Internet Engineering Task Force Thomas Hardjono INTERNET-DRAFT Brad Cain Indermohan Monga Nortel Networks February 2000 Expires August 2000 Intra-Domain Group Key Management Protocol Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document describes a protocol for intra-domain group key management for IP multicast security, based on the framework of [HCD99]. In order to support multicast groups, the domain is divided into a number of administratively-scoped "areas". A host-member of a multicast group is defined to reside within one (and only one) of these areas. The purpose of placing host-members in areas is to achieve flexible and efficient key management, particularly in the face of the problem of changes (joining, leaving, ejections) in the membership of a multicast group. A separate administratively-scoped area control-group is defined for each (data) multicast group, for the express purpose of key management and other control-message delivery. Hardjono, Cain, Monga [Page 1] Internet Draft Intra-Domain GKM Protocol February 2000 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1 Domains, Areas and Key Distributors . . . . . . . . . . . 4 3.2 Trust Relationships. . . . . . . . . . . . . . . . . . . . 5 3.3 Multicast Groups for Data and Control. . . . . . . . . . . 6 3.4 Keys: Multicast Groups and Control-Multicast Groups. . . . 7 3.5 Control-Multicast Groups: Address Allocation . . . . . . . 8 3.6 Group Security Associations . . . . . . . . . . . . . . . 10 3.7 Secure Channels. . . . . . . . . . . . . . . . . . . . . .11 3.8 Periodic Re-Keying . . . . . . . . . . . . . . . . . . . .11 3.9 Arrangement of Keys in the Domain. . . . . . . . . . . . .12 4. Creation of New Multicast Groups. . . . . . . . . . . . . . . 16 4.1 Initiation of New Internal-Origin Groups . . . . . . . . .16 4.2 Membership to External-Origin Groups. . . . . . . . . . .19 5. Re-Keying Approach . . . . . . . . . . . . . . . . . . . . . .20 5.1 Re-Keying of Multicast Keys . . . . . . . . . . . . . . .20 5.2 Re-Keying of Area Keys . . . . . . . . . . . . . . . . . .21 5.3 Re-Keying of the All-KD-Key. . . . . . . . . . . . . . . .22 6. Hosts Joining a Multicast Group. . . . . . . . . . . . . . . .23 6.1 Joining with Backward Confidentiality . . . . . . .. . . .24 6.2 Joining Without Backward Confidentiality . . . . . . . . .25 7. Host Leaving a Multicast Group . . . . . . . . . . . . . . . .27 8. Reliability in Key Management. . . . . . . . . . . . . . . . .28 9. Packet Formats . . . . . . . . . . . . . . . . . . . . . . . .30 10. References. . . . . . . . . . . . . . . . . . . . . . . . . .30 1. Introduction This document describes a protocol for intra-domain group key management for IP multicast security, based on the framework of [HCD99]. In order to support multicast groups, the domain is divided into a number of administratively-scoped "areas". A host-member of a multicast group is defined to reside within one (and only one) of these areas. The purpose of placing host-members in areas is to achieve flexible and efficient key management, particularly in the face of the problem of changes (joining, leaving, ejections) in the membership of a multicast group. A separate administratively-scoped area control-group is defined for each (data) multicast group, for the express purpose of key management and other control-message delivery. A unique cryptographic key is associated with every (multicast group, control-group) pair in a given area. The control-groups are used for key management, following the re-keying behavior described in [WGL98] and extending it over several key distributor entities. Hardjono, Cain, Monga [Page 2] Internet Draft Intra-Domain GKM Protocol February 2000 2. Background The current document follows from the group key management framework proposal of [HCD99]. The framework of [HCD99] introduces two planes corresponding to the network entities and functions pertaining to multicasting ("network infrastructure plane") and to security ("key management plane"). Within the key management plane two hierarchies (levels) of regions are introduced, namely one "trunk region" (inter-region) and one or more "leaf regions" (intra- region). These regions are defined to have unique group keys and are open to differing (inter-region or intra-region) group key management protocols. The current work introduces an "intra-region" (leaf-region) group key management protocol, where the term "domain" in the current work is taken to mean a single leaf region of [HCD99]. Although in practice one leaf region of [HCD99] can consist on one or more of our current "domains", for simplicity we assume that one leaf region corresponds to one current domain. The definition of a "domain" (leaf) here is viewed more from an administrative perspective, in which the "domain" is administered and controlled by one body. This single-administration perspective is assumed both for multicasting and for key management. The group key management behavior in the current document is inspired by the work of [WGL98] which is based on a centralized server. The current work extends it to cover multiple entities in a distributed fashion. The current document addresses group key management for multicast security. The issue of how a cryptographic key is applied to data in a multicast group is not addressed, although the current document points to IPsec (ESP and AH) [KA98a, KA98b, KA98c] as a foremost candidate, depending on the multicast application type. Although in the document a key is used to "encipher" the multicast data to control access by group members, the intent is clear that authentication-only multicast applications may also employ the current design. The current document seeks to cover both the one-to-many and many- to-many multicast application types. Hence, the protocol has been described is the broadest way possible, without affecting the security of key management in general. Hardjono, Cain, Monga [Page 3] Internet Draft Intra-Domain GKM Protocol February 2000 3. Architecture The current work aims to manage multicast group keys based on well-defined domains. It also distinguishes between multicast groups for the purpose of payload delivery and for the purpose of key management. The current document is concerned with the correct and secure delivery of keys to members of a multicast group. It does not prescribe how a key is to be used on the data being transmitted in the multicast group. The reader is directed to methods such as IPsec ESP [KA98b] for concrete possibilities. |--------------R/TE-------------| | | | DKD DMAAE | | | | ----R---- ----R---- ----R---- | | | | | | | | | | | AKD | | AKD | | AKD | | | | | | | | | | | | R R | | | | m m m | | m m m | | m m m | | | --------- --------- --------- | |_______________________________| Figure 1: Intra-Domain Group Key Management Elements 3.1 Domains, Areas and Key Distributors At the domain-level, a Domain Key Distributor (DKD) entity is defined for the domain for the purpose of key management. In order to support multicast groups, the domain is divided into a number of administratively-scoped "areas" [Mey98]. A host-member of a multicast group is defined to reside within one (and only one) of these areas. The purpose of placing host-members in areas is to achieve flexible and efficient key management, particularly in the face of the problem of changes (joins and leaves) in the membership of a multicast group. At the area level, an Area Key Distributor (AKD) entity is defined for each area for the purpose of key management. Hardjono, Cain, Monga [Page 4] Internet Draft Intra-Domain GKM Protocol February 2000 Depending on the address allocation approach (see Section 3.4), each area may be associated with one Area Multicast Address Allocation Entity (AMAAE), such the MAAS of [HTE98], from which the Area Key Distributor (AKD) of that area obtains area-wide multicast addresses. In addition, at the domain-level, a Domain Multicast Address