[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00
INTERNET-DRAFT                                       R. Canetti,  B. Pinkas
draft-canetti-secure-multicast-taxonomy-00.txt             IBM Research and
Expire in two months                                 the Weizmann Institute
May 1998

A taxonomy of multicast security issues
(temporary version)

Status of this Memo

This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and working groups.  Note that other groups may also distribute
working documents as Internet Drafts.

Internet Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet Drafts as reference
material or to cite them other than as "work in progress."

To view the entire list of current Internet-Drafts, please check
the "1id-abstracts.txt" listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
(Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
(Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
(US West Coast).

1. Abstract

With the growth and commercialization of the Internet, the need for
secure IP multicast is growing. In this draft we present a taxonomy of
multicast security issues. We first sketch some multicast group
parameters that are relevant to security, and outline the basic
security issues concerning multicast in general, with emphasis on IP
multicast. Next we suggest two benchmark' scenarios for secure
multicast solutions. Lastly we review some previous works.

This is a temporary version of the document. The authors will be
grateful for remarks, and will update and revise this document
accordingly.

Canetti, Pinkas                                                 [Page i]

INTERNET DRAFT                                                  May 1998

1. Abstract ................................................. i
2. Introduction ............................................. 1
3. A Taxonomy of multicast security issues................... 2
3.1 Multicast group characteristics....................... 2
3.2 Security requirements and trust issues................ 3
3.3 Performance  parameters............................... 5
4. Benchmark Scenarios....................................... 5
4.2 Virtual Conferences................................... 7
5. A mini-survey of related work............................. 7
5.1 Works on group key management......................... 8
5.2 Works on individual authentication.................... 9
5.3 Works on membership revocation........................10
5.4 Working prototypes....................................11
Acknowledgments.... .........................................12
References...................................................12

2. Introduction

Protocol supports a multicast mode where a packet is addressed to
a group of recipients. The main motivation behind this mode is
efficiency, both in sender resources (one transmission serves all
recipients) and in network resources (far less traffic). The main
challenge in efficient multicast transmission is routing: how to get
a packet to its intended recipients with minimal latency and
bandwidth consumption. See work done at the MBONED and IDMR working
groups. Reliable multicast is being studied in the IRTF Reliable
Multicast working group.

The growth and commercialization of the Internet offers a large
variety of scenarios where multicast transmission will greatly save
in bandwidth and sender resources. Immediate examples include news
feeds and stock quotes, video transmissions, teleconferencing,
software updates, and more. Yet, multicast transmission introduces
security concerns that are far more complex than those of simple
unicast.  Even dealing with the standard' issues of message
authentication and secrecy becomes much more complex; in addition
other concerns arise, such as access control, trust in group
centers, trust in routers, dynamic group membership, and others.

Canetti, Pinkas                                                 [Page 1]

INTERNET DRAFT                                                  May 1998

We are looking for solutions that mesh well with current multicast
routing protocols, and that have as small overhead as possible.
In particular, a realistic solution must maintain the current way by
which {\em data packets} are being routed; yet additional control
messages may be introduced, for key exchange and access control.
These messages need not necessarily be sent via multicast.

As a first step towards a workable solution, we present a taxonomy
of multicast security concerns and scenarios, with a strong emphasis
on IP multicast.  First we list multicast group characteristics
that are relevant to security. Next we list security concerns and some
trust issues. We also discuss important performance parameters.

It soon becomes clear that the scenarios are so diverse that there
is little hope for a single security solution that accommodates all
scenarios.  Thus we suggest two benchmark' scenarios for
multicast security solutions.  One scenario involves a single sender
(say, an on-line stock-quotes distributor) and a large number of
passive recipients (say, hundreds of thousands). The second scenario
depicts relatively small interactive groups of up to few thousands
of participants.

Lastly we present a brief survey of existing work on multicast
security. (The authors apologize in advance for any
misinterpretations and omissions. Please write and complain. They
will be happy to update and correct the  draft.) Two main issues
emerge, where the performance of current solutions leaves much to be
desired. One is individual authentication, where it is required to
make sure that information is arriving from a particular group member
(as opposed to information coming from "one of the group members").
The other is membership revocation: here it is required to prevent

3.   A Taxonomy of multicast security issues

3.1  Multicast group characteristics

We list salient parameters of multicast groups. These parameters
affect in a crucial way on the security architecture that should be
used.

