Internet Engineering Task Force L. Dondeti/Nortel Internet Draft B. Decleene and S. Griffin/TASC draft-dondeti-irtf-smug-gkm-mobility-00.txt T. Hardjono/Verisign July 2001 J. Kurose, D. Towsley, Expires: January 2002 C. Zhang and S. Vasudevan/UMass. Group key management in wireless and mobile environments STATUS OF THIS MEMO This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference mate- rial or to cite them other than as "work in progress". To view the list Internet-Draft Shadow Directories, see http://www.ietf.org/shadow.html. Abstract In this document we consider the problem of key management in a mobile wireless networking environment, such as a dynamic, dis- tributed setting in which command and control nodes move along with individual users. In this scenario, data must be securely multicast from one source to many users, requiring that users be properly keyed. Furthermore, because users move in and out of the session (due to mobility, attrition, and reinforcement), in order to preserve con- fidentiality, it becomes necessary to rekey each time a user enters or leaves. We present a hierarchical framework and key distribution algorithms for such a dynamic environment, with a focus on how keys and trust relationships are transferred when users move between so- called "areas" in the group management hierarchy. We present several schemes including one that rekeys every time a member moves from area to area and one that delays rekeying so long as security is not com- promised. L. Dondeti [Page 1] Internet Draft Mobile group key management Table of Contents 1 Introduction to secure mobile groups 2 Hierarchical group key management 3 Impact of mobility on key management 3.1 Mobile members 3.2 Mobile key distributors 4 Key management to address mobility 4.1 Baseline rekeying 4.2 Immediate rekeying 4.3 Delayed rekeying 5 Summary and future work 6 Authors' contact information 1 Introduction to secure mobile groups Consider secure communication to a group of mobile nodes. The commu- nication could be over wired or wireless networks. Several solutions exist in the literature for secure group key management. A group man- ager distributes a common key used for encryption of data to the sender(s) as well as the members. For several applications, it is necessary that perfect forward and backward access control be main- tained in the group. To achieve perfect forward/backward access con- trol, the group manager sends a new group key at each membership change. There are two types of solutions for scalable rekeying of large groups. One involves maintenance of a logical key hierarchy (LKH) [1,2], while the other calls for a group management hierarchy. A com- bination of the two approaches is probably the best solution for efficient rekeying. When members are mobile, hierarchical group key management (in effect decentralized group key management) works better than centralized group key management used in LKH-based approaches. In hierarchical group management (e.g. Iolus [3] and Intra-domain group key manage- ment [4]), there are several "area key distributors (AKD)" (subgroup managers in Iolus) to manage the group. If the AKDs are geographi- cally distributed, mobile members can get access to new group keys as long as they are "near" to one of the AKDs. L. Dondeti [Page 2] Internet Draft Mobile group key management The notion of members moving between areas or subgroups is new to group key management. We investigate the issues involved in area rekeying when members move between areas. We present several differ- ent rekeying algorithms and analyze their applicability. Note that in some applications, senders must stop data transmission during rekey- ing. Mobile group members may add to the rekeying overhead when they move between areas. We propose algorithms that minimize the time off- line due to rekeying. 2 Hierarchical group key management A common approach for designing a scalable network service is to adopt a hierarchical structure, and a number of recently-proposed key management algorithms have adopted such an approach [3,4]. Broadly, these rekeying algorithms operate by hierarchically dividing the key management domain into smaller administratively scoped areas. The details of hierarchical key management differ from one approach to another, and so in our discussion below we adopt a framework based on [4]. Throughout the domain, a Domain Key Distributor (DKD) generates the data key used by the sender for encrypting data. The DKD may be col- located with the sender or shared throughout the domain by multiple sessions. As discussed previously, whenever a new member joins a cur- rent session or an existing member leaves a session, a new data key must be generated and distributed to ensure both forward and backward confidentiality. The domain is further divided into disjoint areas. An area is unique in that movement within the area does not require any additional sig- naling with regard to rekeying; and the cost of rekeying members when a join/leave occurs is considered reasonable. Areas may be small (such as a fine-grained ad-hoc network) or large (such as a satellite