Allocation Entity (DMAAE) must exist to cater for the domain. Within the domain, all Key Distributors (the DKD and AKDs) are members of the domain-wide administratively-scoped multicast group, called the "All-KD-group", which does not extend beyond the domain and whose membership consists only of Key Distributors. The Domain Key Distributor (DKD) communicates to Area Key Distributors (AKD) either through secure one-to-one (unicast) communications or through the All-KD-group. The All-KD-group is independent of other multicast groups and it exists even when there are no host-members of any multicast group in the domain. The Area Key Distributor (AKD) communicates to host-members residing in its area either through secure one-to-one (unicast) communications or through a special (ie. control) multicast group whose scope is limited to that area. Should a multicast group originate from outside the domain and should its traffic be enciphered under a foreign key, then Translating Entity(s) (TE), such as a border-router(s), must be specified in the domain. In such a case, the Domain Key Distributor (DKD) is assumed to have a copy of the foreign key through other methods (unspecified). The DKD will then supply the Translating Entity(s) with a copy of the foreign key and a copy of a new multicast key to be used on the traffic in the domain. 3.2 Trust Relationships The trust relationship in the current work revolves around the Key Distributors and does not extend beyond the domain. All Key Distributors (DKD and AKDs) are configured and maintained by the human administration in the domain. They must be implemented using the most secure technology available, since they represent the best point-of-attack. All entities trust the Domain Key Distributor (DKD) as the primary source of authentic parameters. The DKD can in fact also take-on the role of a certification authority when the need arises. The public-key of the DKD is well-known to (and/or is configured within) each host and within the Area Key Distributors (AKDs). Hardjono, Cain, Monga [Page 5] Internet Draft Intra-Domain GKM Protocol February 2000 A host residing within an area trusts the Area Key Distributor (AKD) in that area. 3.3 Multicast Groups for Data and Control The current work employs administratively-scoped multicast groups for the purpose of key management. To distinguish these administratively-scoped multicast groups for control (ie. key management) from the multicast group for data, the latter will be referred to as "data multicast groups", "data-groups" or simply "multicast groups". A control-related group will be referred to as "control-multicast group" or simply "control-group". A "control-group" is an administratively-scoped multicast group which is area-wide. It is initiated/owned by the Area Key Distributor (AKD) of an area. The purpose of an area control-group is for key management relating to an associated data-multicast group. An area control-group associated with a data-multicast group exists so long as there are members of the corresponding data-multicast group in the area. Once a data-multicast group ceases to have any members in an area, the Area Key Distributor (AKD) of that area may terminate that corresponding area control-group. A special control-group is the All-KD-group. This is an administratively-scoped multicast group which is domain-wide and consists only of the Domain Key Distributor (DKD) and Area Key Distributors (AKD). It has a fixed address and is initiated/owned by the Domain Key Distributor (DKD). There is only one All-KD-group in a domain, and it is a permanent group, independent of whether any data multicast group members exists in the domain. Unless specifically mentioned, in the remainder of this document all control-groups are area control-groups. Note that once a host (in an area within the domain) becomes a member of a multicast group, it also must become a member of one of the area control-groups of the area within which that host resides. This allows the Area Key Distributor (AKD) to communicate with the host-member through the area control-group. From the perspective of an Area Key Distributor (AKD) of an area, for a multicast group having a host-member in its area, the Key Distributor (AKD) must assign that host-member to one of the area control-groups in that area. Hardjono, Cain, Monga [Page 6] Internet Draft Intra-Domain GKM Protocol February 2000 3.4 Keys: Multicast Groups and Control-Multicast Groups A multicast group is associated with a domain-wide Multicast-Key (MKey). The current work assumes that cryptographic keys are used for the encipherment of the multicast traffic as a method to provide receiver access-control, where only valid members of the multicast group is provided with a copy of the cryptographic key. This is true for data multicast groups and area control-groups. For each multicast group having a member in the domain, a unique Multicast-Key (MKey) is assigned by the Domain Key Distributor (DKD) for that multicast group. A multicast group having a member in an area in the domain is associated with one control-group in the area by the Area Key Distributor (AKD) of that area. All traffic within an area control- group is enciphered in such a way that only the AKD of that area and the intended receivers of the traffic will be able to decipher the traffic. The cryptographic key associated with an area control- group is referred to generally as the Area-Group-Key (AreaGroupKey). An Area-Group-Key is selected by the Area Key Distributor (AKD). The Area-Group-Key (AreaGroupKey) is unique for each (multicast group, control-group) pair. For the special All-KD-group, an All-KD-Key (AllKDKey) is assigned by the Domain Key Distributor (DKD) for the All-KD-group. Here, it is assumed (initially) that all payload related to a multicast group travelling within a domain is encrypted using the Multicast-Key (MKey). Should the sender of the multicast group be located outside the domain, then a "Translating-Entity" (TE), such as the border-router of the domain, must be employed to decrypt the entering traffic (using some inter-domain cryptographic key) and to re-encrypt it using the Multicast-Key (MKey) assigned in the domain to that multicast group. Similarly, the Translating- Entity must "translate" multicast group traffic (sent from a group member in the current domain) when the traffic leaves the domain. The "boot-strapping" process of each multicast group and control- group relies on the establishment of a Security Association (SA) and a shared private-key between a (candidate) member of the group with the Key Distributor (DKD or AKDs) that controls the group. It is through this one-to-one secure channel that the parameters for the groups are then given to host-members by the Area Key Distributor in the case of the multicast group and area control groups, or to the Area Key Distributors (AKDs) by the Domain Key Distributor (DKD) in the case of the All-KD-group. Hardjono, Cain, Monga [Page 7] Internet Draft Intra-Domain GKM Protocol February 2000 3.5 Control-Multicast Groups: Address Allocation Three possible approaches are available with regards to the use of area control-groups (corresponding to a given multicast group) for key management by the Area Key Distributor (AKD): (a) One control-group per area per multicast group: For each multicast group, having members in an area, a separate control-group is created within the area. Each separate area control-group is associated with a different Area-Group-Key. One disadvantage of this approach is the potential lack of multicast addresses within the area. Another disadvantage is the waste of resource related to area-wide multicasting if the area only has very few members of the corresponding multicast group. This approach requires the presence of an Area Multicast Address Allocation Entity (AMAAE) in each area. (b) One control-group per area for all multicast groups: In this approach, for each