[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00                                                            
INTERNET-DRAFT                                       R. Canetti,  B. Pinkas
draft-canetti-secure-multicast-taxonomy-00.txt             IBM Research and
Expire in two months                                 the Weizmann Institute
                                                                   May 1998


                  A taxonomy of multicast security issues
                         (temporary version)
               <draft-canetti-secure-multicast-taxonomy-00.txt>


                          Status of this Memo

   This document is an Internet Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and working groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check
   the "1id-abstracts.txt" listing contained in the Internet-Drafts
   Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
   (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
   (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
   (US West Coast).




   1. Abstract

   With the growth and commercialization of the Internet, the need for
   secure IP multicast is growing. In this draft we present a taxonomy of
   multicast security issues. We first sketch some multicast group
   parameters that are relevant to security, and outline the basic
   security issues concerning multicast in general, with emphasis on IP
   multicast. Next we suggest two `benchmark' scenarios for secure
   multicast solutions. Lastly we review some previous works.

   This is a temporary version of the document. The authors will be
   grateful for remarks, and will update and revise this document
   accordingly.












Canetti, Pinkas                                                 [Page i]


INTERNET DRAFT                                                  May 1998



   Table of Contents:

   1. Abstract ................................................. i
   2. Introduction ............................................. 1
   3. A Taxonomy of multicast security issues................... 2
      3.1 Multicast group characteristics....................... 2
      3.2 Security requirements and trust issues................ 3
      3.3 Performance  parameters............................... 5
   4. Benchmark Scenarios....................................... 5
      4.1 Single source broadcast............................... 6
      4.2 Virtual Conferences................................... 7
   5. A mini-survey of related work............................. 7
      5.1 Works on group key management......................... 8
      5.2 Works on individual authentication.................... 9
      5.3 Works on membership revocation........................10
      5.4 Working prototypes....................................11
   Acknowledgments.... .........................................12
   References...................................................12
   Authors address..............................................13




   2. Introduction


   In addition to traditional  unicast communication, the Internet
   Protocol supports a multicast mode where a packet is addressed to
   a group of recipients. The main motivation behind this mode is
   efficiency, both in sender resources (one transmission serves all
   recipients) and in network resources (far less traffic). The main
   challenge in efficient multicast transmission is routing: how to get
   a packet to its intended recipients with minimal latency and
   bandwidth consumption. See work done at the MBONED and IDMR working
   groups. Reliable multicast is being studied in the IRTF Reliable
   Multicast working group.

   The growth and commercialization of the Internet offers a large
   variety of scenarios where multicast transmission will greatly save
   in bandwidth and sender resources. Immediate examples include news
   feeds and stock quotes, video transmissions, teleconferencing,
   software updates, and more. Yet, multicast transmission introduces
   security concerns that are far more complex than those of simple
   unicast.  Even dealing with the `standard' issues of message
   authentication and secrecy becomes much more complex; in addition
   other concerns arise, such as access control, trust in group
   centers, trust in routers, dynamic group membership, and others.




Canetti, Pinkas                                                 [Page 1]


INTERNET DRAFT                                                  May 1998

   We are looking for solutions that mesh well with current multicast
   routing protocols, and that have as small overhead as possible.
   In particular, a realistic solution must maintain the current way by
   which {\em data packets} are being routed; yet additional control
   messages may be introduced, for key exchange and access control.
   These messages need not necessarily be sent via multicast.

   As a first step towards a workable solution, we present a taxonomy
   of multicast security concerns and scenarios, with a strong emphasis
   on IP multicast.  First we list multicast group characteristics
   that are relevant to security. Next we list security concerns and some
   trust issues. We also discuss important performance parameters.

   It soon becomes clear that the scenarios are so diverse that there
   is little hope for a single security solution that accommodates all
   scenarios.  Thus we suggest two `benchmark' scenarios for
   multicast security solutions.  One scenario involves a single sender
   (say, an on-line stock-quotes distributor) and a large number of
   passive recipients (say, hundreds of thousands). The second scenario
   depicts relatively small interactive groups of up to few thousands
   of participants.

   Lastly we present a brief survey of existing work on multicast
   security. (The authors apologize in advance for any
   misinterpretations and omissions. Please write and complain. They
   will be happy to update and correct the  draft.) Two main issues
   emerge, where the performance of current solutions leaves much to be
   desired. One is individual authentication, where it is required to
   make sure that information is arriving from a particular group member
   (as opposed to information coming from "one of the group members").
   The other is membership revocation: here it is required to prevent
   a leaving member from future access to the group resources.



