SURAKSHA: An Implementation of
Secure Group Communications
Nagesh H.R
Assistant Professor
Department of MCA
NMAM Institute of Technology,
Nitte, Udupi, Karnataka
Email:
[email protected]
K. Chandra Sekaran
Professor & Head
Department of Computer
Engineering
National Institute of Technology
Karnataka, Surathkal
Email: [email protected]
Niranjan N. Chiplunkar
Professor & Head
Department of Computer
Engineering
NMAM Institute of Technology,
Nitte, Udupi, Karnataka
Email: [email protected]
Abstract-Many emerging network applications (e.g., teleconference, information
services, distributed interactive simulation, and collaborative work) are based
upon a group communication model. As a result, securing group communications,
i.e., providing confidentiality, authenticity, and integrity of messages
delivered between group members, will become a critical networking issue. We
formalize the notion of a secure group as a triple (U, K, R) where U denotes a
set of users, K a set of keys held by the users, and R a user-key relation. We
then introduce key graphs [1] to specify secure groups, with nodes containing
information about the users and subgroups. For a special class of key graphs
called tree, we present a strategy for securely distributing rekey messages
after a join/leave and specify protocols for joining and leaving a secure
group. A user-oriented rekeying strategy and join/leave protocol is implemented
in a prototype key server we have built. Our implementation of secure group
communications provides authentication, confidentiality and integrity of the
messages delivered between the group members.
Key words-Confidentiality,
group communications, group
key management, key distribution, multicast, privacy,
rekeying,
security.
1.0 INTRODUCTION
MOST network applications are based upon the
client–server paradigm and make use of unicast (or point-to-point) packet
delivery. Many emerging applications, on the other hand, are based upon a group
communications model. In particular, they require packet delivery from one or
more authorized sender(s) to a large number of authorized receivers. In the
Internet, multicast has been used successfully to provide an efficient, best
effort delivery service to large groups [2]. We envision that deployment of
network applications requiring group communications will accelerate in coming
years. As a result, securing group communications, i.e., providing
confidentiality, authenticity, and integrity of messages delivered between
group members, will become a critical networking issue in the near future.
While the
technical issues of securing unicast communications for client–server computing
are fairly well understood, the technical issues of securing group
communications are not. Conceptually, since every point-to-multipoint
communication can be represented as a set of point-to-point communications, the
current technology base for securing unicast communications can be extended in
a straightforward manner to secure group communications. However, such an extension
is not scalable to large groups.
For a more
concrete illustration of this point, we outline a typical procedure for
securing unicast communications between a client and a server. Initially, the
client and server mutually authenticate each other using an authentication
protocol or service; subsequently, a symmetric key is created and shared by
them to be used for pair wise confidential communications. This procedure can
be extended to a group as follows.
Let there be a trusted server, which is given
membership information to exercise group access control. When a client wants to
join the group, the client and server mutually authenticate using an
authentication protocol. Having been authenticated and accepted into the group,
each member shares with the server a key, to be called the member's individual
key. In this paper, key means a key from a symmetric cryptosystem, such as DES
[6], unless explicitly stated otherwise. For group communications, the server
distributes to each member a group key to be shared by all members of the
group. For a group of members, distributing the group key securely to all
members requires messages encrypted with individual keys (a computation cost
proportional to group size). Each such message may be sent separately via unicast.
Alternatively, the messages may be sent as a combined message to all group
members via multicast. Either way, there is a communication cost proportional
to group size (measured in terms of the number of messages or the size of the
combined message). Observe that for a point-to-point session, the costs of
session establishment and key distribution are incurred just once, at the
beginning of the session.
A group
session, on the other hand, may persist for a relatively long time with members
joining and leaving the group. Consequently, the group key should be changed
frequently. To achieve a high level of security, the group key should be
changed after every join and leave so that a former group member has no access
to current communications and a new member has no access to previous
communications. It is easy to see that sharing a group key enables confidential
communications within a group. In addition to confidentiality, standard
techniques such as digital signature and message digest can be used to provide
authenticity, integrity, and nonrepudiation.
Let there be a trusted server that creates a
new group key after every join and leave. After a join, the new group key can
be sent via unicast to the new member (encrypted with its individual key) and via
multicast to existing group members (encrypted with the previous group key).