multicast group, having members in an area, only one control-group is created within the area. Hence, the area control-group is shared among members of different multicast groups. Although there is only one (shared) area control-group, a separate Area-Group-Key is used for each data multicast group. When the AKD wishes to communicate with members of a particular multicast group residing in its area, the AKD will encipher the communications using the appropriate Area-Group-Key. Other non- intended recipients will also receive the enciphered packets, but will drop them since they will not be able to decipher them. The advantage of this approach is that there is only one control- group which can be long-lived and have a fixed address. Having the fixed address obviates the Area Multicast Address Allocation Entity (AMAAE), thereby simplifying the entire design. The main disadvantage of this approach is that bandwidth within the area is wasted when the AKD is performing key management communications with only a small subset of group members residing in the area, since all other unconcerned members are receiving the (enciphered) packets and dropping them. Another related disadvantage is increased opportunity for cryptanalysis of enciphered packets of control-groups, since unconcerned members are receiving these packets and may cryptanalyze them. Hardjono, Cain, Monga [Page 8] Internet Draft Intra-Domain GKM Protocol February 2000 (c) One control-group per area for several multicast groups: This approach attempts to bring together the advantages of the previous two. For a fixed number of multicast groups, having members in an area, a single control-group is created within the area. Thus, within a given area a set of N multicast addresses for N control-groups can be selected and fixed. Each multicast group having (one or more members in an area) is then mapped to one of the N control-groups in that area (eg. by hashing the multicast group address). In terms of key management, each (multicast group, control-group) pair will be associated with a unique Area-Group-Key (AreaGroupKey). Thus, for example, a host who is a member of two multicast groups MG1 and MG2 may find that in its area both MG1 and MG2 are mapped into one control-group CG1, with two Area-Group-Keys AGK1 and AGK2 corresponding to the two multicast groups. Hence, for the control-group CG1 the host must maintain the unique triplets (MG1, CG1, AGK1) and (MG2, CG1, AGK2). The host must be able to distinguish control-group packets in CG1 corresponding to the two multicast groups, in order for it to apply the matching keys. Tagging methods within control-packets may be employed to achieve this effect, saving the host the effort of trying the keys. In this manner, the design is simplified by obviating the Area Multicast Address Allocation Entity (AMAAE) for each area, and the problem of unintended members receiving and dropping (enciphered) messages is also somewhat reduced. The current work will employ the third approach due to its simplicity. We specify that an Area Key Distributor (AKD) maintains a mapping between a multicast group and its corresponding control-group in the area. How this mapping is established is implementation-specific, and thus outside the scope of the document. Furthermore, we assume that each control-group packet carries sufficient identification information relating to the multicast group to which it corresponds, thereby allowing non-intended receivers of the packets in the shared control-group to drop the packets without attempting to decrypt it. Hardjono, Cain, Monga [Page 9] Internet Draft Intra-Domain GKM Protocol February 2000 3.6 Group Security Associations The IPsec security architecture [KA98a] defines the concept of a Security Association (SA) between two communicating parties. An SA is a simplex connection that affords security services to the traffic carried by it. An SA is uniquely identified by the triple consisting of the Security Parameter Index (SPI), an IP Destination Address and a security protocol identifier. Thus, for a two way communications, two Security Associations must be negotiated and established. The current work recognizes that for the many-to-many multicast applications the basic IPsec Security Association as a simplex connection does not suffice. Hence, it uses the notion of a Multicast Group Security Association (GSA) derived from the simplex Security Association. Note that the concept of a GSA for multicast has previously been describe, albeit briefly, in the IPsec security architecture document [KA98a] and other related documents. In the current document we assume that a Group Security Association (GSA) attributes is not negotiated between the communicating parties, but rather selected by one party. The entity that selects the GSA depends on the whether it is a multicast group or a control-group. All members of the group would then use the one same Group Security Parameter Index (GSPI) related to the GSA. Similarly, when a re-keying occurs, a new Group Security Parameter Index (GSPI) must selected for the GSA and a new key must be generated by one entity and delivered to the group members. The notion of a Group Security Association (GSA) selected by one entity departs from the existing IPsec definition and has implications on the ability of hosts to join multicast groups. Recall that in the two-party communication scenario, each party negotiates the Security Association (SA) depending on their cryptographic capability (eg. cryptographic algorithms available). In the case of a Group Security Association (GSA) selected by one entity, the required capability (eg. minimal algorithms) demanded of a potential member must be announced through other methods, such as through the multicast session description protocol or other protocols. In this way, a multicast group initiator or owner can specify what cryptographic algorithm(s) can be used in the multicast group. This approach is in-line with the one-to-many multicast applications (eg. pay per view service owners) and is deemed reasonable within the many-to-many multicast applications. Hardjono, Cain, Monga [Page 10] Internet Draft Intra-Domain GKM Protocol February 2000 3.7 Secure Channels The general term "secure channel" is used in the remainder of the current document to mean communications between one sender and one receiver (unicast), with authenticity and confidentiality. Secure channels here will be based on IPsec (AH and/or ESP) [KA98a]. The term implies the existence of a Secure Association (SA) and a private-key shared between the sender and receiver before the two begin communicating securely. The IKE protocol [HC98] can be used to establish the Security Association and the shared private-key. Independent of the Group Security Association (GSA) for the multicast group, each host-member is assumed to have establish a Security Association (SA) and a shared private-key with the Area Key Distributor (AKD) of the area within which that host resides before the host joins any groups. Similarly, each Area Key Distributor (AKD) is assumed to have establish a Security Association (SA) and a shared private-key with the Domain Key Distributor (DKD) before the AKD serves any multicast groups. A "secure channel" between one sender and one receiver implies that the identity of the one is known to the other. Hence, in communicating via a secure channel with a Key Distributor (AKD or DKD) a host-member is by definition identified and authenticated by the Key Distributor, and vice versa. 