Elsevier

Computer Communications

Volume 33, Issue 6, 15 April 2010, Pages 689-705
Key-update distribution in secure group communication

https://doi.org/10.1016/j.comcom.2009.11.014

Abstract

We focus on the problem of distributing key updates in secure dynamic group communication. In secure groups, to reflect changing group membership, the group controller needs to change and distribute new keys to ensure confidentiality of the group communication. However, in the current key management algorithms, which include the well-known logical key hierarchical algorithms, the group controller broadcasts all key updates even if only a subset of users need them. In this paper, we describe key-update distribution algorithms for distributing keys to only those users who need them. Our algorithms consist of a descendant tracking scheme, which tracks downstream users in the multicast tree, and forwarding mechanisms, which forward key updates using the descendant tracking information. The forwarding mechanisms, in turn, depend on the type of key management algorithm used by the group controller. Using our descendant tracking scheme, a node forwards an encrypted key update only if it believes that there are descendants who know the encrypting key, which enables them to decrypt the required key update. Our descendant tracking scheme requires minimal state overhead, of the order of log N bits for a group of N users, to be stored at the intermediate nodes in the multicast tree. We also describe an identifier assignment algorithm that assigns closely clustered logical identifiers to users who are in physical proximity in the multicast tree. Our identifier assignment algorithm leverages the fact that logically clustered users require approximately the same set of key updates. We show that our identifier assignment algorithm improves the performance of our key-update distribution algorithms as well as that of a previous solution. Furthermore, we show that our proposed algorithms reduce the cost of secure data distribution in applications where data needs to be sent securely to only a subset of the group users.
To validate our algorithms, we tested them on different key management algorithms for distributing key updates and data. Our simulation results show that a bandwidth reduction of up to 55%, compared to broadcast, is achieved by our algorithms. We also discuss implications of topology matching and logical key tree balancing on our key distribution algorithm and show that it is possible to achieve bandwidth savings of up to 90% by combining all three techniques.

Introduction

In group-oriented applications, such as conferencing, networked gaming, and entertainment programs, it is necessary to secure the data from intruders because the data is confidential or has monetary value. In the algorithms for secure group communication (e.g., [1], [2], [3], [4], [5], [6]), a group controller distributes a cryptographic key, called the group key, to all the group users. To secure the group communication, it is encrypted with the group key. The group membership is dynamic, i.e., users can join and leave the group during a session. To protect the privacy of the current group users, the group controller changes and securely distributes the group key for each membership change. This rekeying is especially needed when a user leaves the group and should no longer understand the group communication.

In the algorithms in [1], [2], [3], [4], in addition to the group key, the group controller distributes additional keys which are shared by different subsets of users. During group membership changes, these shared keys reduce the number of group key update messages the group controller needs to transmit. To illustrate the process, consider the case when a user leaves the group or is removed from the group. The group controller encrypts the new group key with a minimum subset of the shared keys that are not known to the leaving user, and transmits these messages to the current users. To reflect current group membership, the group controller also changes the shared keys that are known to the leaving user and securely transmits the updated keys. Although each of the new shared keys needs to be transmitted to only a subset of the users, the current key management algorithms [1], [2], [3], [4] assume a broadcast primitive. Hence, all the current users receive all the key update messages. Of course, users cannot decrypt the key update messages that are not intended for them since they do not have the necessary decrypting keys. (Note that, in this paper, all encryption and decryption we consider are based on symmetric keys.)

From the above discussion, we observe that the current key management algorithms [1], [2], [3], [4] focus only on what key update messages are sent and do not address how they are distributed. This wastes bandwidth, as users receive key update messages for keys that they do not need. The waste increases further if retransmission is required for any lost messages and such retransmissions are broadcast as well. Although solutions for reducing the number of retransmissions in secure group communication have been proposed in [7], [8], the group controller still needs to broadcast them. Thus, efficient and cost-effective distribution of key updates is an important problem in secure dynamic group communication.

A more general scenario of the problem we discussed above occurs in the security of interval multicast [9]. An interval is defined [9] as a subset of consecutively chosen group users. The objective of the security of interval multicast algorithm [9] is to securely transmit data messages to an interval of users within the group. For example, these users may have subscribed to receive some important alerts and hence, it is necessary for the group controller to inform them. The group controller encrypts the data messages using shared keys known only to the selected interval of users and broadcasts them. We note that the percentage of bandwidth wasted in this scenario is far more critical, as the size and frequency of the data messages are arbitrarily large in many applications.

One possible solution to the key-update distribution problem, based on [10], is to create a different multicast group for each key update message and inform the users to join a particular group if they need the key being sent to that group. However, in this solution, the overhead of group setup and tear down for each key update message is not suitable for large groups. Also, the delay incurred during the rekeying is not desirable as the group controller interrupts the group communication until the rekeying is complete. Other possible solutions are the router level filtering technique proposed in [11] or the internet labeling and addressing architecture proposed in [12]. However, both these algorithms suffer from increased delay and high overhead.

In this paper, we propose an algorithm for the distribution of key update messages in secure dynamic groups. In our key-update distribution algorithm, we integrate the key management algorithms in [1], [2], [13] with appropriate forwarding functionality. We assume that the users are arranged in a multicast tree which can be built using any of the IP [14], [15], [16], [17] or overlay [18], [19], [20] multicast protocols. Depending on the multicast protocol used, an intermediate node in the multicast tree can be a router (IP multicast) or an overlay node. Hence, we only focus on the actions of an intermediate node as the implementation details are currently beyond the scope of this work. To distribute a key update message using the descendant tracking scheme, the group controller includes the label of the key with the key update message transmitted to the users. The label contains information about the intended receivers of the key-update message. When an intermediate node receives a key update message, it examines the message label to see whether its descendants need this key and accordingly, forwards the message or drops it. The contributions of our paper are as follows:

  • We describe a compact descendant tracking scheme to track the descendants of the intermediate nodes. The memory required at the intermediate nodes for our scheme is small and scales logarithmically in the size of the group. The advantage of our descendant tracking scheme is that this information can be updated either periodically or in the background, i.e., after the group communication has resumed.

  • Using the descendant tracking information, we describe the forwarding mechanisms used by the intermediate nodes to forward the key update messages in different types of key management algorithms [2], [3].

  • We describe a user identifier assignment algorithm. Using our assignment algorithm, the group controller assigns closer logical identifiers to users who are located close to each other in the multicast tree. We show that our assignment algorithm improves the performance of our key distribution algorithm as well as that of a previous solution in [21].

  • We discuss the implications of physical network topology matching [25], [26], [27] and logical key tree balancing [28], [29], [30] on our key distribution algorithm. Specifically, we examine a scenario where all three techniques are combined and estimate the bandwidth savings possible. Our analysis shows that, by combining all three approaches, a bandwidth saving of 90% can be achieved.

  • We discuss the application of our key distribution algorithms to the problem of distributing data messages in the security of interval multicast [9]. Note that our algorithms can be generalized to any scenario that views users in logical groups to establish shared keys.

The paper is organized as follows. In Section 2, we describe the notations used in our key distribution algorithm and describe a previous solution. In Section 3, we describe our key distribution algorithm and our user identifier assignment algorithm. In Section 4, we present the simulation results. In Section 5, we discuss the issues of physical network topology matching and logical key tree balancing in the context of our key distribution algorithms and present some experimental results. In Section 6, we discuss the application of our key distribution algorithm to the problem of secure interval multicast. Finally, in Section 7, we conclude and discuss some future work.
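The forward-or-drop decision described above, as an added example that is not code from the paper. It assumes a binary logical key tree whose key labels are identifier prefixes, and it assumes each intermediate node's tracking state is the longest common prefix of its descendants' identifiers (the paper's own scheme is not shown on this page); the function names and both eight-user topologies are constructed for illustration.

```python
from os.path import commonprefix  # character-wise longest common prefix of strings

def rekey_messages(leaver):
    """(updated_key, encrypting_key) label pairs sent when `leaver` departs.
    Key labels are identifier prefixes; "" is the group key."""
    msgs = []
    for i in range(len(leaver) - 1, -1, -1):
        parent, bit = leaver[:i], leaver[i]
        sibling = parent + ("1" if bit == "0" else "0")
        msgs.append((parent, sibling))           # sibling subtree key is unchanged
        if i + 1 < len(leaver):                  # skip the leaver's own leaf key
            msgs.append((parent, parent + bit))  # freshly replaced key on the path
    return msgs

def tracking_state(descendant_ids):
    """Assumed per-node state: common prefix of descendant IDs (at most log2 N bits)."""
    ids = list(descendant_ids)
    return commonprefix(ids) if ids else None    # None: no group members downstream

def should_forward(state, enc_label):
    """Forward only if some descendant may hold the encrypting key."""
    if state is None:
        return False
    # A descendant can know enc_label only if the two prefixes do not diverge.
    return state.startswith(enc_label) or enc_label.startswith(state)

def link_transmissions(subtrees, leaver):
    """Messages each controller-to-router link carries after `leaver` departs."""
    msgs = rekey_messages(leaver)
    sent = {}
    for router, ids in subtrees.items():
        state = tracking_state(u for u in ids if u != leaver)
        sent[router] = [m for m in msgs if should_forward(state, m[1])]
    return sent

# Constructed topologies: a controller with two routers, four users behind each.
CLUSTERED = {"A": ["000", "001", "010", "011"], "B": ["100", "101", "110", "111"]}
INTERLEAVED = {"A": ["000", "010", "100", "110"], "B": ["001", "011", "101", "111"]}

if __name__ == "__main__":
    for name, topo in (("clustered", CLUSTERED), ("interleaved", INTERLEAVED)):
        counts = {r: len(m) for r, m in link_transmissions(topo, "000").items()}
        print(name, counts, "broadcast would send", 2 * len(rekey_messages("000")))
```

With the clustered assignment the two links carry 5 messages in total against 10 for broadcast. With the interleaved assignment both routers' state collapses to the empty prefix and nothing is filtered, which is the effect the identifier assignment algorithm is meant to avoid.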

Section snippets

Notations

In Section 2.1, we describe the key management algorithms from [1], [2], [13]. In Section 2.2, we describe the components of the multicast tree. Any multicast protocol, IP [14], [15], [16], [17] or overlay [18], [19], [20], can be used to build the multicast tree; our approach is independent of the protocol used to build the multicast tree. In Section 2.3, we describe the problem of key distribution and a previous solution.

Proposed improvements for key distribution

In this section, we identify our approach for reducing the cost of key distribution. Towards this end, in Section 3.1, we describe our key distribution algorithm that enables the intermediate nodes to approximately track their descendants and forward the keys to only those users who need them. In Section 3.2, we describe our algorithm for assigning identifiers to users. Using our assignment algorithm, the group controller arranges users close to each other in the key tree if they are close to

Simulation results and analysis

We simulated our algorithms using the NS2 network simulator [24]. We performed experiments on randomly generated network topologies for groups of 256, 512 and 768 users. We used the CBT [14] protocol to build the multicast tree with the group controller as the root node. For each experiment, we selected a random set of users to join or leave the group and recorded the number of messages in the multicast tree over the entire multicast session. We averaged the results over 10 iterations for each

Existing optimizations to key distribution and extensions

In this section, we discuss some existing optimizations to the problem of key-update distribution in secure groups and show that these approaches can be extended further using our key distribution approach. The first of these optimizations, i.e., matching the physical tree with the logical key tree, has been mainly proposed for the wireless scenario. The second of these optimizations keeps the logical key tree balanced to ensure that the key distribution cost stays within the O(log N) bound.

Application to security of interval multicast

The concepts used in our key distribution algorithms can also be used in other secure multicast applications, especially in applications that require data to be securely transmitted to only a subset of group users. One such application is the security of interval multicast, described in [9]. In this application, the group controller securely multicasts data to a selected interval (subset) of users. To send a message to the interval of users, the group controller identifies the key(s) that are

Conclusion

In this paper, we addressed the problem of distributing key updates to users in secure dynamic groups. Towards this end, in our key distribution algorithm, we described a descendant tracking scheme to track the descendants of the intermediate nodes in the multicast tree. In our descendant tracking scheme, each intermediate node stores a small amount of information about its descendants. Next, we described the forwarding mechanisms used by the intermediate nodes based on the descendant tracking

References (30)

  • Chung Kei Wong et al., Secure group communications using key graphs, IEEE/ACM Transactions on Networking (2000)
  • Sandeep S. Kulkarni et al., Adaptive rekeying for secure multicast, IEEE/IEICE Special issue on Communications: Transactions on Communications (2003)
  • Debby M. Wallner, Eric J. Harder, Ryan C. Agee, Key management for multicast: issues and architectures, RFC...
  • D. McGrew, A. Sherman, Key establishment in large dynamic groups using one-way function trees....
  • H. Harney, C. Muckenhirn, Group key management protocol (GKMP) specification, RFC 2093, July...
  • S. Mittra, Iolus: a framework for scalable secure multicasting, in: Proc. ACM SIGCOMM’97, 1997, pp....
  • Sanjeev Setia, Sencun Zhu, Sushil Jajodia, A comparative performance analysis of reliable group rekey transport...
  • Y. Richard Yang, X. Steve Li, X. Brian Zhang, Simon S. Lam, Reliable group rekeying: a performance analysis, in:...
  • Mohamed G. Gouda, Chin-Tser Huang, E.N. Elnozahy, Key trees and the security of interval multicast, in: 22nd...
  • SnehaKumar Kasera et al., Scalable reliable multicast using multiple multicast channels, IEEE/ACM Transactions on Networking (2000)
  • Oliveira Manuel et al., Router level filtering for receiver interest delivery
  • B. Levine, J. Aceves, Improving internet routing with routing labels, in: Proc. IEEE International Conference on...
  • Sandeep S. Kulkarni, Bezawada Bruhadeshwar, Rekeying and storage cost for multiple user revocation, in: 12th Annual...
  • A.J. Ballardie, P.F. Francis, J. Crowcroft, Core based trees, in: Proceedings of the ACM SIGCOMM, October...
  • T. Pusateri, Distance vector multicast routing protocol, IETF Draft, update to RFC 1075,...

    This work is partially sponsored by NSF CAREER 0092724, ONR grant N00014-01-1-0744, DARPA contract F33615-01-C-1901, NSF CNS 0914913 and a grant from Michigan State University.