Thus, changing the group key securely after a join is not too much work. After
a leave, however, the previous group key can no longer be used and the new
group key must be encrypted for each remaining group member using its
individual key. Thus, we see that changing the group key securely after a leave
incurs computation and communication costs proportional to, the same as initial
group key distribution. That is, large groups whose members join and leave
frequently pose a scalability problem.
This security aspects applied to the group
communication is used in a Group Chat application, that allows a large number
of users or group members to join and leave the group at any time and hence
securely communicate with other members using the keys supplied by the server.
In secured mode of “peer to peer”
communicating model unicasting of the secured information has to be done. Then
the number of keys to be maintained for this will keep on increasing as the
number of users increase. Number of encryptions and decryptions will also
increase at both the ends. Key management and space for storing the keys is the
major problem with the secured mode of “peer to peer” communication. Considering
users wants to communicate as a group can easily solve this. Because of
multicasting and group key, key management is easier and space for storing the
keys will also be reduced
2.0 SECURE GROUPS
This section deals with secure
group, key graph, and user-oriented rekeying strategy. It also deals with
join/leave protocol for all user-oriented rekeying strategy.
A secure group is a triple (U, K,
R) where:
• U is a finite and nonempty set of users,
• K is a finite and nonempty set of keys,
• R is a binary relation between U and K,
R Ì
U × K, called the user-key relation of the secure group. User u has key k
if and only if (u, k) is in R. Each
secure group has a trusted key server
responsible for generating and securely distributing the keys in K
to users in the group. Specifically, the
key server knows the user set, U and the key set, K and maintains the user–key
relation R. Every user in U has a key in K, called its individual key, which is shared
only with the key server and is used for pair wise confidential communication
with the key server. There is a group key in K, shared by the key server and all users
in U. Each user to send messages confidentially to other members of the group
can use the group key [1].
A key graph
is a directed acyclic graph G with two types of nodes: u-nodes representing users and k-nodes
representing
keys. Each u-node has one or more outgoing edges but no incoming edge.
Each k-node has one or more incoming edges. If a k-node has
incoming edges only and no outgoing edge, then this k-node is called a root.
Given a key graph G, it
specifies a secure group (U, K, R) as follows.
1) There is a one-to-one
correspondence between U and
the set of u-nodes in G.
2) There is a one-to-one
correspondence between K and the set of k-nodes in G.
3) (u, k) is
in R if and only if G has a directed path from the u-node
that
corresponds to u to the k-node that corresponds to k.
As an example, the key graph in Fig. 1 specifies the following secure group:
U = {u1, u2,
u3, u4}
K = {k1, k2,
k3, k4, k12, k234,
k1234}
U1 U2 U3 U4
U-nodes
Fig. 1 A key graph
R =
{(ul, kl), (ul, k12),
(ul, k1234), (u2, k2),
(u2, k12), (u2, k234),
(u2, k1234), (u3, k3), (u3, k234),
(u3, k1234), (u4, k4),
(u4, k234), (u4, k1234)}.
Associated
with each secure group (U, K, R) are two functions,
keyset() and userset(), defined as follows:
keyset(u) = {k | (u,
k) Î R}
userset (k) = {u
| (u, k) Î R}.
Intuitively, keyset(u) is the set of
keys that are held by user u in U, and userset(k) is the
set of users that hold key k in K. For examples, referring to the
key graph in Fig. 1, we have keyset(u4) = {k4,
k234, k1234} and userset(k234)
= {u2, u3, u4}.
Generalized
definition of function keyset() to any subset U ’ of U, and
function userset() to any subset K ’ of K, in a straightforward
manner, i.e., keyset(U ') is the set of keys each of which is held by at
least one user in U ’, and userset(K ’) is the set of users each
of which holds at least one key in K ’.
When a user u leaves a secure group (U,
K, R), every key that has been held by u and shared by
other users in U should be changed. Let k be such a key. To
replace k, the server randomly generates a new key knew and sends it to every user in
userset(k) except u. To do so securely, the server needs to find
a subset K ’ of keys such that userset(K ') = userset(k) -
{u} and use keys in K ' to encrypt knew for
distribution [1].
