Internet Engineering Task Force                       L. Dondeti/Nortel
Internet Draft                          B. Decleene and S. Griffin/TASC
draft-dondeti-irtf-smug-gkm-mobility-00.txt        T. Hardjono/Verisign
July 2001                                        J. Kurose, D. Towsley,
Expires: January 2002                  C. Zhang and S. Vasudevan/UMass.


        Group key management in wireless and mobile environments

STATUS OF THIS MEMO

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference mate-
   rial or to cite them other than as "work in progress".

   To view the list Internet-Draft Shadow Directories, see
   http://www.ietf.org/shadow.html.


Abstract

   In this document we consider the problem of key management in a
   mobile wireless networking environment, such as a dynamic, dis-
   tributed setting in which command and control nodes move along with
   individual users.  In this scenario, data must be securely multicast
   from one source to many users, requiring that users be properly
   keyed. Furthermore, because users move in and out of the session (due
   to mobility, attrition, and reinforcement), in order to preserve con-
   fidentiality, it becomes necessary to rekey each time a user enters
   or leaves. We present a hierarchical framework and key distribution
   algorithms for such a dynamic environment, with a focus on how keys
   and trust relationships are transferred when users move between so-
   called "areas" in the group management hierarchy.  We present several
   schemes including one that rekeys every time a member moves from area
   to area and one that delays rekeying so long as security is not com-
   promised.







L. Dondeti                                                    [Page 1]


Internet Draft         Mobile group key management


                           Table of Contents

1 Introduction to secure mobile groups
2 Hierarchical group key management
3 Impact of mobility on key management
3.1 Mobile members
3.2 Mobile key distributors
4 Key management to address mobility
4.1 Baseline rekeying
4.2 Immediate rekeying
4.3 Delayed rekeying
5 Summary and future work
6 Authors' contact information








1 Introduction to secure mobile groups

   Consider secure communication to a group of mobile nodes.  The commu-
   nication could be over wired or wireless networks.  Several solutions
   exist in the literature for secure group key management. A group man-
   ager distributes a common key used for encryption of data to the
   sender(s) as well as the members. For several applications, it is
   necessary that perfect forward and backward access control be main-
   tained in the group. To achieve perfect forward/backward access con-
   trol, the group manager sends a new group key at each membership
   change.

   There are two types of solutions for scalable rekeying of large
   groups. One involves maintenance of a logical key hierarchy (LKH)
   [1,2], while the other calls for a group management hierarchy. A com-
   bination of the two approaches is probably the best solution for
   efficient rekeying.

   When members are mobile, hierarchical group key management (in effect
   decentralized group key management) works better than centralized
   group key management used in LKH-based approaches.  In hierarchical
   group management (e.g. Iolus [3] and Intra-domain group key manage-
   ment [4]), there are several "area key distributors (AKD)" (subgroup
   managers in Iolus) to manage the group. If the AKDs are geographi-
   cally distributed, mobile members can get access to new group keys as
   long as they are "near" to one of the AKDs.




L. Dondeti                                                    [Page 2]


Internet Draft         Mobile group key management


   The notion of members moving between areas or subgroups is new to
   group key management. We investigate the issues involved in area
   rekeying when members move between areas. We present several differ-
   ent rekeying algorithms and analyze their applicability. Note that in
   some applications, senders must stop data transmission during rekey-
   ing. Mobile group members may add to the rekeying overhead when they
   move between areas. We propose algorithms that minimize the time off-
   line due to rekeying.

2 Hierarchical group key management

   A common approach for designing a scalable network service is to
   adopt a hierarchical structure, and a number of recently-proposed key
   management algorithms have adopted such an approach [3,4].  Broadly,
   these rekeying algorithms operate by hierarchically dividing the key
   management domain into smaller administratively scoped areas. The
   details of hierarchical key management differ from one approach to
   another, and so in our discussion below we adopt a framework based on
   [4].

   Throughout the domain, a Domain Key Distributor (DKD) generates the
   data key used by the sender for encrypting data. The DKD may be col-
   located with the sender or shared throughout the domain by multiple
   sessions. As discussed previously, whenever a new member joins a cur-
   rent session or an existing member leaves a session, a new data key
   must be generated and distributed to ensure both forward and backward
   confidentiality.

   The domain is further divided into disjoint areas. An area is unique
   in that movement within the area does not require any additional sig-
   naling with regard to rekeying; and the cost of rekeying members when
   a join/leave occurs is considered reasonable. Areas may be small
   (such as a fine-grained ad-hoc network) or large (such as a satellite
   broadcast) depending upon the network topology and operational
   arrangements. Similarly, an area can be either logically or geograph-
   ically defined.