   3.   A Taxonomy of multicast security issues

   3.1  Multicast group characteristics

   We list salient parameters of multicast groups. These parameters
   affect in a crucial way on the security architecture that should be
   used.

   Group size: Can vary from several tens of participants in small
      discussion groups, through thousands in virtual conferences
      and classes, and up to several millions in large broadcasts.

   Member characteristics: These include computing power (do all members
      have similar computing power or can some members be loaded more
      than others?) and attention (are members on-line at all times?).


Canetti, Pinkas                                                 [Page 2]


INTERNET DRAFT                                                  May 1998

   Membership dynamics: Is the group membership static and known in
      advance? Otherwise, do members only join, or do members also
      leave? how frequently does membership change and how fast should
      changes be updated? Are membership changes bursty?

   Expected life time: Is the group expected to last several minutes?
      days? unbounded amount of time?


   Number and type of senders: Is there a single party that sends data?
     several such parties? all parties?  Does few senders generate most
     of the traffic? Is the identity of the senders known in advance?
     Are non-members expected to send data?

   Volume and type of traffic: Is there heavy volume of communication?
     Must the communication arrive in real-time? what is the allowed
     latency? For instance, is it data communication (less stringent
     real-time requirements, low volume), audio (must be real-time,
     low volume), or video (real-time, high volume)?


   3.2  Security requirements and trust issues

   We list several security requirements and trust issues. Not all
   issues are relevant to all multicast applications; yet they should
   be kept in mind when designing a system.

   Long-term secrecy: Making sure that  the data remains secret to
     non-group members, for a substantial amount of time after
     transmission. This may often not be a requirement for multicast
     traffic. In particular, the larger the multicast group the
     weaker the secrecy assurance is (even if the cryptography
     is perfect.)

   Perfect Forward Secrecy: Making sure that encrypted data remains
     secret even if the key is compromised (either by cryptanalysis or
     by break-in) at a later date. This requirement is needed only for
     applications that require long-term secrecy. Thus in many
     multicast applications it is not necessary.

   Ephemeral secrecy: Preventing non group-members from easy access
     to the transmitted data. Here a mechanism that delays access,
     or prevents access only to crucial parts of the data is sufficient.
     (For instance, to maintain ephemeral secrecy when transmitting
     a video it is  sufficient to encrypt only the low-order Fourier
     coefficients in an MPEG encoding.)






Canetti, Pinkas                                                 [Page 3]


INTERNET DRAFT                                                  May 1998

   Sender and data authenticity: Making sure that the received data
     originates with the claimed sender and was not modified on
     the way.  Authenticity takes two flavors:  Group authenticity
     means that a group member can recognize whether a message
     was sent by a group member. Individual authenticity means that
     it is possible to identify the particular sender within the group.
     It may also be desirable to verify the origin of messages
     even if the originator is not a group member.

   Anonymity: Several flavors are possible. One is keeping the identity
     of group members secret from outsiders or from other group members.
     Another is keeping the identity of the sender of a message secret.
     A related concern is protection from traffic analysis.



   Non-repudiability: The ability of receivers of data to prove to third
     parties that the data has been transmitted, together with the
     source. Non-repudiability is somewhat contradictory to anonymity,
     and it is not clear whether it should be implemented in an IP-layer
     protocol.

   Key refreshment: The need to refresh (change) the key during a
     lengthy multicast session, in order to foil cryptanalysis and
     other methods for compromising the key. It should be remembered
     that key refreshment in a multicast setting is more complex
     than for unicast.

   Service availability: Maintaining service availability against
     malicious attack is ever more relevant in a multicast setting,
     since clogging attacks are easier to mount and are much more
     harmful.

   Group management and ownership: Several tasks related to
     a secure multicast group need handling. We list these tasks
     below. These tasks can be handled either by a centralized
     entity or in a distributed way (and then it should be decided which
     entities or coalitions of entities can perform each security
     critical operation)  . It should be remembered that putting trust
     in centralized centers is a security Achilles-heel (although it
     usually makes solutions much simpler).
     Group management tasks include:
      * Key management
      * Logging/Audit
      * Error and exception handling
      * Access control (see below)

   Access control: Controlling group membership, and perhaps keeping
     reliable records of the amount of usage of each member. The problem
     becomes more complex if members may join with time, and even more
     complex if members may leave the group (and then the group has to
     make sure that the leaving members lose the cryptographic abilities
     reserved to members).

