Internet DRAFT - draft-dondeti-irtf-smug-gkm-mobility
draft-dondeti-irtf-smug-gkm-mobility
Internet Engineering Task Force L. Dondeti/Nortel
Internet Draft B. Decleene and S. Griffin/TASC
draft-dondeti-irtf-smug-gkm-mobility-00.txt T. Hardjono/Verisign
July 2001 J. Kurose, D. Towsley,
Expires: January 2002 C. Zhang and S. Vasudevan/UMass.
Group key management in wireless and mobile environments
STATUS OF THIS MEMO
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference mate-
rial or to cite them other than as "work in progress".
To view the list Internet-Draft Shadow Directories, see
http://www.ietf.org/shadow.html.
Abstract
In this document we consider the problem of key management in a
mobile wireless networking environment, such as a dynamic, dis-
tributed setting in which command and control nodes move along with
individual users. In this scenario, data must be securely multicast
from one source to many users, requiring that users be properly
keyed. Furthermore, because users move in and out of the session (due
to mobility, attrition, and reinforcement), in order to preserve con-
fidentiality, it becomes necessary to rekey each time a user enters
or leaves. We present a hierarchical framework and key distribution
algorithms for such a dynamic environment, with a focus on how keys
and trust relationships are transferred when users move between so-
called "areas" in the group management hierarchy. We present several
schemes including one that rekeys every time a member moves from area
to area and one that delays rekeying so long as security is not com-
promised.
L. Dondeti [Page 1]
�
Internet Draft Mobile group key management
Table of Contents
1 Introduction to secure mobile groups
2 Hierarchical group key management
3 Impact of mobility on key management
3.1 Mobile members
3.2 Mobile key distributors
4 Key management to address mobility
4.1 Baseline rekeying
4.2 Immediate rekeying
4.3 Delayed rekeying
5 Summary and future work
6 Authors' contact information
1 Introduction to secure mobile groups
Consider secure communication to a group of mobile nodes. The commu-
nication could be over wired or wireless networks. Several solutions
exist in the literature for secure group key management. A group man-
ager distributes a common key used for encryption of data to the
sender(s) as well as the members. For several applications, it is
necessary that perfect forward and backward access control be main-
tained in the group. To achieve perfect forward/backward access con-
trol, the group manager sends a new group key at each membership
change.
There are two types of solutions for scalable rekeying of large
groups. One involves maintenance of a logical key hierarchy (LKH)
[1,2], while the other calls for a group management hierarchy. A com-
bination of the two approaches is probably the best solution for
efficient rekeying.
When members are mobile, hierarchical group key management (in effect
decentralized group key management) works better than centralized
group key management used in LKH-based approaches. In hierarchical
group management (e.g. Iolus [3] and Intra-domain group key manage-
ment [4]), there are several "area key distributors (AKD)" (subgroup
managers in Iolus) to manage the group. If the AKDs are geographi-
cally distributed, mobile members can get access to new group keys as
long as they are "near" to one of the AKDs.
L. Dondeti [Page 2]
�
Internet Draft Mobile group key management
The notion of members moving between areas or subgroups is new to
group key management. We investigate the issues involved in area
rekeying when members move between areas. We present several differ-
ent rekeying algorithms and analyze their applicability. Note that in
some applications, senders must stop data transmission during rekey-
ing. Mobile group members may add to the rekeying overhead when they
move between areas. We propose algorithms that minimize the time off-
line due to rekeying.
2 Hierarchical group key management
A common approach for designing a scalable network service is to
adopt a hierarchical structure, and a number of recently-proposed key
management algorithms have adopted such an approach [3,4]. Broadly,
these rekeying algorithms operate by hierarchically dividing the key
management domain into smaller administratively scoped areas. The
details of hierarchical key management differ from one approach to
another, and so in our discussion below we adopt a framework based on
[4].
Throughout the domain, a Domain Key Distributor (DKD) generates the
data key used by the sender for encrypting data. The DKD may be col-
located with the sender or shared throughout the domain by multiple
sessions. As discussed previously, whenever a new member joins a cur-
rent session or an existing member leaves a session, a new data key
must be generated and distributed to ensure both forward and backward
confidentiality.
The domain is further divided into disjoint areas. An area is unique
in that movement within the area does not require any additional sig-
naling with regard to rekeying; and the cost of rekeying members when
a join/leave occurs is considered reasonable. Areas may be small
(such as a fine-grained ad-hoc network) or large (such as a satellite
broadcast) depending upon the network topology and operational
arrangements. Similarly, an area can be either logically or geograph-
ically defined.