3.8 Periodic Re-Keying It is commonly accepted that the longer a cryptographic key is being employed, the higher the chances of that key being successfully cryptanalyzed by an attacker (who is assumed to have collected ciphertext of messages encrypted using the key). This is particularly true for keys of symmetric cryptosystems. The current document recognizes the importance of periodic re- keying and attempts to provide a workable solution in the face of the issue of re-keying due to a new host-member joining (backward confidentiality) and the issue of an existing member leaving or being ejected (forward confidentiality). The approach of re-keying only when the group membership changes suffers from the possibility that the membership does not in fact change over long periods, and thus opening the possibility of cryptanalysis of the multicast key. Hence, the current design adopts the underlying philosophy that periodic re-keying is necessary (even if the membership of the multicast group does not change), independent of whether or not Hardjono, Cain, Monga [Page 11] Internet Draft Intra-Domain GKM Protocol February 2000 immediate re-keying is performed when a host joins/leaves the multicast group. In this way, the design provides flexibility for the implementor to be "strict" (immediate re-key at each membership change) or to be "loose" (wait until next periodic re- key) with regards to multicast key re-keying. In the following discussions on the group key management protocols, the current work will observe the strict re-keying policy (ie. immediate re-key at each membership change) since it represents a more complex case. The loose re-keying can be established by removing some steps from the protocols and executing other steps only when the designated periodic re-keying occurs. Periodic re- keying in the multicast group will be determined by the Domain Key Distributor (DKD) and implemented with the aid of the Area Key Distributors (AKDs). Periodic re-keying in a control-group (in an area) associated with a multicast group will be determined by the Area Key Distributor (AKD) of that area. From the perspective of multicast reliability, the approach of using periodic re-keying allows each Key Distributor (AKD and DKD) to prepare for the re-keying, hence providing them with a window of opportunity to obtain the next key. Having this window of opportunity provides a context within which reliability mechanisms for key delivery can be established, either through existing reliable multicast protocols or through mechanisms specific to key management. In either case, the current document recognizes that reliability is paramount to group key management if multicast security is to be achieved. 3.9 Arrangement of Keys in the Domain The current protocol aims at delivering a multicast key, in the form of a private-key (symmetric cryptography), to members of a multicast group or a control-group. The fact that a host holds a copy of the multicast key is taken to mean that the host has previously been correctly identified by its Area Key Distributor (AKD) and that it has established a Security Association with its AKD. The private-key used in a multicast group or a control-group affords confidentiality and "group authentication" in the sense that the source of any information enciphered under the key is a valid member of the group. Note, that this level of authentication (group authentication) is implicit and does not provide irrefutable proof of the singular identity of the sender. The current document recognizes the benefits of a public key certification infrastructure and is open to such an infrastructure being deployed, with each entity being assigned a public key. Hardjono, Cain, Monga [Page 12] Internet Draft Intra-Domain GKM Protocol February 2000 However, in order to render the protocol immediately deployable in the near future, we assume that public keys are assigned only to the Key Distributors (DKD and AKDs) and the Domain Multicast Address Allocation Entity (DMAAE) to allow them to digitally-sign information that is to be sent through the multicast group or the control-groups. These public keys are valid only within the domain, and may not be recognized outside the domain (unless a certification infrastructure is employed). 3.9.1 Public Keys The current protocol assumes that all Key Distributors (DKD and AKDs) are assigned public-keys (asymmetric cryptography) in order for these Key Distributors to digitally-sign certain information in such a way that it is verifiable by all hosts in the domain. A host-member residing in area is assumed to have a copy of the public-key of its Area Key Distributor (AKD) and the public-key of the Domain Key Distributor (DKD). An Area Key Distributor (AKD) is assumed to have a copy of the public-key of the Domain Key Distributor (DKD). An Area Key Distributor (AKD) may obtain the public-keys of other Area Key Distributors from the Domain Key Distributor (DKD), with the DKD acting as a domain-wide certification authority. Al the very least, the public key of the Domain Key Distributor (DKD) must be advertised in a tamper-proof manner (eg. printed or manually configured) to allow it to be used to vouch for the public keys of the Area Key Distributors (AKDs). 3.9.2 Shared Private-Keys Three types of group-oriented (ie. shared by a group) private-keys (symmetric cryptography) are used: - Multicast-Key (MKey): this is the private-key associated with a multicast group that is used by all the group members in the domain to encrypt/decrypt the multicast traffic in the multicast group. This key is generated by the Domain Key Distributor (DKD) of the domain. This key is delivered securely to each Area Key Distributor (AKD), who will in turn deliver the key securely to each group member in their area. Hardjono, Cain, Monga [Page 13] Internet Draft Intra-Domain GKM Protocol February 2000 - Area-Group-Key (AreaGroupKey): this is the private-key associated with the (multicast group, control-group) pair, and used to encipher the communications in the control-group. An Area-Group- Key is generated by the Area Key Distributor (AKD) of that area and delivered to each member through a secure-channel. An Area- Group-Key is known only to the AKD of an area and the members (of the corresponding multicast group) residing in that area. - All-KD-Key (AllKDKey): this is the private-key associated with the special All-KD-group. All the Area Key Distributors (AKDs) and the Domain Key Distributor (DKD) hold a copy of the All-KD- Key. This key is generated by the Domain Key Distributor (DKD) and delivered to each AKD through a secure-channel. This key is used to encipher the communications within the All-KD-group. Two types of pair-oriented private-key are used in the current work: - Member-Private-Key (MbrPKey): Each host-member in an area pair- wise shares a Security Association (SA) and a Member-Private-Key (MbrPKey) with the Area Key Distributor (AKD) of that area. The Security Association (SA) and the Member-Private-Key (MbrPKey) are long-term and must be established before the host-member joins (or initiates) any multicast groups and is given a copy of that group's Multicast-Key (MKey). There is only one SA and one MbrPKey shared between the host-member and the Area Key Distributor (AKD), independent of the number of multicast groups to which that host-member belongs. - AKD-Private-Key (AKDPKey): Each Area Key Distributor (AKD) of an area pair-wise shares a Security Association (SA) and a AKD- Private-Key with the Domain Key Distributor (DKD). The Security Association and the AKD-Private-Key (AKDPKey) are long-term and must be established before any multicast group exists in the domain. In summary, the private-key arrangement from the point of view of entities is as follows. Hosts: A host-member of a multicast group residing in an area holds a copy of the Multicast-Key (MKey) and a copy of the Area-Group-Key (AreaGroupKey) corresponding to the (multicast group, control- group) pair. In addition, the host-member also holds its own Member Private-Key (MbrPKey) independent of any multicast groups. Hardjono, Cain, Monga [Page 14] Internet Draft Intra-Domain GKM Protocol February 2000 Area Key Distributors (AKD): For each multicast group having a member in an area, the Area Key Distributor (AKD) of the area holds a copy of the Multicast-Key (MKey) of the