Canetti, Pinkas                                                 [Page 4]


INTERNET DRAFT                                                  May 1998




   3.3   Performance  parameters

   We list relevant performance parameters. Relative importance of
   these parameters may vary from application to application. These
   parameters should always be measured against the degree of security
   achieved.


   Latency, bandwidth  and work overhead per data packets. These are
     the most immediate costs and should definitely be minimized.
     Here distinction should be made between the load on strong server
     machines and on weak end-users.



   Group initialization, and member addition and deletion overheads.
     Group initialization occurs once. In groups with highly dynamic
     membership, efficient addition (and especially deletion) of
     members may be an important concern.

   Sender initialization, the overhead of a sender when it starts
     transmitting to the group.

   Key generation and distribution overhead.

   Congestion, especially around centralized control services
     at peak sign-on and sign-off times. (A quintessential scenario
     is a real-time broadcast where many people join right before the
     broadcast begins and leave right after it ends.)

   Resume overhead: The work incurred when a group member becomes
     active after being dormant (say, off-line) for a while.


   4. Benchmark Scenarios

   As seen above, it takes many parameters to characterize a multicast
   security scenario, and a large number of potential scenarios exist.
   Different scenarios call for different solutions; it seems unlikely
   that a single solution will accommodate all scenarios.

   We present two very different scenarios for secure multicast,
   and sketch possible solutions and challenges. These scenarios seem
   to be the ones that require most urgent solutions; in addition, they
   span a large fraction of the concerns described above, and solutions
   here may well be useful in other scenarios as well. Thus we suggest
   these scenarios as benchmarks for evaluating security solutions.


Canetti, Pinkas                                                 [Page 5]


INTERNET DRAFT                                                  May 1998

   4.1 Single source broadcast

   Here a single source wishes to continuously broadcast data to a large
   number of passive recipients. The source can be a news agency that
   broadcasts stock-quotes and news-feeds to paying customers, or a
   Pay-TV station. We list a number of characteristics:

   The number of recipients can be up to hundreds of thousands or even
   several millions.  The source is typically a top-end machine with
   ample resources. It can also be parallelized or even split to several
   sources in different locations. The recipients are typically
   lower-end machines with limited resources. Consequently, and security
   solution must optimize for efficiency at the recipient side.

   Although the life-time of the group is usually long, the group
   membership is dynamic: members join and leave at a relatively high
   rate. In addition, at peak times (say, before and after important
   broadcasts) a high volume of sign-on/sign-off requests are expected.
   In addition, it can be assumed that members have a long-term
   relationship with the group; this may facilitate processing of
   sign-on/sign-off requests.


   The volume of transmitted data may vary considerably: if only
   text is being transmitted then the volume is relatively low (and
   the latency requirements are quite relaxed); if audio/video is
   transmitted (say, in on-line pay-TV) then the volume can be very
   high and very little latency is allowed.

   Authenticity of the transmitted data is a crucial concern and
   should be strictly maintained: a client must never accept a forged
   stock-quote as authentic. Another important concern is preventing
   non-members from using the service. This can be achieved by
   encrypting the data; yet the encryption may be weak since there
   is no real secrecy requirement - only prevention from easy
   unauthorized use.

   The required latency of the communication varies from application
   to application.  Member revocation should be performed within minutes
   or seconds from the time it is requested (but it is typically not
   required to remove members within fractions of a second)

   There is usually a natural group owner that manages access-control as
   well as key management. However, the sender of data may be a
   different entity (say, Yahoo broadcasting Reuters stock-quotes in its
   home-page).







Canetti, Pinkas                                                 [Page 6]


INTERNET DRAFT                                                  May 1998



  4.2  Virtual Conferences


   Typical virtual conference scenarios may include on-line meetings
   of corporate executives or committees, town-hall type meetings,
   interactive lectures and classes, and multiparty video games.
   A virtual conference involves several tens to hundreds of peers,
   often with roughly similar computational resources. Usually most,
   or all, group members may a-priori wish to transmit data
   (although often there is a small set of members that generate
   most of the bandwidth).

   The group is often formed per event and is relatively short-lived
   (say, few minutes or hours). Membership is often static: members
   join at start-up, and remain signed on throughout. Furthermore,
   even if a member leaves it is often not crucial to
   cryptographically revoke their group membership.
   Bandwidth and latency requirements vary from application to
   application, similarly to the case of single source
   broadcast. However, latency (and especially sender initialization)
   should typically be very small in order to facilitate the
   simultaneity and interactivity of virtual conferences.