Within each area, an Area Key Distributor (AKD) is responsible for
distributing the data key to members within that area. Because the
distribution of the data key within an area must itself be secure,
area-local keys are used by the AKD to distribute a new data key to
members within the area. Approaches for intra-area rekeying include
Public Key Infrastructure (PKI), secure multicast, and logical tree-
based algorithms such as [2,1].
From the definition of area, mobility impacts performance only when
members cross between areas. Without AKD reassignment, rekeying mes-
sages must cross heterogeneous network boundaries resulting in
L. Dondeti [Page 3]
�
Internet Draft Mobile group key management
additional performance degradation. Consequently, member movement
between areas requires a coordinated transfer of the security rela-
tionships. Inter-area rekeying algorithms address this problem by
introducing specific semantics for transferring between areas.
3 Impact of mobility on key management
Mobility complicates key management by allowing members to not only
leave or join a session but also transfer between networks while
remaining in the session. Since a mobile user may accumulate informa-
tion about the local security services for each area he/she visits,
the key management system must consider the level of trust to impart
to these mobile members and the performance implications should the
member leave the session. Furthermore, as a member moves, the net-
work latency between the member and the key management services may
change and result in additional performance degradation.
3.1 Mobile members
The performance of any inter-area rekeying algorithm strongly depends
upon the mobility characteristics of the members as well as their
join/leave characteristics. Members that remain in the session for
long periods of time and are highly mobile are likely to visit many
areas. As the number of these high-mobility members increase, the
amount of control overhead increases. Approaches that minimize the
amount of rekeying when a members moves between areas help address
this concern.
Fundamentally, inter-area rekeying requires members and/or key dis-
tributors to identify when a member is leaving one area and entering
a new area. Bind credentials that have been signed by the departing
area may be delivered to the member transferring to stream-line
his/her authentication onto the new area. Managing these credentials
is important to improving performance while ensuring confidentiality.
Alternatively, key distributors may coordinate between each other to
"hand-off" the member.
3.2 Mobile key distributors
Mobility of an AKD or DKD may result in substantial changes in the
hierarchical topology. To ensure performance, inter-area rekeying
must address the problems of new key distributor nomination/election,
member reassignment, and load balancing to ensure that the end-to-end
performance is maintained.
4 Key management to address mobility
L. Dondeti [Page 4]
�
Internet Draft Mobile group key management
In this document, we describe multiple inter-area key distribution
algorithms, where members may not only enter/leave the session but
may also move between areas. These algorithms are defined below.
4.1 Baseline rekeying
A direct approach for handling mobility across areas (called the
baseline algorithm) is to treat the movement as a leave from the old
area followed by a join to the new area. The member leaving the ses-
sion notifies the local AKD, which halts the current data transmis-
sion. Next, the local AKD updates the area key for the remaining mem-
bers by either securely unicasting to each member using their shared
private key, or exploiting a more sophisticated intra-area key proto-
col such as LKH [2]. Once this is updated securely, a new data key
can be distributed to all areas such that the departing member is
excluded. At this point, data transmission resumes. This approach
ensures forward confidentiality.
During the join, the process is similar. The new member informs the
local AKD of its intent to join. Data transmission is halted while a
new area key is distributed to the current members (through multi-
cast) and the new member (through unicast). Once complete, the new
data key is distributed to all of the members and transmission
resumes. This approach ensures backward confidentiality.
The disadvantage of the baseline algorithm is that data transmission
is unnecessarily interrupted twice during a transfer between areas
because the system cannot distinguish between a departing member and
a member that is simply moving. The result is degraded throughput and
additional computational complexity as extra keys are calculated.
4.2 Immediate rekeying
The immediate rekeying algorithm extends the baseline algorithm by
adding explicit semantics for a hand-off between areas. The member
initiates a transfer by notifying the two affected areas. Each area
updates the local area keys per their new membership. However,
unlike the baseline algorithm, no new data key is generated and the
data transmission continues uninterrupted. Note that when a member
actually leaves or joins the session, data transmission is inter-
rupted as new data and area keys are generated per the baseline algo-
rithm described previously.
4.3 Delayed rekeying
Both baseline and immediate rekeying algorithms rekey the local areas
as soon as a member transfers. As a result, a member that moves
rapidly between two areas may cause repeated local rekeying. In
L. Dondeti [Page 5]
�
Internet Draft Mobile group key management
baseline rekeying mobility of a single member affects all the members
in the domain (since the data key changes).