A user who wants to join (leave) a secure
group sends a join (leave) request to the key server, denoted by s. For a join
request from user u, we assume that the user selects a user name that is not
already present in the group and also a password to identify him/her. Thus a
join request initiates an authentication exchange between u and s. If user u is
not authorized to join the group, server s sends a join-denied reply to u. If
the join request is granted, we assume that the session key distributed as a
result of the authentication exchange will be used as the individual key ku
of u. To simplify protocol specifications below, we use the following
notation:
s ó u : authenticate u and
distribute ku.
to
represent the authentication exchange between server s and user u, and secure
distribution of key ku to be shared by u and s.
After each join or leave, a new secure group
is formed. Server s has to update the group's key graph by replacing the keys
of some existing k-nodes, deleting some k-nodes (in the case of a leave), and
adding some k-nodes (in the case of a join). It then securely sends rekey
messages containing new group/subgroup keys to users of the new secure
group.
After granting a join request from u, server
s creates a new u-node for user u and a new k-node for its individual key ku.
Server s finds an existing k-node (called the joining point for this
join request) in the key tree and attaches k-node ku to the joining
point as its child.
To prevent the joining user from accessing
past communications, all keys along the path from the joining point to the root
node need to be changed. After generating new keys for these nodes, server s
needs to securely distribute them to the existing users as well as the joining
user. For example, as shown in Fig. 2, suppose u9 is granted to join
the upper secure group in the figure. The joining point is k-node k78
in the upper key graph, and the key of this k-node is changed to k789
in the lower key graph. Moreover, the group key at the root is changed from k1-8
to k1-9. Users u1,
u2... u6 only need the new group key k1-9,
while users u7, u8, and u9 need the new group
key k1-9 as well as the new subgroup key k789.
To securely distribute the new keys to the
users, the server constructs and sends rekey messages to the users. A rekey
message contains one or more encrypted new key(s), and a user needs to
decrypt it with appropriate keys in order to get the new keys. The
user-oriented approach is used to used to construct and send the rekey messages.
K1
U
U1 U2 U3 U4 U5 U6 U7 U8
K1
U
U1 U2 U3 U4 U5 U6 U7 U8 U9
Fig. 2 A key tree graph before and after a join
(leave).
2.3.1 User-Oriented Rekeying
Consider
each user and the subset of new keys it needs. The idea of user-oriented
rekeying is that for each user, the server constructs a rekey message that
contains precisely the new keys needed by the user and encrypts them using a
key held by the user. For example, as shown in Fig. 2, for user u9
to join the upper secure group in the figure, server s needs to send the
following three rekey messages:
s {u1,…,u6}:
{k1-9}k1-8
s
{u7,u8} : {k1-9, k789}k78
s u9 : {k1-9, k789)k9.
Note that users u1, …, u6
need to get the new group key kl-9. There is no single key that is shared only by u1, …, u6.
However, key k l-8 can be used to encrypt the new key kl-9
for u1, …, u6 without security breach since
users u7 and u8 will also get this new
group key from another rekey message.
User-oriented
rekey messages can be constructed as follows. For each k-node x whose
key has been changed, say, from k to k', the server constructs a
rekey message by encrypting the new keys of k-node x and all its
ancestors (up to the root) by the old key k. This rekey message is then
sent to the subset of users that need precisely these new keys. Either unicast
or subgroup
multicast may
be used. Moreover, one rekey message is sent to the joining user, which
contains all of the new keys encrypted by the individual key of the joining
user. This approach needs h-rekey messages [1](h-height of the tree).
2.4 Leaving
a Tree Key Graph
After
granting a leave request from user u, server s updates the key
graph by deleting the u-node for user u and the k-node for its individual key from the
key graph. The parent of the k-node for its individual key is called the
leaving
point. To
prevent the leaving user from accessing future communications, all keys along
the path from the leaving point to the root node need to be changed. After
generating new keys for these k-nodes, server s needs to securely
distribute them to the remaining users. For example, as shown in Fig. 2,
suppose u9 is granted to leave the lower secure group in the
figure.
The leaving point is the k-node for k789
in the lower key graph, and the key of this k-node is changed to k78
in the upper key graph. Moreover, the group key is also changed from kl-9
to kl-8 . Users ul, . . .,u6
only need to know the new group key kl-8 . Users u7
and u8 need to know the new group key k1-8
and the new subgroup key k78. To securely distribute the new
keys to users after a leave, same rekeying strategies are used.