multicast group and holds a unique Area-Group-Key (AreaGroupKey) corresponding to each (multicast group, control- group) pair. In addition, an AKD also holds a copy of the current All-KD-Key (AllKDKey), its own AKD-Private-Key (AKDPKey) and a copy of the Member Private-Key (MbrPKey) of each member residing in its area. These (the AllKDKey, AKDPKey and MbrPKeys) are independent of any multicast groups to which a resident host-member belongs. Domain Key Distributor (DKD): The Domain Key Distributor (DKD) of a given domain holds the Multicast-Key (MKey) for each multicast group, a copy of the current All-KD-Key (AllKDKey), and a copy of the AKD-Private-Key (AKDPKey) of each Area Key Distributor (AKD) in the domain. -------------------------------------------------------- Multicast access purposes: Multicast Key (MKey) ======================================================== Control purposes: -------------------------------------------------------- Pair-wise Shared Group-wise shared ----------------------- ----------------------- DKD Key: AKD-Private-Key Key: All-KD-Key with - Long-term - Medium-term AKD - Independent of groups - Independent of groups AKD Key: Member-Private-Key Key: Area-Group-Key with - Long-term - Medium-term Hosts - Independent of groups - N per area -------------------------------------------------------- Table 1: Key arrangement Note that the Domain Key Distributor (DKD) does not hold copies of the Member-Private-Keys (MbrPKey). This is in contrast to the approach in [WGL98] in which a central server holds the private-keys of all members in the multicast group. If a host is in need of communicating directly through a secure channel to the Domain Key Distributor (DKD) or any other entity, then the host must establish a Security Association and a shared private-key with the DKD or entity. Hardjono, Cain, Monga [Page 15] Internet Draft Intra-Domain GKM Protocol February 2000 Although currently not prescribed, depending on the reliability mechanism to be employed, the Domain Key Distributor (DKD) may hold copies of the Area-Group-Key (AreaGroupKey) within each area in the domain. However, the intent is clear that the Domain Key Distributor (DKD) is not to replace any Area Key Distributor (AKD). Each key is assumed to be associated with a Key Identifier which uniquely identifies the cryptographic key is question. 4. Creation of New Multicast Groups Two possible scenarios with respect to new multicast groups exist. In the first case, the new multicast group is initiated from the current domain. In the second case, the multicast group was initiated from outside the domain and has existed before a host in the current domain joins it. 4.1 Initiation of New Internal-Origin Groups When a host ("Initiator") in the current domain wishes to commence a new multicast group, it must first initiate the creation of the multicast group via the underlying multicast routing protocol and some membership protocol (eg. IGMP). If it has not already done so, the initiator host must establish a Security Association (SA) and a shared Member Private-Key (MbrPKey) with its Area Key Distributor (AKD). The commencement of a new multicast group from the perspective of group key management is described as follows, consisting two inseparable parts. The first part is the generation and distribution of the multicast-key, while the second part is the generation and distribution of the Area-Group-Key. Protocol-I: Generation and distribution of the multicast key Step N1: The initiator in an area within the current domain creates a new domain-wide multicast group (method unspecified) with the aid of the Domain Multicast Address Allocation Entity (DMAAE) at the domain level. The DMAAE returns to the initiator the following parameters, digitally signed by the DMAAE: - a multicast group address - a multicast group identity - the identity of the initiator (as group owner) Hardjono, Cain, Monga [Page 16] Internet Draft Intra-Domain GKM Protocol February 2000 Step N2: The initiator selects the Multicast Group Security Association (MGSA) attributes (without the GSPI). The initiator then authentically notifies its Area Key Distributor (AKD) about the new multicast group and requests a new multicast key for the new multicast group. The message is sent through a secure channel and contains the signed parameters from the DMAAE, the MGSA and an Access Control List (ACL): - the multicast group address - the multicast group identity - the identity of the initiator - the Multicast Group Security Association (MGSA) - the time-period for re-keying cycle - an Access Control List (ACL) generated by the initiator Step N3: The Area Key Distributor (AKD) of the initiator receives the request from the initiator, notifies the Domain Key Distributor (DKD) about the new multicast group and passes the request message to the DKD through a secure channel. Step N4: The Domain Key Distributor (DKD) receives the request and performs the following steps: Step N4.1: The Domain Key Distributor (DKD) verifies the digital signature of the Domain Multicast Address Allocation Entity (DMAAE). Step N4.2: The Domain Key Distributor (DKD) generates: - a Group Security Parameter Index (GSPI) for the MGSA - a Multicast-Key (MKey) - a multicast key identifier MKeyID based on the MGSA selected by the initiator. Step N4.3: The Domain Key Distributor (DKD) digitally-signs the multicast group parameters: - the multicast group address - the multicast group identity - the identity of the initiator - the time-period for re-keying cycle - the Access Control List (ACL) - the Multicast Group Security Association (MGSA) - the Multicast-Key (MKey) - the multicast key identifier MKeyID - a timestamp Hardjono, Cain, Monga [Page 17] Internet Draft Intra-Domain GKM Protocol February 2000 Step N4.4: The Domain Key Distributor (DKD) securely delivers the signed multicast group parameters to each Area Key Distributor (AKD), either through the All-KD-group (encrypted under the All-KD-Key) or through a one-to-one secure channel to each Area Key Distributor (AKD). This message also serves as an acknowledgment to the Area Key Distributor (AKD) of the initiator. The process of the creation of the All-KD-group is similar to Protocol-I, with the exception that the multicast address is fixed and the DKD selects the Group Security Association (GSA) for the All-KD-group. The DKD also generates the All-KD-Key (AllKDKey) and the All-KD-Key identifier AllKDKeyID for the multicast group, based on the MGSA selected by the DKD. Protocol-II Generation and distribution of the area key Step N5: Upon receiving the signed multicast group parameters from the DKD, the Area Key Distributor (AKD) of the initiator performs the following steps: Step N5.1: The Area Key Distributor (AKD) maps the multicast group address to one of the area control-group addresses. The AKD maintains the following information for the given multicast group: - an area control-group address - an area control-group identity - the identity of the AKD (as group owner) Step N5.2: The Area Key Distributor (AKD) selects the Area Group Security Association (AGSA) attributes and generates: - a Group Security Parameter Index (GSPI) for the AGSA - an Area-Group-Key (AreaGroupKey) - an area key identifier AkeyID based on the AGSA selected by the AKD. Step N5.3: The Area Key Distributor (AKD) digitally-signs the area control-group parameters: - the multicast group address - the multicast group identity - the area control-group address - the area control-group identity - the identity of the AKD - the time-period for re-keying cycle - the Area Group Security Association (AGSA) - the Area-Group-Key (AreaGroupKey) - the area key identifier AKeyID - a timestamp Hardjono, Cain, Monga [Page 18] Internet Draft Intra-Domain GKM Protocol February 2000 Step N6: The Area Key Distributor (AKD) of the initiator returns to the initiator, through a secure channel: - the multicast group parameters (from Step