Secure Multicast (II) Xun Kang

Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and Wireless Network

Batch Updates of Key Trees Any problem in previous solution? –Synchronization problems among rekey msgs and between rekey and data msgs; How? –Individual rekeying can be inefficient; especially when join/leave happens frequently, there will be a huge burden on server for signing keys;

Periodic Batch Rekeying Rekey subtree; Collect requests during a rekey interval and rekey them in a batch; Advantage: –For a J join and L leave, only needs 1 signing; –Less number of encrypted keys; Disadvantage: –Delayed group access control; A balance between rekeying overhead and group access control, the degree of forward access control vulnerability.

Three Ways of Batch Rekeying Periodic batch rekeying; Periodic bath leave rekeying; Periodic bath join rekeying; Question: –What’s the advantage and disadvantage of each one? Which one is better?

Batch Rekeying Algorithm (1) Strategy 1: always keep a balanced tree Adv: reduce the encrypted key number Dis: key server needs to provide new IDs to new join users as well as existing users?

Batch Rekeying Algorithm (2) Strategy 2 –New nodes form a subtree –Grafted to a departed node with smallest height? Advantage –only one existing node needs to modify ID Disadvantage –Balance problem

Batch Rekeying Algorithm (3) Strategy 3 –K 789 ’s null children will be first replaced with new users –If still new users, let user nodes at next level be split –If still new users after that, use next user nodes “next” means sequential number, for example root is 0, then at tree level 1, the three key nodes will be 1, 2, 3 What is the advantage? ID automatically discovered.

Reliable rekey protocol Eventual reliability –A receiver should receive all needed keys; Soft real-time requirement –A rekey msg is finished before the start of the next rekey interval Solution –Send re-synchronization requests when cannot recover a rekey msg in time; –Proactive FEC for reducing recovery latency;

Proactive FEC Partition rekey msgs into blocks Generate  ( p-1 )k  PARITY packets (FEC) for each block

Contributory GKM Application environment –Many to many applications Tele conferencing Application supporting collaborative work –Small size group –Group Splitting problem Centralized GKM has some problems –Key generator (TTP) must be always available –TTP must exist in every possible subset of a group Contributory GKM

Tree-based Group Diffie-Hellman TGDH –Key trees to efficiently compute and update group keys; –Diffie-Hellman key exchange to achieve provably secure and fully distributed protocols; A problem? What’s difference, effect? –EVS: extended virtual synchrony –VS: view synchrony

Cryptographic Properties For the security requirement of group key –Suppose a successive group key changes form K 0 to K m Group key secrecy Forward secrecy Backward secrecy Key independence –More strong than typical ones, for example New member can not know past keys New keys must keep secret from leaved guys

Some Definitions for TGDH M i : i-th group members : v-th node at level l in a tree T i : M i ’s view of the key tree T : a subtree rooted at node K i : node M i ’s individual key BK i * : set of M i ’s blinded keys –BK = f(K ) –ie. f(k) = a k mod p --- p is a large prime number

A TDGH Key Tree Example * Calculate the group key * Replicated on each node * Only BK are transmitted

TGDH Membership Events Join –a new member is added to the group Leave – a member is removed from the group Merge –a group is merged with the current group Partition –a subset of members are split from the group Key refresh –the group key is updated

TGDH - Join Protocol How to choose the insert point? o Full balanced or not How to choose sponsor? o A guy for computing new intermediate keys and broadcasting to the group

Join Protocol

TGDH - Leave Protocol

TGDH - Partition Protocol

TGDH - Merge Protocol

Multiple Subgroups Merging First, the trees are ordered by height in decreasing order; if same height, list them in lexicographic order of the first member in each tree Let T 1 the original tree T For i = 2 to k, merge_trees(T, T i )

Cascaded Events All membership events are delivered in sequence after all outstanding messages are delivered ---- underlying group communication system.

Self-clustering

Performance Please refer to the paper

Recent Progress of SM Classification of KM for wired networks Some hard problems A wireless network multicast security example Open issues in this area

Classification of KM Schemes

Some Hard Parts Synchronization Balanced key tree maintaining Watermarking –copyright protection problem If we assume that no one will deliver illegal copy to unauthorized users, is there any difference between these two? –Using individual secret key –Using shared group key to protect content

SM in Wireless Network DKD generates DEK DEK is protected by KEK Rekeying algorithms: 1.Baseline rekeying 2.Immediate rekeying 3.Delayed rekeying

Open Issues Leave for your guys!