2.4.1 User-Oriented Rekeying
In this
approach, each user gets a rekey message in which all the new keys it needs are
encrypted using a key it holds. For example, as shown in Fig. 2, for user u9 to
leave the lower secure group in the figure, server s needs to send the
following four rekey messages:
s {u1,u2,u3} : {k1-8}k123
s {u4,u5,u6} : {k1-8}k456
s u7 : {k1-8, k78}k7
s u8 : {k1-8 , k78}k8.
User-oriented
rekey messages for a leave can be constructed as follows. For each k-node
x whose key has been changed, say, from k to k', and for
each unchanged child y of x, the server constructs a rekey
message by encrypting the new keys of k-node x and all its
ancestors (up to the root) by the key K of k-node y. This
rekey message is then multicasted to userset(K) [1].
3.0 UML
State Diagram
A state
diagram (also called a state chart diagram) shows the sequence of states that
an object goes through during its life in response to outside stimuli and
messages. The state is the set of values that describes an object at a specific
point in time and is represented by state symbols and arrows connecting the
state symbols represent the transitions. A state diagram represents the state
of the method execution and the activities in the diagram represent the
activities of the object that performs the method. The purpose of the state
diagram is to understand the algorithm involved in performing a method. The
Fig. 3 and Fig. 4 represent the state diagram of a
server and a user (client) respectively.
Stop
Fig. 4 UML state diagram of the client
We have designed and constructed a separate
group key server, as well as a client, which implement join/leave protocols for
user-oriented rekeying strategy. The experiments are carried out on
Pentium-III, 128MB RAM, 700 MHz machine. The software’s used for conducting the
experiments are: JDK 1.3 [7], Oracle8i client-server version, Windows NT
workstations/ Windows 98 workstations. The server is initialized from number of
groups to be created. When a user sends a join request it generates the random
group number for that user and attaches the user to that group.
The system we have implemented provides
following security services:
Confidentiality: It is the protection of
transmitted data from passive attacks, that is, it ensures that the information
in a computer system and transmitted information are accessible for reading by
authorized parties. One method to achieve this confidentiality is to encrypt
data before transmitting it at the sending end and to decrypt the received
message at the receiving end. We have implemented the DES (Data Encryption
Standard) algorithm to preserve the confidentiality of the messages transmitted
within the group. All messages transmitted within the group are encrypted using
the group key that is shared by all users in the group. Also the message
transferred between the clients and the server is encrypted using the user’s
individual key or session key. The confidentiality of the rekey messages is
also preserved using the same technique. By this approach, only the authorized
users will be able to decrypt the message, since they will possess the key
required to decrypt the message.
Authenticity: The authentication service
is concerned with assuring that a communication is authentic. In the case of a
single message, the function of the authentication service is to assure the
recipient that the message is from the source that it claims to be from. Our implementation
supports basic authentication service of checking the user name and passwords.
The server maintains a database of all users in the Oracle database, which
consists of all the users user name and password. Every user who wishes to join
the group provides a user name and password to the server, which verifies them
against a database of user details. The confidentiality of this authentication
messages is maintained using the RSA algorithm [6], which is a public key
cryptosystem.
Integrity: It ensures that only
authorized parties are able to modify the transmitted information. There is a
very critical necessity that the clients are able to confirm that the rekey
messages were actually sent by the server and not by any other unauthorized
processes. To implement such checks, we use MD5 message digest algorithm in the
following way: when sending a rekey message the server computes the message
digest of the rekey message and sends it to the respective client encrypted
with the server’s private key along with the actual rekey message. On the
receiving end, the client recomputes the message digest on the received rekey
message, decrypts the message digest that the server had sent using the
server’s public key and compares both of them. If both the message digests are
equal, the client accepts the rekey message and the client’s keys are updated.
Otherwise the rekey message is discarded, as it is not a message from the
authorized server. The Fig. 5 and Fig. 6 represents the implementation of these
services at server and client side.