N4) without the ACL, signed by the AKD - the area control-group parameters (from Step N5) signed by the AKD Step N7: The initiator joins the area control-group (method unspecified). Note that Step N4 above effectively provides each and every Area Key Distributor (AKD) in the domain with the necessary parameters related to the multicast group, regardless of whether or not the area of an AKD actually contains any members of the multicast group. This approach is chosen to allow for quick response by an AKD should other hosts in other areas wish to join the multicast group. In addition, the approach leaves open the possibility of the AKDs to participate in the reliability mechanisms to be employed (ie. as backups), since each of the AKDs holds the parameters related to every multicast group in the domain. The multicast group parameters are digitally signed by Domain Key Distributor (DKD) in order to aid reliability protocols. That is, in the case that the DKD goes down, the parameters can be obtained by one AKD from another AKD through a one-to-one secure channel, with the recipient being able to verify the authenticity of the parameters as signed by the DKD. 4.2 Membership to External-Origin Groups Although the current design focuses on intra-domain group key management, it does not preclude the possibility of a multicast group originated by a host external to the domain. However, unlike multicast groups which originate from a host within the domain and which is therefore known to the Domain Key Distributor (DKD), multicast groups which originate from outside a domain must be explicitly made known to the DKD. Since the current protocol views the multicast distribution tree used by a multicast routing protocol as a construct outside its control, the Domain Key Distributor (DKD) can be notified (when a host in domain joins the external-origin multicast group) through a number of ways, among others: - The joining host can explicitly notify its Area Key Distributor (AKD) or the Domain Key Distributor (DKD). Hardjono, Cain, Monga [Page 19] Internet Draft Intra-Domain GKM Protocol February 2000 - A domain border-router can notify the Domain Key Distributor (DKD) when it senses a request from a host to join the distribution tree - The Domain Key Distributor (DKD) can by default be a member of all external-origin multicast groups whose distribution tree extend into the domain. However, from the perspective of group key management, the Domain Key Distributor (DKD) only plays a role when the external-origin multicast traffic is enciphered for access control and the owner of the group requires the aid of the DKD to enforce access control. Hence, in this situation the DKD must obtain a copy of the key used to encipher the multicast traffic as it enters the domain and assign a new multicast key for that same traffic within its domain (method unspecified). The current document leaves the precise description and specification of the group key management for external-origin multicast groups to a later date. 5. Re-Keying Approach The basic approach to re-keying is discussed first in order to simplify later discussions on re-keying due to membership changes and due to periodic re-keying. For simplicity, the process is view from the perspective of the Domain Key Distributor (DKD) and one Area Key Distributor (AKD). It is the DKD who initiates and controls all re-keying events in the domain related to multicast groups. Re-keying of Area-Group-Keys of area control-groups are initiated and controlled by the respective Area Key Distributors (AKD). Note that it is important to have "cycle-over" period in which all host-members are in possession of the new re-key parameters, but is still employing the existing/old parameters. 5.1 Re-Keying of Multicast Keys In the following, all re-key steps are related to a given multicast group. The protocol is initiated and controlled by the Domain Key Distributor (DKD). Hardjono, Cain, Monga [Page 20] Internet Draft Intra-Domain GKM Protocol February 2000 Protocol-III: Re-keying the multicast key Step RM1: The Domain Key Distributor (DKD) issues an authentic prepare-to-rekey message to all Area Key Distributors (AKD) through the All-KD-group. The message contains: - an existing multicast group address - a existing multicast group identity of the multicast group being re-keyed Step RM2: The Domain Key Distributor (DKD) generates: - a new Group Security Parameter Index (GSPI) for the MGSA - a new Multicast-Key (MKey) - a new multicast key identifier MKeyID based on the MGSA selected by the initiator. Step RM3: The Domain Key Distributor (DKD) digitally-signs the multicast group parameters: - the existing multicast group address - the existing multicast group identity - the Multicast Group Security Association (MGSA) - the new Multicast-Key (MKey) - the new multicast key identifier MKeyID - a timestamp Step RM4: The Domain Key Distributor (DKD) securely delivers the signed parameters to each Area Key Distributor (AKD), either through the All-KD-group (encrypted under the All-KD-Key) or through a one-to-one secure channel to each Area Key Distributor (AKD). Step RM5: The Area Key Distributor (AKD) securely delivers the signed multicast group parameters to each host-member (of the multicast group) in its area using one of the following methods (depending on the cause of the re-keying event): (a) through the area control-group related to the multicast group (encrypted under the AreaGroupKey) (b) through a one-to-one secure channel to each concerned host-member. 5.2 Re-Keying of Area Keys In the following, all re-key steps by the Area Key Distributor (AKD) are related to a given multicast group. The protocol is initiated and controlled by the Area Key Distributor (AKD). Hardjono, Cain, Monga [Page 21] Internet Draft Intra-Domain GKM Protocol February 2000 Protocol-IV: Re-keying the area key Step RA1: The Area Key Distributor (AKD) issues an authentic prepare-to-rekey message to all members of the multicast group within the area through the relevant area control- group. The message contains: - an existing area control-group address - an existing area control-group identity of the area control-group being re-keyed Step RA2: The Area Key Distributor (AKD) generates: - a new Group Security Parameter Index (GSPI) for the AGSA - a new Area-Group-Key (AreaGroupKey) - a new area key identifier AkeyID based on the AGSA selected by the AKD. Step RA3: The Area Key Distributor (AKD) digitally-signs the area control-group parameters: - the existing area control-group address - the existing area control-group identity - the Area Group Security Association (AGSA) - the new Area-Group-Key (AreaGroupKey) - the new area key identifier AKeyID - a timestamp Step RA4: The Area Key Distributor (AKD) securely delivers the signed control-group parameters to each host-member (of the multicast group) in its area, using one of the following methods (depending on the cause of the re-keying event): (a) through the area control-group related to the multicast group (encrypted under the old/current AreaGroupKey) (b) through a one-to-one secure channel to each concerned host-member. 