32nd IEEE Conference on Local Computer Networks

Tunable Group Key Agreement

Rajesh Ingle, G. Sivakumar
Department of Computer Science and Engineering
Indian Institute of Technology Bombay, Mumbai, India
Email: ingle, [email protected]

Abstract— Secure group communication has various applications. Requirements for an application differ in various parameters such as tolerance times for join and leave, arrival rate, departure rate, staying period and group life time. Existing group key agreement protocols do not harness knowledge of application requirements. In this paper we present a scheme for tunable group key agreement. We introduce an application class awareness concept, rekeying algorithms and a novel key tree structure. We simulated periodic refresh mode, periodic batch mode and controlled periodic refresh mode. The simulation experiment clearly shows that controlled periodic refresh mode outperforms periodic refresh mode and periodic batch mode.

I. INTRODUCTION

The concept of groups can be used in distributed systems to handle the complexity of large applications. Processes are organized into groups. A process or user may join or leave the group. The set of processes that are currently members of the group represents the group view [1]. Group oriented applications require a secure and reliable group communication platform [2]. Some examples of applications are teleconferencing, interactive simulation, pay per view, video on demand, multi player games and software updates.

With the emergence of many group oriented distributed applications, securing group communication has become an important issue. The challenge is to allow only authorized group members to access group communication. This can be achieved by using a group key as a symmetric key. The symmetric key or group key is a secret known only to current group members. The group key needs to be changed on membership change events. Individual rekeying has efficiency and synchronization problems [3], so batch rekeying was introduced. Batch rekeying can be threshold based or interval based. Both approaches may lead to violation of application requirements, i.e. join tolerance time and leave secrecy tolerance time. The issue of when and how to perform a rekey without violating the application requirements is important. We propose rekeying algorithms to address this issue. They take into consideration application parameters and requests for join and leave, and calculate the rekey interval at run time with reasonable performance.

Secure group communication requires a group key management mechanism to operate [4]. Various group key management protocols [5], [6], [7], [8] address this issue. Contributory group key agreement protocols are preferred over other key management protocols [9]. Whenever a new member joins or an existing member leaves the group, the group key agreement protocol should remain secure.
0742-1303/07 $25.00 © 2007 IEEE DOI 10.1109/LCN.2007.83

The applications of group key agreement can be grouped into the following classes [10]: peer groups of long running servers, conferencing, one-to-many broadcast, distributed logging and mobile state transfer. Users may have different join and leave behavior [11]. Uncertainty of user behavior makes the key agreement algorithm costly. In order to obtain an efficient protocol one would need a different model [12], [13], [14], [15]. We propose a tunable contributory group key agreement (TGKA) algorithm which makes use of the novel key structure [7], [15], parameters from the application class and runtime information. The basic idea is that whenever a group is formed it belongs to a particular application class and has different behavior. The behavior of an application class can be modeled using a few parameters. These parameters and the environment parameters can be used to tune the key agreement algorithm. The membership dynamics depend on application and user behaviors [11]. To quantify the number of joins and leaves arriving in a rekey interval, we need to specify join and leave rates. The idea about membership dynamics is given in Figure 1(a).

[Fig. 1. Membership and Group Dynamics. (a) Membership Dynamics: members M1, M2 and M3 join and leave along the time axis, with rekeys at t and t + Tri (rekey interval Tri). (b) Phases of Group Life Time: group formation, auxiliary key agreement phase, closure.]

An important aspect of groups is their dynamic behavior as they evolve over time. This aspect should be taken into consideration while designing key agreement algorithms. We divide the life time of a group into three different phases: group formation phase, auxiliary key agreement phase and closure. Figure 1(b) depicts the three phases of a group life time. The algorithm can make use of this information to tune itself. The goal of this work is to achieve tunable group key agreement by using application and user behavior parameters with reasonable performance. The rest of the paper is organized as follows. The next section discusses related work and compares it with our approach. Section 3 covers concepts and background required for tunable group key agreement. Section 4 presents the ACA tree structure and basic procedures. It also explains key tree, rekeying and periodic batch rekeying. Section 5 presents rekeying algorithms. Section 6 discusses and explains performance evaluation and simulation results. Section 7 concludes and discusses directions for possible future work.

Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY BOMBAY. Downloaded on April 24, 2009 at 06:18 from IEEE Xplore. Restrictions apply.

II. RELATED WORK

Group key management is a well researched area [7], [8]. In this subsection we focus only on contributory group key agreement, especially interval based schemes and those which use more than one tree for the key tree structure. Researchers have proposed many group key agreement algorithms [2], [4], [8], [12]. Logical key tree structures are used to improve the scalability of key agreement protocols [2], [12]. A binary tree is used to maintain the keying information [7]. Work on periodic batch rekeying [3], [6], [16] is also an important step in addressing the scalability issue. Most of the work on contributory group key agreement protocols extends the Diffie Hellman key exchange protocol [17] to multiple parties or groups [5]. Recent work [15], [16] presents PACK, a group key agreement scheme based on a partial full maximum height key tree structure, with two trees: a main tree and a join tree. That work aims at an efficient contributory group key agreement scheme that has lower communication, computation and time overhead. Optimization of the batch rekey interval for secure group communication in wireless networks is attempted in [18] using a stochastic Petri net model. An interval based algorithm called distributed collaborative key agreement protocol, DCKAP, was proposed in [19] as part of work on authentication protocols for dynamic peer groups. The idea of using a separate main tree, join tree and leave tree was introduced in [12], which proposes a time efficient contributory key agreement framework for secure communications in dynamic groups. Table I compares tunable group key agreement (TGKA) with the related contributory group key agreement protocols.

TABLE I
COMPARISON

Scheme   Interval based   Tunable, ACA   Key tree structure   Rekey modes
TGKA     yes              yes            main, join, leave    five
PACK     no               no             main, join           one
DCKAP    yes              no             main                 three
DST      no               no             main, join, exit     one

III. TOWARDS ADAPTIVE MIDDLEWARE

Middleware resides above the network operating system layer and below the application layer. Middleware may be decomposed into four layers [20]: host infrastructure, distribution, common services and domain services. The common services layer, which resides above the distribution layer, provides security functionality. It also provides fault tolerance, load balancing, event propagation, logging, persistence, transactions and real time scheduling [21], [22], [23]. The domain services layer deals with a specific class of distributed applications. There are various adaptation types: customizable, configurable, tunable and mutable. The adaptation type we are using is configurable and tunable, as depicted in Figure 2(a). Tunability is an adaptation type which enables the fine tuning of a component in response to the functional and environmental changes that occur after the said component is started. The placement of the tunable group key agreement block in a next generation middleware system is shown in Figure 2(b).

[Fig. 2. Adaptation type and Middleware. (a) Adaptation type: customizable, configurable, tunable and mutable over the lifetime of the application (development, compile, startup, run time). (b) Tunable Group Key agreement Middleware: application, app class, ACA parameters and modeling, monitoring, group membership, tunable group key agreement, broadcast, consensus, reliable channel, failure detection, unreliable transport.]

A. Application class awareness

Application class awareness means that one is able to use application class information. A system is application class aware (ACA) if it can interpret and use ACA information and adapt its functionality to a particular application class. The various application classes [10] are conferencing, distributed logging, collaborative servers, soft state transfer and one to many broadcast. The basic idea behind the framework is that, if the application class is known in advance, the algorithm can get information about the following parameters and adapt itself using a particular rekeying mode: Ts, membership duration; A, arrival rate; D, leave rate; TJS, join secrecy tolerance time; TLS, leave secrecy tolerance time; the lifetime of a group; and the duration of each phase.

B. Evaluation metrics and notations

This section explains the evaluation metrics and notations used in this paper. We consider communication cost, computation cost and delay as evaluation metrics. Delay deals with the latency in establishing and updating the group key.

Symbol     Meaning
Tri        Rekey period or rekey interval
Trpt       Rekeying process time
Ts         Membership duration
A          Arrival rate
n          Number of group members
TJS        Join secrecy tolerance time
TLS        Leave secrecy tolerance time
TriJoin    Rekey interval for join
TriLeave   Rekey interval for leave
MinTri     Minimum value for rekey interval
MaxTri     Maximum value for rekey interval
Ccomm      Communication cost
Ccomp      Computation cost

C. Security requirements of key management protocols

Security requirements [2], [4] include secrecy of group key, backward secrecy, forward secrecy, key independence and perfect forward secrecy.

Secrecy of group key: It guarantees that it is computationally not possible for a passive adversary to discover any group key.
Backward secrecy: It guarantees that a passive adversary who knows a contiguous subset of group keys cannot discover preceding group keys.
Forward secrecy: This guarantees that a passive adversary who knows a contiguous subset of old group keys cannot discover subsequent group keys.
Key independence: It guarantees that a passive adversary who knows a proper subset of group keys cannot discover any other group key. It is a strong property and includes forward secrecy, backward secrecy and key secrecy.
Perfect forward secrecy: It is the strongest property. It specifies that even when the long term key is compromised, the secrecy of the past group key is preserved.

IV. ACA TREE STRUCTURE

This section covers the definition of the ACA tree structure. The rekeying algorithms introduced in the next section make use of the definitions presented in this section. The purpose of the new tree structure with three trees is to allow the group key agreement algorithm to make use of application class parameters. The ACA tree structure is derived from the key tree structures with more than one tree proposed by researchers [12], [13], [15], [16]. This section first explains what a key tree is. It then describes rekeying and periodic batch rekeying, before introducing the key tree structure.

A. Key tree

The key tree is one of the techniques used in the past for centralized group key distribution systems. It was adopted for use in fully distributed, contributory key agreement [4]. There are three types of keys in a key tree. The root node of the tree corresponds to the group key. Leaf nodes in a key tree represent the private keys of the group members. Inner nodes maintain subgroup keys.

The root is located at level 0 and the lowest leaves are at level d. The tree is binary if the two party Diffie-Hellman key exchange method is used. Every node is either a leaf node or a parent of two nodes. The node key can be derived from a contribution of the two children. The group key can be derived in bottom-up fashion.

Members can be grouped into pairs. Each pair performs a two party Diffie-Hellman to form a parent node key or subgroup key. The subgroups then pair with each other and, using two party Diffie-Hellman, form another subgroup. This process leads to the formation of the group key.











[Fig. 3. Notations for a key tree. (a) Four member key tree (members M1 to M4). (b) Six member key tree (members M1 to M6).]

Figure 3 shows a four member key tree and a six member key tree. If we denote each member's private key as $r_i$, the group key can be computed in the four member key tree as

$$K = \alpha^{(\alpha^{r_1 r_2} \bmod p)(\alpha^{r_3 r_4} \bmod p)} \bmod p.$$

Where α is an exponential base, p is the modular base, K is the key associated with <l, v> and <l, v> is the vth node at level l in a key tree.

B. Rekeying and periodic batch rekeying

Whenever a new user joins or an existing user leaves, the group size changes and the group key management system distributes the group key. This is called rekeying. The term rekey denotes the action of distributing or generating a new key to replace the previous one. Periodic batch rekeying was introduced by various researchers [24], [25], [6], [26], [27]. Key refresh for every join and leave event has drawbacks: a synchronization problem and inefficiency. Synchronization is difficult to maintain if key refresh or rekeying is done at each membership change event. If join or leave requests are frequent, the request messages may not be decrypted and the member will need memory space to store them. A high rate of membership change results in more operations and hence in inefficiency.

C. ACA tree structure

The ACA tree structure consists of three different special key trees: a main key tree for the stable members of the group, a skewed join tree for the joining members and a leave tree for the departing members. The key tree structure used is binary because two party Diffie Hellman is used. Key path denotes the path from the said node to the root. Co path denotes all siblings of nodes on its key path. Any node can calculate the group key if it knows its own keys and all the blinded keys on its co path [2], [10], [12]. The size of the key tree is defined as the number of leaf nodes in the tree. Let k be a nonnegative integer.

Definition 1 (Join Tree) A key tree T is an ACA Join tree if it is a binary tree of size n and if and only if it satisfies exactly one of the following conditions.
1: If n = 1, then T is a single node tree;
2: If n ≥ 2 then the left subtree of T is an ACA Join tree with size n − 1, and the right subtree of T is a single node tree.

Definition 2 (M Key Tree) T is an ACA M key tree if it is a binary tree of size n and if and only if it satisfies exactly one of the following conditions:
1: T is a balanced binary tree with size 2^k;
2: The left subtree of T is a balanced binary tree with size 2^(log n), and the right subtree of T is an ACA M key tree with size (n − 2^(log n)).

Definition 3 (ML Key Tree) A key tree T of size n is an ACA ML key tree if and only if it satisfies exactly one of the following conditions:
1. T is an ACA M key tree;
2. The left subtree of T is an ACA M key tree, and the right subtree of T is an ACA M key tree.

Definition 4 (ACA Key Tree) A key tree T of size n is an ACA key tree if and only if it satisfies one of the following conditions:
1. T is an ACA ML key tree;
2. The left subtree of T is an ACA ML key tree, and the right subtree of T is an ACA Join key tree.

[Fig. 4. ACA Join and M key Tree. (a) Join Tree. (b) M Key Tree.]

[Fig. 5. ACA ML and ACA Key Tree. (a) ML Key Tree. (b) ACA Key Tree, showing the main tree, join tree and leave tree.]

D. Basic procedures

This subsection explains three basic procedures: inter group Diffie Hellman (IGDH), combine and partition. Let G = G1, ..., GL be a set of subgroups. Each subgroup is represented by a key tree Ti. The procedure combine(T) combines all key trees which represent a particular subgroup Gi. It performs IGDH among these subgroups. The procedure partition takes a binary tree as input and returns a set of fully balanced binary key trees with minimum set size.

1) Inter group Diffie Hellman (IGDH) key agreement: IGDH is the basic building module, which is used subsequently in different algorithms. It accepts two subgroups and performs two party Diffie Hellman [17] between them. Let subgroup Ga be represented by Ta and subgroup Gb be represented by Tb. Members of Ga use a group key Ka and members of Gb use group key Kb. Let B(K), known as the blinded key [17], represent the operation $B(K) = \alpha^{K} \bmod p$, where α is the exponential base and p is the modular base. Each subgroup sponsor multicasts the blinded group key, so that members in each group have sufficient information to compute the group key Kab:

$$K_{ab} = B(K_a)^{K_b} \bmod p = B(K_b)^{K_a} \bmod p$$

IGDH(Ta, Tb)
1: Each group has a sponsor, otherwise elect the sponsor
2: if sponsor of group Ga then
3:    multicast blinded group key B(Ka) to subgroup Gb
4: end if
5: if sponsor of group Gb then
6:    multicast blinded group key B(Kb) to subgroup Ga
7: end if
8: if member of Ga then
9:    compute the new group key Kab = B(Kb)^Ka mod p
10: end if
11: if member of Gb then
12:    compute the new group key Kab = B(Ka)^Kb mod p
13: end if
14: create a new node T such that
15:    TLeft = Ta and TRight = Tb
16: return(T)

Note that each member needs one modular exponentiation operation to calculate a group key. The sponsor will need one more modular exponentiation to calculate its own subgroup key if it is not known already.

2) Combining set of balanced trees: This procedure takes a set of fully balanced trees and clubs them together. First, fully balanced trees of the same size are paired together to form a bigger fully balanced tree. This repeats until all the trees left are of different sizes. It then combines them together. It assumes that all the trees in T are indexed such that the lower the index, the larger the size of the tree. Procedure Combine and Figure 6 explain the combine operation. The procedure goes through multiple rounds. This procedure reduces the delay in comparison with the option of rebuilding the key tree again, because a tree Ti with size greater than 1 can be treated as the result of merging the leaf nodes in Ti without introducing delay.

Combine(T1, ···, Tk)
1: while (Ti, Tj ∈ T with size(Ti) = size(Tj) and i < j) and there is no h such that h < i and size(Th) = size(Ti) do
2:    Tnew = IGDH(Ti, Tj)
3:    remove Ti and Tj from T
4:    insert Tnew to T and reindex
5: end while
6: k = number of trees in T
7: while k ≥ 2 do
8:    Tk−1 = IGDH(Tk−1, Tk)
9:    remove Tk from T
10:    k = k − 1
11: end while
12: return Tk

[Fig. 6. Combining set of fully balanced trees: trees T1 to T5 holding members M1 to M8 are combined into a single tree T.]

3) Partitioning binary tree: This procedure takes any binary tree as input and partitions the tree into a set of fully balanced binary key trees with minimum set size. The partitioning process is explained in procedure Partition and Figure 7. Each member only needs to truncate the current tree maintained by itself. Since this is done locally, it does not involve any communication cost. The computation cost and delay are also negligible.

[Fig. 7. Partitioning the tree: a tree T with members M1 to M5 is partitioned into trees T1, T2 and T3.]

Partition(T)
1: if T is empty then
2:    return(0)
3: else if T is a fully balanced binary key tree then
4:    return(T)
5: else
6:    return partition(Tleft) ∪ partition(Tright)
7: end if
8: reindex the obtained trees.

V. REKEYING ALGORITHMS

In this section we discuss different modes of rekeying and the respective algorithms. The five algorithms for the five modes are periodic refresh, periodic batch join, periodic batch leave, periodic batch and controlled periodic refresh.

A. Periodic refresh

In this rekeying mode the join and leave requests are processed immediately. The join tree TJoin develops as users join the group. The leaving users are allowed to leave the group and their positions in the leave tree are marked as multihomed nodes. The sponsor assumes the additional member role till the rekey period ends. At the rekey interval the join tree is merged into the main tree and all multihomed nodes are removed from the leave tree. The leave tree is updated by moving all the members scheduled to leave in the next rekey period. This is a batch move from Tmain. The periodic refresh algorithm is explained in Algorithm 1.

Algorithm 1 PeriodicRefresh(TJS, TLS, MinTri, MaxTri)
1: Initialise join rekey period TriJoin to join secrecy tolerance time TJS and leave rekey period TriLeave to leave secrecy tolerance time TLS.
2: Initialise main counter MC = 0.
3: Compare TriJoin and TriLeave and assign the smaller value to rekey period Tri
4: Make sure that rekey period is not less than minimum rekey period MinTri and not more than maximum rekey period MaxTri.
5: if join request is received and main counter is off then
6:    start main counter and call join procedure Join(Tjoin, M).
7: end if
8: if leave request is received and main counter is off then
9:    start main counter and call leave procedure Leave(M).
10: end if
11: If main counter reached rekey period Tri then perform rekeying operation Rekey() and reset counters ResetTimers().

MinTri and MaxTri are the minimum and maximum values a rekey period can have. The rekey interval is decided on the minimum of the two tolerance times. In this mode of rekeying we have one rekey interval, and because of that, if the maximum of the two criteria is used then it will violate the application requirement. Main counter MC is used to count the time elapsed from the last rekey. If a join request is received during the rekey interval then it calls the Join procedure after turning on the main counter. A single member join event is handled by procedure Join. It allows the member to join the group by adding it to the join tree if the join tree exists, or it creates the join tree with a single member. The member gives the blinded key when it requests the join. The IGDH operation is performed between the ACA tree and the single member join tree if the join tree is empty before member m joins. An additional IGDH operation is performed between the join tree root and joining member m if the join tree exists. The rekeying cost is at most two rounds of IGDH when a join tree exists; otherwise it requires only one round of IGDH. Procedure Join and Figure 8 explain the single join operation. The communication cost is twice the cost of IGDH, that is 4CMcast. The computation cost is (n + 3)Ccomp.

[Fig. 8. Single Join: M9 and then M10 join an ML tree holding M1 ... M8.]

Join(Tjoin, M)
1: if Tjoin = NULL then
2:    create a new join tree TJoin with only one new member M
3:    T = IGDH(Taca, Tjoin)
4: else
5:    Tjoin = IGDH(Tjoin, M)
6:    T = IGDH(Taca, Tjoin)
7: end if

Similarly, when a leave request is received it starts the main counter if that has not been done before and then calls the Leave procedure. The following procedure Leave explains the single member leave protocol. We introduce the concept of multihoming. It allows the leave sponsor to simultaneously occupy more than one member position. When an existing member leaves the group, the sponsor assumes an additional position, changes a secret share, rekeys the relevant nodes and sends the blinded key to the group. The rightmost non multihomed node member under the subtree rooted at the sibling of the leave node is the leave sponsor. At the rekey interval all the multihomed nodes will be removed from the leave tree.

Leave(M)
1: if M is a sponsor then
2:    The rightmost non multihomed node member under the subtree rooted at the sibling of the parent of the leave node is the new sponsor
3:    Sponsor Ms takes the additional position at all the nodes belonging to M and changes the share
4:    rekey key nodes and multicast blinded keys to group.
5: else
6:    sponsor Ms takes the additional position at the node M and changes the share
7:    rekey key nodes and multicast blinded keys to group.
8: end if

The procedure Leave first checks if the leaving node is a sponsor itself. If it is, then a new sponsor is decided and the sponsor node takes the additional position at all the nodes belonging to the earlier sponsor, rekeys the key nodes and multicasts new blinded keys to the group. Otherwise the current sponsor takes the additional position for the leaving node and changes the share. Then it rekeys the key nodes and multicasts new blinded keys to the group. The periodic refresh algorithm then checks if the main counter value is greater than or equal to rekey period Tri. If it is, then it performs the rekey operation and resets the main counter.

Rekey()
1: Remove all multi home nodes from leave tree Tleave
2: Make a leave tree Tleave by moving all the members scheduled to leave in next rekey period. This is a batch move from Tmain
3: Tmain = combine(partition(Tmain) ∪ partition(Tjoin));
4: Tml = IGDH(Tmain, Tleave)
5: Taca = Tml
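Rekey() steps 3 to 5, built from the Partition, Combine and IGDH procedures of Section IV-D, as an added Python example that is not code from the paper. The group parameters P and ALPHA, the Node class, group_key_seen_by and the 11-member sample trees are assumptions made for the demonstration; sponsor election, multicast and share refresh are left out.

```python
import secrets

# Toy Diffie-Hellman parameters constructed for this demo (assumption, not from
# the paper): p is the Mersenne prime 2^127 - 1, alpha = 3. Not a vetted group.
P = 2**127 - 1
ALPHA = 3

def blind(k):
    """B(K) = alpha^K mod p, the blinded key that may be multicast."""
    return pow(ALPHA, k, P)

class Node:
    """Key tree node. A leaf holds a member's secret share; an inner node holds
    the two-party DH key of its children, K = B(K_left)^K_right mod p."""
    def __init__(self, left=None, right=None, name=None):
        self.left, self.right, self.name, self.parent = left, right, name, None
        if left is None:
            self.key, self.size, self.height = secrets.randbelow(P - 3) + 2, 1, 0
        else:
            left.parent = right.parent = self
            self.key = pow(blind(left.key), right.key, P)
            self.size = left.size + right.size
            self.height = 1 + max(left.height, right.height)

def igdh(ta, tb):
    """IGDH(Ta, Tb): new root with TLeft = Ta, TRight = Tb and key Kab."""
    return Node(ta, tb)

def is_full(t):
    """A tree whose inner nodes all have two children is fully balanced iff size = 2^height."""
    return t.size == 2 ** t.height

def partition(t):
    """Partition(T): cut T into its maximal fully balanced subtrees (local, no messages)."""
    if t is None:
        return []
    if is_full(t):
        t.parent = None              # detach from the old tree
        return [t]
    return partition(t.left) + partition(t.right)

def combine(trees):
    """Combine(T1..Tk): pair equal-size trees first, then fold the rest smallest-first."""
    trees = sorted(trees, key=lambda t: -t.size)    # lower index = larger tree
    while True:
        i = next((i for i in range(len(trees) - 1)
                  if trees[i].size == trees[i + 1].size), None)
        if i is None:
            break
        merged = igdh(trees[i], trees[i + 1])
        del trees[i:i + 2]
        trees.append(merged)
        trees.sort(key=lambda t: -t.size)           # reindex
    while len(trees) >= 2:
        tk = trees.pop()
        trees[-1] = igdh(trees[-1], tk)
    return trees[0] if trees else None

def rekey(t_main, t_join, t_leave):
    """Rekey() steps 3-5: rebuild the main tree, then attach the leave tree."""
    t_main = combine(partition(t_main) + partition(t_join))
    return igdh(t_main, t_leave) if t_leave is not None else t_main

def group_key_seen_by(leaf):
    """What one member derives from its own share and the blinded keys on its co path."""
    k, node = leaf.key, leaf
    while node.parent is not None:
        par = node.parent
        sibling = par.right if par.left is node else par.left
        k = pow(blind(sibling.key), k, P)
        node = par
    return k

def build_demo():
    """Constructed sample: 6-member main tree (4 + 2), 3-member join tree, 2-member leave tree."""
    m = [Node(name=f"M{i}") for i in range(1, 12)]
    t_main = Node(Node(Node(m[0], m[1]), Node(m[2], m[3])), Node(m[4], m[5]))
    t_join = Node(Node(m[6], m[7]), m[8])
    t_leave = Node(m[9], m[10])
    return t_main, t_join, t_leave, m

if __name__ == "__main__":
    t_main, t_join, t_leave, members = build_demo()
    print("balanced pieces:", [t.size for t in partition(t_main) + partition(t_join)])
    aca = rekey(t_main, t_join, t_leave)
    print("ACA tree size:", aca.size, "height:", aca.height)
    print("all members agree:", all(group_key_seen_by(x) == aca.key for x in members))
```

Existing subtree keys are reused when the pieces are merged, which is the reason the paper gives for Combine being cheaper than rebuilding the tree from its leaves.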

The function Rekey first removes all multi home nodes from the leave tree and makes a leave tree. The leave tree has the members which are scheduled to leave in the next rekey period; it is made by moving all those members in a batch move from the main tree. It then partitions main and leave tree and constructs the main tree. Then the ACA tree is constructed by calculating a group key for the two subgroups represented by the main tree and the leave tree.

B. Periodic batch join

In periodic batch join mode the leave request is processed immediately and join requests are processed in a batch. The join tree is formed as new members arrive, and the members willing to join the group are added to the join tree. The join tree is merged with the ACA tree at the rekeying time. Membership is awarded only at the rekeying interval. We introduce a background join procedure, BJoin, to build the join tree in the background during the rekey period.

BJoin(Tjoin, M)
T' = Tjoin
if T' = NULL then
   create a new join tree TJoin with only one new member M
else
   Tjoin = IGDH(Tjoin, M)
end if

The procedure constructs the join tree and subgroup key for all the members waiting to join the group. The algorithm for this mode differs from periodic refresh in how the join request is processed. Here it calls the BJoin procedure instead of Join.

C. Periodic Batch

In this rekey mode both join and leave requests are processed periodically (Algorithm 2). This mode makes use of the BJoin algorithm to build the join tree in the background during the interval and uses a BLeave algorithm to mark the nodes for which a leave request has been received. The rekeying is performed only at the rekey interval.

Algorithm 2 PeriodicBatch(TJS, TLS, MinTri, MaxTri)
1: Initialise join rekey period TriJoin to join secrecy tolerance time TJS and leave rekey period TriLeave to leave secrecy tolerance time TLS.
2: Initialise main counter MC = 0.
3: Compare TriJoin and TriLeave and assign the smaller value to rekey period Tri
4: Make sure that rekey period is not less than minimum rekey period MinTri and not more than maximum rekey period MaxTri.
5: If join request is received and main counter is off then start main counter and call offline or background join procedure BJoin(Tjoin, M).
6: If leave request is received and main counter is off then start main counter and call offline or background leave procedure BLeave(M).
7: If main counter reached rekey period Tri then perform rekeying operation Rekey() and reset counters ResetTimers().
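The interval rule of Algorithm 2 run over a request trace, as an added Python example that is not from the paper. It shows why Tri is taken as the minimum of the two tolerance times, and measures how long each join or leave waits for its rekey. The trace, the parameter values and the function names are constructed for the illustration, and it assumes the main counter is off after a rekey until the next request arrives.

```python
def clamp(x, lo, hi):
    return max(lo, min(hi, x))

def rekey_period(tjs, tls, min_tri, max_tri, rule=min):
    """Algorithm 2, steps 1-4: derive Tri from the tolerance times, then clamp it.
    rule=min is the paper's choice; rule=max is accepted only to show the failure."""
    return clamp(rule(tjs, tls), min_tri, max_tri)

def periodic_batch(requests, tri):
    """Algorithm 2, steps 5-7. The first request after a rekey starts the main
    counter; when the counter reaches Tri all pending requests are served by one
    Rekey(). A request arriving exactly at the rekey instant opens the next batch.
    Returns (rekey_times, served) with served = [(kind, waiting_time), ...]."""
    rekey_times, served, pending, started = [], [], [], None

    def flush(start, batch):
        due = start + tri
        rekey_times.append(due)
        served.extend((kind, due - t) for t, kind in batch)

    for t, kind in sorted(requests):
        if started is not None and t >= started + tri:
            flush(started, pending)
            pending, started = [], None
        if started is None:
            started = t
        pending.append((t, kind))
    if pending:
        flush(started, pending)
    return rekey_times, served

def violations(served, tjs, tls):
    """Requests that waited longer than their tolerance. For a leave, the wait is
    the time the departed member's share was still part of the group key."""
    limit = {"join": tjs, "leave": tls}
    return [(kind, wait) for kind, wait in served if wait > limit[kind]]

# Constructed request trace: (arrival time, kind). Not data from the paper.
TRACE = [(0, "join"), (1, "leave"), (3, "join"), (9, "leave"), (10, "join"), (18, "leave")]
TJS, TLS, MIN_TRI, MAX_TRI = 8, 3, 1, 20    # assumed application class parameters

def compare():
    """Run the trace with Tri = min(TJS, TLS) and with Tri = max(TJS, TLS)."""
    out = {}
    for name, rule in (("min", min), ("max", max)):
        tri = rekey_period(TJS, TLS, MIN_TRI, MAX_TRI, rule)
        times, served = periodic_batch(TRACE, tri)
        out[name] = (tri, times, violations(served, TJS, TLS))
    return out

if __name__ == "__main__":
    for name, (tri, times, bad) in compare().items():
        print(f"rule={name} Tri={tri} rekeys at {times} violations={bad}")
```

The clamp in step 4 can itself break a tolerance: with MinTri = 5 and TLS = 3 the period becomes 5, so the class parameters should be checked against MinTri before the group is formed.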

D. CPR: Controlled Periodic Refresh

CPR mode enables the tunable group key agreement to adapt to the application class parameters. It mainly considers the leave secrecy tolerance time and the join tolerance time to decide rekey intervals. The periods for join and leave can be different and can be tuned as per the application requirement. The parameters join tolerance time and leave secrecy tolerance time are used to fix these intervals. This mode makes use of the BJoin algorithm to build the join tree in the background during the interval and uses a BLeave algorithm to mark the nodes for which a leave request has been received. The BLeave algorithm simply locates the particular node and sets the flag to indicate the leave request for that member. Algorithm 3 explains the controlled periodic refresh mode. The functions related to counters are listed below.

InitialiseTimers(): off JC, off LC, on MC
ResetTimers(): off JC, off LC, on MC
ResetJTimers(): off JC, off MC
ResetLTimers(): off LC, off MC

The function rekey join combines the join tree with the main tree. It then constructs the ACA tree with the leave tree. The leave tree has the members which are scheduled to leave in the next rekey period. At the rekey interval, rekey leave removes marked nodes from the leave tree, then batch moves all the nodes scheduled to leave in the next rekey period from the main tree to the leave tree and refreshes the main tree. The function rekey first removes all multi home nodes from the leave tree and makes a leave tree as explained above, and then constructs an ACA tree.

Algorithm 3 CPR(TJS, TLS, MinTri, MaxTri)
1: Initialise join rekey period TriJoin to join secrecy tolerance time TJS and leave rekey period TriLeave to leave secrecy tolerance time TLS. Tri to minimum of tolerance times and MaxTri.
2: Initialise counters MC = JC = LC = 0.
3: Calculate rekey periods Tri, TriJoin and TriLeave based on the number of join requests and number of leave requests in the last rekey period, i.e. increase rekey interval Tri by DeltaTri if the number of requests in the last rekey interval is less than the threshold. If more, then decrease Tri.
4: Make sure that rekey periods are not less than minimum rekey period MinTri and not more than maximum rekey period MaxTri. Check for tolerance times.
5: If join request is received and join counter is off then start join counter and call offline or background join procedure BJoin(Tjoin, M).
6: If leave request is received and leave counter is off then start leave counter and call offline or background leave procedure BLeave(M).
7: if join counter value is greater than or equal to join rekey period TriJoin then
8:    if main counter MC is reaching MaxTri or leave counter LC reaching TriLeave then
9:       perform Rekey() operation and ResetTimers()
10:    else
11:       perform RekeyJoin() and ResetJTimers()
12:    end if
13: end if
14: if leave counter value is greater than or equal to leave rekey period TriLeave then
15:    if main counter MC is reaching MaxTri or join counter JC reaching TriJoin then
16:       perform Rekey() operation and ResetTimers()
17:    else
18:       perform RekeyLeave() and ResetLTimers()
19:    end if
20: end if
21: If main counter value is greater than or equal to rekey period Tri then perform rekeying operation Rekey() and reset counters ResetTimers().

RekeyJoin()
1: Tmain = combine(partition(Tmain) U partition(Tjoin));
2: Tml = IGDH(Tmain, Tleave)
3: Taca = Tml

RekeyLeave()
1: Remove marked nodes from leave tree TLeave
2: Batch move all the nodes scheduled to leave in next rekey period to leave tree and refresh main tree.
3: Tml = IGDH(Tmain, Tleave)

E. Periodic batch leave

The join requests are processed immediately, while the leave requests are processed in a batch. The leaving members are moved to the leave tree in the previous rekey interval. At the end of the current rekey interval all of these members are removed by removing the leave tree, which removes the share of all the leaving members. The algorithm for this mode differs from periodic refresh in how the leave request is processed: it calls the Bleave procedure instead of Leave.

VI. PERFORMANCE EVALUATION AND SIMULATION RESULTS

In this section we first look at the performance evaluation of a few procedures. Then we discuss the security properties of the tunable group key agreement algorithm. Finally we discuss the results of the simulation experiment we conducted.

Theoretical analysis shows that for any tree based contributory scheme the lower bound of the worst case cost is log(n) rounds of 2 party DH for join and leave [14]. The delay associated with IGDH is Cmcast + 2Ccomp. The delay associated with combine(T) can be upper bounded by log(n) in all situations. The total communication cost can be upper bounded by 2(k − 1)Cmulticast in all situations. Consider the situation where size(T) = n, so that Size(Ti) = 1 for all i. Then the computation cost can be upper bounded by n(log(n) + 2)Ccomp.

Security properties: Let us first consider join secrecy. When a user wants to join the group it selects a secret share n. It gets the blinded keys on its co-path and can then compute all the secret keys on its key path using its own secret share and the blinded keys on the co-path. So all these secret keys contain the new member's share. Hence the new member cannot derive any previous keys. Leave secrecy is treated similarly. When a member M leaves the group, all the keys on M's key path are updated to remove M's share. So M knows at most all the blinded keys, and using them it cannot derive the future group key.

Simulation results: We have conducted a simulation experiment to test the correctness of the tree structure and the basic algorithms. We have carried out the simulation of periodic refresh, periodic batch and controlled periodic refresh mode. The simulation results are given below in terms of graphs. The group size is A ∗ Ts, where A is the average arrival rate and Ts is the average staying period. Members join the group according to a Poisson process.

Fig. 9. Communication cost: (a) Join, (b) Leave. (Plots of number of messages against group size, with curves for periodic refresh, batch mode and CPR.)

Figure 9(a) compares the number of messages required for a join event in periodic refresh mode, batch mode and CPR mode. It clearly shows that the number of messages required for CPR mode is less than for periodic refresh mode. The batch mode and CPR mode performance is O(1). Similarly, Figure 9(b) depicts the number of messages required for the leave operation in the three modes. In this case CPR mode outperforms the other two modes. In case of refresh there is no significant increase in the number of messages required. The number of exponential operations required for the join operation in all three modes is shown in Figure 10.

Fig. 10. Computation cost. (Plot of the number of exponential operations against group size for join, with curves for periodic refresh, batch mode and CPR.)
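The co-path computation behind the join and leave secrecy argument in the security properties discussion, shown on a plain binary key tree in the style of tree-based group Diffie-Hellman [2]; this is an added illustration, not the paper's ACA tree or IGDH code. The modulus, base, shares, tree shapes and function names are constructed for the example.

```python
# Toy parameters (constructed for the demo): a Mersenne prime modulus and a small
# base. This is not a vetted Diffie-Hellman group and must not be used for real keys.
P, G = 2**127 - 1, 3

def blind(k):
    """Blinded key BK = g^K mod p, the only value published for a node."""
    return pow(G, k, P)

def secret(tree):
    """Secret key of a node; a tree is a leaf share (int) or a (left, right) pair."""
    if isinstance(tree, int):
        return tree
    left, right = tree
    return pow(blind(secret(left)), secret(right), P)   # g^(K_left * K_right)

def copath(tree, share):
    """Blinded keys of the siblings on the way from leaf `share` up to the root."""
    if isinstance(tree, int):
        return [] if tree == share else None
    left, right = tree
    for sub, sibling in ((left, right), (right, left)):
        below = copath(sub, share)
        if below is not None:
            return below + [blind(secret(sibling))]
    return None

def member_key(share, blinded):
    """What one member computes: its own share folded with co-path blinded keys."""
    k = share
    for bk in blinded:
        k = pow(bk, k, P)
    return k

def group_keys(tree, shares):
    """Set of root keys derived independently by each listed member."""
    return {member_key(s, copath(tree, s)) for s in shares}

# Constructed shares for members a, b, c and a joining member d.
a, b, c, d = 1234577, 2345679, 3456791, 4567903
before = ((a, b), c)          # group before the join
joined = ((a, b), (c, d))     # d joins next to c: keys on d's key path change
after_leave = ((a, b), d)     # c leaves: keys on c's key path are recomputed
```

Every member of a given tree derives the same root key from only its own share and published blinded keys, while the root key differs across `before`, `joined` and `after_leave`, which is the property the secrecy argument relies on.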

VII. CONCLUSIONS

In this work we presented and successfully demonstrated that the approach of allowing delays for users joining or leaving the group, which relaxes security constraints to the extent permissible to applications, can be used for tunable group key agreement. The concept of application class awareness is presented in this paper. The novel tree structure enables the group key agreement algorithm to make use of application class parameters to adapt itself using one of the rekeying modes. TGKA also achieves proactive security by refreshing the group key even without membership change events, mainly to limit the amount of available ciphertext encrypted with the same key. The simulation results clearly show that controlled periodic refresh mode outperforms the other two modes. We have implemented tunable group key agreement using the Spread toolkit and are performing various experiments. We are also working on tunable group key agreement middleware and performance analysis of tunable group key agreement in various applications.

REFERENCES

[1] S. Mena, A. Schiper, and P. Wojciechowski, “A step towards a new generation of group communication systems,” in Middleware 2003, 2003.
[2] Y. Kim, A. Perrig, and G. Tsudik, “Tree-based group key agreement,” ACM Transactions on Information and Systems Security, vol. 7, no. 1, pp. 60–96, February 2004.
[3] X. S. Li, Y. R. Yang, M. G. Gouda, and S. S. Lam, “Batch rekeying for secure group communications,” in ACM WWW10, Hong Kong, May 2001.
[4] Y. Kim, A. Perrig, and G. Tsudik, “Simple and fault-tolerant key agreement for dynamic collaborative groups,” in ACM CCS’00, Athens, Greece, November 2000.
[5] E. Bresson, O. Chevassut, D. Pointcheval, and J.-J. Quisquater, “Provably authenticated group Diffie-Hellman key exchange,” in ACM CCS’01, Philadelphia, Pennsylvania, USA, November 2001.
[6] A. M. Eskicioglu, “Multimedia security in group communications: Recent progress in key management, authentication, and watermarking,” ACM Multimedia Systems Journal, Special issue on Multimedia Security, September 2003.
[7] S. Rafaeli and D. Hutchison, “A survey of key management for secure group communication,” ACM Computing Surveys, vol. 35, no. 3, pp. 309–329, September 2003.
[8] S. Rahul and R. Hanshah, “An efficient distributed group key management algorithm,” in Proceedings of the 10th International Conference on Parallel and Distributed Systems (ICPADS 2004), Newport Beach, California, USA, July 2004.
[9] Y. Amir, Y. Kim, J. Schultz, J. Stanton, and G. Tsudik, “Secure group communication using robust contributory key agreement,” IEEE Transactions on Parallel and Distributed Systems, pp. 468–480, May 2004.
[10] Y. Amir, Y. Kim, and G. Tsudik, “On the performance of group key agreement protocols,” ACM Transactions on Information and Systems Security, vol. 7, no. 3, pp. 457–488, August 2004.
[11] K. Almeroth and M. Ammar, “Collection and modelling of the join leave behavior of multicast group members in mbone,” in High Performance Distributed Computing Workshop (HPDC 96), Syracuse, New York, USA, August 1996.
[12] Y. Mao, Y. Sun, M. Wu, and K. Liu, “Dynamic join-exit amortization and scheduling for time efficient group key agreement,” in IEEE INFOCOM, 2004.
[13] M. Onen and R. Molva, “Group rekeying with a customer perspective,” in Tenth International Conference on Parallel and Distributed Systems (ICPADS’04), 2004.
[14] J. Snoeyink, S. Suri, and G. Varghese, “A lower bound for multicast key distribution,” in Computer Networks 47, pp. 429–441, Science Direct, 2005.
[15] W. Yu, Y. Sun, and K. J. R. Liu, “Minimization of rekeying cost for contributory group communications,” in IEEE GLOBECOM, 2005.
[16] W. Yu, Y. Sun, and K. R. Liu, “Optimizing rekeying cost for contributory group key agreement schemes,” in press, 2006.
[17] W. Diffie and M. E. Hellman, “New directions in cryptography,” in IEEE Information Theory Workshop, Lenox, MA, June 1975.
[18] J. H. Cho, I. R. Chen, and M. Eltoweissy, “Optimization of batch rekey interval for secure group communications in wireless networks,” in International Conference on Wireless Networks, Communications and Mobile Computing, 2005.
[19] P. P. C. Lee, J. C. S. Lui, and D. K. Yau, “Distributed collaborative key agreement and authentication protocols for dynamic peer groups,” IEEE/ACM Transactions on Networking, vol. 14, no. 2, April 2006.
[20] D. C. Schmidt, “Middleware for real time and embedded systems,” Communications of the ACM, vol. 45, June 2002.
[21] J. A. Zinky, D. E. Bakken, and R. E. Schantz, “Architectural support for quality of service for CORBA objects,” Theory and Practice of Object Systems, vol. 3, no. 1, 1997.
[22] R. Baldoni, Marchetti, and A. Termini, “Active software replication through a three tier approach,” in 22nd IEEE International Symposium on Reliable Distributed Systems (SRDS02), Osaka, Japan, October 2002.
[23] J. C. Fabre and T. Perennou, “A metaobject architecture for fault tolerant distributed systems: Friends approach,” IEEE Transactions on Computers, vol. 47, no. 1, 1998.
[24] M. A. Marsh and F. B. Schneider, “Codex: A robust and secure secret distribution system,” IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 1, pp. 34–47, January-March 2004.
[25] M. Burmester and Y. Desmedt, “A secure and efficient conference key distribution system,” in Advances in Cryptology - EUROCRYPT’94, 1995.
[26] M. Waldvogel, G. Caronni, N. Weiler, and B. Plattner, “The VersaKey framework: Versatile group key management,” IEEE Journal on Selected Areas in Communications, vol. 17, no. 9, pp. 1614–1631, September 1999.
[27] X. B. Zhang, S. S. Lam, D.-Y. Lee, and Y. R. Yang, “Protocol design for scalable and reliable group rekeying,” IEEE/ACM Transactions on Networking, vol. 11, no. 6, December 2003.