DES Encryption
C1
Rekey
Message (M)
Calculate
MD5 RSA
Encryption using private key
C2
Fig. 5 Integrity check at server side
DES Encryption Calculate
MD5
C1
C2 C
Fig. 6 Integrity check at client side
4.1 Server
Implementation
The server subsystem is implemented as a concurrent
server that spawns a new child thread for every new client connection
established, using the JAVA socket Programming and JAVA Thread Programming
concepts. The server subsystem creates a socket and binds a well-known address
to the socket, so that all the clients can make a connection to that well known
address of the server. The main server then waits for a new connection to
arrive from any client. Once the client makes a connection request and
succeeds, the server checks the user authentication information sent by the
client and sends the list of keys that applies to that particular user.
The
implementation of the server module for the secure group communication model
consists of the following sub modules.
4.1.1
Initialization of the Tree (tree. java)
The server
stores the information corresponding to all the logged in users in a key graph,
which is implemented as a tree. The tree is implemented to have a height of
three. The top level indicates the root node, consisting of the group key. The
middle level of nodes in the key tree represents the various subgroups in the
group. The bottom most level in the tree represents the users of the respective
subgroups.
The nodes in the tree consist of the following information
about the respective users:
When the server is started, the key tree initializer
creates the root node and a certain number of subgroup nodes and initializes
these nodes with the keys for the respective subgroups. The subgroup keys are
generated using a random number generator function. As the users are accepted
into the group they added to their respective subgroups, that is a node corresponding
to the new user is created and attached to the node corresponding to the user’s
subgroup.
Initial
Key Tree:
with two active subgroups and three active users.
4.1.2 Processing of the client
requests (server. java)
The main purpose of a server is to process
the client requests and to provide them the service requested. Any
communication between the client and the server will be encrypted using the
either DES or RSA algorithm and will not be make any sense to the intruders.
The server handles the following five types of requests from the clients.
4.1.3 Join
protocol (keyGraph.java)
When a user joins into the existing group, a
new secure group is created and hence requires the old keys to be updated in
the key tree as well as intimate the users about the new keys. This is
necessary so that the new user cannot access the previous communications in the
group. This paper deals with the implementation of user-oriented rekeying
strategy, where each user gets a rekey message containing precisely the new
keys needed by that user encrypted with the key held by the user. The pseudo
code for our implementation of the user-oriented rekeying protocol is as below:
SendRekeyMessageAfterJoin(new_user,user’s_subgroup)
{ for ( every subgroup in the main group )
{
if ( subgroup != user’s_subgroup )
{ for (all users in the subgroup)
SendMessage({new_group_key}old_group_key )
}
else {
for ( every user in subgroup )
{ if ( user != new_user )
SendMessage({new_group_key
+new_subgroup_key}old_subgroup_key )
else
SendMessage({new_group_key
+new_subgroup_key}session_key )}}}
4.1.4 Leave
Protocol (keyGraph.java)
When a user
leaves a group forever, the existing keys in the tree hierarchy needs to be
changed using a leave protocol and the new keys must be securely communicated
to all users, except the one who just left. This implementation uses user-oriented
rekeying strategy to send the rekey messages to the users. This rekeying after
a user leave is essential because the user who left the group must not be able
to access the future communications. The
pseudo code for our implementation of the user-oriented rekeying protocol is as
below:
SendRekeyMessageAfterLeave
(left_user,user’s_subgroup)
{ for ( every subgroup in the main group )
{
if ( subgroup != user’s_subgroup )
{ for ( all users in the subgroup
)
{
SendMessage({new_group_key}subgroup_key )
}
} else
{ for ( every user in subgroup )
{ if ( user != left_user )
{
SendMessage({new_group_key
+new_subgroup_key}session_key ) }}}}
4.2 Client
Implementation
The client program is implemented as a pair
of threads, one that waits for rekey messages from the server and another that
waits for the messages from other clients within the group. Both of these
threads start running once the login process is over. Even the client side uses
the same cryptographic algorithms, as the ones implemented in the server
module, like the RSA and DES algorithms.
The
user interfaces for both the server side as well as the client side are
implemented using JAVA Swing components, which is a set of classes that
provides more powerful and flexible graphical user interface components. The
main procedures implemented in the client module are as follows:
4.2.1 Login
Process (Client. java)
Once the server starts running, any client
that wants to join and communicate with the group members needs to authenticate
itself to the server, through the authentication or login process and obtain a
set keys consisting of the group key, subgroup key and the user session key.
