Scalable Group Key Management for Secure Multicast: A Taxonomy and New Directions [chapter]

Sencun Zhu, Sushil Jajodia
2010 Network Security  
Multicast is an efficient technique to distribute data to a large group of users. To prevent disclosure of distributed data to unauthorized users, multicast-based applications require confidential group communication, which is achieved by encrypting data with a group-wide shared key. The group key must be updated and redistributed to all authorized users in a secure and reliable fashion whenever a user joins or leaves the group. Thus, group key management becomes a very challenging issue for large and dynamic groups with unreliable channels. We give an overview of the approaches that have been recently proposed to address the group key management issue, show the research trends, and finally discuss several new research directions.

Introduction

Many multicast-based applications (e.g., pay-per-view, online auction, and teleconferencing) require a secure communication model to prevent disclosure of distributed data to unauthorized users. One solution for achieving this goal is to let all members in a group share a key that is used for encrypting data. To provide backward and forward confidentiality [23] (i.e., a new member should not be allowed to decrypt the earlier communication and a revoked user should not be able to decrypt the future communication), this shared group key must be updated for every membership change and redistributed to all authorized members in a secure, reliable, and timely fashion. This process is referred to as group rekeying.

A group rekeying operation usually involves two phases. The first phase deals with the key encoding problem. To prevent passive eavesdropping attacks, a new group key must be encrypted by some key encryption keys (KEKs) before its distribution. The goal of a key encoding algorithm is to minimize the number of encrypted keys that have to be distributed. The second phase deals with the key distribution problem, i.e., distributing the encryptions output from a key encoding algorithm to group members reliably even in the presence of packet losses. The scalability of group rekeying is determined by the efficiency of both key encoding and key distribution mechanisms.

A simple approach for group rekeying is one based on unicast; that is, the key server sends the group key to each member individually and securely. Despite its simplicity, this approach is not scalable because its communication cost increases linearly with the group size.
Specifically, for a group of size $N$, the key server needs to encrypt and send $N$ keys without considering packet losses. For large groups with very frequent membership changes, scalable group rekeying becomes an especially challenging issue. In recent years, many approaches for scalable group rekeying have been proposed. Among them, Logical Key Hierarchy (LKH) [22, 23], One-way Function Trees (OFT) [2, 4], and Subset-Difference [16, 10],

• Join Procedure

Suppose in Fig. 1 the root key was $K_{1-8}$ and $K_{789}$ was $K_{78}$ before user $U_9$ joined the group, and they are replaced with keys $K_{1-9}$ and $K_{789}$ respectively when $U_9$ joins. All the users need $K_{1-9}$, but only $U_7$, $U_8$ and $U_9$ need $K_{789}$. To distribute these new keys to the members of interest securely, the key server encrypts $K_{1-9}$ with $K_{1-8}$, $K_{789}$ with $K_{78}$, and $K_{1-9}$ and $K_{789}$ with $K_9$. Let $\mathrm{Enc}(m, k)$ denote encrypting message $m$ with key $k$, and $x|y$ denote the concatenation of messages $x$ and $y$. The message multicast by the key server is:

$$\text{KeyServer} \longrightarrow \text{All}: \mathrm{Enc}\{K_{1-9}, K_{1-8}\},\ \mathrm{Enc}\{K_{789}, K_{78}\},\ \mathrm{Enc}\{K_{1-9}|K_{789}, K_9\}.$$

Each user can extract the keys it needs independently. For example, user $U_1$ decrypts the first item in the message to obtain the new group key $K_{1-9}$; besides $K_{1-9}$, user $U_7$ also decrypts the second item to obtain key $K_{789}$. Here we can see that some users are interested in only a fraction of the rekeying payload. This is referred to as the sparseness property.

• Departure Procedure

When user $U_4$ departs from the group, the keys $K_{456}$ and $K_{1-9}$ need to be changed. Assume that these keys are replaced with keys $K_{456}$ and $K_{1-9}$ respectively. In the join procedure, an updated key can be encrypted by its old key for distribution. In the departure procedure, however, an updated key is encrypted by its child keys that are unknown to the revoked users, because these users also know the old key.

Therefore, the key server encrypts $K_{1-9}$ with $K_{123}$, $K_{456}$ and $K_{789}$ separately, encrypts $K_{456}$ with $K_5$ and $K_6$ separately, and then multicasts these five encrypted keys to the group.
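
The departure procedure above, worked symbolically as an added example (not code from the chapter): it builds the rekey message for any departing leaf and checks which receivers can recover the replacement keys. The three-by-three tree shape is assumed from the key names in the text, the function names are this example's own, and a trailing ' marks a replacement key.

```python
# Symbolic LKH departure rekeying: a "ciphertext" is a (new key, KEK) pair,
# so no real encryption is performed. The 3x3 tree shape is assumed from the
# key names in the text; a trailing ' marks a replacement key (our notation).
PARENT = {f"K{i}": p
          for p, kids in {"K123": "123", "K456": "456", "K789": "789"}.items()
          for i in kids}
PARENT.update({"K123": "K1-9", "K456": "K1-9", "K789": "K1-9"})

def path_to_root(leaf):
    """Keys held by the user whose individual key is `leaf`, leaf first."""
    keys = [leaf]
    while keys[-1] in PARENT:
        keys.append(PARENT[keys[-1]])
    return keys

def children(node):
    return [c for c, p in PARENT.items() if p == node]

def departure_rekey(leaf):
    """Rekey message for the departure of the user holding `leaf`."""
    known = path_to_root(leaf)          # every key the leaver knows
    msg = []
    for node in known[1:]:              # replace each non-leaf key, bottom-up
        for child in children(node):
            if child == leaf:
                continue                # never encrypt under the leaver's key
            # A child that was itself replaced is used in its new version.
            kek = child + "'" if child in known else child
            msg.append((node + "'", kek))
    return msg

def recover(leaf, msg):
    """New keys the user holding `leaf` can extract from `msg`."""
    held, got = set(path_to_root(leaf)), set()
    progress = True
    while progress:                     # a recovered key may unlock another
        progress = False
        for new_key, kek in msg:
            if kek in held and new_key not in held:
                held.add(new_key)
                got.add(new_key)
                progress = True
    return got

if __name__ == "__main__":
    msg = departure_rekey("K4")
    print(len(msg), "encrypted keys:", msg)
    for user in ("K1", "K5", "K4"):
        print(user, "recovers", sorted(recover(user, msg)))
```

The departed user recovers nothing because none of the key-encryption keys in the message lies on its old path, which is the forward-confidentiality requirement from the introduction.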
doi:10.1007/978-0-387-73821-5_3 fatcat:in2t5bvv3vgklo7fy2wkjvrlle