   Authenticity of data {\em and sender} is the most crucial
   security concern. In some scenarios maintaining secrecy of data and
   anonymity of members may be crucial as well; in many other
   scenarios secrecy of data is not a concern at all. There is often a
   natural group owner that may serve as a trusted center. Yet,
   it is always beneficial to distribute trust as much as possible.



   5.  A mini-survey of known related work

   Following is a short survey of multicast security related work. The
   authors apologize in advance for any misinterpretations and
   omissions. Please write and complain. They will be happy to update
   and correct the draft.
   The first three sections of the survey describe work on three main
   issues described above: group key management, individual
   authentication, and membership revocation. The last section describes
   work on prototypes which implement various elements of multicast
   security.







Canetti, Pinkas                                                 [Page 7]


INTERNET DRAFT                                                  May 1998

   5.1 Works on group key management

   The works below  concentrate on establishing and managing a common key
   among all group members. This key can be used for encryption
   and group authentication, but is not sufficient for individual
   authentication.

   The GKMP protocol [GKMPA,GKMPS] generates and maintains symmetric
   keys for the members of a multicast group. In this protocol each
   multicast group has a dedicated Group Controller (GC) which is
   responsible for managing the group keys. The GC  generates the
   group keys in a joint operation with a selected group
   member. Afterwards it contacts each group member validates its
   permissions and sends it the group keys encrypted by a key mutually
   shared between the GC and that member. This approach is non-scalable
   since a single entity, the GC, is responsible for sending the keys to
   all group members.

   The Scalable Multicast Key Distribution scheme (SMKD) [Ballardie] is
   based on the Core-Based Tree (CBT) routing protocol and provides
   secure joining of a CBT group tree in a scalable approach.
   It utilizes the hard-state approach of CBT in which routers on the
   delivery tree know the identities of their tree-neighbors. When a CBT
   group is initiated in this scheme the core of the tree operates
   as the group controller and generates the group session keys and key
   distribution  keys. As routers join the delivery tree they are
   delegated the ability to authenticate joining members and provide
   them with the group key. This approach is highly scalable. Yet, since
   every router in the delivery tree obtains the same keys as the group
   controller the scheme does not provide a high level of security against
   corrupt routers in the group tree.

   The Iolus scheme [Mittra] handles the scalability problem
   by introducing a "secure distribution tree". The multicast group is
   divided into subgroups which are arranged hierarchically. There is a
   Group Security Controller (GSC) managing the top-level group, and
   Group Security Intermediaries (GSIs) for managing the different
   subgroups. Each subgroup has its own subkey which is chosen by its
   manager. A GSI knows the keys of its subgroup and of a higher level
   subgroup, so it can "translate" messages to/from higher levels.
   A disadvantage of this approach is the latency incurred by GSIs
   decrypting and re-encrypting each data packet (although the use of
   encryption indirection enables this latency to be constant and
   independent of the packets length). The removal of an untrusted GSI is
   also complex.


Canetti, Pinkas                                                 [Page 8]


INTERNET DRAFT                                                  May 1998

   The MKMP [MKMP] key management protocol enables the initial Group Key
   Manager to delegate the key distribution authority to other
   parties in a dynamic way. It first generates the group key (the
   method which is used for key generation is left outside the scope of
   the MKMP draft). Then it delegates the key distribution authority to
   selected parties by sending a message to the  multicast group
   soliciting  these parties. This message contains keys and access
   lists which can only be decrypted by the solicited parties. After
   they obtain this material they can operate as Group Key Managers.
   This dynamic approach has the advantage that the group topology can be
   adapted to changes occurring on-line. MKMP uses a single key for the
   entire group and thus does not require hop-by-hop
   decryption/re-encryption of the  payload.


   5.2 Works on individual authentication

   In order to authenticate that a message was sent by a group member it
   is enough to use Message Authentication Codes (MACs, see e.g. [HMAC])
   with a single shared key known to all group members. However, this
   method does not suffice to enable individual authentication,
   i.e. to authenticate a message as being from a specific party.

   Individual authentication can be achieved if the sender of the message
   signs it using a digital signature scheme. However, the computational
   complexity of computing and verifying digital signatures, as well as the
   length of the signature,  may be significant. RSA signatures might be
   an appealing choice of a signature scheme since it is possible to use
   them in a mode  which considerably reduces the running time of the
   verifier.