broadcast) depending upon the network topology and operational arrangements. Similarly, an area can be either logically or geograph- ically defined. Within each area, an Area Key Distributor (AKD) is responsible for distributing the data key to members within that area. Because the distribution of the data key within an area must itself be secure, area-local keys are used by the AKD to distribute a new data key to members within the area. Approaches for intra-area rekeying include Public Key Infrastructure (PKI), secure multicast, and logical tree- based algorithms such as [2,1]. From the definition of area, mobility impacts performance only when members cross between areas. Without AKD reassignment, rekeying mes- sages must cross heterogeneous network boundaries resulting in L. Dondeti [Page 3] Internet Draft Mobile group key management additional performance degradation. Consequently, member movement between areas requires a coordinated transfer of the security rela- tionships. Inter-area rekeying algorithms address this problem by introducing specific semantics for transferring between areas. 3 Impact of mobility on key management Mobility complicates key management by allowing members to not only leave or join a session but also transfer between networks while remaining in the session. Since a mobile user may accumulate informa- tion about the local security services for each area he/she visits, the key management system must consider the level of trust to impart to these mobile members and the performance implications should the member leave the session. Furthermore, as a member moves, the net- work latency between the member and the key management services may change and result in additional performance degradation. 3.1 Mobile members The performance of any inter-area rekeying algorithm strongly depends upon the mobility characteristics of the members as well as their join/leave characteristics. Members that remain in the session for long periods of time and are highly mobile are likely to visit many areas. As the number of these high-mobility members increase, the amount of control overhead increases. Approaches that minimize the amount of rekeying when a members moves between areas help address this concern. Fundamentally, inter-area rekeying requires members and/or key dis- tributors to identify when a member is leaving one area and entering a new area. Bind credentials that have been signed by the departing area may be delivered to the member transferring to stream-line his/her authentication onto the new area. Managing these credentials is important to improving performance while ensuring confidentiality. Alternatively, key distributors may coordinate between each other to "hand-off" the member. 3.2 Mobile key distributors Mobility of an AKD or DKD may result in substantial changes in the hierarchical topology. To ensure performance, inter-area rekeying must address the problems of new key distributor nomination/election, member reassignment, and load balancing to ensure that the end-to-end performance is maintained. 4 Key management to address mobility L. Dondeti [Page 4] Internet Draft Mobile group key management In this document, we describe multiple inter-area key distribution algorithms, where members may not only enter/leave the session but may also move between areas. These algorithms are defined below. 4.1 Baseline rekeying A direct approach for handling mobility across areas (called the baseline algorithm) is to treat the movement as a leave from the old area followed by a join to the new area. The member leaving the ses- sion notifies the local AKD, which halts the current data transmis- sion. Next, the local AKD updates the area key for the remaining mem- bers by either securely unicasting to each member using their shared private key, or exploiting a more sophisticated intra-area key proto- col such as LKH [2]. Once this is updated securely, a new data key can be distributed to all areas such that the departing member is excluded. At this point, data transmission resumes. This approach ensures forward confidentiality. During the join, the process is similar. The new member informs the local AKD of its intent to join. Data transmission is halted while a new area key is distributed to the current members (through multi- cast) and the new member (through unicast). Once complete, the new data key is distributed to all of the members and transmission resumes. This approach ensures backward confidentiality. The disadvantage of the baseline algorithm is that data transmission is unnecessarily interrupted twice during a transfer between areas because the system cannot distinguish between a departing member and a member that is simply moving. The result is degraded throughput and additional computational complexity as extra keys are calculated. 4.2 Immediate rekeying The immediate rekeying algorithm extends the baseline algorithm by adding explicit semantics for a hand-off between areas. The member initiates a transfer by notifying the two affected areas. Each area updates the local area keys per their new membership. However, unlike the baseline algorithm, no new data key is generated and the data transmission continues uninterrupted. Note that when a member actually leaves or joins the session, data transmission is inter- rupted as new data and area keys are generated per the baseline algo- rithm described previously. 