Secure Group Communication Related Issues Presenter: Haiyan Cheng - - PowerPoint PPT Presentation

▶

Jul 27, 2023 238 likes •450 views

Secure Group Communication Related Issues Presenter: Haiyan Cheng CS 6204, Spring 2005 1 Outlines Addresses relevant security issues for IP multicast network Investigates steps to create secure multicast sessions Group membership

SLIDE 1

1 CS 6204, Spring 2005

Secure Group Communication Related Issues

Presenter: Haiyan Cheng

SLIDE 2

2 CS 6204, Spring 2005

Outlines

♦ Addresses relevant security issues for IP

multicast network

♦ Investigates steps to create secure multicast

sessions

– Group membership – Key distribution

♦ Establishes a criteria to evaluate multicast

keying architectures.

SLIDE 3

3 CS 6204, Spring 2005

Characteristics of Multicast

♦ Efficient data distribution ♦ Dynamic group membership ♦ Vulnerable to attack

SLIDE 4

4 CS 6204, Spring 2005

Security Services for Multicast

♦ Defining multicast by Access Control

during registration

♦ Key management

SLIDE 5

5 CS 6204, Spring 2005

Threats to Multicast Communications

♦ Eavesdropping ♦ Unauthorized creation of data ♦ Unauthorized alteration of data ♦ Unauthorized destruction of data ♦ Denial of service ♦ Illegal use of data

SLIDE 6

6 CS 6204, Spring 2005

Fundamental Security Services

♦ Authentication—Assure host identity (only

authorized hosts are permitted to join the secure group)

♦ Integrity—Assure traffic not altered ♦ Confidentiality—Assure information

confidentiality

– Encryption – Limiting the routing of session IP datagrams

SLIDE 7

7 CS 6204, Spring 2005

Implementation Details

♦ Initiator defines session requirements ♦ Initiator announces requirements to

potential participants

– Advertisement with SAP (Session Announcement Protocol) – Invitation with SIP (Session Initiation Protocol)

SLIDE 8

8 CS 6204, Spring 2005

Implementation Details

♦ Type of cryptographic algorithm ♦ Length of a crypto-period ♦ Key length ♦ Type of authentication mechanism used ♦ Other security related information

describing the implementation details of a particular secure session

SLIDE 9

9 CS 6204, Spring 2005

Key Management Issues

♦ Key management ♦ Key distribution ♦ Access control for key material

SLIDE 10

10 CS 6204, Spring 2005

Secure Multicast Process

1.

Identify need for a secure session

2.

Initiator defines the parameters

3.

Initiator determines whether assistant is required to perform the participant registration or key distribution functions.

4.

Announce session description to potential participants

5.

Potential participant register for the secure session

6.

Necessary maintenance operation can be performed during the course of a secure session.

SLIDE 11

11 CS 6204, Spring 2005

Secure Multicast Criteria

SLIDE 12

12 CS 6204, Spring 2005

Key Distribution Architectures

♦ Manual Key Distribution ♦ Pairwise Keying ♦ Hierarchical trees ♦ Secure Lock ♦ Distributed Registration and Key

Distribution (DiRK)

SLIDE 13

13 CS 6204, Spring 2005

Key Distribution Architectures

♦ Manual Key Distribution

– Key generation and distribution functions are reside at a central KDC (Key Distribution Center). – Key material must be determined by the initiator in advance. – No computational load on individual participants. – Not scalable. – Slow response to dynamic user entries and exits from the secure multicast group. – New key material must be manually distributed to valid participants in case there’s a group key compromise.

SLIDE 14

14 CS 6204, Spring 2005

Key Distribution Architectures

♦ Pairwise Keying

– CBT (Core Base Tree) architecture (proposed by Ballardie)

Initiator creates an Access Control List (ACL) and SA

(Security Association)

ACL and SA are passed to the core
Core creates Group Traffic Encryption Key (GTEK) and

Group Key-encryption-keys (GKEK)

Core distributes ACL, GTEK, GKEK to secondary routers.
Internet Security Association and Key Management Protocol

(ISAKMP) is used to distribute keys between group members and the trusted routers. (guarantees the uniqueness of the session key between two entities.)

SLIDE 15

15 CS 6204, Spring 2005

Key Distribution Architectures

♦ Hierarchical Trees

– A hierarchical tree of key-encryption-keys is created. – Participants store all keys within the tree between themselves and the root – Efficient removal of participant – Scalable

SLIDE 16

16 CS 6204, Spring 2005

Key Distribution Architectures

♦ Secure Lock

– Use Chinese Remainder Theorem (CRT) to generate lock. – The lock is transmitted with each encrypted message. – Only users in the secure group can “unlock” the session key. – Flexible towards the dynamic addition and deletion of a group participant. – Not scalable for large group

SLIDE 17

17 CS 6204, Spring 2005

Key Distribution Architectures

♦ Distributed Registration and Key Distribution

(DiRK)

– A key distribution protocol designed for application

ver MBONE.

