military multicast key management-2

Upload: nazcar-pine

Post on 07-Apr-2018


  • 8/3/2019 Military Multicast Key Management-2

    1/19

    MILITARY MULTICAST KEY MANAGEMENT

    Reporters:

    Al Ann Ibanez

    Jeonghwa Yoo

    Roh

    Nazcar Pine

    ABSTRACT

    Today's world is what we call the "Network Centric World"; this is very important in military operations.

    Members of the same group use the same key, but the key must be dynamic.

    KAA is like the key exchange algorithm in IPSec (Oakley). But Oakley is a protocol for P2P; KAA are used for groups.

    Provide security services

    Different from commercial use

    Frequent use of group communication

    The current circuit has difficulty with providing group communications

    VoIP networks have very useful services for multicasting

    Multicast = Communication in group communication in Military Network is converted

    Problem with VoIP: updating the group members dynamically.

    INTRODUCTION

    Multicast is a very efficient and scalable technique for group communication

    IPSec Architecture

    Multicast Group Mapping

    Source Authentication

    Group Access

    Confidentiality

    Group Key Administration (MIKE)

    Single Membership changes when a user wants to leave the group

    Operation is called when user is forced to leave

    A symmetric cryptographic algorithm

    Additive subgroup operation: Group merge

    Subtractive subgroup operation: Group Partition

    Group communication security

    Key Updating/Rekeying Mode: key agreement/Key distribution

    Two modes in Military are needed

    PROPOSED SCHEME

    The key agreement part forces every member to calculate the tree by means of an iterative Diffie Hellman group key exchange.

    In the key distribution mode, a group controller constructs the key tree and spreads the group key in a secure way.

    KEY TREE

    Reduces the expense of group key update

    A Key tree is a tree with

    USER LEAVES

    KEY NODES

    NULL NODES

    USER LEAF

    [Figure: key tree. Root node K1-8; KEY_NODES k123, k456, k78; key leaves k1 to k8 plus N; USER_LEAVES U1 to U8 plus N, where N is a NULL_NODE (KEY_LEAF, NO USER).]

    From the software design point of view, both modes can be based on the C++ class KeyTree{}

    The derived classes AgreeKeyTree{} and DistKeyTree{} implement the special mode functionality needed for key update.

    In order to provide an easily accessible interface to the cryptographic library, the classes are derived a second time.

    KEY DISTRIBUTION (1)

    GC (Group Controller)

    - administration of the key tree

    - management of users

    - spreading of the group key

    - knows the structure of the key tree and all keys.

    User

    - no knowledge about the key tree

    - knows the keys of the path to the root node

    Auxiliary key

    - a key encrypting the exchanged data

    - only known by a subset of the group

    KEY DISTRIBUTION (2)

    For example

    - transmit K1-8 from the GC to the users u1-u3: $\{K_{1-8}\}_{k_{1-3}}$

    - $\{\,\}_{k_j}$: the content of the bracket is encrypted with the key $k_j$

    TREE BASED KEY DISTRIBUTION

    TREE BASED KEY AGREEMENT

    Within groups working with the key agreement algorithm, a transaction manager (TM) exists for the observation of the next key operation.

    Every user can hold the TM status

    Only the TM can refresh the key tree and change the group key

    The key tree can be calculated by each user by an iterative Diffie Hellman key agreement:

    Where kji = kij is the agreed Diffie Hellman value and p a prime number

    In order to explain the algorithm, the join procedure of user u8 is explained.

    A three way handshake is used to transmit the new user's individual blind key BK(u8) to the current TM and authenticate the user.

    A new node is added to the key tree storing the user's individual blind key.

    The tree path from the user to the root becomes invalid.

    By a p3TMDistribute message the group users and the new user are informed about the TM status of the new user u8.

    The p3TMDistribute message contains all blind keys of the tree without the invalid key path.

    u8 confirms the reception of the new role and calculates the tree path by using a Diffie Hellman algorithm several times.

    Afterwards u8 distributes the blind keys BK(k78), BK(k5-8) of the key path by a p3UpdateDistribute message.

    Every user can now calculate the group key

    - u1 calculates kG = k1-4 ∘ BK(k5-8),

    - u5 calculates k5-8 = k56 ∘ BK(k78), kG = k5-8 ∘ BK(k1-4)
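
    The key derivation described on these slides, as an added example that is not code from the presentation. It assumes BK(k) = g^k mod p and that k ∘ BK(k') means BK(k')^k mod p (the usual tree-based Diffie Hellman construction); the parameters P and G, all function names, and the simplification that u8's leaf slot already exists before the join are assumptions.

```python
import secrets

# Demo parameters (assumption, not from the slides): a known prime and small
# generator chosen for brevity; a deployment would use a vetted DH group.
P = 2**255 - 19
G = 2

def bk(k):
    """Blind key BK(k) = G^k mod P; this value may be sent to the group."""
    return pow(G, k, P)

def build(leaf_keys):
    """All key levels, leaves first, root (group key) last. Needs 2^n leaves.
    Used here only to derive the published blind keys."""
    levels = [list(leaf_keys)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # parent key = BK(right)^left mod P, which equals BK(left)^right mod P
        levels.append([pow(bk(cur[i + 1]), cur[i], P)
                       for i in range(0, len(cur), 2)])
    return levels

def blind_tree(leaf_keys):
    """Blind keys of every node except the root."""
    return [[bk(k) for k in lvl] for lvl in build(leaf_keys)[:-1]]

def member_group_key(index, own_key, blinds):
    """Group key as user u(index+1) derives it: own secret + sibling blind keys."""
    k = own_key
    for lvl in blinds:
        k = pow(lvl[index ^ 1], k, P)  # k_parent = k o BK(sibling)
        index //= 2
    return k

def join_demo():
    new_secret = lambda: secrets.randbelow(P - 2) + 1
    keys = [new_secret() for _ in range(8)]            # k1..k8 (constructed)
    before = blind_tree(keys)
    keys_after = keys[:7] + [new_secret()]             # u8 brings a fresh k8
    after = blind_tree(keys_after)
    # Blind keys that changed, as (level, position): the invalidated path
    changed = [(l, i) for l, lvl in enumerate(after)
               for i, b in enumerate(lvl) if b != before[l][i]]
    kg_old = member_group_key(0, keys[0], before)
    kg_new = {u + 1: member_group_key(u, keys_after[u], after) for u in range(8)}
    return changed, kg_old, kg_new
```

    The changed positions returned by join_demo() are BK(k8), BK(k78) and BK(k5-8), the path u8 redistributes; every other blind key, and each user's own secret, stays as it was.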

    CONCLUSION

    The usage of key trees simplifies the implementation of both modes.

    Utilizing information of military groups increases the efficiency of the key update procedure.

    The increased efficiency is obtained by means of batched rekeying and probabilistic key tree construction.

    The usage of key trees produces an optimization for both modes of operation