
Multicast Security Group Key Management Architecture

Multicast Security Group Key Management Architecture draft-ietf-msec-gkmarch-07.txt Internet Security Tobias Engelbrecht Agenda Introduction Requirements of a GKMP Design of the GKMA Rekey Protocol Group Security Association


  1. Multicast Security Group Key Management Architecture draft-ietf-msec-gkmarch-07.txt Internet Security Tobias Engelbrecht

  2. Agenda
     - Introduction
     - Requirements of a GKMP
     - Design of the GKMA
     - Rekey Protocol
     - Group Security Association
     - Security Considerations
     MSEC Group Key Management Architecture

  3. Introduction
     - Defines a common architecture and design for group key-management protocols (GKMP)
     - Examples:
       - video broadcast
       - multicast file transfers

  4. Requirements of a Group Key Management Protocol (GKMP)

  5. Requirements of a GKMP
     - A group key management protocol (GKMP)
       - supports protected communication between members of a secure group
       - helps to ensure that only members of a secure group gain access to group data (by gaining access to group keys) and can authenticate group data.

  6. Requirements of a GKMP
     - Members receive security associations (SA)
     - The group owner may define and enforce group membership, key management, data security and other policies
     - Keys have a predetermined lifetime
     - Key material should be delivered securely to the members of the group

  7. Requirements of a GKMP
     - The key-management protocol should be secure against replay and DoS attacks
     - The protocol should facilitate addition and removal of group members
     - The key management protocol should provide a mechanism to securely recover from a compromise of the key material
     - …

  8. Design of the Group Key Management Architecture (GKMA)

  9. Design of the Group Key Management Architecture (GKMA)
     - The goal of a GKMP is to securely provide the group members with an up-to-date data security association (Data SA)
     - GKMA Protocols
       - De- / Registration Protocol
       - Rekey Protocol

  10. Design of the Group Key Management Architecture (GKMA)
      [Figure: architecture diagram with the labels Policy Infrastructure, Authorization Infrastructure, GCKS, Registration or De-registration Protocol (shown twice), Rekey Protocol (optional), Sender(s), Receiver(s), Data Security Protocol]

  11. Design of the Group Key Management Architecture (GKMA)
      A new member joins the group:
      [Figure: a joining member, the GCKS, and a group of receivers (R), a sender (S) and a sender/receiver (S/R)]

  12. Design of the Group Key Management Architecture (GKMA)
      Registration Protocol (RP)
      - unicast protocol
      - the GCKS and the member authenticate each other
      - supplies the member with information to initialize a Data SA and a Rekey SA
      - RP must ensure that the transfer is done over a Registration SA

  13. Design of the Group Key Management Architecture (GKMA)
      A member leaves the group:
      [Figure: a leaving member, the GCKS, and a group of receivers (R), a sender (S) and a sender/receiver (S/R)]

  14. Design of the Group Key Management Architecture (GKMA)
      Rekey Protocol
      - multicast / unicast protocol from GCKS to members
      - Rekey Messages are protected by the Rekey SA
      - Rekey Messages update or change the Data SA and / or the Rekey SA

  15. Design of the Group Key Management Architecture (GKMA)
      Rekey Protocol
      - Rekey messages are authenticated by
        - Source Authentication
        - Group Based Authentication
      - ensures that all members receive the Rekey information in a timely manner

  16. Design of the Group Key Management Architecture (GKMA)
      - Group keys
        - key encryption keys (KEKs)
        - traffic encryption keys (TEKs)
      - Traffic Protection Keys (TPKs) denote the combination of a TEK and a traffic integrity key
      - Registration and / or Rekey Protocol establish the keys

  17. Design of the Group Key Management Architecture (GKMA)
      GCKS (Group Controller / Key Server)
      - creates KEKs and TPKs
      - performs authentication and authorization according to the group policy
      - MAY present a credential to the group members signed by the group owner
      - runs the Rekey protocol to push Rekey messages

  18. Rekey Protocol

  19. Rekey Protocol
      Properties
      - to ensure that all members receive the rekey information in a timely manner
      - mechanism to re-sync keys
      - avoid implosion problems

  20. Rekey Protocol
      Transport & Protection
      - encrypted with the Group KEK
      - authentication with MAC or digital signature
      - sequence numbers protect against replay attacks
      - reliable transport

  21. Rekey Protocol
      Implosion
      - Reasons
        - all members contact the GCKS at the same time
        - packet loss (feedback implosion)
      - Solutions
        - a member waits before sending an out-of-sync or feedback message
        - a member contacts another server

  22. Group Security Association (GSA)

  23. Group Security Association (GSA)
      - consists of the Registration SA, Rekey SA (optional) and Data SA
      - WITHOUT Rekey SA
        - Registration Protocol initializes and updates one or more Data SA
      - WITH Rekey SA
        - Registration Protocol initializes the Rekey SA
        - Data SA is initialized by the Rekey Protocol

  24. Group Security Association (GSA)
      Contents of the Rekey SA
      - Policy
      - Group Identity
      - Key encryption keys
      - Authentication Key
      - Replay Protection
      - Security Parameter Index (SPI)

  25. Group Security Association (GSA)
      Contents of the Data SA
      - Group Identity
      - Source Identity
      - Traffic Protection Keys
      - Sequence Numbers
      - Security Parameter Index (SPI)
      - Data SA Policy

  26. Security Considerations

  27. Security Considerations
      - authenticated key exchange techniques limit the effects of man-in-the-middle and connection-hijacking attacks
      - sequence numbers and low-computation message authentication techniques can be effective against replay and reflection attacks
      - cookies can reduce the effects of denial of service attacks

  28. Security Considerations
      - sharing of secrets among a group of members can cause problems
      - the Registration protocol should be as good as the base protocol on which it is developed
      - the Rekey protocol is new and has unknown risks associated with it

  29. Thanks for your attention
      Questions?
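
The rekey-message protections from slide 20 (MAC, sequence numbers) applied with the Rekey SA fields from slide 24, as an added Python example that is not part of the original slides or the draft. It shows a member-side check using group-based authentication with a shared HMAC key; the message layout (32-bit SPI, 64-bit sequence number, payload, HMAC-SHA-256 tag) and all names are assumptions, and the payload stands in for key material already encrypted under the group KEK.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!IQ")  # assumed layout: 32-bit SPI, 64-bit sequence number
TAG_LEN = 32                   # HMAC-SHA-256 output size

@dataclass
class RekeySA:
    """Member-side state; fields follow the Rekey SA contents on slide 24."""
    spi: int
    auth_key: bytes
    last_seq: int = 0          # replay protection: highest sequence number accepted

def build_rekey(spi: int, auth_key: bytes, seq: int, enc_keys: bytes) -> bytes:
    """GCKS side: header || KEK-encrypted key material || MAC over both."""
    body = HEADER.pack(spi, seq) + enc_keys
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()

def accept_rekey(sa: RekeySA, msg: bytes) -> bytes:
    """Member side: return the still-encrypted key material or raise ValueError."""
    if len(msg) < HEADER.size + TAG_LEN:
        raise ValueError("truncated")
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    spi, seq = HEADER.unpack_from(body)
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    # The SPI only selects the SA; nothing else is trusted before the MAC verifies.
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    # Only an authenticated message may advance the replay counter.
    # Gaps are allowed (lost multicast packets); going backwards is not.
    if seq <= sa.last_seq:
        raise ValueError("replay")
    sa.last_seq = seq
    return body[HEADER.size:]

if __name__ == "__main__":
    key = bytes(range(32))     # constructed demo key
    sa = RekeySA(spi=0x1001, auth_key=key)
    msg = build_rekey(0x1001, key, 1, b"<KEK-encrypted TEK>")  # constructed payload
    print(accept_rekey(sa, msg))
    try:
        accept_rekey(sa, msg)  # same message delivered again
    except ValueError as err:
        print("rejected:", err)
```

With a shared MAC key any group member can produce a valid tag, which is why slide 15 lists source authentication (for example a digital signature by the GCKS) as the alternative.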