Group size: Can vary from several tens of participants in small
discussion groups, through thousands in virtual conferences
and classes, and up to several millions in large broadcasts.

Member characteristics: These include computing power (do all members
have similar computing power or can some members be loaded more
than others?) and attention (are members on-line at all times?).

Canetti, Pinkas                                                 [Page 2]

INTERNET DRAFT                                                  May 1998

Membership dynamics: Is the group membership static and known in
advance? Otherwise, do members only join, or do members also
leave? how frequently does membership change and how fast should
changes be updated? Are membership changes bursty?

Expected life time: Is the group expected to last several minutes?
days? unbounded amount of time?

Number and type of senders: Is there a single party that sends data?
several such parties? all parties?  Does few senders generate most
of the traffic? Is the identity of the senders known in advance?
Are non-members expected to send data?

Volume and type of traffic: Is there heavy volume of communication?
Must the communication arrive in real-time? what is the allowed
latency? For instance, is it data communication (less stringent
real-time requirements, low volume), audio (must be real-time,
low volume), or video (real-time, high volume)?

3.2  Security requirements and trust issues

We list several security requirements and trust issues. Not all
issues are relevant to all multicast applications; yet they should
be kept in mind when designing a system.

Long-term secrecy: Making sure that  the data remains secret to
non-group members, for a substantial amount of time after
transmission. This may often not be a requirement for multicast
traffic. In particular, the larger the multicast group the
weaker the secrecy assurance is (even if the cryptography
is perfect.)

Perfect Forward Secrecy: Making sure that encrypted data remains
secret even if the key is compromised (either by cryptanalysis or
by break-in) at a later date. This requirement is needed only for
applications that require long-term secrecy. Thus in many
multicast applications it is not necessary.

Ephemeral secrecy: Preventing non group-members from easy access
to the transmitted data. Here a mechanism that delays access,
or prevents access only to crucial parts of the data is sufficient.
(For instance, to maintain ephemeral secrecy when transmitting
a video it is  sufficient to encrypt only the low-order Fourier
coefficients in an MPEG encoding.)

Canetti, Pinkas                                                 [Page 3]

INTERNET DRAFT                                                  May 1998

Sender and data authenticity: Making sure that the received data
originates with the claimed sender and was not modified on
the way.  Authenticity takes two flavors:  Group authenticity
means that a group member can recognize whether a message
was sent by a group member. Individual authenticity means that
it is possible to identify the particular sender within the group.
It may also be desirable to verify the origin of messages
even if the originator is not a group member.

Anonymity: Several flavors are possible. One is keeping the identity
of group members secret from outsiders or from other group members.
Another is keeping the identity of the sender of a message secret.
A related concern is protection from traffic analysis.

Non-repudiability: The ability of receivers of data to prove to third
parties that the data has been transmitted, together with the
source. Non-repudiability is somewhat contradictory to anonymity,
and it is not clear whether it should be implemented in an IP-layer
protocol.

Key refreshment: The need to refresh (change) the key during a
lengthy multicast session, in order to foil cryptanalysis and
other methods for compromising the key. It should be remembered
that key refreshment in a multicast setting is more complex
than for unicast.

Service availability: Maintaining service availability against
malicious attack is ever more relevant in a multicast setting,
since clogging attacks are easier to mount and are much more
harmful.

Group management and ownership: Several tasks related to
a secure multicast group need handling. We list these tasks
below. These tasks can be handled either by a centralized
entity or in a distributed way (and then it should be decided which
entities or coalitions of entities can perform each security
critical operation)  . It should be remembered that putting trust
in centralized centers is a security Achilles-heel (although it
usually makes solutions much simpler).
* Key management
* Logging/Audit
* Error and exception handling
* Access control (see below)

Access control: Controlling group membership, and perhaps keeping
reliable records of the amount of usage of each member. The problem
becomes more complex if members may join with time, and even more
complex if members may leave the group (and then the group has to
make sure that the leaving members lose the cryptographic abilities
reserved to members).

