Efficient Kerberized Multicast
Olga Kornievskaia, University of Michigan
Giovanni Di Crescenzo, Telcordia Technologies

Outline
- Efficient cross realm authentication in Kerberos
  - Review original Kerberos
  - Propose a new extension for distributed operations in Kerberos
- Multi-center multicast encryption schemes
  - Review single center schemes
  - Extend common schemes to distributed setting
- Integrating Kerberos with multicast encryption schemes

Motivation
- Increasing interest in group communication applications
  - Audio and video conferencing, data casting, collaborative applications
- Problem: security
- Goal: provide a practical solution

System Model
[Diagram labels: Internet (slow); Intranet (fast); Intranet]

Kerberos
- Based on Needham and Schroeder protocol
- Doesn't use asymmetric key crypto (fast)
- Relies on a trusted third party (KDC)
- Authentication is based on special data structures: tickets
- Notation
  - KDC – Key Distribution Center
  - TGS – Ticket Granting Service
  - Alice, Bob – Kerberos principals
  - K_{A,B} – Key shared by Alice and Bob
  - K_A – Key derived from Alice's password
  - TGT – Ticket granting ticket
  - T – nonce (timestamp) used to protect against replay attacks

Kerberos: Login Phase
Alice -> KDC: Hi, I'm Alice
KDC -> Alice: TGT = {Alice, TGS, K_{A,TGS}}K_{TGS}, {K_{A,TGS}, T}K_A

Kerberos: Service Ticket Request
Alice -> TGS: Alice, Bob, TGT
TGS -> Alice: TKT = {Alice, Bob, K_{A,B}}K_B, {K_{A,B}, T}K_{A,TGS}

Kerberos: Application Request
Alice -> Bob: Alice, TKT, {Request}K_{A,B}
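
The three exchanges above (login, service ticket request, application request) run end to end in the sketch below. It is an added example, not code from the talk or from any Kerberos implementation: the SHA-256 based `seal`/`unseal` pair is a toy stand-in for the `{...}K` notation, and the password, key derivation and function names are assumptions made for illustration.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """{obj}K: toy encrypt-then-MAC built from SHA-256, standing in for a real cipher."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed long-term keys held by the KDC; K_A is derived from Alice's password.
K_A = hashlib.pbkdf2_hmac("sha256", b"constructed-password", b"alice", 10_000)
K_TGS, K_B = os.urandom(32), os.urandom(32)

def kdc_login(client):
    """Login phase: returns TGT = {Alice, TGS, K_A,TGS}K_TGS and {K_A,TGS, T}K_A."""
    k = os.urandom(32).hex()
    return (seal(K_TGS, {"client": client, "service": "TGS", "key": k}),
            seal(K_A, {"key": k, "T": time.time()}))

def tgs_request(client, service, tgt):
    """Service ticket request: returns TKT = {Alice, Bob, K_A,B}K_B and {K_A,B, T}K_A,TGS."""
    t = unseal(K_TGS, tgt)
    if t["client"] != client:
        raise ValueError("TGT was issued to another principal")
    k = os.urandom(32).hex()
    return (seal(K_B, {"client": client, "service": service, "key": k}),
            seal(bytes.fromhex(t["key"]), {"key": k, "T": time.time()}))

def bob_accept(client, tkt, sealed_request):
    """Application request: Bob opens TKT with K_B, then the request with K_A,B."""
    t = unseal(K_B, tkt)
    if t["client"] != client:
        raise ValueError("ticket was issued to another principal")
    return unseal(bytes.fromhex(t["key"]), sealed_request)

def run_exchange(password_key):
    tgt, reply = kdc_login("Alice")
    k_a_tgs = bytes.fromhex(unseal(password_key, reply)["key"])
    tkt, reply = tgs_request("Alice", "Bob", tgt)
    k_ab = bytes.fromhex(unseal(k_a_tgs, reply)["key"])
    return bob_accept("Alice", tkt, seal(k_ab, {"request": "open session"}))
```

Alice never sees K_TGS or K_B: she only forwards the sealed tickets, and a client without K_A cannot recover K_{A,TGS} from the login reply.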

Distributed Operations in Kerberos
- Multiple Kerberos realms
  - Each realm administers local principals
  - No replication of data
- Off-line phase
  - Shared keys established between participating KDCs
- Ex: Wonderland and Oz
  - K_{W,Oz} – shared key between KDCs
Cross Realm Kerberos: Local Request TGT RTGT = K }K W,Oz {K T}K
Cross Realm Kerberos: Remote Req RTGT TKT = K A,B }K B {K A,B, T}K

Cross Realm Kerberos
TKT, {Request}K_{A,B}

Efficient Cross Realm Protocol
- Can we improve:
  - Network delays
  - KDC workload
  - Client workload
- Compatible with non-distributed version of Kerberos
Fake Ticket Protocol: Step 1 TGT FTKT = K A,B }K W,Oz {K A,B, T}K

Protocol: Step 2
FTKT, {Request}K_{A,B}
Protocol: Step 3 TGT, FTKT TKT = K A,B }K B {K A,B, T}K

Evaluation
- Minimizes the number of Internet (slow) messages
- Reduced the workload on the client (Alice)
- Alice's software doesn't need to be modified
- Extends easily to sending a message to a group

Outline
- Efficient cross realm authentication in Kerberos
- Multi-center multicast encryption schemes
- Integrating Kerberos with multicast encryption schemes

Multicast Encryption
- Methods for performing secure communication among a group of users
- Key management problem:
  - Join/leave operations
- Non-collaborative schemes:
  - Single center responsible for managing keys
- Schemes evaluated based on:
  - Communication complexity
  - Storage complexity (both center and user)

Minimal Storage Scheme
- Users store two keys:
  - K_G – group key
  - K_{I,C} – individual key shared with the center
- Center stores two keys:
  - K_G – group key
  - K_M – secret key used to generate individual user keys
- Key update operation has linear communication cost

Tree-based Schemes
- Build a logical tree
- Each node represents a key:
  - Root – group key
  - Leaves – individual user keys
- User stores all keys on the path from the leaf to the root
  - User storage complexity is logarithmic
- Center stores all keys in the tree
  - Center storage complexity is linear

Tree-based Schemes (cont.)
- Key update operation requires logarithmic number of messages:
  - Change all keys on the path from the removed leaf
  - Use siblings' keys to distribute new keys
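
The key update on the two tree-based slides can be traced with the sketch below, which is an added example and not code from the talk. It assumes a complete binary tree with heap indexing (root = 1, user u at leaf n+u) and models encryption as "the receiver can open a message only if it already holds the wrapping key", so the focus stays on which keys change and which sibling keys carry them.

```python
import secrets

def build_tree(n):
    """Center's view: one key per node of a complete binary tree (root = 1)."""
    return {node: secrets.token_bytes(16) for node in range(1, 2 * n)}

def user_keys(keys, n, u):
    """User u's view: only the keys on the path from leaf n+u up to the root."""
    path, node = {}, n + u
    while node >= 1:
        path[node] = keys[node]
        node //= 2
    return path

def remove_user(keys, n, u):
    """Rekey every node on the removed leaf's path, bottom-up; return the messages.
    Each message is (node, new_key, wrap_node, wrap_key): new_key sent under wrap_key."""
    msgs, node = [], (n + u) // 2
    del keys[n + u]                                # retire the departed user's leaf key
    while node >= 1:
        keys[node] = secrets.token_bytes(16)
        for child in (2 * node, 2 * node + 1):
            if child in keys:                      # nothing is sent under the removed leaf
                msgs.append((node, keys[node], child, keys[child]))
        node //= 2
    return msgs

def receive(view, msgs):
    """Apply the multicast messages to one user's key set."""
    for node, new_key, wrap_node, wrap_key in msgs:
        if view.get(wrap_node) == wrap_key:
            view[node] = new_key
    return view

def demo(n=8, leaver=5):
    keys = build_tree(n)
    views = {u: user_keys(keys, n, u) for u in range(n)}
    msgs = remove_user(keys, n, leaver)
    ok = all(receive(views[u], msgs)[1] == keys[1] for u in range(n) if u != leaver)
    locked_out = receive(views[leaver], msgs)[1] != keys[1]
    return len(msgs), ok, locked_out
```

For n users the update costs 2·log2(n) − 1 messages (5 for n = 8), against the linear cost of the minimal storage scheme, where the new group key has to be sent under each remaining user's individual key.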

Multi-center Multicast: First Look
- Multiple centers managing separate sets of clients
- Build a single binary tree
- Replicate tree at each center
- Key updates require only local communication
- Inefficient center and user storage:
  - Total center storage is O(n^2)
  - Each center stores keys for clients it doesn't manage

Extended Tree-based Multi-center
- Each center manages M users
- Each center builds a logical tree (size M)
- Each user stores O(log M) keys
- All centers share a key, K_C
- Key update operation requires (log M + N/M) messages
- Center storage among all centers is linear

Huffman Tree-based Multi-center
- Each center has different number of users
- Binary tree schemes don't provide an optimal tree
- Each center builds a local tree
- Associate a codeword with each center
- Run Huffman algorithm to obtain minimal tree
- Tree structure is kept by all centers
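
The effect of running the Huffman algorithm over centers of unequal size is shown below, as an added example that is not taken from the talk. It assumes each center is weighted by its number of users and that the cost being minimized is the user-weighted depth of the centers in the shared tree; the center names and user counts are constructed.

```python
import heapq
from itertools import count

CENTERS = {"KDC-A": 800, "KDC-B": 100, "KDC-C": 60, "KDC-D": 40}  # constructed user counts

def center_codewords(users_per_center):
    """Huffman-merge the centers by user count; return {center: codeword}."""
    tick = count()                      # tie-breaker so the heap never compares dicts
    heap = [(w, next(tick), {c: ""}) for c, w in users_per_center.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        w0, _, left = heapq.heappop(heap)
        w1, _, right = heapq.heappop(heap)
        merged = {c: "0" + code for c, code in left.items()}
        merged.update({c: "1" + code for c, code in right.items()})
        heapq.heappush(heap, (w0 + w1, next(tick), merged))
    return heap[0][2]

def balanced_codewords(users_per_center):
    """Fixed-length codewords: what a plain balanced binary tree over the centers gives."""
    bits = max(1, (len(users_per_center) - 1).bit_length())
    return {c: format(i, f"0{bits}b") for i, c in enumerate(users_per_center)}

def average_depth(users_per_center, codes):
    """Depth of a center in the shared tree, averaged over all users."""
    total = sum(users_per_center.values())
    return sum(users_per_center[c] * len(codes[c]) for c in codes) / total
```

With these counts the large center sits one level below the root and the average depth per user drops from 2.0 (balanced) to 1.3.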

Outline
- Efficient cross realm authentication in Kerberos
- Multi-center multicast encryption schemes
- Integrating Kerberos with multicast encryption schemes

Integration of Kerberos with Multicast Schemes
- Need to extend Kerberos to sending a message to a group
- N clients
- Each KDC manages M clients
- Notation
  - K_G – group key
  - K_C – key shared among all KDCs

Kerberized Multicast
[Diagram: Alice; messages: Alice, Group, TGT; RTGT_1, ..., RTGT_{N/M}]

Integration Illustrated
[Diagram: Alice; RTGTs]

Integration Illustrated (cont)
[Diagram: Alice; TKT_{I1}, ..., TKT_{Ik}; TKT_J; TKT_{K1}, ..., TKT_{Km}]

Integration Illustrated (cont)
[Diagram: Alice; message: Alice, TKT_1, ..., TKT_N]
Kerberized Multicast with Fake Tickets Alice, Group, TGT FTKT G = Group, K G }K C Alice

Integration Illustrated
[Diagram: Alice; message: Alice, FTKT_G]

Integration Illustrated (cont)
[Diagram: Alice; TGT_I, FTKT_G; TGT_J, FTKT_G; TGT_K, FTKT_G]

Integration Illustrated (cont)
[Diagram: Alice; TKT_I; TKT_J; TKT_K]

Conclusion
- Presented an extension to Kerberos for cross realm authentication
  - Eliminates Internet (slow) communications
- Presented an extension to multicast encryption schemes that optimizes for multiple centers
- Explored integrating cross realm authentication with multicast encryption schemes