5.3 Re-Keying of the All-KD-Key The following describes the protocol to be employed when the All-KD- Key (AllKDKey) is to be re-keyed. All the Area Key Distributors (AKDs) and the Domain Key Distributor (DKD) share an All-KD-Key. This key is used to encrypt traffic within the All-KD-group. Note, that unlike host-members, Key Distributors never leave the All-KD- group, and hence its membership is static. Hardjono, Cain, Monga [Page 22] Internet Draft Intra-Domain GKM Protocol February 2000 Protocol-V: Re-keying the All-KD-Key Step RK1: The Domain Key Distributor (DKD) issues an authentic prepare-to-rekey message to all Area Key Distributors (AKD) through the All-KD-group. The message contains: - the existing All-KD-group address - the existing All-KD-group identity Step RK2: The Domain Key Distributor (DKD) generates: - a new Group Security Parameter Index (GSPI) for the MGSA - a new All-KD-Key (AllKDKey) - a new All-KD-Key identifier AllKDKeyID based on the MGSA selected by the DKD Step RK3: The Domain Key Distributor (DKD) digitally-signs the All- KD-group parameters: - the existing multicast group address - the existing multicast group identity - the Multicast Group Security Association (MGSA) - the new All-KD-Key (AllKDKey) - the new All-KD-Key identifier (AllKDKeyID) - a timestamp Step RK4: The Domain Key Distributor (DKD) securely delivers the signed All-KD-group parameters to each Area Key Distributor (AKD) using one of the following methods, depending on the status of the AKD and the network condition: (a) through the All-KD-group (encrypted under the existing/old All-KD-Key) (b) through a one-to-one secure channel to each Area Key Distributor (AKD). 6. Hosts Joining a Multicast Group When a host within a domain wishes to join a multicast group having already (at least) a member in the domain, the two possible approaches can be adopted in admitting the host to become a group member. In the first case, the host is disallowed from accessing (reading) traffic previous to its joining the group. In the second case, no such access restriction apply. The choice between the two approaches is dictated by policy, and hence beyond the scope of the current document. In the following, the strict re-keying policy is adopted, in which a re-keying of the Multicast-Key and the re-keying of the AreaGroupKey (of the area within which the new host joins) is conducted Hardjono, Cain, Monga [Page 23] Internet Draft Intra-Domain GKM Protocol February 2000 immediately. In the loose re-keying policy, the task is postponed until the next periodic re-keying, at which point the new member is able access (decipher) the data of the multicast group. In the following, it is assumed that when a host in an area (first member or otherwise) joins a multicast group the Area Key Distributor (AKD) has already created the necessary area control- groups in its area. To conserve resources, an AKD may postpone the control-group creation (corresponding to a given multicast group) until such time that a first member of the multicast group appears in its area. 6.1 Joining with Backward Confidentiality When a new host joining a multicast group is to be prevented from accessing (reading) previous traffic (which it may have intercepted and stored), then Multicast-Key (MKey) of the multicast group in the domain must be re-keyed each time a host joins the multicast group. Note that even when a host is the first member of a multicast group in its area, all the other areas having a member must be re-keyed to reduce the possibility of that new host having access to previous traffic which it obtained (intercepted) in other areas. Protocol-VI: Host joining with backward confidentiality Step JB1: The host sends an authentic join-request message for the multicast group to its Area Key Distributor (AKD). Step JB2: The Area Key Distributor (AKD) checks the host against the Access Control List (ACL) of the multicast group. If the host is permitted to join, then the Area Key Distributor (AKD) authentically notifies the Domain Key Distributor (DKD) and the other Area Key Distributors (AKD) of the membership change (new host-member). Otherwise, the AKD returns a join- reject message to the host Step JB3: The Domain Key Distributor (DKD) initiates an immediate re-keying (Protocol-III: Re-keying the multicast key). This results in all Area Key Distributor (AKD) and all existing members of the multicast group obtaining the following multicast group parameters: - the existing multicast group address - the existing multicast group identity - the Multicast Group Security Association (MGSA) - the new Multicast-Key (MKey) - the new multicast key identifier MKeyID - a timestamp Hardjono, Cain, Monga [Page 24] Internet Draft Intra-Domain GKM Protocol February 2000 Step JB4: The Area Key Distributor (AKD) of the area (within which the host resides) must re-key its Area-Group-Key, and thus generates: - a new Group Security Parameter Index (GSPI) for the AGSA - a new Area-Group-Key (AreaGroupKey) - a new area key identifier AkeyID based on the AGSA selected by the AKD. Step JB5: The Area Key Distributor (AKD) digitally signs the area control-group parameters: - the existing area control-group address - the existing area control-group identity - the Multicast Group Security Association (MGSA) - the new Area-Group-Key (AreaGroupKey) - the new area key identifier AKeyID - a timestamp Step JB6: If there are existing host-members in the area, the Area Key Distributor (AKD) securely delivers the signed control- group parameters to each existing host-member (of the multicast group) in its area, using one of the following methods: (a) through the area control-group related to the multicast group (encrypted under the old/current AreaGroupKey) (b) through a one-to-one secure channel to each existing host-member. Step JB7: The Area Key Distributor (AKD) of the new host-member securely delivers the signed multicast group parameters (from Step JB3) and the signed control-group parameters (from Step JB5) to the new host-member through a one-to-one secure channel to the new host-member. Step JB8: The new host joins the multicast group (method unspecified). Step JB9: The new host joins the area control-group (method unspecified). 6.2 Joining Without Backward Confidentiality Here, when a host joins a multicast group, the Multicast-Key need not be re-keyed since backward confidentiality is not required. The Area Key Distributor (AKD) of the host is already in possession of all the parameters related to the multicast group. Hardjono, Cain, Monga [Page 25] Internet Draft Intra-Domain GKM Protocol February 2000 Protocol-VII: Host joining without backward confidentiality Step JW1: The host sends an authentic join-request message for the multicast group to its Area Key Distributor (AKD). Step JW2: The Area Key Distributor (AKD) checks the host against the Access Control List (ACL) of the multicast group. If the host is permitted to join, then the Area Key Distributor (AKD) proceeds with the next step, otherwise it returns a join-reject message to the host. Step JW3: The Area Key Distributor (AKD) looks-up the following multicast group parameters which it previously digitally- signed: - the existing multicast group address - the existing multicast group identity - the Multicast Group Security Association (MGSA) - the new Multicast-Key (MKey) - the new multicast key identifier MKeyID - a timestamp Step JW4: The Area Key Distributor (AKD) looks-up the following control-group parameters which it previously digitally- signed: - the existing area control-group address - the existing area control-group identity - the Multicast Group Security Association (MGSA) - the existing Area-Group-Key (AreaGroupKey) - the existing area key identifier AKeyID - a timestamp Step JW5: The Area Key Distributor (AKD) of the new host-member securely delivers the signed multicast group parameters (from Step JW3) and the signed control-group parameters (from Step JW4) to the new host-member through a one-to-one secure channel to the new host-member. Step JW6: The new host joins the multicast group (method unspecified). Step JW7: The new host joins the area control-group (method unspecified). Hardjono, Cain, Monga [Page 26] Internet Draft Intra-Domain GKM Protocol February 2000 7. Host Leaving a Multicast Group The case of a host leaving a multicast group can be caused by a number of reasons depending on the policy dictating group membership and on the multicast application in question. From the perspective of the current design, re-keying must be conducted to preserve forward confidentiality. That is, re-keying must be conducted to prevent the ex-member from further accessing (deciphering) the data in the multicast group, even if the ex-member