Canetti, Pinkas                                                 [Page 4]

INTERNET DRAFT                                                  May 1998

3.3   Performance  parameters

We list relevant performance parameters. Relative importance of
these parameters may vary from application to application. These
parameters should always be measured against the degree of security
achieved.

Latency, bandwidth  and work overhead per data packets. These are
the most immediate costs and should definitely be minimized.
machines and on weak end-users.

Group initialization occurs once. In groups with highly dynamic
membership, efficient addition (and especially deletion) of
members may be an important concern.

Sender initialization, the overhead of a sender when it starts
transmitting to the group.

Congestion, especially around centralized control services
at peak sign-on and sign-off times. (A quintessential scenario
is a real-time broadcast where many people join right before the
broadcast begins and leave right after it ends.)

Resume overhead: The work incurred when a group member becomes
active after being dormant (say, off-line) for a while.

4. Benchmark Scenarios

As seen above, it takes many parameters to characterize a multicast
security scenario, and a large number of potential scenarios exist.
Different scenarios call for different solutions; it seems unlikely
that a single solution will accommodate all scenarios.

We present two very different scenarios for secure multicast,
and sketch possible solutions and challenges. These scenarios seem
to be the ones that require most urgent solutions; in addition, they
span a large fraction of the concerns described above, and solutions
here may well be useful in other scenarios as well. Thus we suggest
these scenarios as benchmarks for evaluating security solutions.

Canetti, Pinkas                                                 [Page 5]

INTERNET DRAFT                                                  May 1998

Here a single source wishes to continuously broadcast data to a large
number of passive recipients. The source can be a news agency that
broadcasts stock-quotes and news-feeds to paying customers, or a
Pay-TV station. We list a number of characteristics:

The number of recipients can be up to hundreds of thousands or even
several millions.  The source is typically a top-end machine with
ample resources. It can also be parallelized or even split to several
sources in different locations. The recipients are typically
lower-end machines with limited resources. Consequently, and security
solution must optimize for efficiency at the recipient side.

Although the life-time of the group is usually long, the group
membership is dynamic: members join and leave at a relatively high
rate. In addition, at peak times (say, before and after important
broadcasts) a high volume of sign-on/sign-off requests are expected.
In addition, it can be assumed that members have a long-term
relationship with the group; this may facilitate processing of
sign-on/sign-off requests.

The volume of transmitted data may vary considerably: if only
text is being transmitted then the volume is relatively low (and
the latency requirements are quite relaxed); if audio/video is
transmitted (say, in on-line pay-TV) then the volume can be very
high and very little latency is allowed.

Authenticity of the transmitted data is a crucial concern and
should be strictly maintained: a client must never accept a forged
stock-quote as authentic. Another important concern is preventing
non-members from using the service. This can be achieved by
encrypting the data; yet the encryption may be weak since there
is no real secrecy requirement - only prevention from easy
unauthorized use.

The required latency of the communication varies from application
to application.  Member revocation should be performed within minutes
or seconds from the time it is requested (but it is typically not
required to remove members within fractions of a second)

There is usually a natural group owner that manages access-control as
well as key management. However, the sender of data may be a
different entity (say, Yahoo broadcasting Reuters stock-quotes in its
home-page).

Canetti, Pinkas                                                 [Page 6]

INTERNET DRAFT                                                  May 1998

4.2  Virtual Conferences

Typical virtual conference scenarios may include on-line meetings
of corporate executives or committees, town-hall type meetings,
interactive lectures and classes, and multiparty video games.
A virtual conference involves several tens to hundreds of peers,
often with roughly similar computational resources. Usually most,
or all, group members may a-priori wish to transmit data
(although often there is a small set of members that generate
most of the bandwidth).

The group is often formed per event and is relatively short-lived
(say, few minutes or hours). Membership is often static: members
join at start-up, and remain signed on throughout. Furthermore,
even if a member leaves it is often not crucial to
cryptographically revoke their group membership.
Bandwidth and latency requirements vary from application to
application, similarly to the case of single source
broadcast. However, latency (and especially sender initialization)
should typically be very small in order to facilitate the
simultaneity and interactivity of virtual conferences.

