J. Cent. South Univ. Technol. Vol. 12 No. 6 Dec. 2005
Article ID: 1005-9784(2005)06-0720-06
A novel secure multicast scheme in mobile Internet

WANG Guo-jun 1,2, LIAO Lin 1, CAO Jian-nong 2, CHAN Keith C. C.
(1. School of Information Science and Engineering, Central South University, Changsha 410083, China; 2. Department of Computing, Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong, China)
Abstract: A novel multicast communication model using a RingNet hierarchy is proposed. The RingNet hierarchy consists of 4 tiers: border router tier, access gateway tier, access proxy tier and mobile host tier. Within the hierarchy, the upper 2 tiers are dynamically organized into logical rings of network entities. A novel hierarchical secure access control scheme for key management is proposed based on the RingNet model. Network entities within the multicast hierarchy belong to different privileged local groups. Network entities of the higher-privileged local groups have the right to derive the keys held by network entities of the lower-privileged local groups, and the reverse operation is not allowed. With this key management approach, the insertion of a local group or the changing of a local group key does not affect other local groups. The analytical result shows that the scheme has higher security than Lin's.
Key words: key management; access control; related factor; local group; changing residue
CLC number: TP393
Document code: A
1 INTRODUCTION
The access control of shared resources and the management of keys for multiple users, in the presence of frequent mobility and high failure probability in mobile Internet, are much more complicated than in traditional Internet. Therefore, there must be mechanisms to deliver group keys to valid group members. For very large and highly dynamic groups, scalability becomes the bottleneck. In order to resolve the scalability issue, many solutions have been proposed in the literature. Akl et al [1] first proposed the hierarchical cryptographic key assignment scheme among users in 1983. The cryptographic key assignment problem is to assign cryptographic keys to a set of partially ordered classes so that the cryptographic key of a higher-privileged class can be used to derive the cryptographic keys of lower-privileged classes. Many researchers have concentrated on schemes that achieve better security and reduce the time complexity of servers in order to solve the scalability problems [2-6]. Lin [2] proposed a dynamic key management scheme for access control, using a related parameter of partially ordered classes for hierarchical key management.
Tzeng [3] proposed a time-bound cryptographic key assignment in which the cryptographic keys of a class are different for different time periods. Key derivation is constrained not only by the class relation but also by the time period. To improve the Akl et al scheme, Chang [4] proposed a cryptographic key assignment scheme based on the Newton interpolation method and a predefined one-way function. Lin et al [5] proposed a cipher system based upon the Diophantine equation, which makes the keys easy to generate. Chang et al [6] proposed a secret sharing scheme employing the concept of admission tickets to delegate the access right from ancestors to their descendants. Cryptographic access control is important to protect the shared resources of a hierarchical system. In the literature, cryptographic access control was mainly used to achieve security in a user hierarchy. However, it has not been used in communication protocols, where the protection of messages is necessary. In multicast communication systems, the multicast data and group key messages should be forwarded from the multicast sources to all the receivers in a secure way. By extending the cryptographic access control designed for a user hierarchy to solve the key management problem in multicast communications, secure multicast can be achieved within the proposed RingNet communication model, which also has the properties of scalability and reliability for very large and highly dynamic groups in mobile Internet.

Foundation item: Project(60503007) supported by the National Natural Science Foundation of China; project(05JJ30118) supported by the Natural Science Foundation of Hunan Province; project(G-YY41) supported by the Hong Kong Polytechnic University Central Research Grant
Received date: 2005-03-12; Accepted date: 2005-06-08
Correspondence: WANG Guo-jun, Professor; Tel: +86-731-8877711; E-mail: csgjwang@mail.csu.edu.cn

2 RINGNET COMMUNICATION MODEL
Many researchers have proposed mobile Internet architectures, such as the unified wireless networks architecture [7], the system architecture for mobile communication systems [8], the all-IP wireless/mobile network architecture [9], and the FIT-MIP global system architecture [10]. Based on these architectures, a new multicast communication model called a RingNet hierarchy is proposed, as shown in Fig. 1. The 4 tiers of the RingNet hierarchy are the border router tier (BRT), the access gateway tier (AGT), the access proxy tier (APT), and the mobile host tier (MHT). The 2 higher tiers are dynamically organized into logical rings. Each logical ring has a leader node, which is also responsible for interacting with upper tiers. Access proxies (APs) are the network entities (NEs) that communicate directly with the mobile hosts (MHs). Access gateways (AGs) are the NEs that communicate either between different wireless networks or between one wireless network and one wired network. Only those NEs that are configured to run the proposed protocol are involved in the hierarchy. In order to form such a hierarchy, each NE is assumed to have some knowledge of its candidate contactors: either some candidate neighbors through which it can join a logical ring, or some candidate parents through which it can be attached to an existing hierarchy. Each AP is configured with one or several candidate AGs. Each AG is configured with one or several neighboring AGs for joining the logical rings where these AGs reside, and/or with one or several candidate parent BRs for being attached to the BRs. In more complex scenarios, sub-tiers of AGT and BRT may exist in a RingNet hierarchy. Multicast communication using the RingNet hierarchy is simple: multicast senders send multicast messages to any of the BRs at the top logical ring. Then the multicast messages are transmitted along each logical ring, and downward to all the children NEs. Eventually the MHs receive multicast messages from their attached APs efficiently. Loosely speaking, the proposed RingNet hierarchy is a novel distribution vehicle that combines the advantages of both logical trees and logical rings. Considering each logical ring as a node, the RingNet hierarchy becomes a tree. Each logical ring can be dynamically organized according to criteria such as locality/proximity or quality of service (QoS). Due to the combination of ring and tree, fault tolerance is stronger than that of a tree structure, which is fragile because a single node may be attacked easily. What is more, due to the logical rings, it is easy to ensure that key packets are transmitted along one vertical path even though one of the rings is destroyed. For topology maintenance, the RingNet hierarchy changes dynamically due to joins, leaves, and movements of MHs, and failures that occur within the hierarchy.

Fig. 1 RingNet hierarchy (BRT: border router tier; AGT: access gateway tier; APT: access proxy tier; MHT: mobile host tier; mobile hosts shown include mobile video phones, laptops, PDAs and mobile phones)

3 HIERARCHICAL KEY MANAGEMENT USING RINGNET MODEL

In Ref. [11], the RingNet hierarchy for totally ordered multicast was presented and proved to be scalable, reliable, and self-organizable in very large and highly dynamic groups. Based on that work, key management using the RingNet hierarchy is discussed here. Strictly speaking, only the bottom-tier MHs may join a group, and they stand for the true users of the group communication services. The NEs, including APs, AGs and BRs, are not users of the group communication services. However, the NEs can be considered as users since they logically function as special users that assist true users to obtain group communication services. Mittra [12] proposed Iolus, a novel framework for scalable secure multicast that makes each subgroup relatively independent. Following Mittra's work, the subgroups, which are relatively static in that scheme, are extended to local groups that can be dynamic in our scheme. To be scalable, the hierarchical architecture of the RingNet model can be described as follows: the top BR ring is regarded as one local group; every AG ring is regarded as a classified local group; each AP node together with its member MHs is regarded as the lowest local group. An example hierarchy is shown in Fig. 2. Since the multicast data need to be transmitted from the upper NEs to the lower NEs, the upper NEs have higher security privileges than the lower ones; consequently the upper local groups have higher privileges than the lower-level ones. Keeping this in mind, the users belonging to a higher-privileged class have the right to deduce the keys owned by the users in lower-privileged local groups, and the reverse operation is not allowed. In Ref. [2], Lin proposed a dynamic key management for access control in a user hierarchy. In Lin's scheme, the users are authorized and classified into different privilege classes, and users belonging to a higher-privileged class have the right to obtain the messages owned by a lower-privileged class. In the RingNet multicast model, all NEs and users belong to different levels and have different privileges, so they can be regarded as different-privileged local groups. By extending Lin's scheme from a simple user hierarchy to multicast groups in mobile Internet, Lin's scheme can be applied to the RingNet multicast model to solve some security issues. In the RingNet hierarchy, all NEs and users are classified into separate privileged local groups, namely $S_1, S_2, \dots, S_m$. Obviously the BR local group has the highest privilege in the whole hierarchy, with the right to access all its children's keys. In this hierarchical multicast communication model, the privilege comparison can be represented as $S_j \geq S_l \geq S_i$, where $\geq$ denotes that the former group has higher privilege than the latter group. Let $S_j$ ($1 \leq j \leq m$) denote one BR local group, $S_l$ ($1 \leq l \leq m$) denote one AG local group and $S_i$ ($1 \leq i \leq m$) denote one of $S_l$'s children local groups. Where no confusion occurs, we simply refer to a local group as a group.

Fig. 2 Hierarchical local group architecture in RingNet
3.1 Key generation in RingNet

Assume that each group $S_i$ ($1 \leq i \leq m$) randomly chooses its own group key $k_i$ and that a trusted third party, the central authority (CA), is required. Considering fault tolerance, the CA may not be a single entity but a series of redundant CAs. The CA is responsible for computing some parameters used for key derivation, such as the related factor and the changing residue. Related factors are computed from the group keys and some public parameters; they convert the abstract and secret relationship between two groups into a numerical, public value. A changing residue is a mapping value of a group key computed by the CA using secret parameters known only to the CA. Hence the CA is the only entity that can compute the related factors and changing residues. Before this, the CA performs some initialization, such as generating a pair of keys (PK, SK) according to the RSA algorithm. PK is public to all users for encrypting messages, and SK is known only to the CA for decrypting the secret messages sent to the CA. Another task of initialization is to obtain all valid direct candidate parent-child relationships, without requiring the CA to record all parent-child relationships including indirect ones. Let $P$ be a large prime number; $Z$ be a primitive element of the Galois field $GF(P)$; and $n$ be a product of two large primes randomly chosen by the CA. During the key generation period, each group chooses a group key for itself, which is shared by all the members within the local group. In an AG group or BR group the leader node undertakes the key determination, while in an AP group the AP node is responsible for it. The key generation protocol is described as follows.

Step 1 Each group $S_i$ chooses its own group key $k_i$ independently.
Step 2 Each group encrypts the group key with PK and sends $E_{PK}(k_i)$ to the CA. Here $E(\cdot)$ is some kind of encryption function.
Step 3 The CA decrypts the message $E_{PK}(k_i)$ using SK and obtains $k_i$.
Step 4 For 2 groups $S_j$ and $S_i$, the CA first checks whether the $S_j \geq S_i$ relationship is within the direct parent-child relationship library stored by the CA.
If yes, the CA computes the related factor $\gamma_{ji}$ of the 2 groups using Eqn. (1). If not, the CA does not give them a related factor. Because the related factors are computed and held by the CA, they are secret from all local groups except the legitimate local group that requests them. Hence, only legitimate related factors exist in the CA.

$$\gamma_{ji} = h(Z^{k_j \oplus e_i} \bmod P) \oplus k_i \quad (1)$$
$$e_i = k_i^2 \bmod n \quad (2)$$

In Eqn. (1), $h(\cdot)$ represents a one-way hash function, $\oplus$ indicates the bitwise XOR operation, and $e_i$ represents the changing residue. For each $k_i$, the CA automatically computes the changing residue $e_i$ using Eqn. (2) and records the pair of parameters $e_i$ and $k_i$ for each group. From Rabin cryptography and Ref. [13], the difficulty of finding the solutions of the congruence $k_i^2 \equiv e_i \pmod n$ is equivalent to factorizing a product of 2 large prime numbers. In Ref. [14], the quadratic residue is adopted as the mapping function in a user hierarchy, so in Eqn. (2) the changing residue $e_i$ is used to indicate the mapping of $k_i$ whatever it changes to. Because $n$ is the product of 2 large prime numbers, $e_i$ is known and held only by the CA. In this paper, we also use the quadratic residue as the mapping function in large-scale secure multicast communications based on the proposed RingNet model. Since the CA is aware of the group keys of all local groups and the primitive parameters $P$, $Z$, $n$, only the CA can compute the related factors $\gamma_{ji}$ and changing residues $e_i$. After initialization, the values of $P$ and $Z$, and $h(\cdot)$ are public to all local groups. However, the value of $n$ remains a secret number.
3.2 Key derivation in RingNet

During multicast communications, multicast data and key messages need to be transmitted from the upper NEs downwards to the lower NEs, and eventually to the mobile users. By performing access control in key management, NEs in a higher-privileged group are able to derive the key of a lower-privileged group and forward the secret messages encrypted with it. Each relationship $S_j \geq S_i$ in RingNet means that users of group $S_j$ can deduce the group key of group $S_i$ by $f_r(x, y)$ in a secure and efficient way. The derivation procedure works as follows.

Step 1 $S_j$ requests some parameters from the CA in order to get the key of $S_i$.
Step 2 If the CA detects that $S_j \geq S_i$ is out of the membership library or the requester is not a group member, it terminates the request.
Step 3 The CA sends $\gamma_{ji}$ and $e_i$ to $S_j$, encrypted with $k_j$.
Step 4 On receiving the parameters, $S_j$ computes $k_i$ by Eqn. (3).

$$k_i = h(Z^{k_j \oplus e_i} \bmod P) \oplus \gamma_{ji} \quad (3)$$

It is the setting of the intermediate parameter that keeps the group key of each group transparent to the others.

3.3 Key modification in RingNet

Since the group key of each local group is chosen by the group itself, each local group can change its group key by itself. Correspondingly, the changing residue $e_i$ needs to be renewed by the CA. Suppose that group $S_l$ needs to change its group key from $k_l$ to $k_l'$, with parent $S_j$ and child $S_i$. Then the CA has to compute the following parameters by Eqns. (4)-(6), and store the updated information.

$$e_l' = (k_l')^2 \bmod n \quad (4)$$
$$\gamma_{jl}' = h(Z^{k_j \oplus e_l'} \bmod P) \oplus k_l' \quad (5)$$
$$\gamma_{li}' = h(Z^{k_l' \oplus e_i} \bmod P) \oplus k_i \quad (6)$$

From the above analysis, it is easy to see that when a group changes its group key, its ancestors and descendants are not affected, which contributes much to the scalability of multicast communications.
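As an added example (not code from the paper), the following Python model carries the CA side of the key generation protocol (Eqns. (1)-(2)), a parent group's derivation by Eqn. (3), and the key modification of Eqns. (4)-(6) through a BR, AG, AP chain. The parameters $P$, $Z$, $n$, the SHA-256 instantiation of $h(\cdot)$ and the group names are constructed assumptions, and the RSA transport of keys to the CA is omitted.

```python
"""Toy model of the RingNet CA: key generation (3.1), derivation (3.2) and
key modification (3.3). Constructed example; parameters are far too small
for real use and the RSA transport of keys to the CA is omitted."""
import hashlib
import secrets

P = 1_000_000_007   # public large prime P (toy size)
Z = 5               # primitive element of GF(P); 5 is a primitive root mod P
_p, _q = 1_000_003, 1_000_033
N = _p * _q         # n = product of two primes, known only to the CA


def h(x: int) -> int:
    """One-way hash h(.) over an integer, returned as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big")


class CA:
    """Central authority holding k_i, e_i and only the direct relations."""

    def __init__(self) -> None:
        self.keys = {}          # group -> group key k_i
        self.residues = {}      # group -> changing residue e_i, Eqn. (2)
        self.relations = set()  # direct pairs (j, i) meaning S_j >= S_i
        self.factors = {}       # (j, i) -> related factor gamma_ji, Eqn. (1)

    def register(self, gid: str, k: int) -> None:
        self.keys[gid] = k
        self.residues[gid] = pow(k, 2, N)            # e_i = k_i^2 mod n

    def add_relation(self, j: str, i: str) -> None:
        self.relations.add((j, i))
        self._recompute(j, i)

    def _recompute(self, j: str, i: str) -> None:
        kj, ki, ei = self.keys[j], self.keys[i], self.residues[i]
        self.factors[(j, i)] = h(pow(Z, kj ^ ei, P)) ^ ki   # gamma_ji

    def request(self, j: str, i: str):
        """Derivation Steps 1-3: (gamma_ji, e_i) only for a direct parent."""
        if (j, i) not in self.relations:
            return None
        return self.factors[(j, i)], self.residues[i]

    def change_key(self, l: str, new_k: int) -> list:
        """3.3: S_l re-keys; only e_l and factors touching S_l are redone."""
        self.register(l, new_k)                       # Eqn. (4)
        touched = sorted(r for r in self.relations if l in r)
        for j, i in touched:
            self._recompute(j, i)                     # Eqns. (5), (6)
        return touched


def derive(kj: int, gamma_ji: int, ei: int) -> int:
    """Eqn. (3), run by S_j: k_i = h(Z^(k_j xor e_i) mod P) xor gamma_ji."""
    return h(pow(Z, kj ^ ei, P)) ^ gamma_ji


def demo() -> dict:
    """BR >= AG >= AP chain: derive downward, re-key AG, see what changed."""
    ca = CA()
    keys = {g: secrets.randbelow(P) for g in ("BR", "AG", "AP")}
    for g, k in keys.items():
        ca.register(g, k)
    ca.add_relation("BR", "AG")
    ca.add_relation("AG", "AP")
    gamma, e = ca.request("BR", "AG")
    out = {"br_derives_ag": derive(keys["BR"], gamma, e) == keys["AG"],
           "br_gets_ap_params": ca.request("BR", "AP") is not None}
    new_ag = secrets.randbelow(P)                 # AG chooses k_l'
    out["touched"] = ca.change_key("AG", new_ag)
    gamma, e = ca.request("BR", "AG")
    out["br_derives_new_ag"] = derive(keys["BR"], gamma, e) == new_ag
    gamma, e = ca.request("AG", "AP")
    out["new_ag_derives_ap"] = derive(new_ag, gamma, e) == keys["AP"]
    out["ap_residue_unchanged"] = ca.residues["AP"] == pow(keys["AP"], 2, N)
    return out


if __name__ == "__main__":
    print(demo())
```

The `touched` list shows that only the two factors adjacent to AG are recomputed, while AP's changing residue and BR's key are untouched, which is the scalability claim of 3.3.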
4 SECURE DYNAMIC KEY MANAGEMENT ANALYSIS

Given the frequent mobility in mobile Internet, a dynamic security analysis is presented. For all kinds of topology changes, how security is achieved and how the topology is maintained are discussed.
4.1 One local group insertion

Assume that a new group $S_i$ is going to join the multicast group. $S_i$ should register with the CA, giving information such as its candidate parents and candidate children. After the CA approves the registration, the CA computes the parameters corresponding to the new group, such as $e_i$ and the related factor $\gamma_{ji}$. For example, when an AG group joins, the CA only has to compute the changing residue $e_i$ and the related factors between $S_i$ and its direct ancestor (maybe a BR group) or direct successor (an AP group or another AG group). Therefore, after the group is inserted, the other groups are not affected and need not update their group keys. In the case of frequent mobility, the advantage of the insertion procedure is even more obvious.

4.2 One local group leave

Similarly, by performing the hierarchical access mechanism, one group leave does not affect higher-privileged groups. However, once the departed group $S_l$ has derived the group key of its successor $S_i$, and $S_i$ does not modify $k_i$ from that time on, $k_i$ is exposed to the departed group. The groups with lower privilege are therefore supposed to change their group keys for higher security. Assuming $S_l$ ($S_j \geq S_l \geq S_i$) is going to leave, the leave procedure is described as follows.

Step 1 $S_l \to$ CA: "Request for leave".
Step 2 The CA collects the information of all lower-privileged groups.
Step 3 CA $\to S_l$: "You have left from the group".
Step 4 CA $\to S_i$: "Choose a new key $k_i^*$".
Step 5 $S_i$: $E_{PK}(k_i^*) \to$ CA.
Step 6 CA: $D_{SK}(E_{PK}(k_i^*)) = k_i^*$.
Step 7 The CA computes the new $e_i^*$.
Step 8 The CA computes $\gamma_{ji}^*$ and deletes $\gamma_{jl}$ and

In fact, in multicast communications, the leave procedure of a local group is transparent to the lower-privileged local groups. Therefore, the scalability and security are guaranteed in an indirect way.
4.3 Some group members leave

If group $S_l$ ($S_j \geq S_l \geq S_i$) has $f$ members ($m_1, m_2, \dots, m_f$) and $h$ ($1 \leq h \leq f$) members ($m_i, m_{i+1}, \dots, m_{i+h-1}$) have to leave, first ($m_i, m_{i+1}, \dots, m_{i+h-1}$) need to ask the leader of $S_l$ for leave. After the CA collects the information of the successor $S_i$, it admits the leave and meanwhile $S_i$ is informed with a change-group-key signal. Then $k_l$ and $k_i$ need to be re-chosen in order to prevent the departed members from getting access to messages. After that, the CA re-computes all parameters based on the alteration of the group keys. The steps are similar to those of one local group leave.

4.4 Analysis of attacks

In Lin's scheme, there is a drawback that once the old group key of a group is exposed, the newly chosen group key will be revealed in sequence [2]. Eqns. (7)-(8) show Lin's scheme. Assume that group $S_i$ ($1 \leq i \leq m$) changes its group key from $k_i$ to $k_i^*$, but it has no idea that $k_i$ is exposed to attackers. Obviously the attacker has got the value of $(Z^{k_j \oplus ID_i} \bmod P)$ by requesting the related factor $\gamma_{ji}$. After the CA has recomputed the new $\gamma_{ji}^*$, the attacker can easily derive the new group key of $S_i$ by performing Eqn. (9).

$$\gamma_{ji} = (Z^{k_j \oplus ID_i} \bmod P) \oplus k_i \quad (7)$$
$$k_i = (Z^{k_j \oplus ID_i} \bmod P) \oplus \gamma_{ji} \quad (8)$$
$$k_i^* = (Z^{k_j \oplus ID_i} \bmod P) \oplus \gamma_{ji}^* \quad (9)$$

The drawback is that after the group key is changed, the value of $(Z^{k_j \oplus ID_i} \bmod P)$ stays static and does not change with the other parameters [15]. In contrast, in our scheme the changing residue $e_i$ and the one-way hash function overcome Lin's drawback. Once $k_i$ changes, the value of $e_i$ also changes with $k_i$. Even if the attacker has got the old $h(Z^{k_j \oplus e_i} \bmod P)$ and $\gamma_{ji}^*$, to perform Eqn. (10) it has to face the difficulty of computing the new $h(Z^{k_j \oplus e_i^*} \bmod P)$. Since the value of $(Z^{k_j \oplus e_i^*} \bmod P)$ is protected by the one-way hash function, it is hard to reverse the hash function. What is more, even if $(Z^{k_j \oplus e_i^*} \bmod P)$ is disclosed, $n$ is secret and the changing residue $e_i^*$ changes with every change of $k_i$, so it is impossible for attackers to reveal $k_i^*$.

$$k_i^* = h(Z^{k_j \oplus e_i^*} \bmod P) \oplus \gamma_{ji}^* \quad (10)$$
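As an added example (not from the paper), the following Python check tests the property discussed above: whether the term a parent recovers as $\gamma_{ji} \oplus k_i$ stays the same across a re-key of $S_i$, under Lin's Eqn. (7) and under Eqn. (1) of this scheme. A static term is exactly the condition under which Eqn. (9) works. The toy values of $P$, $Z$, $n$, $ID_i$, the sample keys and the SHA-256 instantiation of $h(\cdot)$ are constructed assumptions.

```python
"""Check of the re-key property discussed in 4.4. Constructed example: the
term a parent recovers as gamma_ji xor k_i is compared before and after S_i
changes its key, under Lin's Eqn. (7) and under Eqn. (1) of this scheme."""
import hashlib

P, Z = 1_000_000_007, 5          # toy public parameters (5 is a primitive root)
N = 1_000_003 * 1_000_033        # toy n = p*q, held by the CA


def h(x: int) -> int:
    """One-way hash h(.) over an integer (toy instantiation: SHA-256)."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big")


def lin_factor(kj: int, ki: int, id_i: int) -> int:
    """Eqn. (7): gamma_ji = (Z^(k_j xor ID_i) mod P) xor k_i."""
    return pow(Z, kj ^ id_i, P) ^ ki


def ringnet_factor(kj: int, ki: int) -> int:
    """Eqn. (1) with the changing residue e_i = k_i^2 mod n of Eqn. (2)."""
    ei = pow(ki, 2, N)
    return h(pow(Z, kj ^ ei, P)) ^ ki


def term_is_static(factor, kj: int, ki: int, ki_new: int) -> bool:
    """True if gamma_ji xor k_i is unchanged by the re-key of S_i, i.e. an
    exposed old k_i together with the new gamma_ji yields k_i_new (Eqn. 9)."""
    return factor(kj, ki) ^ ki == factor(kj, ki_new) ^ ki_new


def compare(kj: int = 123456789, ki: int = 987654321,
            ki_new: int = 555555555, id_i: int = 42) -> dict:
    """Run the check for both schemes on constructed sample keys."""
    return {
        "lin_static": term_is_static(lambda a, b: lin_factor(a, b, id_i),
                                     kj, ki, ki_new),
        "ringnet_static": term_is_static(ringnet_factor, kj, ki, ki_new),
    }


if __name__ == "__main__":
    print(compare())   # {'lin_static': True, 'ringnet_static': False}
```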
5 CONCLUSIONS

1) A novel multicast communication model using a RingNet hierarchy, called the RingNet model, is proposed. A hierarchical key management scheme based on the model is proposed. Complementary to the scalability, reliability and self-organizability of the RingNet model, the dynamic hierarchical key management contributes much to the integrality of RingNet.
2) The proposed hierarchical key management scheme achieves great scalability in mobile multicast communications in spite of frequent mobility. Insertion and departure do not affect other local groups directly.
3) In particular, by performing access control in the multicast group, the users of a higher-privileged local group can deduce the key of a lower-privileged local group securely, so that multicast messages can be forwarded from higher-privileged NEs to lower-privileged NEs or mobile hosts.
4) Based on Lin's scheme, adding a one-way hash function and changing residues, the proposed scheme achieves higher security efficiently and overcomes its drawback. Differently from Lin's scheme, in our multicast scheme the users in a higher-privileged group only need to derive the group key of its direct successor, and the CA only needs to record the direct parent-child relationships for multicast transmission; while in Lin's scheme, not only the direct successor but also all other users in lower-privileged groups are involved in a user hierarchy.
REFERENCES

[1] Akl S G, Taylor P D. Cryptographic solution to a problem of access control in a hierarchy[J]. ACM Trans Computer Systems, 1983, 1(3): 239-248.
[2] Lin C H. Dynamic key management scheme for access control in a hierarchy[J]. Computer Communications, 1997, 20(15): 1381-1385.
[3] Tzeng W G. A time-bound cryptographic key assignment scheme for access control in a hierarchy[J]. IEEE Trans on Knowledge and Data Engineering, 2002, 14(1): 182-188.
[4] Chang C C, Hwang R J. Cryptographic key assignment scheme for access control in a hierarchy[J]. Information Systems, 1992, 17(3): 243-247.
[5] Lin C H, Chang C, Lee R C. A new public-key cipher system based upon the Diophantine equations[J]. IEEE Trans on Computers, 1995, 44(1): 13-19.
[6] Chang C C, Lin C H, Lee W, et al. Secret sharing with access structures in a hierarchy[A]. Proc 18th International Conference on Advanced Information Networking and Application (AINA'04)[C]. Kyushu: IEEE Computer Society, 2004. 31-34.
[7] Lu W W. Compact multidimensional broadband wireless: the convergence of wireless mobile and access[J]. IEEE Communications Magazine, 2000, 38(11): 119-123.
[8] Otsu T, Umeda N, Yamao Y. System architecture for mobile communication systems beyond IMT-2000[A]. Proc 44th IEEE Global Telecommunications Conference[C]. San Antonio: IEEE Communications Society, 2001. 538-542.
[9] Zahariadis T B, Vaxevanakis K G, Tsantilas C P, et al. Global roaming in next-generation networks[J]. IEEE Communications Magazine, 2002, 40(2): 145-151.
[10] Morand L, Tessier S. Global mobility approach with mobile IP in all IP networks[A]. Proc 2002 IEEE International Conference on Communications[C]. New York: IEEE Communications Society, 2002. 2075-2079.
[11] Wang G, Cao J, Chan K C C. A reliable totally-ordered group multicast protocol for mobile Internet[A]. Proc IEEE 33rd International Conference on Parallel Processing Workshops (ICPPW 2004)[C]. Montreal: IEEE Computer Society, 2004. 108-115.
[12] Mittra S. Iolus: a framework for scalable secure multicasting[J]. ACM SIGCOMM Computer Communication Review, 1997, 27(4): 227-288.
[13] Tan K J, Zhu H W. A conference key distribution scheme based on the theory of quadratic residues[J]. Computer Communications, 1999, 22(8): 735-738.
[14] Chou J S, Lin C H, Lee T Y. A novel hierarchical key management scheme based on quadratic residues[A]. Proc 2nd International Symposium on Parallel and Distributed Processing and Applications[C]. Hong Kong: Springer-Verlag, 2004. 858-865.
[15] Lee N, Hwang T. Comments on dynamic key management schemes for access control in a hierarchy[J]. Computer Communications, 1999, 22(1): 87-89.
(Edited by YANG Hua)