Delayed algorithms postpone local rekeying until a particular crite-
rion is satisfied. Members moving between multiple areas may accumu-
late multiple area keys and reuse these keys when they return to a
previously visited area. As always, if a member leaves or joins the
session, then the appropriate areas are rekeyed to ensure forward and
backward confidentiality.
In pure delayed rekeying, each AKD maintains a list of members that
have left the area but still hold valid keys for the area. When a
member transfers, the area that the member is entering is rekeyed to
prevent a member from falsely transferring into an area to get access
to the old keys (backward confidentiality). For the departed area,
the AKD does not rekey but instead adds the member to the Extra Key
Owner List (EKOL). This list is reset whenever a local rekey occurs.
When a member returns to an area, it is checked against the EKOL and
no new keys are generated if it is on the list.
A characteristic of the delayed algorithms is that they defer some of
the rekeying until a member departs. In this case, all of the areas
that the member has currently valid keys are rekeyed as well to pre-
vent unauthorized access. Thus, the impact of member mobility is
reduced at the cost of increased leave semantics.
One modification of this approach proposed by Chun et. al. [5]
allows members who have previously visited an area and are reauthen-
ticated to receive the current area key to be added without rekeying
of the new area. The benefit of this approach is that the number of
keys generated and distributed is substantially reduced. The algo-
rithm can be further extended by overlaying periodic rekeying of the
areas to prevent any outside member from holding the key beyond a
finite period of time. Alternatively, threshold rekeying triggers a
rekey of an area whenever any member collects more than a given num-
ber of keys. This ensures that no member is able to accumulate all
the keys by visiting all of the areas.
5 Summary and future work
In this document, we describe group rekeying in the presence of
mobile members. We propose that hierarchical group key management
works best for managing mobile members of a secure group. We intro-
duce several rekeying schemes when members move from one area to
another area, while still being member of a group.
Our ongoing work includes mathematical analysis of the various rekey-
ing schemes to investigate the time off-line and rekeying overhead
L. Dondeti [Page 6]
�
Internet Draft Mobile group key management
due to mobility. We are currently developing a prototype of the key
management framework (KMF) and the rekeying algorithms.
Apart from the analysis and implementation of the protocols proposed
so far, our focus is on the following topics:
o Implications of mobility on SA management
o Mobile AKDs
When an AKD moves, members within its area may decide to (s)elect
a new AKD to manage them. We are currently investigating AKD
(s)election algorithms.
6 Bibliography
[1] D. Balenson, D. McGrew, and A. Sherman, "Key management for large
dynamic groups: One-way function trees and amortized initialization,"
Internet Draft, Internet Engineering Task Force, Aug. 2000. Work in
progress.
[2] D. M. Wallner, E. Harder, and R. C. Agee, "Key management for
multicast: Issues and architectures," RFC (Informational) 2627,
Internet Engineering Task Force, Sept. 1998.
[3] S. Mittra, "Iolus: A framework for scalable secure multicasting,"
in ACM SIGCOMM , (Cannes, France), sep 1997.
[4] T. Hardjono, B. Cain, and I. Monga, "Intra-domain group key man-
agement protocol," internet draft, Internet Engineering Task Force,
Feb. 2000. Work in progress.
[5] C. Zhang, B. DeCleene, J. Kurose, and D. Towsley, "Comparison of
inter-area rekeying algorithms for secure wireless group communica-
tions," tech. rep., June 2001. Submitted for publication.
7 Authors' contact information
Lakshminath R. Dondeti
Nortel Networks
600 Technology Park Drive
Billerica, MA 01821, USA
(978) 288-6406
ldondeti@nortelnetworks.com
Thomas Hardjono
Verisign Inc.
L. Dondeti [Page 7]
�
Internet Draft Mobile group key management
401 Edgewater Place, Suite 280
Wakefield, MA 01880, USA
thardjono@verisign.com
Brian DeCleene
Sean Griffin
TASC Inc.
55 Walkers Brook Dr.
Reading, MA 01867, USA
btdecleene@tasc.com
Jim Kurose
Don Towsley
Chun Zhang
Sudarshan Vasudevan
Computer Science department
University of Massachusetts, Amherst, MA
{kurose,towsley,czhang,svasu}@cs.umass.edu
L. Dondeti [Page 8]
�
