
Secure Group Communication Related Issues Presenter: Haiyan Cheng - PowerPoint PPT Presentation



  1. Secure Group Communication Related Issues
     Presenter: Haiyan Cheng
     CS 6204, Spring 2005

  2. Outlines
     ♦ Addresses relevant security issues for IP multicast network
     ♦ Investigates steps to create secure multicast sessions
       – Group membership
       – Key distribution
     ♦ Establishes criteria to evaluate multicast keying architectures.

  3. Characteristics of Multicast
     ♦ Efficient data distribution
     ♦ Dynamic group membership
     ♦ Vulnerable to attack

  4. Security Services for Multicast
     ♦ Defining multicast by Access Control during registration
     ♦ Key management

  5. Threats to Multicast Communications
     ♦ Eavesdropping
     ♦ Unauthorized creation of data
     ♦ Unauthorized alteration of data
     ♦ Unauthorized destruction of data
     ♦ Denial of service
     ♦ Illegal use of data

  6. Fundamental Security Services
     ♦ Authentication—Assure host identity (only authorized hosts are permitted to join the secure group)
     ♦ Integrity—Assure traffic not altered
     ♦ Confidentiality—Assure information confidentiality
       – Encryption
       – Limiting the routing of session IP datagrams

  7. Implementation Details
     ♦ Initiator defines session requirements
     ♦ Initiator announces requirements to potential participants
       – Advertisement with SAP (Session Announcement Protocol)
       – Invitation with SIP (Session Initiation Protocol)

  8. Implementation Details
     ♦ Type of cryptographic algorithm
     ♦ Length of a crypto-period
     ♦ Key length
     ♦ Type of authentication mechanism used
     ♦ Other security related information describing the implementation details of a particular secure session

  9. Key Management Issues
     ♦ Key management
     ♦ Key distribution
     ♦ Access control for key material

  10. Secure Multicast Process
      1. Identify need for a secure session
      2. Initiator defines the parameters
      3. Initiator determines whether an assistant is required to perform the participant registration or key distribution functions.
      4. Announce session description to potential participants
      5. Potential participants register for the secure session
      6. Necessary maintenance operations can be performed during the course of a secure session.

  11. Secure Multicast Criteria

  12. Key Distribution Architectures
      ♦ Manual Key Distribution
      ♦ Pairwise Keying
      ♦ Hierarchical trees
      ♦ Secure Lock
      ♦ Distributed Registration and Key Distribution (DiRK)

  13. Key Distribution Architectures
      ♦ Manual Key Distribution
        – Key generation and distribution functions reside at a central KDC (Key Distribution Center).
        – Key material must be determined by the initiator in advance.
        – No computational load on individual participants.
        – Not scalable.
        – Slow response to dynamic user entries and exits from the secure multicast group.
        – New key material must be manually distributed to valid participants in case there’s a group key compromise.

  14. Key Distribution Architectures
      ♦ Pairwise Keying
        – CBT (Core Base Tree) architecture (proposed by Ballardie)
          • Initiator creates an Access Control List (ACL) and SA (Security Association)
          • ACL and SA are passed to the core
          • Core creates Group Traffic Encryption Key (GTEK) and Group Key-encryption-keys (GKEK)
          • Core distributes ACL, GTEK, GKEK to secondary routers.
          • Internet Security Association and Key Management Protocol (ISAKMP) is used to distribute keys between group members and the trusted routers. (guarantees the uniqueness of the session key between two entities.)

  15. Key Distribution Architectures
      ♦ Hierarchical Trees
        – A hierarchical tree of key-encryption-keys is created.
        – Participants store all keys within the tree between themselves and the root
        – Efficient removal of participant
        – Scalable

  16. Key Distribution Architectures
      ♦ Secure Lock
        – Use Chinese Remainder Theorem (CRT) to generate lock.
        – The lock is transmitted with each encrypted message.
        – Only users in the secure group can “unlock” the session key.
        – Flexible towards the dynamic addition and deletion of a group participant.
        – Not scalable for large group

  17. Key Distribution Architectures
      ♦ Distributed Registration and Key Distribution (DiRK)
        – A key distribution protocol designed for application over MBONE.
        – Active participants can help with registration and key distribution.
        – Hosts send a registration request to join the session
        – Any active participant can respond.
        – Efficient due to the distributive nature
        – Highly scalable

  18. Key Distribution Architectures Comparison
      ♦ Manual Key Distribution—slow
      ♦ Pairwise Keying—linear efficiency for initial key and rekey
      ♦ Hierarchical trees—linear efficiency for initial key and logarithmic rekey
      ♦ Secure Lock—linear efficiency for initial key and constant rekey
      ♦ Distributed Registration and Key Distribution (DiRK)—distributive linear efficiency for initial key and rekey (trust is a problem)

  19. Future Works
      ♦ Security application should be transparent to users.
      ♦ Should work efficiently with other required protocols.
      ♦ Focus on achieving a truly integrated security solution that functions together with non-security functions and existing multicast protocols.
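
Added example, not from the slides: the hierarchical key tree of slide 15 and the logarithmic rekey cost listed on slide 18, modelled structurally for a member leaving the group. The heap-style node numbering and all function names are assumptions made for this example, and no real encryption is performed; each message is recorded as (replaced key, key it is wrapped under).

```python
def path_to_root(leaf: int) -> list[int]:
    """Keys a participant stores: its leaf key and every ancestor up to node 1.

    Assumed layout: binary tree, node 1 is the group key, leaves are n..2n-1.
    """
    nodes = []
    while leaf >= 1:
        nodes.append(leaf)
        leaf //= 2
    return nodes


def rekey_on_leave(leaving_leaf: int) -> list[tuple[int, int]]:
    """Rekey messages as (replaced_node, wrapping_node), ordered bottom-up.

    Every key the departed member held above its leaf is replaced. Each new
    key is wrapped under both child keys, except the departed member's leaf.
    """
    msgs = []
    node = leaving_leaf // 2
    while node >= 1:
        for child in (2 * node, 2 * node + 1):
            if child != leaving_leaf:
                msgs.append((node, child))
        node //= 2
    return msgs


def learns_group_key(leaf: int, leaving_leaf: int) -> bool:
    """True if the holder of `leaf` can unwrap its way to the new root key."""
    replaced = set(path_to_root(leaving_leaf)[1:])
    usable = set(path_to_root(leaf)) - replaced   # keys that are still valid
    for node, wrapping in rekey_on_leave(leaving_leaf):
        if wrapping in usable:                    # can decrypt this message
            usable.add(node)
    return 1 in usable


if __name__ == "__main__":
    for n in (8, 1024, 2**20):
        msgs = len(rekey_on_leave(n))             # leaf n is the first leaf
        print(f"n={n}: keys per member={len(path_to_root(n))}, "
              f"tree rekey messages={msgs}, pairwise rekey messages={n - 1}")
    print("remaining members recover key:",
          all(learns_group_key(leaf, 8) for leaf in range(9, 16)))
    print("departed member recovers key:", learns_group_key(8, 8))
```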
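
Added example, not from the slides: the Secure Lock idea of slide 16, where one CRT-built lock carries the session key to every current member and a removed member is dropped by rebuilding the lock without it. Member names, moduli, the 64-bit key size and the keyed-hash XOR pad (a stand-in for a real cipher) are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from math import gcd, prod

# Constructed toy parameters: public pairwise-coprime moduli (Mersenne primes)
# and one secret per member, shared with the key server.
MODULI = {"alice": 2**89 - 1, "bob": 2**107 - 1, "carol": 2**127 - 1}
SECRETS = {name: secrets.token_bytes(16) for name in MODULI}


def pad(secret: bytes, nonce: bytes) -> int:
    """64-bit keystream word; a stand-in for encrypting under the member key."""
    digest = hmac.new(secret, nonce, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def make_lock(session_key: int, members: list[str], nonce: bytes) -> int:
    """Solve lock = E_i(session_key) (mod N_i) for every listed member."""
    if not 0 <= session_key < 2**64:
        raise ValueError("session key must fit in 64 bits")
    mods = [MODULI[m] for m in members]
    if any(gcd(a, b) != 1 for i, a in enumerate(mods) for b in mods[i + 1:]):
        raise ValueError("moduli must be pairwise coprime")
    big_n = prod(mods)
    lock = 0
    for name, n_i in zip(members, mods):
        r_i = session_key ^ pad(SECRETS[name], nonce)  # < 2**64 < n_i
        m_i = big_n // n_i
        lock += r_i * m_i * pow(m_i, -1, n_i)          # CRT basis term
    return lock % big_n


def unlock(lock: int, name: str, nonce: bytes) -> int:
    """A member reduces the lock by its own modulus, then decrypts."""
    return (lock % MODULI[name]) ^ pad(SECRETS[name], nonce)


if __name__ == "__main__":
    k1, k2 = secrets.randbits(64), secrets.randbits(64)
    lock1 = make_lock(k1, ["alice", "bob", "carol"], b"epoch-1")
    lock2 = make_lock(k2, ["alice", "carol"], b"epoch-2")  # bob removed
    print("all members unlock epoch 1:",
          all(unlock(lock1, m, b"epoch-1") == k1 for m in MODULI))
    print("bob unlocks epoch 2:", unlock(lock2, "bob", b"epoch-2") == k2)
    # The lock grows with the product of the moduli, hence with group size.
    print("lock sizes (bits):", lock1.bit_length(), lock2.bit_length())
```

The lock is bounded by the product of all members' moduli, so its length grows with every participant, which is the scaling limit the slide notes for large groups.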