   It is also possible to use signature schemes based on elliptic curves,
   which are very efficient in both the computation and the communication
   requirements. Another interesting approach is to use on-line/off-line
   signatures schemes [Even]. These enable the signer to perform most of
   its computation off-line, even before it learns the message that it
   should sign. When this message becomes known the signer only has to
   perform a very efficient computation in order to complete the signature.

   The schemes of Gennaro and Rohatgi [Gennaro] enable to efficiently
   sign streams of data. Basically, the idea is to partition the data
   packets into chains; each data packet will include a hash of the
   next packets in the chain; now only the first packet in the chain
   needs to be signed. However, these schemes do not deal well with
   unreliable communication channels, and might not be efficient enough
   for on-line data which should be transmitted "on-the-fly".


Canetti, Pinkas                                                 [Page 9]


INTERNET DRAFT                                                  May 1998

   Building on previous work [FN1,Dyer], Canetti et al [CGIMNP]
   suggest individual authentication schemes which are based on
   efficient MACs rather than on public key signatures. These schemes are
   designed to be secure against coalitions of up to k of group members,
   where k is a parameter which affects the overhead. To explain the
   approach, let us present a simplified example: The idea is to
   use some number, n, of MAC keys. The pre-designated sender has all
   keys, where each one of the receivers has  n/2 keys, chosen at random
   from the n keys. Now, each message is MACed with each one of the n
   keys, and a recipient verifies the MACs whose keys it knows.
   A coalition of bad parties can make some `victim' accept forge messages
   only it the coalition knows all the MAC keys that the victim
   knows. The parameters are set so that the probability that  such a
   bad event occurs is small.


   5.3 Works on membership revocation

   In order to prevent newly joined members (respectively, leaving members)
   from accessing data sent before they joined (respectively, after they
   leave), one needs to change a multicast group key whenever membership
   in the group changes. It is particularly difficult to make sure that a
   leaving member does NOT know the newly distributed key.

   The approach taken when  removing untrusted members in most existing
   group key management protocols [GKMPA,SMKD,MKMP] is to generate a new
   group key and distribute it to all the remaining group members, thus
   essentially creating a new multicast group without the untrusted member.
   This approach is highly non-scalable.  The same approach is also taken
   by the Iolus protocol [Mittra] for the subgroup which contained the
   removed member, but since this subgroup is smaller than the entire group
   this solution is more scalable. However, if a Group Security
   Intermediary becomes untrusted then a more complex operation (which is
   not described in [Mittra]) should be performed.

   Broadcast encryption is a scheme designed in [FN] to encrypt messages
   from a single source to a dynamically changing group of recipients.
   When a member is leaving, the scheme can be used to send the new group
   key to the remaining members. The scheme uses a parameter k which is
   the maximum tolerable size of a corrupt coalition of former group
   members that might try to learn a key they should not get. The
   overhead of the scheme is large for small numbers of leaving members,
   but becomes more attractive when the number of leaving/joining members
   is large.  The scheme is based on using a set of keys
   and applying a clever method of assigning subsets of these keys to
   group members. This assignment makes sure that for every corrupt
   coalition of k users it is possible to encrypt a message such that the
   keys known to the corrupt coalition members do not suffice for
   decryption, whereas the keys of any other member do.


Canetti, Pinkas                                                 [Page 10]


INTERNET DRAFT                                                  May 1998

   The scheme of Wallner et al [Wallner] for user revocation is highly
   scalable. For a group of n members there is a total of 2n keys but
   each member is only required to store log(n) keys. When a group
   member is removed, the group controller should send a single message
   of size 2log(n) to all members, and each member should perform log(n)
   (rather efficient) computations in order to generate the new group
   key. The removed member cannot compute the new group key even if it
   receives this message. The basic idea of the scheme is to arrange the
   users as leaves of a binary tree, assign a key to each node, give
   each user the keys in the path from its leaf to the root and use the
   root key as the group key. When a user is removed, all the keys it
   holds are replaced. The main drawbacks of this scheme are  that it
   requires the center to keep track of about 2n keys, and requires
   each member to receive and process all member-revocation
   messages in order to learn the current group key. In contrast, it may
   be good to design mechanisms that enable members which have been
   off-line to receive and process all member-revocation messages that
   they have not received, in a reasonable amount of work.