   Within each area, an Area Key Distributor (AKD) is responsible for
   distributing the data key to members within that area. Because the
   distribution of the data key within an area must itself be secure,
   area-local keys are used by the AKD to distribute a new data key to
   members within the area. Approaches for intra-area rekeying include
   Public Key Infrastructure (PKI), secure multicast, and logical tree-
   based algorithms such as [2,1].

   From the definition of area, mobility impacts performance only when
   members cross between areas. Without AKD reassignment, rekeying mes-
   sages must cross heterogeneous network boundaries resulting in



L. Dondeti                                                    [Page 3]


Internet Draft         Mobile group key management


   additional performance degradation. Consequently, member movement
   between areas requires a coordinated transfer of the security rela-
   tionships. Inter-area rekeying algorithms address this problem by
   introducing specific semantics for transferring between areas.

3 Impact of mobility on key management

   Mobility complicates key management by allowing members to not only
   leave or join a session but also transfer between networks while
   remaining in the session. Since a mobile user may accumulate informa-
   tion about the local security services for each area he/she visits,
   the key management system must consider the level of trust to impart
   to these mobile members and the performance implications should the
   member leave the session.  Furthermore, as a member moves, the net-
   work latency between the member and the key management services may
   change and result in additional performance degradation.

3.1 Mobile members

   The performance of any inter-area rekeying algorithm strongly depends
   upon the mobility characteristics of the members as well as their
   join/leave characteristics. Members that remain in the session for
   long periods of time and are highly mobile are likely to visit many
   areas. As the number of these high-mobility members increase, the
   amount of control overhead increases. Approaches that minimize the
   amount of rekeying when a members moves between areas help address
   this concern.

   Fundamentally, inter-area rekeying requires members and/or key dis-
   tributors to identify when a member is leaving one area and entering
   a new area. Bind credentials that have been signed by the departing
   area may be delivered to the member transferring to stream-line
   his/her authentication onto the new area. Managing these credentials
   is important to improving performance while ensuring confidentiality.
   Alternatively, key distributors may coordinate between each other to
   "hand-off" the member.

3.2 Mobile key distributors

   Mobility of an AKD or DKD may result in substantial changes in the
   hierarchical topology. To ensure performance, inter-area rekeying
   must address the problems of new key distributor nomination/election,
   member reassignment, and load balancing to ensure that the end-to-end
   performance is maintained.

4 Key management to address mobility





L. Dondeti                                                    [Page 4]


Internet Draft         Mobile group key management


   In this document, we describe multiple inter-area key distribution
   algorithms, where members may not only enter/leave the session but
   may also move between areas. These algorithms are defined below.

4.1 Baseline rekeying

   A direct approach for handling mobility across areas (called the
   baseline algorithm) is to treat the movement as a leave from the old
   area followed by a join to the new area.  The member leaving the ses-
   sion notifies the local AKD, which halts the current data transmis-
   sion. Next, the local AKD updates the area key for the remaining mem-
   bers by either securely unicasting to each member using their shared
   private key, or exploiting a more sophisticated intra-area key proto-
   col such as LKH [2]. Once this is updated securely, a new data key
   can be distributed to all areas such that the departing member is
   excluded. At this point, data transmission resumes. This approach
   ensures forward confidentiality.

   During the join, the process is similar. The new member informs the
   local AKD of its intent to join. Data transmission is halted while a
   new area key is distributed to the current members (through multi-
   cast) and the new member (through unicast). Once complete, the new
   data key is distributed to all of the members and transmission
   resumes.  This approach ensures backward confidentiality.

   The disadvantage of the baseline algorithm is that data transmission
   is unnecessarily interrupted twice during a transfer between areas
   because the system cannot distinguish between a departing member and
   a member that is simply moving. The result is degraded throughput and
   additional computational complexity as extra keys are calculated.

4.2 Immediate rekeying

   The immediate rekeying algorithm extends the baseline algorithm by
   adding explicit semantics for a hand-off between areas.  The member
   initiates a transfer by notifying the two affected areas. Each area
   updates the local area keys per their new membership.  However,
   unlike the baseline algorithm, no new data key is generated and the
   data transmission continues uninterrupted. Note that when a member
   actually leaves or joins the session, data transmission is inter-
   rupted as new data and area keys are generated per the baseline algo-
   rithm described previously.

4.3 Delayed rekeying

   Both baseline and immediate rekeying algorithms rekey the local areas
   as soon as a member transfers. As a result, a member that moves
   rapidly between two areas may cause repeated local rekeying. In



L. Dondeti                                                    [Page 5]


Internet Draft         Mobile group key management


   baseline rekeying mobility of a single member affects all the members
   in the domain (since the data key changes).

