, pp. 277–288, September 1997. 5. T. Hardjono, B. Cain, and N. Doraswamy, A Framework for Group Key Management for Multicast Security, IETF Internet Draft (work in progress), 2000. 6. Chung Kei Wong, Mohamed Gouda, and Lam S. Simon, Secure Group Communication Using Key Graphs, IEEE/ACM Transactions on Networking, Vol. 8, No. 1, pp. 16–30, 2000. 7. D. Wallner, E. Harder, and R. Agee, Key Management for Multicast: Issues and Architectures, RFC 2627, 1999. 8. D. A. McGrew and A. T. Sherman, Key Establishment in Large Dynamic Groups Using One-Way Function Trees, Technical Report No.0755, TIS Labs at Network Associates, Inc., Glenwood, MD, 1998. 9. M. Stenier, G. Tsudik, and M. Waidner, Diffie-Hellman key distribution extended to group communication, in SIGSAC Proceedings of the 3rd ACM Conference on Computer and Communications Security, ACM, New York, pp. 31–37, 1996. 10. C. Boyd, On key agreement and conference key agreement, in ACISP: Australian Conference on Information Security and Privacy, Springer-Verlag, pp. 294–302, 1997.

308

Padmavathi and Annadurai

11. Mingyan Li, R. Poovendran, and C. Berenstein, Design of secure multicast key management schemes with communication budget constraint, IEEE Communications Letters,Vol. 6, No. 3, pp. 108–110, 2002. G. Padmavathi has been a member of Computer Science Department, Avinashilingam Deemed University, and Coimbatore, India, for 18 years. She has contributed 20 papers at national level and 5 papers at international level. She has four publications in the areas of Fault Tolerant Real Time Systems, Cryptography and Network Security. S. Annadurai, Principal of Government Engineering College, Tirunelveli, Tamil Nadu, India, is a reputed educationalist. He has more than 150 publications at national and international level, and is an expert committee member for government and membership in many professional organizations. His research interests include Image Processing, Soft Computing and Network Security.