4.3 Delayed rekeying Both baseline and immediate rekeying algorithms rekey the local areas as soon as a member transfers. As a result, a member that moves rapidly between two areas may cause repeated local rekeying. In L. Dondeti [Page 5] Internet Draft Mobile group key management baseline rekeying mobility of a single member affects all the members in the domain (since the data key changes). Delayed algorithms postpone local rekeying until a particular crite- rion is satisfied. Members moving between multiple areas may accumu- late multiple area keys and reuse these keys when they return to a previously visited area. As always, if a member leaves or joins the session, then the appropriate areas are rekeyed to ensure forward and backward confidentiality. In pure delayed rekeying, each AKD maintains a list of members that have left the area but still hold valid keys for the area. When a member transfers, the area that the member is entering is rekeyed to prevent a member from falsely transferring into an area to get access to the old keys (backward confidentiality). For the departed area, the AKD does not rekey but instead adds the member to the Extra Key Owner List (EKOL). This list is reset whenever a local rekey occurs. When a member returns to an area, it is checked against the EKOL and no new keys are generated if it is on the list. A characteristic of the delayed algorithms is that they defer some of the rekeying until a member departs. In this case, all of the areas that the member has currently valid keys are rekeyed as well to pre- vent unauthorized access. Thus, the impact of member mobility is reduced at the cost of increased leave semantics. One modification of this approach proposed by Chun et. al. [5] allows members who have previously visited an area and are reauthen- ticated to receive the current area key to be added without rekeying of the new area. The benefit of this approach is that the number of keys generated and distributed is substantially reduced. The algo- rithm can be further extended by overlaying periodic rekeying of the areas to prevent any outside member from holding the key beyond a finite period of time. Alternatively, threshold rekeying triggers a rekey of an area whenever any member collects more than a given num- ber of keys. This ensures that no member is able to accumulate all the keys by visiting all of the areas. 5 Summary and future work In this document, we describe group rekeying in the presence of mobile members. We propose that hierarchical group key management works best for managing mobile members of a secure group. We intro- duce several rekeying schemes when members move from one area to another area, while still being member of a group. Our ongoing work includes mathematical analysis of the various rekey- ing schemes to investigate the time off-line and rekeying overhead L. Dondeti [Page 6] Internet Draft Mobile group key management due to mobility. We are currently developing a prototype of the key management framework (KMF) and the rekeying algorithms. Apart from the analysis and implementation of the protocols proposed so far, our focus is on the following topics: o Implications of mobility on SA management o Mobile AKDs When an AKD moves, members within its area may decide to (s)elect a new AKD to manage them. We are currently investigating AKD (s)election algorithms. 6 Bibliography [1] D. Balenson, D. McGrew, and A. Sherman, "Key management for large dynamic groups: One-way function trees and amortized initialization," Internet Draft, Internet Engineering Task Force, Aug. 2000. Work in progress. [2] D. M. Wallner, E. Harder, and R. C. Agee, "Key management for multicast: Issues and architectures," RFC (Informational) 2627, Internet Engineering Task Force, Sept. 1998. [3] S. Mittra, "Iolus: A framework for scalable secure multicasting," in ACM SIGCOMM , (Cannes, France), sep 1997. [4] T. Hardjono, B. Cain, and I. Monga, "Intra-domain group key man- agement protocol," internet draft, Internet Engineering Task Force, Feb. 2000. Work in progress. [5] C. Zhang, B. DeCleene, J. Kurose, and D. Towsley, "Comparison of inter-area rekeying algorithms for secure wireless group communica- tions," tech. rep., June 2001. Submitted for publication. 7 Authors' contact information Lakshminath R. Dondeti Nortel Networks 600 Technology Park Drive Billerica, MA 01821, USA (978) 288-6406 ldondeti@nortelnetworks.com Thomas Hardjono Verisign Inc. L. Dondeti [Page 7] Internet Draft Mobile group key management 401 Edgewater Place, Suite 280 Wakefield, MA 01880, USA thardjono@verisign.com Brian DeCleene Sean Griffin TASC Inc. 55 Walkers Brook Dr. Reading, MA 01867, USA btdecleene@tasc.com Jim Kurose Don Towsley Chun Zhang Sudarshan Vasudevan Computer Science department University of Massachusetts, Amherst, MA {kurose,towsley,czhang,svasu}@cs.umass.edu L. Dondeti [Page 8]