The login process can be summarized as in the steps below:
Server
ß { send public key request }
Client
ß {server’s Public_Key}
Server ß {Name, Password, Session_Key}
Public_Key
Client ß {Group_Key, Subgroup_Key,
Unique_Session_Key }Session_Key
4.2.2
Message Transfer Module (MessageTransfer.java)
This module handles the transfer of messages
between the clients. When the user authenticates himself to the server, the
user also gets the multicast address to which they can attach for sending
messages as well as to listen for the arrival of messages from other clients.
These user messages are encrypted using the group key and sent as a datagram to
all the users who have attached to the multicast address. Only authorized users
will be having the group key and hence can decrypt the message.
4.2.3 Rekey
Message Handler Module (Client. java)
A client can receive a rekey message at any
time during its active participation in the group communication. The actual
rekey message consists of the various keys i.e., group key and subgroup key,
that has changed and required by the respective user. But the message sent to
the client consists of encrypted rekey message as well as a message digest
computed on the actual message, encrypted with the server’s private key. On
receiving this, the client decrypts the actual rekey message using a suitable
key and then computes the message digest MD-1. The client then decrypts the
message digest that the server had sent using the server’s public key to get
MD-2. It then compares the two message digests MD-1 and MD-2. If both are
equal, then the client’s keys are updated to the values specified by the rekey
message. Otherwise the rekey message is discarded as it has failed to confirm
that the server sent it.
Key Tree after user “NewUser” joined the group: Since a user has joined the
group at SubGroup-1, new keys have been applied at root and SubGroup-1.
Key Tree after the user “NewUser” logged-in: As the user logged-in, his
node in the key tree is made active.
Key Tree after user “paran” logged out: As the user logged-out, his
node in the key tree is made inactive.
Key Tree after user “NewUser” left the group: Once the user permanently
leaves the group, his node is completely removed from the key tree.
5.0
CONCLUSION
We have
implemented secure group communications to study the security and key
management features. Our implementation
consists of a key graph that holds information about the system users in a
hierarchical order. The Join/Leave protocols using the user-oriented rekeying
strategy have been implemented in an efficient manner to update the keys at the
server as well as the clients. Efficient cryptographic algorithms like RSA and
DES algorithms have been implemented to preserve the confidentiality and
integrity of messages transferred between the server and the clients, as well
as those that are transferred between clients.
The overhead of encrypting rekey messages
with every users session key has been considerably reduced using the concept of
subgroups and subgroup keys. Though this paper deals with the implementation of
secure group communication model using a chat application, this model can be
easily extended to other applications such as teleconferencing, distributed
interactive simulation, information services like instant news service or share
market related application and any other application that involves secure
communication between a group of users.
5.1 Limitations of the work
5.2 Future enhancements to
this work
ACKNOWLEDGMENT
The authors
wish to thank the anonymous reviewers for their constructive comments.
[1] C.K.
Wong, M. Gouda, and S.S. Lam, “Secure Group Communications
Using
Key Graphs,” IEEE/ACM Trans. Networking, February 2000.
[2]
S.E.Deering, “Multicast routing in internetworks and extended LANs,”
in
Proc.ACM SIGCOMM’88, Aug. 1988, pp.55-64.
[3] A.O. Freier, P.Karlton, and P.C.Kocher, The
SSL Protocol Version 3.0,
1996. Work in progress, Netscape
Communication.
[4] J.G.
Steiner, C. Neuman, and J. I. Schiller, “Kerberos: An authentication
service for open network systems,” in Proc. USENIX
Winter Conf., Feb.
1988,
pp. 191-202
[5] T.Y.C.
Woo, R. Bindignavle, S. Su, and S.S Lam, “SNP: An interface fo
secure
network programming,” in Proc. USENIX’94 Summer Technical
Conf.,
Boston, M.A, June 1994.
[6] William
Stallings, “Cryptography and Network Security: Principles and
Practice,” Second Edition, Prentice Hall.
[7] http://vsys-www.infomatic.uni-hamburg.de
/documents/docs /jdk1.3/api
/java