Authenticity of data {\em and sender} is the most crucial
security concern. In some scenarios maintaining secrecy of data and
anonymity of members may be crucial as well; in many other
scenarios secrecy of data is not a concern at all. There is often a
natural group owner that may serve as a trusted center. Yet,
it is always beneficial to distribute trust as much as possible.

5.  A mini-survey of known related work

Following is a short survey of multicast security related work. The
authors apologize in advance for any misinterpretations and
omissions. Please write and complain. They will be happy to update
and correct the draft.
The first three sections of the survey describe work on three main
issues described above: group key management, individual
authentication, and membership revocation. The last section describes
work on prototypes which implement various elements of multicast
security.

Canetti, Pinkas                                                 [Page 7]

INTERNET DRAFT                                                  May 1998

5.1 Works on group key management

The works below  concentrate on establishing and managing a common key
among all group members. This key can be used for encryption
and group authentication, but is not sufficient for individual
authentication.

The GKMP protocol [GKMPA,GKMPS] generates and maintains symmetric
keys for the members of a multicast group. In this protocol each
multicast group has a dedicated Group Controller (GC) which is
responsible for managing the group keys. The GC  generates the
group keys in a joint operation with a selected group
member. Afterwards it contacts each group member validates its
permissions and sends it the group keys encrypted by a key mutually
shared between the GC and that member. This approach is non-scalable
since a single entity, the GC, is responsible for sending the keys to
all group members.

The Scalable Multicast Key Distribution scheme (SMKD) [Ballardie] is
based on the Core-Based Tree (CBT) routing protocol and provides
secure joining of a CBT group tree in a scalable approach.
It utilizes the hard-state approach of CBT in which routers on the
delivery tree know the identities of their tree-neighbors. When a CBT
group is initiated in this scheme the core of the tree operates
as the group controller and generates the group session keys and key
distribution  keys. As routers join the delivery tree they are
delegated the ability to authenticate joining members and provide
them with the group key. This approach is highly scalable. Yet, since
every router in the delivery tree obtains the same keys as the group
controller the scheme does not provide a high level of security against
corrupt routers in the group tree.

The Iolus scheme [Mittra] handles the scalability problem
by introducing a "secure distribution tree". The multicast group is
divided into subgroups which are arranged hierarchically. There is a
Group Security Controller (GSC) managing the top-level group, and
Group Security Intermediaries (GSIs) for managing the different
subgroups. Each subgroup has its own subkey which is chosen by its
manager. A GSI knows the keys of its subgroup and of a higher level
subgroup, so it can "translate" messages to/from higher levels.
A disadvantage of this approach is the latency incurred by GSIs
decrypting and re-encrypting each data packet (although the use of
encryption indirection enables this latency to be constant and
independent of the packets length). The removal of an untrusted GSI is
also complex.

Canetti, Pinkas                                                 [Page 8]

INTERNET DRAFT                                                  May 1998

The MKMP [MKMP] key management protocol enables the initial Group Key
Manager to delegate the key distribution authority to other
parties in a dynamic way. It first generates the group key (the
method which is used for key generation is left outside the scope of
the MKMP draft). Then it delegates the key distribution authority to
selected parties by sending a message to the  multicast group
soliciting  these parties. This message contains keys and access
lists which can only be decrypted by the solicited parties. After
they obtain this material they can operate as Group Key Managers.
This dynamic approach has the advantage that the group topology can be
adapted to changes occurring on-line. MKMP uses a single key for the
entire group and thus does not require hop-by-hop

5.2 Works on individual authentication

In order to authenticate that a message was sent by a group member it
is enough to use Message Authentication Codes (MACs, see e.g. [HMAC])
with a single shared key known to all group members. However, this
method does not suffice to enable individual authentication,
i.e. to authenticate a message as being from a specific party.

Individual authentication can be achieved if the sender of the message
signs it using a digital signature scheme. However, the computational
complexity of computing and verifying digital signatures, as well as the
length of the signature,  may be significant. RSA signatures might be
an appealing choice of a signature scheme since it is possible to use
them in a mode  which considerably reduces the running time of the
verifier.

