Key-update distribution in secure group communication

We focus on the problem of distributing key updates in secure dynamic group communication. In secure groups, to reflect changing group membership, the group controller needs to change and distribute new keys to ensure confidentiality of the group communication. However, in the current key management algorithms, which include the well-known logical key hierarchy algorithms, the group controller broadcasts all key updates even if only a subset of users need them. In this paper, we describe key-update distribution algorithms for distributing keys to only those users who need them. Our algorithms consist of a descendant tracking scheme, which tracks downstream users in the multicast tree, and forwarding mechanisms, which forward key updates using the descendant tracking information. The forwarding mechanisms, in turn, depend on the type of key management algorithm used by the group controller. Using our descendant tracking scheme, a node forwards an encrypted key update only if it believes that it has descendants who know the encrypting key and can therefore decrypt the key update. Our descendant tracking scheme requires minimal state overhead, on the order of log N bits for a group of N users, to be stored at the intermediate nodes in the multicast tree. We also describe an identifier assignment algorithm that assigns closely clustered logical identifiers to users who are in physical proximity in the multicast tree. Our identifier assignment algorithm leverages the fact that logically clustered users require approximately the same set of key updates. We show that our identifier assignment algorithm improves the performance of our key-update distribution algorithms as well as that of a previous solution. Furthermore, we show that our proposed algorithms reduce the cost of secure data distribution in applications where data needs to be sent securely to only a subset of the group users.
To validate our algorithms, we tested them on different key management algorithms for distributing key updates and data. Our simulation results show that our algorithms achieve a bandwidth reduction of up to 55% compared to broadcast. We also discuss the implications of topology matching and logical key tree balancing for our key distribution algorithm and show that it is possible to achieve bandwidth savings of up to 90% by combining all three techniques.
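The forwarding rule and the effect of clustered identifiers can be seen in a small simulation. This is an added example, not code from the paper: the per-node tracking state (longest common prefix of downstream user IDs), the 7-user topology and the ID assignments are all assumptions constructed for illustration.

```python
from os.path import commonprefix

# Constructed multicast tree: router -> children; leaves u0..u6 are users (u7 has left).
TREE = {"R": ["A", "B"], "A": ["A1", "A2"], "B": ["B1", "B2"],
        "A1": ["u0", "u1"], "A2": ["u2", "u3"], "B1": ["u4", "u5"], "B2": ["u6"]}

def rekey_messages(leaver_id):
    """Binary LKH leave: every key on the leaver's path is replaced and the new key
    is encrypted under each child key. Returns the encrypting keys as ID prefixes."""
    msgs = []
    for d in range(len(leaver_id) - 1, -1, -1):
        for bit in "01":
            child = leaver_id[:d] + bit
            if child != leaver_id:          # never encrypt under the leaver's own key
                msgs.append(child)
    return msgs

def track(node, ids, state):
    """Assumed tracking state: per node, the longest common prefix of the IDs of
    the users downstream of it (at most log2(N) bits)."""
    if node in ids:
        state[node] = ids[node]
    else:
        state[node] = commonprefix([track(c, ids, state) for c in TREE[node]])
    return state[node]

def forward(node, key, ids, state, got):
    """Send one update encrypted under `key` down from `node`; returns links used."""
    used = 0
    for child in TREE.get(node, []):
        s = state[child]
        if s.startswith(key) or key.startswith(s):   # a descendant may know `key`
            used += 1
            if child in ids:
                got.add(child)
            used += forward(child, key, ids, state, got)
    return used

def leave_cost(ids, leaver_id):
    """Total link transmissions for one leave; checks no entitled user is missed."""
    state = {}
    track("R", ids, state)
    total = 0
    for key in rekey_messages(leaver_id):
        got = set()
        total += forward("R", key, ids, state, got)
        assert got == {u for u, i in ids.items() if i.startswith(key)}
    return total

LINKS = sum(len(c) for c in TREE.values())                       # 13 links
clustered = {f"u{i}": format(i, "03b") for i in range(7)}        # neighbours share prefixes
scattered = {f"u{i}": format(i, "03b")[::-1] for i in range(7)}  # bit-reversed IDs
broadcast = len(rekey_messages("111")) * LINKS                   # every update on every link
```

With the same tree and the same leaving user, the clustered assignment gives interior nodes long common prefixes, so they can drop updates early; the scattered assignment leaves most interior state empty and filtering happens only at the last hop.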