   5.4 Working prototypes


   A prototype of the Iolus system has been implemented [Mittra]. It
   uses a client application which interfaces between applications and
   the Iolus GSC/GSIs. It is claimed there that the basic prototype is
   rather a simple to implement and to use. There is only small
   penalty for the decryption/encryption process of a GSI, and
   this penalty does not depend on the size of the payload. Note however
   that the Iolus system does not provide any individual authentication
   mechanism.

   A toolkit for secure internet multicast is described in [CEKPS]. It
   emphasizes a separation between control and data functions. This
   enables applications to have fine grain control over the data path,
   while keeping the control plain transparent to the applications. The
   toolkit can operate without end-to-end support for multicast, using
   data reflectors connected via unicast tunnels. It is written in
   Java. Similar to Iolus, a multicast group is divided to subgroups
   (domains), however the toolkit offers better flexibility, supports
   individual authentication (by using digital signatures), and operates
   over non-multicast enabled backbones.


Canetti, Pinkas                                                 [Page 11]


INTERNET DRAFT                                                  May 1998



   Acknowledgments
   ================

   Much of this text is reproduced from [CGIMNP], written
   with Juan Garay, Gene Itkis, Daniele Micciancio and Moni Naor.
   The authors are grateful to the people with whom they interacted
   on this topic, including all the above and in addition Naganand
   Doraswamy, Rosario Gennaro, Dan Harkins, Shai Halevi, Dimitris
   Pendarakis, Tal Rabin, Pankaj Rohargi and Debanjan Saha.



   References
   ==========

   [Ballardie] Ballardie A., "Scalable Multicast Key Distribution", RFC
   1949, May 1996.

   [CEKPS] Chang I., R. Engel, D. Kandlur, D. Pendarakis, D. Sala, "A
   Toolkit for Secure Iternet Multicast", manuscript, 1998.

   [CGIMNP] Canetti R., J. Garay, G. Itkis, D. Micciancio, M. Naor,
   B. Pinkas, "Multicast Security: A Taxonomy and Efficient
   Authentication", manuscript, 1998.

   [Dyer] Dyer M., T. Fenner, A. Frieze, A. Thomason, "On Key Storage
   in Secure Networks", J. of Cryptology, Vol. 8, 1995, 189--200.

   [Even] Even S., O. Goldreich, S. Micali, "On-line/off-line digital
   signatures", Advances in Cryptology - Crypto '89, Springer-Verlag
   LNCS 435, pp. 263-277, 1990.

   [FN] Fiat A., M. Naor, "Broadcast Encryption", Advances in Cryptology
   - Crypto '92, Springer-Verlag LNCS 839, pp. 257-270, 1994.

   [FN1] Fiat A., M. Naor, Unpublished work. Appears in Alon N.,
   "Probabilistic Methods in Extremal Finite Set Theory", in
   "Extremal Problems for Finite Sets", 1991, 39--57.

   [Gennaro] Gennaro R., P. Rohatgi, "How to Sign Digital Streams",
   Advances in Cryptology - Crypto '97, Springer-Verlag LNCS 1294,
   pp. 180-197, 1997.


Canetti, Pinkas                                                 [Page 12]


INTERNET DRAFT                                                  May 1998

   [MKMP] Harkins D., N. Doraswamy, "A Secure, Scalable Multicast Key
   Management Protocol (MKMP)".

   [GMKPA] Harney, H., C. Muckenhirn, "Group Key Management Protocol
   (GKMP) Architecture", RFC 2094, July 1997.

   [GKMPS] Harney, H., C. Muckenhirn, "Group Key Management Protocol
   (GKMP) Specification". RFC 2093, July 1997.

   [HMAC] Krawczyk H., M. Bellare, R. Canetti, "HMAC: Keyed-Hashing for
   Message Authentication", RFC 2104, February 1997.

   [Mittra] Mittra S., "Iolus: A Framework for Scalable Secure
   Multicast". In Proceedings of ACM SIGCOMM '97, Cannes, France,
   September 1997.

   [Wallner] Wallner D. M., E. G. Harder, R. C. Agee, "Key Management
   for Multicast: Issues and Architecture", internet draft
   draft-wallner-key-arch-00.txt, June 1997.







   Authors'  Addresses:
   ====================


   Ran Canetti                              Benny Pinkas
   IBM TJ Watson Research Center            Weizmann Inst. of Science
   POB. 704, Yorktown Heights,              Rehovot, Israel
   Tel. 1-914-784-7076                      Tel. +972-8-9344310
   canetti@watson.ibm.com                   bennyp@wisdom.weizmann.ac.il



















Canetti, Pinkas                                                 [Page 13]