It is also possible to use signature schemes based on elliptic curves,
which are very efficient in both the computation and the communication
requirements. Another interesting approach is to use on-line/off-line
signatures schemes [Even]. These enable the signer to perform most of
its computation off-line, even before it learns the message that it
should sign. When this message becomes known the signer only has to
perform a very efficient computation in order to complete the signature.

The schemes of Gennaro and Rohatgi [Gennaro] enable to efficiently
sign streams of data. Basically, the idea is to partition the data
packets into chains; each data packet will include a hash of the
next packets in the chain; now only the first packet in the chain
needs to be signed. However, these schemes do not deal well with
unreliable communication channels, and might not be efficient enough
for on-line data which should be transmitted "on-the-fly".

Canetti, Pinkas                                                 [Page 9]

INTERNET DRAFT                                                  May 1998

Building on previous work [FN1,Dyer], Canetti et al [CGIMNP]
suggest individual authentication schemes which are based on
efficient MACs rather than on public key signatures. These schemes are
designed to be secure against coalitions of up to k of group members,
where k is a parameter which affects the overhead. To explain the
approach, let us present a simplified example: The idea is to
use some number, n, of MAC keys. The pre-designated sender has all
keys, where each one of the receivers has  n/2 keys, chosen at random
from the n keys. Now, each message is MACed with each one of the n
keys, and a recipient verifies the MACs whose keys it knows.
A coalition of bad parties can make some victim' accept forge messages
only it the coalition knows all the MAC keys that the victim
knows. The parameters are set so that the probability that  such a

5.3 Works on membership revocation

In order to prevent newly joined members (respectively, leaving members)
from accessing data sent before they joined (respectively, after they
leave), one needs to change a multicast group key whenever membership
in the group changes. It is particularly difficult to make sure that a
leaving member does NOT know the newly distributed key.

The approach taken when  removing untrusted members in most existing
group key management protocols [GKMPA,SMKD,MKMP] is to generate a new
group key and distribute it to all the remaining group members, thus
essentially creating a new multicast group without the untrusted member.
This approach is highly non-scalable.  The same approach is also taken
by the Iolus protocol [Mittra] for the subgroup which contained the
removed member, but since this subgroup is smaller than the entire group
this solution is more scalable. However, if a Group Security
Intermediary becomes untrusted then a more complex operation (which is
not described in [Mittra]) should be performed.

Broadcast encryption is a scheme designed in [FN] to encrypt messages
from a single source to a dynamically changing group of recipients.
When a member is leaving, the scheme can be used to send the new group
key to the remaining members. The scheme uses a parameter k which is
the maximum tolerable size of a corrupt coalition of former group
members that might try to learn a key they should not get. The
overhead of the scheme is large for small numbers of leaving members,
but becomes more attractive when the number of leaving/joining members
is large.  The scheme is based on using a set of keys
and applying a clever method of assigning subsets of these keys to
group members. This assignment makes sure that for every corrupt
coalition of k users it is possible to encrypt a message such that the
keys known to the corrupt coalition members do not suffice for
decryption, whereas the keys of any other member do.

Canetti, Pinkas                                                 [Page 10]

INTERNET DRAFT                                                  May 1998

The scheme of Wallner et al [Wallner] for user revocation is highly
scalable. For a group of n members there is a total of 2n keys but
each member is only required to store log(n) keys. When a group
member is removed, the group controller should send a single message
of size 2log(n) to all members, and each member should perform log(n)
(rather efficient) computations in order to generate the new group
key. The removed member cannot compute the new group key even if it
receives this message. The basic idea of the scheme is to arrange the
users as leaves of a binary tree, assign a key to each node, give
each user the keys in the path from its leaf to the root and use the
root key as the group key. When a user is removed, all the keys it
holds are replaced. The main drawbacks of this scheme are  that it
requires the center to keep track of about 2n keys, and requires
each member to receive and process all member-revocation
messages in order to learn the current group key. In contrast, it may
be good to design mechanisms that enable members which have been
off-line to receive and process all member-revocation messages that
they have not received, in a reasonable amount of work.