   Delayed algorithms postpone local rekeying until a particular crite-
   rion is satisfied. Members moving between multiple areas may accumu-
   late multiple area keys and reuse these keys when they return to a
   previously visited area. As always, if a member leaves or joins the
   session, then the appropriate areas are rekeyed to ensure forward and
   backward confidentiality.

   In pure delayed rekeying, each AKD maintains a list of members that
   have left the area but still hold valid keys for the area.  When a
   member transfers, the area that the member is entering is rekeyed to
   prevent a member from falsely transferring into an area to get access
   to the old keys (backward confidentiality). For the departed area,
   the AKD does not rekey but instead adds the member to the Extra Key
   Owner List (EKOL). This list is reset whenever a local rekey occurs.
   When a member returns to an area, it is checked against the EKOL and
   no new keys are generated if it is on the list.

   A characteristic of the delayed algorithms is that they defer some of
   the rekeying until a member departs. In this case, all of the areas
   that the member has currently valid keys are rekeyed as well to pre-
   vent unauthorized access. Thus, the impact of member mobility is
   reduced at the cost of increased leave semantics.

   One modification of this approach proposed by Chun et.  al. [5]
   allows members who have previously visited an area and are reauthen-
   ticated to receive the current area key to be added without rekeying
   of the new area. The benefit of this approach is that the number of
   keys generated and distributed is substantially reduced. The algo-
   rithm can be further extended by overlaying periodic rekeying of the
   areas to prevent any outside member from holding the key beyond a
   finite period of time. Alternatively, threshold rekeying triggers a
   rekey of an area whenever any member collects more than a given num-
   ber of keys.  This ensures that no member is able to accumulate all
   the keys by visiting all of the areas.

5 Summary and future work

   In this document, we describe group rekeying in the presence of
   mobile members. We propose that hierarchical group key management
   works best for managing mobile members of a secure group. We intro-
   duce several rekeying schemes when members move from one area to
   another area, while still being member of a group.

   Our ongoing work includes mathematical analysis of the various rekey-
   ing schemes to investigate the time off-line and rekeying overhead



L. Dondeti                                                    [Page 6]


Internet Draft         Mobile group key management


   due to mobility. We are currently developing a prototype of the key
   management framework (KMF) and the rekeying algorithms.

   Apart from the analysis and implementation of the protocols proposed
   so far, our focus is on the following topics:

     o Implications of mobility on SA management

     o Mobile AKDs

       When an AKD moves, members within its area may decide to (s)elect
       a new AKD to manage them. We are currently investigating AKD
       (s)election algorithms.

6 Bibliography

   [1] D. Balenson, D. McGrew, and A. Sherman, "Key management for large
   dynamic groups: One-way function trees and amortized initialization,"
   Internet Draft, Internet Engineering Task Force, Aug. 2000.  Work in
   progress.

   [2] D. M. Wallner, E. Harder, and R. C. Agee, "Key management for
   multicast: Issues and architectures," RFC (Informational) 2627,
   Internet Engineering Task Force, Sept. 1998.

   [3] S. Mittra, "Iolus: A framework for scalable secure multicasting,"
   in ACM SIGCOMM , (Cannes, France), sep 1997.

   [4] T. Hardjono, B. Cain, and I. Monga, "Intra-domain group key man-
   agement protocol," internet draft, Internet Engineering Task Force,
   Feb. 2000.  Work in progress.

   [5] C. Zhang, B. DeCleene, J. Kurose, and D. Towsley, "Comparison of
   inter-area rekeying algorithms for secure wireless group communica-
   tions," tech. rep., June 2001.  Submitted for publication.

7 Authors' contact information


Lakshminath R. Dondeti
Nortel Networks
600 Technology Park Drive
Billerica, MA 01821, USA
(978) 288-6406
ldondeti@nortelnetworks.com

Thomas Hardjono
Verisign Inc.



L. Dondeti                                                    [Page 7]


Internet Draft         Mobile group key management


401 Edgewater Place, Suite 280
Wakefield, MA 01880, USA
thardjono@verisign.com


Brian DeCleene
Sean Griffin
TASC Inc.
55 Walkers Brook Dr.
Reading, MA 01867, USA
btdecleene@tasc.com

Jim Kurose
Don Towsley
Chun Zhang
Sudarshan Vasudevan
Computer Science department
University of Massachusetts, Amherst, MA
{kurose,towsley,czhang,svasu}@cs.umass.edu
































L. Dondeti                                                    [Page 8]