
Group key management for IP multicast security.


Academic year: 2021


Published by ProQuest LLC (2017). Copyright of the Dissertation is held by the Author.


Multicast Security

Wee Hock Desmond Ng

Submitted for the Degree of

Doctor of Philosophy

from the

University of Surrey

Centre for Communication Systems Research

School of Electronics and Physical Sciences

University of Surrey

Guildford, Surrey GU2 7XH, UK

March 2006


IP multicast is a promising communication model for group oriented applications. Unfortunately, the strength of multicast is also its security weakness; the anonymous receiver model in multicast, which is based on a single multicast address rather than explicitly listing the members, allows multicast to scale to virtually any group size. This complicates confidentiality, which requires individual and explicit identification of the members in order to make sure that only legitimate members are able to access the multicast data stream. In this thesis, we concentrate on one of the main areas in multicast security - confidentiality.

In centralised design, we focus on the efficiency of the key tree approach. For individual rekeying, we have proposed an algorithm that considers several related multicast sessions as a whole and the balance of the key tree to minimise the communication costs and key storage needed by the group controller and members. In cases where the multicast applications do not require strict secrecy, it is possible to consolidate the joining and departing members and rekey them as a whole. We have proposed three algorithms that maintain the balance of the key tree over time when members join and/or depart the multicast session without adding extra network costs.

To avoid performance bottleneck and single point of failure problems, a distributed design that partitions the group members into several areas is preferred over a centralised design. Mobility adds another dimension of complexity to the design by allowing members not only to join or depart the group but also to transfer between areas. We have proposed one algorithm that tries to minimise the communication costs when members join the group and when members transfer between areas.


First of all, I would like to express my deepest gratitude to my supervisor Prof Zhili Sun for his invaluable discussion and advice throughout the course of this research, and for many helpful comments and constructive criticism without which this dissertation would not have been achieved.

Particular thanks go to Dr Haitham Cruickshank for his fruitful discussions during my research. I also direct my appreciation to Dr Michael Howarth for his inspiring insights. I am also grateful to my colleagues at Centre for Communication Systems Research (CCSR) for their friendship and support.

Finally I would like to take this opportunity to thank my family and my girlfriend for their support and understanding throughout my PhD.


Contents

Summary
Acknowledgments
Contents
List of Figures
List of Abbreviations
1 Introduction
1.1 Multicast
1.2 Multicast Security Issues
1.3 Multicast Security Scenarios
1.4 Research Goals and Objectives
1.5 Research Issues and Problems
1.6 Achievements
1.7 Thesis outline
1.8 List of publications
1.9 List of submitted papers
2 Background
2.1 Multicast
2.1.1 Membership discovery Protocol
2.1.2 Multicast Routing Protocols
2.2 Security
2.2.1 Confidentiality
2.2.1.1 Symmetric key encryption
2.2.1.2 Asymmetric key encryption
2.2.2 Authentication
2.2.2.1 Message Authentication Code (MAC)
2.2.2.2 Digital Signature
2.3 Discussion
2.4 Summary
3 Multicast Security
3.1 Reference Framework
3.2 Elements of the Reference Framework
3.3 Problem areas
3.3.1 Problem area 1: Multicast data handling
3.3.2 Problem area 2: Management of keying material
3.3.3 Problem area 3: Multicast security policies
3.4 Group Security Association (GSA)
3.5 Summary
4 Group Key Management
4.1 Multicast Security (MSEC) Group Key Management Architecture
4.1.1 Requirements of a Group Key Management Protocol
4.1.2 Design of MSEC Group Key Management Architecture
4.2 Evaluation Criteria for Key Management Solutions
4.3 Centralised Design
4.3.1 Single Group Key Management Algorithms using Individual Rekeying
4.3.1.1 Group Key Management Protocol (GKMP)
4.3.1.2 Multicast key management with Arbitrarily Revealed Key Sequences
4.3.1.3 Logical Key Tree (LKT) / Logical Key Hierarchy (LKH)
4.3.1.4 Logical Key Hierarchy with improved join rekey complexity
4.3.1.5 Logical Key Hierarchy plus (LKH+)
4.3.1.6 One-way Function Tree (OFT)
4.3.1.7 Optimal key storage Logical Key Hierarchy
4.3.1.8 Discussion
4.3.2 Hierarchical Group Key Management Algorithms using Individual Rekeying
4.3.2.1 Hierarchical Group Communication Algorithms
4.3.2.2 Centralised Multi-Group Key Management Algorithm
4.3.2.3 Discussion
4.3.3 Batch Rekeying
4.3.3.1 Marking Algorithm
4.3.3.2 Balanced Batch LKH
4.3.3.3 Boolean Function Minimisation Techniques
4.3.3.4 Discussion
4.4 Distributed Design
4.4.1 Hierarchical Subgroup Architecture
4.4.2 Hierarchical Group Key Management Framework
4.4.4 Dual Encryption Protocol (DEP)
4.4.5 Topology-Matching Key Management (TMKM)
4.4.6 Immediate Rekey
4.4.7 First Entry Delayed Rekey + Periodic (FEDRP)
4.4.8 Discussion
4.5 Summary
5 Scalable Hierarchical Group Key Management Algorithm
5.1 Efficiency of the key tree
5.2 Multi-Layers Balanced Logical Key Hierarchy (MLB-LKH)
5.3 Optimisations
5.4 Analysis
5.5 Simulation results
5.6 Summary
6 Balanced Batch Rekeying Algorithms
6.1 Batch Rekeying Algorithms
6.1.1 Merging Algorithm 1
6.1.2 Merging Algorithm 2
6.1.3 Batch Balanced Algorithm
6.1.4 Update Messages
6.2 Analysis
6.2.1 Merging Algorithm Analysis
6.2.2 Batch Balanced Algorithm Worst Case Analysis
6.2.3 Batch Balanced Algorithm Best Case Analysis
6.3 Performance Evaluation
6.3.1 Batch Join Performance Evaluation
6.3.1.1 Rekeying Cost
6.3.1.2 Update Cost
6.3.1.3 Minimum and Maximum Height
6.3.1.4 Key Storage
6.3.2 Batch Balanced Algorithm
6.3.2.1 Rekeying costs
6.3.2.2 Update Cost
6.3.2.3 Minimum and Maximum Height
6.3.2.4 Key Storage
6.4 Discussion
6.4.1 Optimisation
6.4.2 Simulation Results Analysis
6.4.3 Application Scenarios
6.5 Summary
7 Distributed Group Key Management Architecture
7.1 Constraint
7.2 Member Consolidation Delayed Rekeying (MCDR)
7.3 Comparison
7.4 Simulation Results
7.5 Summary
8 Conclusion and Future Work
8.1 Conclusion
8.2 Future Work
8.2.1 Receiver Access Control in Edge Network
8.2.2 Sender Access Control in Edge Network
8.2.3 Routing Security in Core Network


List of Figures

Figure 2-1: (a) Unicast and (b) Multicast
Figure 2-2: Source distribution tree
Figure 2-3: Shared distribution tree
Figure 2-4: Converting cleartext into ciphertext through encryption
Figure 2-5: Symmetric key encryption
Figure 2-6: Asymmetric key encryption
Figure 2-7: The MAC process
Figure 2-8: Digital signatures
Figure 2-9: Secure multicast group
Figure 3-1: Reference Framework
Figure 3-2: Relationship of GSA to SA
Figure 3-3: GSA definition
Figure 4-1: Design of a group key management model
Figure 4-2: (a) Individual, (b) Batch and (c) Periodic rekeying
Figure 4-3: Key distribution in MARKS
Figure 4-4: Balanced binary key tree with 8 group members
Figure 4-5: Join or depart event of member U8 in key tree
Figure 4-6: Key storage in OFT
Figure 4-7: Depart event in OFT
Figure 4-8: An optimal key storage LKH
Figure 4-9: Multicast video encoded in cumulative layers
Figure 4-10: Hierarchical group communication
Figure 4-11: Centralised multi-group key management key tree construction
Figure 4-12: Responsiveness Interval for (a) individual and (b) batch rekeying
Figure 4-13: (a) More joins than departs and (b) More departs than joins for Marking Algorithm 1
Figure 4-14: Node ID assignment
Figure 4-15: (a) More joins than departs and (b) More departs than joins for Marking Algorithm 2
Figure 4-16: (a) Join event and (b) more departs than join in Balanced Batch LKH
Figure 4-17: Boolean Function Minimisation Technique
Figure 4-18: Iolus
Figure 4-19: Hierarchical group key management framework
Figure 4-20: Intra-domain group key management protocol
Figure 4-21: Topology-Matching Key Management (TMKM) - One-SH system
Figure 4-22: Topology-Matching Key Management (TMKM) - Multiple-SH system
Figure 5-1: (a) Balanced key tree and (b) unbalanced key tree
Figure 5-2: Mapping of multicast video encoded in cumulative layers in MLB-LKH
Figure 5-3: Initialisation of MLB-LKH
Figure 5-4: Resultant key tree
Figure 5-5: Generation of TEKs using one-way chain
Figure 5-6: Balanced key tree
Figure 5-7: (a) Worst case and (b) Best case of switching between SGs
Figure 5-8: (a) GC's key storage and (b) Group member's storage for LKH and MLB-LKH
Figure 5-9: (a) Joining and (b) Departing costs in LKH
Figure 5-10: (a) Joining and (b) Departing costs in MLB-LKH
Figure 5-11: LKH switching - (a) Low layer to high layer and (b) High layer to low layer
Figure 5-12: MLB-LKH switching - (a) Low layer to high layer and (b) High layer to low layer
Figure 5-13: Key storage at different layers for (a) Centralised multi-group key management scheme and (b) MLB-LKH
Figure 6-1: ST_A (5 members) and ST_B (2 members)
Figure 6-2: (a) Part of key tree in ST_A, (b) ST_B (3 members) and (c) resultant key tree
Figure 6-3: (a) ST_A key tree (8 members), (b) ST_B key tree (2 members) and (c) resultant key tree
Figure 6-4: (a) ST_A subtree (5 members), (b) ST_B subtree (3 members) and (c) resultant key tree
Figure 6-5: (a) ST_A key tree (8 members), (b) ST_B (4 members) key tree and (c) Resultant key tree
Figure 6-6: Step 1 to Step 3 of Batch Balanced Algorithm
Figure 6-7: Resultant key tree for Batch Balanced Algorithm
Figure 6-8: Resultant key tree for Marking Algorithm 1
Figure 6-9: Resultant key tree for Marking Algorithm 2
Figure 6-10: (a) Usable and (b) New updated key tree
Figure 6-11: Worst case rekeying cost
Figure 6-12: Best case rekeying cost
Figure 6-13: Batch join rekeying costs
Figure 6-14: Maximum height in key tree
Figure 6-15: Maximum difference in height in key tree
Figure 6-16: Flowchart of the simulator
Figure 6-17: (a) Best and (b) Worst case rekeying costs for k = 2
Figure 6-18: (a) Best and (b) Worst rekeying costs for k = 4
Figure 6-19: Rekeying costs for (a) Marking Algorithm 1 (b) Marking Algorithm 2 and (c) Batch Balanced Algorithm
Figure 6-20: Difference in rekeying costs for k = 2
Figure 6-21: Difference in rekeying costs for k = 4
Figure 6-22: Update messages for Batch Balanced Algorithm (k = 2)
Figure 6-23: Update messages for Batch Balanced Algorithm (k = 4)
Figure 6-24: (a) Minimum and (b) Maximum height in Marking Algorithm 1
Figure 6-25: (a) Minimum and (b) Maximum height in Marking Algorithm 2
Figure 6-26: (a) Minimum and (b) Maximum height in Batch Balanced Algorithm
Figure 6-27: (a) Minimum and (b) Maximum height in Batch Balanced Algorithm
Figure 6-28: (a) Key tree with join and depart requests and the (b) resultant key tree
Figure 6-29: Update message for Optimised Batch Balanced Algorithm (k = 2)
Figure 7-1: Group Key Management Architecture
Figure 7-2: (a) Join and (b) Depart process for member u
Figure 7-3: (a) Transfer in and (b) Transfer out process for member u
Figure 7-4: Rekeying costs for IR/FEDRP and MCDR for the join event
Figure 7-5: Rekeying costs for (a) IR, (b) FEDRP and (c) MCDR for a sequence of join, depart, transfer in and out events
Figure 7-6: Cumulative rekeying costs for IR, FEDRP and MCDR


List of Abbreviations

AH Authentication Header
AGC Area Group Controller
AKD Area Key Distributor
ASM Any Source Multicast
BKM Border Key Manager
BS Base Station
DG Data Group
DKD Domain Key Distributor
DoS Denial of Service
DVMRP Distance Vector Multicast Routing Protocol
ESP Encapsulating Security Payload
FEC Forward Error Correction
FTP File Transfer Protocol
GC Group Controller
GKP Group Key Packet
GSEC Group Security
GSA Group Security Association
GSC Group Security Controller
GSI Group Security Intermediary
HMAC Hash-based Message Authentication Code
HTTP Hypertext Transfer Protocol
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
IKE Internet Key Exchange
IP Internet Protocol
IPSec Internet Protocol Security
IRTF Internet Research Task Force
ISAKMP Internet Security Association and Key Management Protocol
KDC Key Distribution Centre
KEK Key Encryption Key
MAC Message Authentication Code
MSEC Multicast Security
ML Mobility List
MLD Multicast Listener Discovery
MOSPF Multicast Extension to Open Shortest Path First
NAT Network Address Translation
PIM Protocol Independent Multicast
PL Pending List
PRF Pseudorandom Function
RL Removing List
RP Rendezvous Point
RPF Reverse Path Forwarding
RTSP Real Time Streaming Protocol
SA Security Association
SGM Sub-Group Manager
SG Service Group
SH Supervisor Host
SIP Session Initiation Protocol
SPT Shortest Path Tree
SRTP Secure Real-time Transport Protocol
SSL Secure Socket Layer
SSM Source-Specific Multicast
StS Station-to-Station
TCP Transmission Control Protocol
TEK Traffic Encryption Key
TLS Transport Layer Security
TPK Traffic Protection Key
UDP User Datagram Protocol
UID Unique member ID


Chapter 1

1 Introduction

With the widespread use of the Internet, secure data transmission is an important requirement for many applications. Secure group communication has several applications in multimedia conferencing, online stock updates, pay-per-view and collaborative work. Some of these applications engage in one-to-many communication while others involve many-to-many communication. Multicasting is an efficient way to distribute a data stream to a group of receivers but it also poses several unique security issues. In response to these issues in multicast, the work has been divided into several areas, and we will be concentrating on one of these areas, confidentiality, in this thesis.

1.1 Multicast

Internet Protocol (IP) multicast communication [1][2] is an efficient way to distribute a data stream to multiple destinations simultaneously over the Internet. Although multicast can be achieved by using multiple point-to-point messages (unicast approach), mechanisms that enable multi-destination delivery using a single group address can provide greater efficiency. This allows better utilisation of the network resources (less traffic) and sender resources (one transmission serves all recipients). It has been shown that multicast to a group as small as 20 to 40 members offers a 55-70% reduction in the number of links traversed when compared to separate delivery in unicast format [3]. Applications that can benefit from use of IP multicast are online stock updates, video conferencing, online gaming, software updates, mobile-commerce, etc. [4][5][6][7][8].

Multicast communication is about communicating from one sender to a group of receivers. The group of receivers is called the multicast group and is a central concept for multicast communication. This group does not have any physical or geographical boundaries (i.e. the receivers can be located anywhere on the Internet). Typical characteristics of a multicast group include [9]:

• Openness to new members: A group can be open or closed with regard to new members. In an open group, any new member can receive the multicast traffic without any registration with the sender. In other words, the group of members is transparent to the sender, and the sender is not aware of the exact identity of all the receivers. Of course, this does not exclude the possibility that some of the receivers from the group are actually known to the sender. On the other hand, in a closed group all the receivers are known.

• Openness to senders: A group can also be closed or open with regard to senders. In a closed group, only registered senders can send messages to this closed group. In contrast, data from any sender can be forwarded to open groups.

• Dynamics: In static groups, membership of the group is predetermined and does not change during an established communication. In dynamic groups, membership can change during communication.

• Lifetime: Regarding the group lifetime, a distinction can be made between permanent groups and transient groups. A permanent group exists even if it currently has no members, whereas a transient group exists only as long as the group has members.

• Heterogeneity: It is also possible to differentiate between heterogeneous and homogeneous groups. In heterogeneous groups, the members have different capabilities, for example, with respect to their network connection (e.g. in terms of available bandwidth or connectivity - continuous versus intermittent). On the other hand, in homogeneous groups all members have the same capabilities.

• Security: The multicast communication has certain security requirements, which might be static for the duration of the whole communication, or they can vary during the communication. Moreover, the requirements may differ for the different data involved (e.g. video, audio, and text).

In order for multicast to scale to large groups, the receivers do not directly contact the sender(s) to express their interest in receiving the data. Instead, each receiver sends a message to its first hop multicast router stating that it is interested in receiving data sent to a particular multicast group. Specifically, receivers use the Internet Group Management Protocol (IGMP) [10][11] for IPv4 or Multicast Listener Discovery (MLD) [12][13] for IPv6 to express their interest in receiving data sent to a given group. Upon receiving this join request, the first hop multicast router runs with other routers a multicast routing protocol, such as Protocol Independent Multicast (PIM) [14][15][16], Distance Vector Multicast Routing Protocol (DVMRP) [17] or Multicast Extension to Open Shortest Path First (MOSPF) [18], which grafts the new member onto the multicast distribution tree. When a receiver departs from the session, its first hop multicast router prunes it from the multicast tree if there is no longer any interested party on that attached segment. This model is beneficial because it favours scalability (very little state information is required) and it provides some anonymity for the group members [19][20].

1.2 Multicast Security Issues

While the advantages of multicasting are clear, there are several obstacles to widespread deployment [21][22][23]. The popular applications of the Internet are based on unicast, and are dependent on the reliability and sometimes security of the transmission. Most applications use hypertext transfer protocol (HTTP) [24] or file transfer protocol (FTP) [25], which run over Transmission Control Protocol (TCP) [26] for reliability, and most e-commerce applications run over the secure socket layer (SSL) [27] for security. End-users and application service providers (ASPs) expect some form of reliability and security for multicast communication as well, and most applications today need tight control over who can transmit data to a set of receivers.

Charging for software downloads, and monthly subscription to digital libraries and on-line magazines, is commonplace on the Internet. Content providers can charge for unicast data transfer rather easily on the Internet. The same cannot be said for multicast applications. This is mainly due to the anonymous receiver model of IP multicast. Any member can request to receive data, and the sender has no control over group membership.

The only way to ensure controlled access to data is to encrypt the multicast data and distribute the encryption key to all authorised members. In other words, secure multicast enables content providers to enforce access control, and thus be able to charge for multicast data services. Access control is only one of the motivating factors for secure multicast communications. Applications in general may need [23][28][29]:

• Privacy: Ensure that certain information is never disclosed to unauthorised entities. It is required only when the data is to be kept secret.

• Authentication: Receivers need to be able to establish the source of the data, thereby preventing an intruder from masquerading as a legitimate source of the message.

• Integrity: Receivers must be able to determine that data has not been modified either by other members of the multicast group or by external adversaries. This is to avoid accepting packets that have been modified by a hostile node while in transit.

• Non-repudiation: The originator of the message cannot deny having sent the message. It is useful for detection and isolation of compromised nodes.

• Availability: Ensure that the intended network services are available to the intended parties when required.

Although mature security controls and techniques exist to deal with most of these requirements and provide secure unicast communication, unicast controls cannot be directly applied to multicast communication. The security mechanisms for unicast are not adequate for the multicast scenario since multicast security mechanisms are under tight scalability and efficiency constraints [9]. Therefore, in response to the security issues in multicast, the work has been divided into several areas, including:

• Multicast data confidentiality: In unicast communication, two members can achieve confidentiality by encrypting the communicated data with a shared key. In multicast communication, a group key is distributed to all authorised members. This group key is used by the sender as a symmetric key to encrypt the multicast data. This becomes complicated when group membership is dynamic (members join and/or depart continuously during the multicast session). Research work in group key management aims to provide efficient rekeying schemes for dynamic groups [30][31][32][33][34].

• Multicast sender and receiver access control: In the basic IP multicast model, anyone can send data to a multicast group, and anyone can become a member of any multicast group. It is clear that this model is vulnerable to Denial of Service (DoS) attacks, where malicious members join or send data to multicast groups only to waste bandwidth or to overwhelm other group members with garbage data or malicious code. Solving these problems requires controlling the ability of members to send data or to join a multicast distribution tree to receive the data. These are called sender access control and receiver access control respectively. Although this could potentially solve big issues of DoS, they will need support in the routing infrastructure, adding to the complexity and, possibly, hindering scalability [35].

• Multicast source authentication: In a two party communication, data authentication can be achieved through a purely symmetric mechanism: the sender and the receiver share a secret key to compute a Message Authentication Code (MAC) of all communicated data. When a message with a correct MAC arrives, the receiver is assured that the sender generated that message. In a multicast environment where all receivers are mutually untrusted, symmetric MAC authentication becomes less secure: every receiver knows the MAC key, and could thus impersonate the sender and forge messages to other receivers. On the other hand, the computational complexity of producing and verifying digital signatures, as well as the length of the signature, may be significant. Therefore, a more efficient solution is needed [33][34][36].

• Watermarking: Encryption is generally used to safeguard content while it is being transmitted so that an unauthorised member cannot obtain useful information, but this offers no protection after the intended member receives the data. There is no protection against unauthorised duplication and propagation by the intended receiver. Watermarking can provide protection in the form of theft deterrence. Watermarking [37][38] is the process of embedding data into a multimedia element such as an image, audio or video. This embedded data can later be extracted from, or detected in, the multimedia for security purposes [30][33][34].

We notice that there are serious conflicts between the multicast scalability mechanism and security. Indeed, the anonymous receiver model in multicast, based on a single multicast address rather than explicitly listing the members, allows multicast to scale to virtually any group size. This simplicity, which is the strength of multicast routing, nevertheless presents many vulnerabilities [30][39]. On the other hand, confidentiality requires individual and explicit identification of the members in order to provide them with the correct keys to access the encrypted data stream.

Moreover, large groups with highly dynamic members present serious scalability issues for group key management and distribution. In the case of authentication, the problem is not related to the group size explicitly but rather to the requirement of an efficient asymmetric mechanism to prevent the receivers from impersonating the sender. Additionally, as most of the media-streaming applications based on multicast rely on a best effort channel, those asymmetric authentication mechanisms must tolerate packet loss.

1.3 Multicast Security Scenarios

Based on the characteristics of a multicast group outlined above, it takes many parameters to characterise a multicast security scenario, and a large number of potential scenarios exist. Different scenarios call for different solutions; it seems unlikely that a single solution will accommodate all scenarios. Two very different scenarios for secure multicast have been presented in [40][41].

• Single source broadcast

Here a single source wishes to continuously broadcast data to a large number of passive recipients. The source can be a news agency that broadcasts share-quotes and news-feeds to paying customers, or a Pay-TV station. Some of the characteristics are:

> The number of recipients can be up to hundreds of thousands and more. The source is typically a top-end machine with ample resources. It can also be parallelised or split to several sources in different locations. The recipients are typically lower-end machines with limited resources. Consequently, the security solution must optimise for efficiency at the recipient side.

> The lifetime of the group is usually long. Yet, the group membership is dynamic: members join and depart at a relatively high rate. In addition, a high volume of sign-on/sign-off requests is expected at peak times. It can be assumed that members have a long-term relationship with the group; this may facilitate processing of sign-on/sign-off requests.

> The volume of transmitted data may vary considerably: if only text is being transmitted then the volume is relatively low (and the latency requirements are quite relaxed); if audio/video is transmitted (e.g. pay-per-view) then the volume can be very high and very little latency is allowed.

> Authenticity of the transmitted data is a crucial concern and should be strictly maintained: a client must never accept a forged share-quote as authentic. Another important concern is preventing non-members from using the service. This can be achieved by encrypting the data.

> The required latency of the communication varies from application to application. Member revocation would be performed within minutes or seconds from the time it is requested.

> There is typically a natural group owner that manages access-control as well as key management. However, the sender of data may be a different entity.

• Virtual conferences

Typically, virtual conference scenarios may include on-line meetings of corporate executives or committees, interactive lectures and classes, and multi-party video games.

> A virtual conference involves several tens to hundreds of peers, often with roughly similar computational resources. Usually most, or all, group members may a-priori wish to transmit data.

> The group is often formed per event and is relatively short-lived (say a few minutes or hours). Membership is often static: members join at start-up, and remain signed on throughout. Furthermore, cryptographically revoke this group membership. Bandwidth and latency requirements vary from application to application, similarly to the case of single source broadcast. However, latency should typically be very small in order to facilitate the simultaneity and interactivity of virtual conferences.

> Authenticity of data may be the most crucial security concern.

1.4 Research Goals and Objectives

The overall contribution of this thesis is in the area of multicast data confidentiality. Although group key agreement schemes have been proposed for virtual conference scenarios where all members cooperate with one another to derive a common group key to secure the multicast data, we will, however, focus on group key distribution where there exists a trusted entity, known as the Group Controller (GC), responsible for generating and distributing a common group key to the members. The use of a specialised GC generally benefits scenarios such as single source broadcast where the group size is very large.

The primary goal of this thesis is to propose scalable group key management schemes for large dynamic groups. The proposed group key management schemes should satisfy the following objectives:

• Achieve better efficiency compared to the existing schemes;

• Minimise the number of keys held by the GC and group members;

• Minimise the communication costs for each rekeying operation;

• Reduce the computation power needed by the GC and group members;

• Be feasible to implement.

1.5 Research Issues and Problems

Below are some of the identified issues and problems that have been tackled in this thesis.

• Several related multicast sessions should be considered as a whole to minimise the communication costs and key storage needed by the GC and the group members.

• The efficiency of the key tree approach depends critically on whether the key tree remains balanced. A key tree is considered balanced if the distance from the root to any two leaf nodes differs by not more than one. An unbalanced key tree results in dissimilar storage among group members. In addition, the communication costs may be higher.

• There are issues at the receivers’ side regardless of whether the multicast data streams are halted or continue to flow during rekeying. Halting the data stream adds waiting latency which may affect real-time applications. On the other hand, if the data stream continues to flow during rekeying, it causes a buffering problem for receivers with limited storage since they need to buffer all packets before they can be decrypted.

• In a distributed architecture, mobility complicates the design by allowing members not only to join and depart the group but also to transfer between different areas. If the mobile members transfer between areas frequently, the communication costs can be very significant if the member movement is not taken into consideration.
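The effect of key tree balance on storage and rekey traffic, as an added example (not code from the thesis). It assumes the usual logical key hierarchy cost model: a member holds every key on its path to the root, and on a departure each key on that path is replaced and sent encrypted under each remaining child key. Tree shapes and member names are constructed.

```python
"""Added example: storage and rekey cost in balanced vs unbalanced key trees."""

# A key tree as nested tuples: a string is a member (leaf, individual key),
# a tuple is an internal node holding an auxiliary key; the outermost tuple
# holds the group key. Both trees below serve the same eight members.
BALANCED = ((("m1", "m2"), ("m3", "m4")), (("m5", "m6"), ("m7", "m8")))
CHAIN = ("m1", ("m2", ("m3", ("m4", ("m5", ("m6", ("m7", "m8")))))))


def leaf_depths(tree, depth=0):
    """Map each member to its distance from the root."""
    if isinstance(tree, str):
        return {tree: depth}
    depths = {}
    for child in tree:
        depths.update(leaf_depths(child, depth + 1))
    return depths


def is_balanced(tree):
    """Balanced: root-to-leaf distances differ by not more than one."""
    depths = leaf_depths(tree).values()
    return max(depths) - min(depths) <= 1


def keys_held(tree):
    """Keys stored per member: its individual key plus one per ancestor."""
    return {member: depth + 1 for member, depth in leaf_depths(tree).items()}


def depart_cost(tree, member):
    """Encrypted keys the GC multicasts when `member` departs (assumed model)."""
    def walk(node):
        if isinstance(node, str):
            return 0 if node == member else None
        for child in node:
            below = walk(child)
            if below is not None:
                # This node's key is replaced and encrypted under every child
                # key, except the individual key of the departing member.
                recipients = len(node) - (1 if child == member else 0)
                return below + recipients
        return None

    cost = walk(tree)
    if cost is None:
        raise KeyError(member)
    return cost


def summary(tree):
    """Storage spread and worst-case departure cost for one tree."""
    held = keys_held(tree)
    return {
        "balanced": is_balanced(tree),
        "min_keys_per_member": min(held.values()),
        "max_keys_per_member": max(held.values()),
        "worst_depart_cost": max(depart_cost(tree, m) for m in held),
    }


if __name__ == "__main__":
    print("balanced tree:", summary(BALANCED))
    print("chain tree   :", summary(CHAIN))
```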


1.6 Achievements

Our detailed achievements are as follows:

• We have proposed Multi-Layer Balanced Logical Key Hierarchy (MLB-LKH) that treats several related multicast sessions as a whole. In addition, MLB-LKH also considers the balance of the key tree since it affects the communication cost and key storage efficiency. To further enhance the efficiency of our MLB-LKH, we have proposed two optimisations that try to reduce the data and key storage needed by the members during rekeying. Simulation results show that our MLB-LKH reduces the communication costs and storage needed by the GC and group members significantly compared to the traditional approach.

• We have proposed three algorithms, two Merging Algorithms and a Batch Balanced Algorithm, which are suitable for batch rekeying. These three algorithms try to maintain the balance of the key tree over time as members join or depart. In other words, all three algorithms try to minimise the difference in height in the key tree without adding extra communication costs. Merging Algorithms 1 and 2 are only suitable for batch join events. Our Merging Algorithms provide a good compromise compared to existing algorithms, producing a balanced key tree with low communication costs. To additionally handle batch depart events, we extend the two Merging Algorithms into a Batch Balanced Algorithm. Our Batch Balanced Algorithm outperforms existing algorithms when the number of joining members is greater than the number of departing members and when there are a lot of departing members with no joining members. For similar numbers of joining and departing members, our Batch Balanced Algorithm achieves the same performance as existing algorithms.

• For distributed design, we have proposed Member Consolidation Delayed Rekeying (MCDR) that tries to minimise the communication costs when a static or mobile member joins the group in an area and when a mobile member transfers between areas. We achieve it by consolidating these members in a list. Doing so does not affect any member since all of them have the group key to decrypt the multicast data stream and MCDR does not compromise the strict secrecy requirement, where only authorised members can decrypt the multicast data. The members in the list will hold valid auxiliary keys when there is a depart event or the number of members in the list reaches a threshold. Compared to existing schemes, our proposed MCDR achieves efficiency close to batch rekeying but does not trade off any security for that.


1.7 Thesis outline

The remainder of the thesis is structured as follows:

Chapter 2 gives an overview of multicast and security. We also discuss the difference between an IP multicast group and a secure multicast group.

Chapter 3 discusses some of the standardisation work that has been proposed in literature. Specifically, a Reference Framework has been proposed to address the fundamental problem in managing the keying material. It tries to express the complex multicast security question from the perspective of problem classification (i.e., the three problem areas), architectures (i.e. centralised and distributed), multicast types (i.e. one-to-many or many-to-many), and protocols (i.e. the exchanged messages).

Chapter 4 presents group key management as the core mechanism for achieving confidentiality and access control in multicast communication. The goal of a group key management protocol is to provide legitimate group members with up-to-date cryptographic materials they need for secrecy and authentication throughout the life of the group. In order to achieve this goal, three protocols (i.e. registration protocol, rekey protocol and data security protocol) have been defined. Finally, we review some of the existing work that has been proposed in centralised and distributed design.

Chapter 5 investigates the efficiency of the key tree approach and describes how an unbalanced key tree may affect the key storage needed by the group members and increase the communication costs. We show how we can create a balanced key tree for several related multicast sessions for our MLB-LKH. We observe some issues at the receiver side regardless of whether the multicast data streams are halted or continue to flow during rekeying. To alleviate these issues, we have proposed two optimisations to further enhance the efficiency of our MLB-LKH.

Chapter 6 describes our three algorithms, two Merging Algorithms and a Batch Balanced Algorithm, that have been proposed to create a balanced key tree over time when members join or depart for batch rekeying. We also provide best and worst theoretical analysis for our three algorithms. Finally, we discuss some scenarios where our algorithms can outperform existing work.

Chapter 7 presents a distributed architecture that considers member mobility between different GCs. We observe that allowing a mobile member to hold several sets of valid auxiliary keys does not compromise the security as long as all the keys it possesses are updated when it departs from the multicast group. We describe how our MCDR minimises the communication costs for join, depart, transfer in and out events.

Chapter 8 concludes the thesis and opens avenues for further research.

1.8 List of publications

[1] W.H.D Ng, Z. Sun, “Multi-Layers LKH”, IEEE International Conference on Communications (ICC), Vol. 2, pp. 1015-1019, May 2005.

[2] W.H.D Ng, Z. Sun, H. Cruickshank, “Group Key Management with Network Mobility”, IEEE International Conference on Networks (ICON), Nov. 2005.

[3] W.H.D Ng, H. Cruickshank, Z. Sun, “Scalable Balanced Batch Rekeying for Secure Group Communication”, Elsevier Computers and Security, Accepted for publication.

1.9 List of submitted papers

[1] W.H.D Ng, M. Howarth, Z. Sun, H. Cruickshank, “Dynamic Key Tree Management for Secure Multicast Communications”, Submitted to IEEE Transactions on Computers.

[2] W.H.D Ng, Z. Sun, “Secure Multi-Layers Multicast Communications”, Submitted to Elsevier Computers and Security.

[3] W.H.D Ng, Z. Sun, H. Cruickshank, “Group Key Management for Wireless Networks”, Submitted to IEEE Transactions on Dependable and Secure Computing.

Chapter 2

2 Background

The growth of the Internet inspires a lot of network applications, and many of them are based on group communication models, where a message originated from a source has to be sent to an arbitrary number of receivers in the group. Group communications can take advantage of a more efficient multicast service which is capable of sending a message to multiple destinations. However, multicast poses several unique security issues due to its open nature.

2.1 Multicast

Internet Protocol (IP) multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single data stream to an arbitrary number of receivers that express an interest in receiving this particular data stream. These receivers do not have any physical or geographical boundaries - they can be located anywhere on the Internet. Although multicast can be achieved by using multiple point-to-point messages (unicast approach), mechanisms that enable multi-destination delivery using a single group address can provide greater efficiency as illustrated in Figure 2-1. First, multicast reduces the amount of bandwidth in the network required to transport the data streams to the receivers. Only one copy of the same data stream is needed over the same links, with the network elements such as routers or switches replicating it as necessary for the receivers. Second, multicast saves processing power at the source and allows a service to scale to extremely large group sizes. The source only needs to generate a message once and distribute it to the link once. Third, only a small amount of state information is needed for the source since it neither needs to know the number of subscribed receivers nor their identities.


To allow packets to be distributed in a scalable manner to extremely large groups, IP multicast does not specify the individual IP addresses of all receivers, but instead uses a single group address to identify them. In practice, IP multicast packets are quite similar to unicast IP packets, except that the destination IP address is chosen in the range 224.0.0.0 to 239.255.255.255, which is also known as class D addresses in IPv4 (refer to [42] for assignment restrictions). Receivers that are interested in receiving packets from a certain multicast group “subscribe” to the corresponding group address and the multicast routing protocols take care of forwarding the packets to the receivers. To achieve this, multicast relies on two primary mechanisms: first, a membership discovery protocol which allows recipients to signify to a local multicast router their interest in receiving the multicast traffic, and second, multicast routing protocols that create the distribution trees.

2.1.1 Membership discovery Protocol

The first step toward multicast communications is the identification of the receivers. A receiver must signal to its local multicast router that it wishes to join a specific multicast group. This is accomplished via the Internet Group Management Protocol (IGMP) [10][11] in IPv4, which takes place between the host and the local multicast router.

IGMP is used to automatically control and limit the flow of multicast traffic through a network. IGMP manages multicast groups and traffic through the use of query and report messages. Routers periodically send out IGMP query messages to interfaces on their network to see if any group members exist. These messages are not forwarded on to other networks. If a receiver wants to join a multicast group, it sends out an IGMP report message in response to the query and, depending on the reports that a router receives from the interfaces on a network, the router works out where to forward the multicast packets. If a router does not receive a response to its query messages after a number of queries, it assumes that there are no group members on that network. A receiver does not need to wait for a query before joining a multicast group; it can send out a message requesting to receive a multicast data stream. It is important to note that local multicast routers are not interested in the specific receivers that are requesting the multicast data streams; they are only interested in the interfaces in a network that want to receive multicast traffic, because multicast traffic is sent to an entire subnet, not a single receiver.

2.1.2 Multicast Routing Protocols

Once a local multicast router knows the group membership of its directly connected hosts, it can then exchange information with other routers using a multicast routing protocol, enabling it to join

the IP multicast traffic takes through the network. The two basic types of multicast distribution trees are:

i. Source-based trees: A separate tree is built for each source that is sending data to a multicast group. Each tree is rooted at a router adjacent to the source, and sources send data directly to the root of the tree. It is also referred to as a shortest path tree (SPT) because this tree creates an optimal path between the source and the receivers. This guarantees the minimum amount of network latency for forwarding multicast data. This optimisation does come with a price, though: the routers must maintain path information for each source.

Figure 2-2 shows an example of an SPT for group 224.1.1.1 rooted at the source and connecting two receivers. The special notation of (S,G) enumerates an SPT where S is the IP address of the source and G is the multicast group address. Using this notation, the SPT for the example in Figure 2-2 would be written as (192.1.1.1, 224.1.1.1).

Figure 2-2: Source distribution tree

ii. Shared trees: A single tree is built for all sources that are sending to a multicast group. The tree is rooted at some selected node also known as the Rendezvous Point (RP). The protocol then uses a protocol-specific mechanism to transport the data from the source to the root of the tree. This approach has the advantage of requiring the minimum amount of state in each router. However, under certain circumstances, the path between the source and receivers might not be the optimal path - which might introduce some latency in data delivery.

Figure 2-3 shows a shared tree for group 224.2.2.2 with the root located at Router C. When using a shared tree, sources must send their traffic to the root for the traffic to reach all receivers. Because all sources in the multicast group use a common shared tree, a wildcard notation written (*,G) represents the tree. In this case, * means all sources, and

[Figure legend: Notation (*, G); S = Source, R = Receiver, G = Group]

Figure 2-3: Shared distribution tree

Routing multicast traffic is more complex than routing unicast or broadcast traffic because IP multicast uses a single address to identify a particular transmission session rather than a specific physical destination. In other words, the multicast router cannot base its forwarding decision on the destination address in the packet; alternative methods are needed so that the multicast traffic can reach all receivers. The basic principle of multicast routing is that multicast routers must interact with each other to exchange information about neighbouring routers.

Multicast routing protocols facilitate the exchange of information between routers and are responsible for constructing distribution trees and forwarding multicast packets. There are a number of different routing protocols, but they generally follow one of the two basic approaches.

i. Dense mode protocols: Dense mode protocols are based on the assumption that there are a number of group members densely distributed across a network. These protocols deliver the multicast traffic using a push principle. In other words, these protocols periodically flood the network with multicast traffic to establish and maintain the distribution tree. Dense mode protocols are best suited to environments where there are a number of hosts that wish to receive the same multicast data stream and the bandwidth to cope with the flooding of the network. Some examples of the dense mode protocols are Distance Vector Multicast Routing Protocol (DVMRP) [17] and Protocol Independent Multicast Dense Mode (PIM-DM) [15], which employ only SPTs to deliver (S,G) multicast traffic.

DVMRP uses a “flood and prune” mechanism where a router floods a multicast packet that it received out on all interfaces except the one that leads back to the source of the packet. To prevent unnecessary sending of multicast messages through the distribution tree, DVMRP uses pruning. A DVMRP router sends a prune message to its neighbours if it discovers that the network to which a host is attached has no members or all neighbours, except the next-hop neighbours connected to the source, have pruned the source and the group. DVMRP has its own unicast routing protocol, based on hop counts, that determines which interface leads back to the source.

Similar to DVMRP, PIM-DM floods packets out to all routers in a network and then prunes routers that do not have members attached. However, PIM-DM does not need to build or maintain its own separate multicast routing table; instead it can use the existing routing table content.

ii. Sparse mode protocols: Sparse mode protocols are based on the assumption that the group members that want to receive the multicast data stream are sparsely distributed across a network and that bandwidth is not necessarily widely available. As the group members are spread sparsely throughout the network, flooding would waste bandwidth and cause performance problems. Sparse mode protocols therefore are more selective about how they distribute the multicast data stream. These protocols deliver the multicast traffic using a pull principle. They start with an empty distribution tree and only add branches when they receive join requests. Sparse mode protocols make use of shared trees and occasionally, as in the case of Protocol Independent Multicast Sparse Mode (PIM-SM) [16], SPTs to distribute multicast traffic to the receivers in the network.

PIM-SM uses an RP that senders direct their information to and receivers request information from. When a receiver wishes to receive a multicast data stream, it registers with the RP and once the data starts to flow from the sender, the rendezvous point sends the data on. The routers automatically optimise the path to get rid of unnecessary hops. As PIM-SM is protocol independent, it can use the existing unicast routing table content.

2.2 Security

Although the advantages of multicasting are clear, it also poses several unique security issues due to its open nature. First, it is not possible to restrict communication to a set of authorised members since anyone can request to receive the data and the sender has no control over the group membership. This complicates the billing process for the content providers as well. Second, anybody can send data to the multicast group and there are no mechanisms to restrict unauthorised sources from sending data to the multicast group. In such cases, the group members need to be able to verify that the messages received are from the intended source. Third, there is no individualisation of the received data as all members receive the same packets. Responding to these issues in multicast, the work has been divided into several areas (refer to Section 1.2).

Generally, the two basic security mechanisms to secure communication are:

• Confidentiality: The assurance that the content of a message is known only to its intended recipients. Confidentiality of messages is generally achieved through encryption.

• Authentication: The assurance that the identity of the sender of a message can be proved to the recipient as correct.

2.2.1 Confidentiality

In unicast or multicast communication, the confidentiality of the data can be achieved by encryption. Encryption is any process that can convert readable data into secret code to prevent unauthorised members from reading the encrypted information. Unencrypted information is referred to as clear text, while encrypted data is called ciphertext. The reversal of encryption is called decryption. An algorithm that implements encryption and decryption is also known as a cryptographic algorithm. A key is used in conjunction with a cryptographic algorithm to either encrypt clear text and/or decrypt ciphertext. Figure 2-4 illustrates an example of converting clear text into ciphertext through encryption.

Figure 2-4: Converting clear text into ciphertext through encryption

Basically, there are two main approaches to encryption:

• Symmetric key encryption, which uses shared secrets between two or more parties.

• Asymmetric key encryption, which uses separate but related keys for encryption and decryption; one public, the other private.

Hybrid systems mix symmetric and asymmetric cryptography to use the best features of both.

2.2.1.1 Symmetric key encryption

In symmetric key encryption, the sender and the receiver share a common secret key, which they use to secure communications between them as shown in Figure 2-5. The sender uses the secret key to encrypt the message before its transmission and the receiver uses the same secret key to decrypt the received message. Symmetric encryption is generally very fast, uses short keys and can be implemented in hardware. It is the most common encryption scheme for achieving bulk data encryption.

Figure 2-5: Symmetric key encryption

The two types of symmetric ciphers are as follows.

Block ciphers. Block ciphers break the input into contiguous and fixed-length blocks of symbols and apply the same encryption rules to each plaintext block to produce the corresponding ciphertext block.

Stream ciphers. Stream ciphers convert the input stream of plaintext symbols into a stream of ciphertext symbols. The encryption rule used on any plaintext symbol or group of contiguous symbols depends on the relative position of that portion of the input from the beginning of the stream.

2.2.1.2 Asymmetric key encryption

Asymmetric key encryption, also known as public key cryptography, uses two different keys for achieving secrecy as shown in Figure 2-6. The keys are related to each other (hence they are called a key pair), but they are different. The relationship between the keys is such that a message encrypted by K1 can only be decrypted by its pair K2. If K2 encrypts the information, it can only be decrypted by K1. In practice, one key is called the private key and the other is called the public key. The private key is kept secret by the owner of the key pair. The public key is published with information as to who the owner is.


The pair of keys is generated together and the keys are therefore related. It is essential to note that despite this relationship, even with access to or knowledge of the public key, it is infeasible to compute the value of the private key. Therefore, there is no threat to the system in publishing the public key.

Compared with symmetric key encryption, asymmetric key encryption induces high computational overhead and is therefore not appropriate for large amounts of data. Asymmetric encryption is mainly used for signatures, authentication, and key establishment.

2.2.2 Authentication

Message authentication provides two services. It provides a way to ensure message integrity and a way to verify who sent the message. Data integrity and message authentication go hand in hand. Suppose the multicast data has been modified in transit; then the source is no longer the legitimate origin of the data. Similarly, if the receiver can verify the source of the data, it proves that the data has not been modified en route. Non-repudiation is a strong form of authentication, which allows impartial third-party verification of the data source. The two methods to achieve authentication are Message Authentication Code (MAC) and digital signatures.

2.2.2.1 Message Authentication Code (MAC)

A message authentication code (MAC) encrypts a message digest with a session key to provide assurance that the content of a message has not been modified in transit. A hashing algorithm is first applied to the message to generate a hash, a short, fixed-length cryptographic string also called the message digest that uniquely represents the message. The sender then encrypts the hash using a session key, which is a shared secret key known to both sender and receiver. The resulting MAC is then attached to the message and sent. When the message is received, the receiver decrypts the MAC using the same session key to recover the hash. The recipient then hashes the original message and compares this to the received hash. If the two hashes match, the recipient knows that the message has integrity and has not been modified in transit. The process is illustrated in Figure 2-7.

Figure 2-7: The MAC process

2.2.2.2 Digital Signature

Digital signature mechanisms are used to provide an electronic analogue form of handwritten signatures for electronic documents. Like handwritten signatures, digital signatures must not be forgeable; a receiver must be able to verify it and the signer must not be able to repudiate it later. But unlike handwritten signatures, digital signatures incorporate the data (or the hash of the data) that are signed. Different data therefore result in different signatures even if the signatory is unchanged.

To create a digital signature, the message to be transmitted is first mathematically hashed to produce a message digest. The hash is then encrypted using the sender’s private key to form the digital signature, which is appended to or embedded within the message. Once the encrypted message is received, it is decrypted using the sender’s public key. The recipient can then hash the original message and compare it with the hash included in the signature to verify the sender’s identity.
