Multicast Security Group Key Management Architecture

Author: Ethan Grant
Multicast Security Group Key Management Architecture draft-ietf-msec-gkmarch-07.txt Internet Security Tobias Engelbrecht

Agenda
- Introduction
- Requirements of a GKMP
- Design of the GKMA
- Rekey Protocol
- Group Security Association
- Security Considerations

MSEC Group Key Management Architecture

Introduction
- Defines a common architecture and design for group key-management protocols (GKMP)
- Examples:
  - video broadcast
  - multicast file transfers

Requirements of a Group Key Management Protocol (GKMP)


Requirements of a GKMP
- A group key management protocol (GKMP)
  - supports protected communication between members of a secure group
  - helps to ensure that only members of a secure group gain access to group data (by gaining access to group keys) and can authenticate group data.

Requirements of a GKMP
- Members receive security associations (SA)
- The group owner may define and enforce group membership, key management, data security and other policies
- Keys have a predetermined lifetime
- Key material should be delivered securely to the members of the group

Requirements of a GKMP
- The key-management protocol should be secure against replay and DoS attacks
- The protocol should facilitate addition and removal of group members
- The key management protocol should provide a mechanism to securely recover from a compromise of the key material
- …

Design of the Group Key Management Architecture (GKMA)


Design of the Group Key Management Architecture (GKMA)
- The goal of a GKMP is to securely provide the group members with an up-to-date data security association (Data SA)
- GKMA Protocols
  - De- / Registration Protocol
  - Rekey Protocol

Design of the Group Key Management Architecture (GKMA)

[Figure: GKMA overview showing the Policy Infrastructure, the Authorization Infrastructure, the GCKS, Sender(s) and Receiver(s), with the protocols labelled REGISTRATION or DE-REGISTRATION PROTOCOL, REKEY PROTOCOL (OPTIONAL) and DATA SECURITY PROTOCOL]

Design of the Group Key Management Architecture (GKMA)
A new member joins the group:

[Figure: a joining member, the GCKS, and the GROUP consisting of receivers (R), a sender (S) and a sender/receiver (S/R)]

Design of the Group Key Management Architecture (GKMA)
Registration Protocol (RP)
- unicast protocol
- the GCKS and the member authenticate each other
- supplies the member with information to initialize a Data SA and a Rekey SA
- RP must ensure that the transfer is done over a Registration SA

Design of the Group Key Management Architecture (GKMA)
A member leaves the group:

[Figure: a leaving member, the GCKS, and the GROUP consisting of receivers (R), a sender (S) and a sender/receiver (S/R)]

Design of the Group Key Management Architecture (GKMA)
Rekey Protocol
- multicast / unicast protocol from GCKS to members
- Rekey Messages are protected by the Rekey SA
- Rekey Messages update or change the Data SA and / or the Rekey SA

Design of the Group Key Management Architecture (GKMA)
Rekey Protocol
- Rekey messages are authenticated by
  - Source Authentication
  - Group Based Authentication
- ensures that all members receive the Rekey information in a timely manner

Design of the Group Key Management Architecture (GKMA)
- Group keys
  - key encryption keys (KEKs)
  - traffic encryption keys (TEKs)
- Traffic Protection Keys (TPKs) denote the combination of a TEK and a traffic integrity key
- Registration and / or Rekey Protocol establish the keys

Design of the Group Key Management Architecture (GKMA)
GCKS (Group Controller / Key Server)
- creates KEKs and TPKs
- performs authentication and authorization according to the group policy
- MAY present a credential to the group members signed by the group owner
- runs the Rekey protocol to push Rekey messages

Rekey Protocol


Rekey Protocol
Properties
- to ensure that all members receive the rekey information in a timely manner
- mechanism to re-sync keys
- avoid implosion problems

Rekey Protocol
Transport & Protection
- encrypted with the Group KEK
- authentication with MAC or digital signature
- sequence numbers protect against replay attacks
- reliable transport
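
The transport protections listed above, as an added example (not code from the draft or from this presentation): a member authenticates a rekey message with an HMAC and rejects replays by sequence number. The wire layout (SPI, sequence number, payload, tag), the choice of HMAC-SHA256 and all names are assumptions, and the KEK-encrypted payload is treated as opaque constructed bytes.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!II")  # assumed layout: SPI, sequence number
TAG_LEN = 32                # HMAC-SHA256 output length


class RekeySA:
    """Member-side Rekey SA state: SPI, authentication key, replay counter."""

    def __init__(self, spi, auth_key):
        self.spi = spi
        self.auth_key = auth_key
        self.last_seq = 0   # highest sequence number accepted so far


def build_rekey(spi, seq, auth_key, encrypted_keys):
    """GCKS side: header + KEK-encrypted payload (opaque here) + MAC."""
    body = HDR.pack(spi, seq) + encrypted_keys
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()


def accept_rekey(sa, msg):
    """Member side: return the encrypted payload or raise ValueError."""
    if len(msg) < HDR.size + TAG_LEN:
        raise ValueError("truncated message")
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    spi, seq = HDR.unpack_from(body)
    # The SPI only selects the SA; nothing else is trusted before the MAC.
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad MAC")
    # Replay check comes after authentication, so a forged message can
    # never advance the counter and lock out genuine rekey messages.
    if seq <= sa.last_seq:
        raise ValueError("replayed or stale sequence number")
    sa.last_seq = seq       # gaps are accepted: earlier messages may be lost
    return body[HDR.size:]
```

A shared MAC key gives group-based authentication only: any member holding it can produce a valid rekey message, which is why source authentication needs a digital signature.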

Rekey Protocol
Implosion
- Reasons
  - all members contact the GCKS at the same time
  - packet loss (feedback implosion)
- Solutions
  - a member waits before sending an out-of-sync or feedback message
  - a member contacts another server

Group Security Association (GSA)


Group Security Association (GSA)
- consists of the Registration SA, Rekey SA (optional) and Data SA
- WITHOUT Rekey SA
  - Registration Protocol initializes and updates one or more Data SAs
- WITH Rekey SA
  - Registration Protocol initializes the Rekey SA
  - Data SA is initialized by the Rekey Protocol

Group Security Association (GSA)
Contents of the Rekey SA
- Policy
- Group Identity
- Key encryption keys
- Authentication Key
- Replay Protection
- Security Parameter Index (SPI)

Group Security Association (GSA)
Contents of the Data SA
- Group Identity
- Source Identity
- Traffic Protection Keys
- Sequence Numbers
- Security Parameter Index (SPI)
- Data SA Policy

Security Considerations


Security Considerations
- authenticated key exchange techniques limit the effects of man-in-the-middle and connection-hijacking attacks
- sequence numbers and low-computation message authentication techniques can be effective against replay and reflection attacks
- cookies can reduce the effects of denial of service attacks

Security Considerations
- sharing of secrets among a group of members can cause problems
- the Registration protocol should be as good as the base protocol on which it is developed
- the Rekey protocol is new and has unknown risks associated with it

Thanks for your attention Questions?
