![Page 1: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/1.jpg)
Multicast Security
May 10, 2004
Sam Irvine
Andy Nguyen
![Page 2: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/2.jpg)
Multicast Overview
• Bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of recipients (multicast group)
• Applications include video-conferencing, streaming audio, sending out stock quotes, etc.
• Scalable reliability, flow control, congestion control, security are all active areas of research
![Page 3: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/3.jpg)
Security Objectives
• Usual suspects:– Authentication
• How do we authenticate members within the multicast group?
– Confidentiality– Integrity– Exclusivity
![Page 4: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/4.jpg)
Multicast Security
• Inherently more susceptible to attack– Many more opportunities and points for
interception of traffic and attacks– Attacks affect many systems– Usually multicast address is well-known– Possible for attacker to pose as one of the
many possible systems in the multicast group
• Solutions must be scalable and address the dynamic nature of membership
![Page 5: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/5.jpg)
Unicast versus Multicast Security
• Security association defines a set of keying material in order to setup a secure link between two systems in a unicast protocol– Membership remains static throughout the
session
• In multicast, the security association is among many people– Membership is dynamic throughout the
session
![Page 6: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/6.jpg)
Dynamic Membership
• Must ensure that a member is only allowed to participate when it is authorized to do so
• New members must not be able to access old multicast data (joins)
• Old members must not be able to access new multicast data (leaves)
• Multicast security protocol must be prepared to change the keying material on each and every join to insure integrity
• How do we do key management for dynamic security associations?
![Page 7: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/7.jpg)
Key management solutions
• Centralized group key management protocols
• Decentralized Architectures– Management divided into subgroups
• Distributed Key Management protocols– No explicit key distribution center, members
themselves handle key generation
![Page 8: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/8.jpg)
Centralized Key Management Example
• Canetti et al. use one way function trees in conjunction with pseudo-random generators
• Each user holds log(n+1) keys
• Issuing a new keys takes log(n) sends
![Page 9: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/9.jpg)
Group Creation
k
k1
k01
k0
k10 k11k00
u1 u2 u3 u4
{k00,k01,k0,k10,k11,k1,k}
{k,k0,k00,k01}
{k,k0,k00} {k,k0,k01}{k,k1,k10}
{k,k1,k10,k01}
{k,k1,k11}
k is the shared key
![Page 10: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/10.jpg)
k
k1
k01
k0
k10 k11k00
u1 u2 u3 u4
Revoke u1's access
k is the shared key for the multicast group
![Page 11: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/11.jpg)
Revoke u1's access
k
k1
k01
k0
k10 k11k00
u1 u2 u3 u4
Generate k', k0'
![Page 12: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/12.jpg)
Revoke u1's access
k
k1
k01
k0
k10 k11k00
u1 u2 u3 u4
{k'}:k1
![Page 13: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/13.jpg)
Revoke u1's access
k
k1
k01
k0
k10 k11k00
u1 u2 u3 u4
{k'}:k1
![Page 14: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/14.jpg)
Revoke u1's access
k
k1
k01
k0
k10 k11k00
u1 u2 u3 u4
{k', k0'}:k01
![Page 15: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/15.jpg)
Revoke u1's access
k
k1
k01
k0
k10 k11k00
u1 u2 u3 u4
{k', k0'}:k01
![Page 16: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/16.jpg)
Decentralized Architectures Example
• Iolus– Splits a large group into small subgroups– Group Security Controller at the top, Group
security intermediaries manage subgroups– In order to update key for leaves, must send
out new key encrypted with everyone’s secret key. Size of message is O(n)
– Data path affected when sending out data (Translating data between groups)
![Page 17: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/17.jpg)
Distributed key management
• Group Diffie-Hellman Key Exchange– N rounds, single key
• Distributed Logical Key Hierarchy– log(n) rounds– log(n) keys
![Page 18: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/18.jpg)
Distributed Logical Key Hierarchy
m2 m3 m4m1
m1 and m2 agree on key k12
m3 and m4 agree on key k34
![Page 19: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/19.jpg)
Key (12),(34)
m2 m3 m4m1
(m1,m2) and (m3,m4) agree on key k (12),(34)
k12 k34
![Page 20: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/20.jpg)
• Digital Signatures– RSA,DSA, Elliptic Curve– Very expensive to compute for each message
• Message Authentication Codes (MAC)– Given a shared key K, a positive integer L and
a one way function F• Compute F
L(K + message), where
• F0(X) = F(X)
• FL(X) = F(F
L-1(X))
Message authentication
![Page 21: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/21.jpg)
Message authentication
• MAC exclusivity– If all receivers have the MAC key, than any
receiver can fake a message
• Solution– Generate a set of m keys– Distribute n < m of the keys randomly to each
receiver– Sender knows all m keys
![Page 22: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/22.jpg)
Message authentication
• Solution (cont)– Sender computes m MACs and sends them
with the message– Receivers verify the MAC for each of their
known n keys– Senders cannot independently create all m
MACs without collusion– Randomness prevents intentional collusion
![Page 23: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/23.jpg)
Message authentication
• Sets of keys can reduce MAC length overhead– Use previous scheme with 1 alteration: MACs
map to a single bit– Can arbitrarily forge a MAC with 1/2m
probability– Receivers can forge a MAC with 1/(2m-n)
probability
![Page 24: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/24.jpg)
What haven't we talked about
• Routing table security– Unauthenticated clients cannot change the
routing topology– Can legitimate clients affect routing tables?
![Page 25: Multicast Security May 10, 2004 Sam Irvine Andy Nguyen](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d5d5503460f94a3cd46/html5/thumbnails/25.jpg)
Differing multicast requirements
• 1-N multicasting– 1 Sender, N receivers
• M-N multicast– M senders transmit to N receivers
• N-N full duplex communication– Any member can communicate to any other
member