First the notations:

GC - Group Controller - the centralized entity that manages the group key

GM - Group Member - a participant who wants to obtains the group key

K - the group key, it is also called DEK (Data Encryption Key) and is used to encrypt broadcast messages to the group.

KEK - Key Encryption Key - a key used to encrypt K.

Each GM in the group is assiged an identifier, ID. ID is an

*n*-bit binary number which is denoted as

*X*, where

_{n-1}X_{n-2}...X_{0}*X*is either

_{i}*0*or

*1*. The maximum size of the group

*N*=

*2*.

^{n}GC maintains

*2n*KEKs, {

*k*}. That is for each bit position, there are two keys, one for

_{i,b}| i ∈ Z_{n}, b ∈ Z_{2}*0*and one for

*1*.

Each GM is given

*n + 1*keys. Half of the KEKs (i.e.

*n*) which correspond to the

*n*bits in its ID and K.

**Join**:

Let's assume that the ID of the joing GM is

*X*. In order to provide backward secrecy (i.e. not allow the joining GM to access previous keys), we need to update K and

_{n-1}X_{n-2}...X_{0}*n*KEKs {

*k*} corresponding to this ID. New K and KEKs are encrtypted with their old K and KEKs respectively and broadcast to the group. GC gives the new K and KEKs to the joining GC though a secure private communication channel.

_{i,Xi}| i ∈ Z_{n}**Leave**:

Let's assume that the ID of the leaving GM is

*X*. In order to provide to provide forward secrecy (i.e. not allowing the leaving GM to access new keys), again K and the

_{n-1}X_{n-2}...X_{0}*n*KEKs held by the leaving GM are updated.

However, we need to use a different approach to update the keys since we cannot reuse the old keys to do the job. GC decides a new group key K' and encrypts with the remaining

*n*keys that the leaving GM does not possess and broadcasts the encrypted messages. An existing group member can decrypt at least one of those messages and obtain the new group key K'. Then GC encrypts each new KEK corresponding to those of the leaving GM twice. First GC encrypts with K' and then encrypts with the old KEK, and then broadcast to the group. It make sure only the existing users can access new KEKs who already had old KEKs. Notice that the leaving GM cannot access since it does not have K' to remove one layer of encryption.

There are proposals for optimizing for multiple leaves. In one work, the use Boolean function minimization techniques to reduce the complexity.

Collusion attacks:

When multiple users are removed at once, the FT key management approach is not resistant to collusion attacks.

References:

Waldvogel et. al. The VersaKey framework: versatile group key management, 1999

Chang et. al. Key management for secure internet multicast using Boolean function minimization techniques, INFOCOM 1999

## No comments:

Post a Comment