persists in being a part of the multicast distribution tree. In the following, the strict re-keying policy is adopted, in which a re-keying of the Multicast-Key and the re-keying of the Area-Group- Key (AreaGroupKey) of the area within which the new host joins are conducted immediately. In the loose re-keying policy, the task is postponed until the next periodic re-keying, at which point the ex- member ceases to be able to decipher traffic in the multicast group and its corresponding control-group in the area. Note that in the current design, when a host leaves a multicast group it must also (by default) depart from the associated control-group. In general, it makes no sense for a host to join a control-group without joining the corresponding multicast group. Protocol VIII: Host leaving a multicast group and control-group Step LB1: The leaving-host sends an authentic leave-request message for the multicast group to its Area Key Distributor (AKD). Alternatively, the Domain Key Distributor (DKD) notifies the AKD through an authentic eject-host-request message to the AKD. Step LB2: The Domain Key Distributor (DKD) of the affected area authentically notifies the other Area Key Distributors (AKD) of the membership change (host-member leaving). Step LB3: The Domain Key Distributor (DKD) initiates an immediate re-keying (Protocol-III: Re-keying the multicast key). This results in all Area Key Distributors (AKDs) and all host- members of the multicast group, except host-members in the affected area, obtaining the following multicast group parameters: - the existing multicast group address - the existing multicast group identity - the Multicast Group Security Association (MGSA) - the new Multicast-Key (MKey) - the new multicast key identifier MKeyID - a timestamp Hardjono, Cain, Monga [Page 27] Internet Draft Intra-Domain GKM Protocol February 2000 Step LB4: The Area Key Distributor (AKD) of the affected area (within which the leaving-host resides) must re-key its Area- Group-Key, and thus generates: - a new Group Security Parameter Index (GSPI) for the AGSA - a new Area-Group-Key (AreaGroupKey) - a new area key identifier AkeyID based on the AGSA selected by the AKD. Step LB5: The Area Key Distributor (AKD) digitally signs the area control-group parameters: - the existing area control-group address - the existing area control-group identity - the Multicast Group Security Association (MGSA) - the new Area-Group-Key (AreaGroupKey) - the new area key identifier AKeyID - a timestamp and digitally-signs the multicast group parameters that the AKD received from the DKD in Step LB3: - the existing multicast group address - the existing multicast group identity - the Multicast Group Security Association (MGSA) - the new Multicast-Key (MKey) - the new multicast key identifier MKeyID - a timestamp Step LB6: The Area Key Distributor (AKD) securely delivers the signed multicast group parameters and control-group parameters to each remaining host-member (of the multicast group) in its area, through a one-to-one secure channel to each existing host-member. Step LB7: The leaving-host leaves the multicast group (method unspecified). Step LB8: The leaving-host leaves the area control-group (method unspecified). 8. Reliability in Key Management The current document recognizes that key management be conducted in a reliable manner, due to the sensitivity of cryptographic keys and the basic necessity that a host-member obtain the multicast key before it can access (decipher) the multicast data. Reliability is also important in the re-keying of the keys used in the multicast group and in the area control-groups. This is true particularly if in the re-keying process, the control-group itself is used to Hardjono, Cain, Monga [Page 28] Internet Draft Intra-Domain GKM Protocol February 2000 transmit the new parameters (for either the multicast group or the same control-group) to the members of the group. However, the current document views reliability of transmission, particularly in the control-groups, as more of a multicast- reliability issue. That is, reliability should not be expected from and should not be part of key management. This is also true for the one-to-one "secure channels", in which confidential and authentic communications is created between a sender and a receiver through the previously-established Security Association (SA) and the shared private-key. Note that in the re-keying of a Multicast-Key (MKey), it is important that each Area Key Distributor (AKD) first reliably obtains the new parameters (including the new key) of the multicast group. This is because without the new parameters, the AKD will not be able to even begin to re-key its area. Once each AKD obtains the new parameters of the multicast group, the re-key of the Multicast- Key in each area is independent of one another. The current work currently does not specify how or what manner reliability in key management is to be achieved. However, when a control-group (either the All-KD-group or an area control- group) is used for key management from a sender to a number of recipients (eg. delivery of new key and new parameters) several basic approaches can be used: (a) ACKs from members When a control-group is used to transmit re-keying parameters, the recipients simply return an acknowledgment (ACK) to the Key Distributor through the secure channel previously established with the Key Distributor. Should the Key Distributor fail to receive such an ACK from a recipient within specified time, it will then query the recipient through the secure channel previously established. Depending on the frequency of key management and the number of host-members, this approach may cause an ACK-implosion on the AKDs. (b) Timeouts When some period after a prepare-to-rekey message is received, some recipients fail to receive the actual new key and parameters through the control-group, those recipients query the sender (AKD or DKD). When nothing is heard after both the due time for the prepare-to- rekey message and due time for the actual key/parameters to be received, the recipients query the sender (AKD or DKD). Hardjono, Cain, Monga [Page 29] Internet Draft Intra-Domain GKM Protocol February 2000 (c) Explicit Reliable Multicast (RM) protocol Employ a specific RM protocol to establish reliability within the All-KD-group and/or the area control-groups. Each control-group can in fact employ different RM protocols. 10. References [HCD99] T. Hardjono, B. Cain and N. Doraswamy, "A Framework for Group Key Management for Multicast Security", Internet Draft, February 1999. [HC98] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)", Internet Draft, June 1998. [WGL98] C. K. Wong, M. Gouda and S. Lam, "Secure Group Communications Using Key Graphs", in Proceedings of SIGCOMM'98. [KA98a] S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol", IETF, RFC 1825, 1998. [KA98b] S. Kent and R. Atkinson, "IP Encapsulating Security Payload (ESP)", Internet Draft, July 1998. [KA98c] S. Kent and R. Atkinson, "IP Authentication Header", Internet Draft, July 1998. [Mey98] D. Meyer, "Administratively Scoped IP Multicast", IETF, RFC 2365, July 1998. [HTE98] M. Handley, D. Thaler, and D. Estrin, "The Internet Multicast Address Allocation Architecture", Internet Draft, June 1998. Hardjono, Cain, Monga [Page 30] Internet Draft Intra-Domain GKM Protocol February 2000 11. Author Addresses Thomas Hardjono Email: thardjono@baynetworks.com Brad Cain Email: bcain@baynetworks.com Inder Monga Email: imonga@baynetworks.com Nortel Networks 600 Tech Park Drive Billerica, MA 01821, USA Tel: +1-978-288-4538 Hardjono, Cain, Monga [Page 31] ------------------------------------------------------------------------- ------------------------------------------------------------------------ Thomas Hardjono email1: thardjono@yahoo.com email2: hardjono@nortelnetworks.com Tel: +1-978-288-4538 ------------------------------------------------------------------------