Abstract
Multicast applications, such as video broadcast and multicast file transfer, typically have the following key management requirements. Note that the list is neither applicable to all applications nor exhaustive. Group members receive security associations that include encryption keys, authentication/integrity keys, cryptographic policy that describes the keys, and attributes such as an index for referencing the security association (SA) or particular objects contained in the SA.
Description of Multicast Security
In addition to the policy associated with group keys, the group owner or the Group Controller and Key Server (GCKS) may define and enforce group membership, key management, data security, and other policies that may or may not be communicated to the entire membership.
Keys will have a pre-determined lifetime and may be periodically refreshed.
Key material should be delivered securely to members of the group so that they are secret, integrity-protected and verifiably obtained from an authorized source.
The key management protocol should be secure against replay attacks and Denial of Service (DoS) attacks. The protocol should facilitate addition and removal of group members. Members who are added may optionally be denied access to the key material used before they joined the group, and removed members should lose access to the key material following their departure. The protocol should support a scalable group rekey operation without unicast exchanges between members and a Group Controller and Key Server (GCKS), to avoid overwhelming a GCKS managing a large group.
The protocol should be compatible with the infrastructure and performance needs of the data security application, such as the IPsec security protocols AH and ESP, and/or application layer security protocols such as SRTP. The key management protocol should offer a framework for replacing or renewing transforms, authorization infrastructure, and authentication systems.
The key management protocol should be secure against collusion among excluded members and non-members. Specifically, collusion must not result in attackers gaining any group secrets beyond those that each of them is individually privy to. In other words, combining the knowledge of the colluding entities must not result in revealing additional group secrets. The key management protocol should provide a mechanism to securely recover from a compromise of some or all of the key material. The key management protocol may need to address real-world deployment issues such as NAT-traversal and interfacing with legacy authentication mechanisms.
In contrast to typical unicast key and SA negotiation protocols such as TLS and IKE, multicast group key management protocols provide SA and key download capability. This feature may be useful for point-to-point as well as multicast communication, so that a group key management protocol may be useful for unicast applications.
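The member-removal and scalable-rekey requirements above can be made concrete with a small sketch. This is an added example, not code from the original text: it assumes a logical key hierarchy (LKH, a binary key tree), a technique this page does not name, and its wrap() is a stand-in for a real authenticated key wrap. The names GCKS, member_keys, remove and process_rekey are hypothetical.

```python
# Added example: LKH rekey on member removal (technique and names are assumptions).
import hashlib, hmac, os

def wrap(kek, key):
    # Stand-in for a real AEAD key wrap: HMAC-derived pad plus integrity tag.
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    return nonce, ct, hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrapped under a key this member does not hold
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class GCKS:
    def __init__(self, n):  # n members, power of two; heap-indexed tree, root = 1
        self.n = n
        self.keys = {i: os.urandom(32) for i in range(1, 2 * n)}

    def member_keys(self, m):
        # Keys member m receives at registration: its leaf up to the root.
        node, held = self.n + m, {}
        while node >= 1:
            held[node] = self.keys[node]
            node //= 2
        return held

    def remove(self, m):
        # Replace every key the leaver held; return one multicast rekey message.
        leaf, node, msg = self.n + m, (self.n + m) // 2, []
        while node >= 1:
            self.keys[node] = os.urandom(32)
            for child in (2 * node, 2 * node + 1):
                if child != leaf:  # never wrap under the leaver's own key
                    msg.append((node, child, wrap(self.keys[child], self.keys[node])))
            node //= 2
        return msg

def process_rekey(held, msg):
    # Member side: entries are ordered leaf-to-root, so new keys chain upward.
    for node, child, blob in msg:
        if child in held:
            new = unwrap(held[child], blob)
            if new is not None:
                held[node] = new
    return held
```

For a group of 8, removing one member produces 5 wrapped keys in a single multicast message, and the removed member cannot unwrap any of them because every entry is protected by a key it never held or one that was just replaced.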