5.4 Working prototypes

A prototype of the Iolus system has been implemented [Mittra]. It
uses a client application which interfaces between applications and
the Iolus GSC/GSIs. It is claimed there that the basic prototype is
rather a simple to implement and to use. There is only small
penalty for the decryption/encryption process of a GSI, and
this penalty does not depend on the size of the payload. Note however
that the Iolus system does not provide any individual authentication
mechanism.

A toolkit for secure internet multicast is described in [CEKPS]. It
emphasizes a separation between control and data functions. This
enables applications to have fine grain control over the data path,
while keeping the control plain transparent to the applications. The
toolkit can operate without end-to-end support for multicast, using
data reflectors connected via unicast tunnels. It is written in
Java. Similar to Iolus, a multicast group is divided to subgroups
(domains), however the toolkit offers better flexibility, supports
individual authentication (by using digital signatures), and operates
over non-multicast enabled backbones.

Canetti, Pinkas                                                 [Page 11]

INTERNET DRAFT                                                  May 1998

Acknowledgments
================

Much of this text is reproduced from [CGIMNP], written
with Juan Garay, Gene Itkis, Daniele Micciancio and Moni Naor.
The authors are grateful to the people with whom they interacted
on this topic, including all the above and in addition Naganand
Doraswamy, Rosario Gennaro, Dan Harkins, Shai Halevi, Dimitris
Pendarakis, Tal Rabin, Pankaj Rohargi and Debanjan Saha.

References
==========

[Ballardie] Ballardie A., "Scalable Multicast Key Distribution", RFC
1949, May 1996.

[CEKPS] Chang I., R. Engel, D. Kandlur, D. Pendarakis, D. Sala, "A
Toolkit for Secure Iternet Multicast", manuscript, 1998.

[CGIMNP] Canetti R., J. Garay, G. Itkis, D. Micciancio, M. Naor,
B. Pinkas, "Multicast Security: A Taxonomy and Efficient
Authentication", manuscript, 1998.

[Dyer] Dyer M., T. Fenner, A. Frieze, A. Thomason, "On Key Storage
in Secure Networks", J. of Cryptology, Vol. 8, 1995, 189--200.

[Even] Even S., O. Goldreich, S. Micali, "On-line/off-line digital
signatures", Advances in Cryptology - Crypto '89, Springer-Verlag
LNCS 435, pp. 263-277, 1990.

- Crypto '92, Springer-Verlag LNCS 839, pp. 257-270, 1994.

[FN1] Fiat A., M. Naor, Unpublished work. Appears in Alon N.,
"Probabilistic Methods in Extremal Finite Set Theory", in
"Extremal Problems for Finite Sets", 1991, 39--57.

[Gennaro] Gennaro R., P. Rohatgi, "How to Sign Digital Streams",
Advances in Cryptology - Crypto '97, Springer-Verlag LNCS 1294,
pp. 180-197, 1997.

Canetti, Pinkas                                                 [Page 12]

INTERNET DRAFT                                                  May 1998

[MKMP] Harkins D., N. Doraswamy, "A Secure, Scalable Multicast Key
Management Protocol (MKMP)".

[GMKPA] Harney, H., C. Muckenhirn, "Group Key Management Protocol
(GKMP) Architecture", RFC 2094, July 1997.

[GKMPS] Harney, H., C. Muckenhirn, "Group Key Management Protocol
(GKMP) Specification". RFC 2093, July 1997.

[HMAC] Krawczyk H., M. Bellare, R. Canetti, "HMAC: Keyed-Hashing for
Message Authentication", RFC 2104, February 1997.

[Mittra] Mittra S., "Iolus: A Framework for Scalable Secure
Multicast". In Proceedings of ACM SIGCOMM '97, Cannes, France,
September 1997.

[Wallner] Wallner D. M., E. G. Harder, R. C. Agee, "Key Management
for Multicast: Issues and Architecture", internet draft
draft-wallner-key-arch-00.txt, June 1997.

====================

Ran Canetti                              Benny Pinkas
IBM TJ Watson Research Center            Weizmann Inst. of Science
POB. 704, Yorktown Heights,              Rehovot, Israel
Tel. 1-914-784-7076                      Tel. +972-8-9344310
canetti@watson.ibm.com                   bennyp@wisdom.weizmann.ac.il

Canetti, Pinkas                                                 [Page 13]