– Active participant can help with registration and key distribution. – Hosts send registration request to request join session – Any active participant can respond. – Efficient due to the distributive nature – Highly scalable

SLIDE 18

18 CS 6204, Spring 2005

Key Distribution Architectures Comparison

♦ Manual Key Distribution— slow ♦ Pairwise Keying—linear efficiency for initial key

and rekey

♦ Hierarchical trees—linear efficiency for initial key

and logarithm rekey

♦ Secure Lock—linear efficiency for initial key and

constant rekey

♦ Distributed Registration and Key Distribution

(DiRK)—distributive linear efficiency for initial key and rekey (trust is a problem)

SLIDE 19

19 CS 6204, Spring 2005

Secure Group Communication Related Issues

Presenter: Haiyan Cheng

Outlines

♦ Addresses relevant security issues for IP

multicast network

♦ Investigates steps to create secure multicast

sessions

– Group membership – Key distribution

♦ Establishes a criteria to evaluate multicast

keying architectures.

Characteristics of Multicast

♦ Efficient data distribution ♦ Dynamic group membership ♦ Vulnerable to attack

Security Services for Multicast

♦ Defining multicast by Access Control

during registration

♦ Key management

Threats to Multicast Communications

♦ Eavesdropping ♦ Unauthorized creation of data ♦ Unauthorized alteration of data ♦ Unauthorized destruction of data ♦ Denial of service ♦ Illegal use of data

Fundamental Security Services

♦ Authentication—Assure host identity (only

authorized hosts are permitted to join the secure group)

♦ Integrity—Assure traffic not altered ♦ Confidentiality—Assure information

confidentiality

– Encryption – Limiting the routing of session IP datagrams

Implementation Details

♦ Initiator defines session requirements ♦ Initiator announces requirements to

potential participants

– Advertisement with SAP (Session Announcement Protocol) – Invitation with SIP (Session Initiation Protocol)

Implementation Details

♦ Type of cryptographic algorithm ♦ Length of a crypto-period ♦ Key length ♦ Type of authentication mechanism used ♦ Other security related information

describing the implementation details of a particular secure session

Key Management Issues

♦ Key management ♦ Key distribution ♦ Access control for key material

Secure Multicast Process

1.

Identify need for a secure session

2.

Initiator defines the parameters

3.

Initiator determines whether assistant is required to perform the participant registration or key distribution functions.

4.

Announce session description to potential participants

5.

Potential participant register for the secure session

6.

Necessary maintenance operation can be performed during the course of a secure session.

Secure Multicast Criteria

Key Distribution Architectures

♦ Manual Key Distribution ♦ Pairwise Keying ♦ Hierarchical trees ♦ Secure Lock ♦ Distributed Registration and Key

Distribution (DiRK)

Key Distribution Architectures

♦ Manual Key Distribution

Key Distribution Architectures

♦ Pairwise Keying

– CBT (Core Base Tree) architecture (proposed by Ballardie)

(Security Association)

Group Key-encryption-keys (GKEK)

(ISAKMP) is used to distribute keys between group members and the trusted routers. (guarantees the uniqueness of the session key between two entities.)

Key Distribution Architectures

♦ Hierarchical Trees

– A hierarchical tree of key-encryption-keys is created. – Participants store all keys within the tree between themselves and the root – Efficient removal of participant – Scalable

Key Distribution Architectures

♦ Secure Lock

– Use Chinese Remainder Theorem (CRT) to generate lock. – The lock is transmitted with each encrypted message. – Only users in the secure group can “unlock” the session key. – Flexible towards the dynamic addition and deletion of a group participant. – Not scalable for large group

Key Distribution Architectures

♦ Distributed Registration and Key Distribution

(DiRK)

– A key distribution protocol designed for application

– Active participant can help with registration and key distribution. – Hosts send registration request to request join session – Any active participant can respond. – Efficient due to the distributive nature – Highly scalable

Key Distribution Architectures Comparison

♦ Manual Key Distribution— slow ♦ Pairwise Keying—linear efficiency for initial key

and rekey

♦ Hierarchical trees—linear efficiency for initial key

and logarithm rekey

♦ Secure Lock—linear efficiency for initial key and

constant rekey

♦ Distributed Registration and Key Distribution

(DiRK)—distributive linear efficiency for initial key and rekey (trust is a problem)

Future Works

♦ Security application should be transparent