Many applications require an efficient and secure mechanism for distributing information to a dynamically changing trusted community. Typically, such a mechanism involves forming a secure group whose members share a secret cryptographic key. This key is updated to a new version whenever a new member joins the group (so that the new member cannot access information previously protected by the key, so-called “backward confidentiality”) or a member leaves the group (so that the departed member cannot access information subsequently protected by the key, so-called “forward confidentiality”). Responsibility for controlling the shared key, and therefore the membership of the group, rests with a functional entity referred to herein as the key manager. In a simple implementation, the key manager privately communicates the new version of the shared key to each member individually: to the new member and to each existing member when a member joins, or to each remaining member when a member leaves, so that the cost of an update grows linearly with the size of the group. To make the key update operation more scalable, well-known techniques combine a multicast transport with a Logical Key Hierarchy (LKH), in which each member holds the keys on the path from its own leaf of a key tree to the root; a key update then requires a number of encrypted messages that is logarithmic in the size of the group (see, for example, “Key Management for Multicast: Issues and Architectures”, Internet Request for Comments (RFC) 2627, Internet Engineering Task Force, June 1999).
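As an added worked example (not part of the original text, and not the RFC 2627 specification itself), the following Python models the LKH join and leave re-keying outlined above: a key manager holding a binary key tree, members holding only the keys on their leaf-to-root path, and multicast re-key messages whose number grows with the depth of the tree rather than with the group size. The heap-style node numbering, the toy HMAC-based key wrap, the message tuple format and the `demo()` parameters are illustrative assumptions introduced here.

```python
"""Logical Key Hierarchy (LKH) rekeying: an added illustration of the scheme
outlined above, not the page's own code.  wrap() is a toy encrypt-then-MAC."""
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 16


def _prf(kek: bytes, *parts: bytes) -> bytes:
    return hmac.new(kek, b"".join(parts), hashlib.sha256).digest()


def wrap(kek: bytes, key: bytes) -> bytes:
    """Encrypt `key` under `kek` (XOR with an HMAC keystream), then tag it."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(key, _prf(kek, b"enc", nonce)))
    return nonce + ct + _prf(kek, b"mac", nonce, ct)[:TAG_LEN]


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError when `kek` is not the wrapping key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(kek, b"mac", nonce, ct)[:TAG_LEN]):
        raise ValueError("tag mismatch: wrong or stale key")
    return bytes(a ^ b for a, b in zip(ct, _prf(kek, b"enc", nonce)))


class KeyManager:
    """Heap-indexed key tree: root 1, children of i are 2i and 2i+1, leaf slot s is
    node capacity+s (capacity a power of two).  keys[1] is the group key."""

    def __init__(self, capacity: int):
        assert capacity > 0 and capacity & (capacity - 1) == 0
        self.capacity, self.keys = capacity, {}  # keys: node id -> current key

    def _ancestors(self, leaf: int):
        node = leaf // 2
        while node >= 1:  # parent first, root last
            yield node
            node //= 2

    def join(self, slot: int):
        """Admit a member: returns (leaf_key for the private channel, multicast rekey)."""
        leaf = self.capacity + slot
        assert leaf not in self.keys, "slot occupied"
        self.keys[leaf] = leaf_key = secrets.token_bytes(KEY_LEN)
        rekey, child = [], leaf
        for node in self._ancestors(leaf):
            new = secrets.token_bytes(KEY_LEN)
            if node in self.keys:  # backward confidentiality: existing holders use
                rekey.append((node, node, wrap(self.keys[node], new)))  # the old key
            rekey.append((node, child, wrap(self.keys[child], new)))  # joiner climbs up
            self.keys[node], child = new, node
        return leaf_key, rekey

    def leave(self, slot: int):
        """Evict a member: the multicast rekey never uses a key the leaver holds."""
        leaf = self.capacity + slot
        del self.keys[leaf]
        rekey = []
        for node in self._ancestors(leaf):
            kids = [c for c in (2 * node, 2 * node + 1) if c in self.keys]
            if not kids:  # sub-tree emptied: drop the node instead of rekeying it
                self.keys.pop(node, None)
                continue
            new = secrets.token_bytes(KEY_LEN)
            rekey.extend((node, c, wrap(self.keys[c], new)) for c in kids)
            self.keys[node] = new
        return rekey


class Member:
    def __init__(self, capacity: int, slot: int, leaf_key: bytes):
        self.keys = {capacity + slot: leaf_key}  # path keys currently held

    def process_rekey(self, rekey) -> None:
        """Apply a leaf-to-root ordered rekey; skip messages we cannot verify."""
        for node, wrapped_under, blob in rekey:
            kek = self.keys.get(wrapped_under)
            if kek is None:
                continue  # addressed to another sub-tree
            try:
                self.keys[node] = unwrap(kek, blob)
            except ValueError:
                pass  # we hold only a stale version of the wrapping key


def demo(capacity: int = 8, joiners: int = 4, leaver: int = 1) -> dict:
    km, members = KeyManager(capacity), {}
    for slot in range(joiners):
        leaf_key, rekey = km.join(slot)
        members[slot] = Member(capacity, slot, leaf_key)
        for m in members.values():
            m.process_rekey(rekey)
    rekey = km.leave(leaver)
    evicted = members.pop(leaver)
    for m in [*members.values(), evicted]:
        m.process_rekey(rekey)
    return {
        "remaining_in_sync": all(m.keys.get(1) == km.keys[1] for m in members.values()),
        "evicted_locked_out": evicted.keys.get(1) != km.keys[1],
        "leave_messages": len(rekey),  # 4 here: 1 + 2 + 1 over the three levels
    }
```

With the default parameters, evicting one of four members from an eight-leaf tree costs four wrapped keys rather than three unicast deliveries, and the saving grows as the group does. The evicted member still holds the old versions of its path keys, but every leave message is wrapped under a key it never had or under a freshly replaced version, so the authenticated wrap rejects each one and the member is left with the stale group key. In a real deployment the toy `wrap()` would be replaced by an AEAD or a standard key-wrap construction.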
Unfortunately, robust key management in known multicast LKH schemes generally requires members to be on-line at all times so that they reliably receive key updates in a timely manner. This limits the applicability of such schemes when the community is large and loosely coupled, when connectivity between members is poor, or simply when members are off-line more often than they are on-line. In these cases it can be too expensive, in terms of the processing and communication resources consumed, to treat members as evicted from the group whenever they go off-line and to re-admit them when they return, since each such transition triggers a re-key of the group.
Various proposals have been made for improving the reliability of group re-keying, with a focus on key recovery for on-line members when the multicast transport fails. Such proposals assume either that only a few key updates are lost or that members are always able to take immediate recovery action. At one extreme of this approach are key distribution schemes that assume a reliable group communication middleware underneath, e.g., one providing extended virtual synchrony semantics, in order to deliver key updates reliably.
In the context of the secure distribution of copyright-protected material, detailed studies have been made of how to encrypt broadcast content so that only a dynamically changing group can decrypt it (see broadcast encryption), and of how to trace and exclude “traitors” who leak information. Typically, these schemes assume a single source and do not cope with an arbitrary number of colluding “traitors”. Moreover, some of them also assume that clients cannot update their state dynamically, e.g., a DVD player holding pre-configured secrets, which can make management of the ever-growing revocation information impractical.
The paper “Efficient state updates for key management” (Benny Pinkas, ACM CCS Workshop on Security and Privacy in Digital Rights Management, LNCS, 2001) considers how to minimise the amount of information a client needs in order to recover after coming back on-line having missed some LKH key updates. However, that scheme assumes the recovery information is tailored to a particular client and is downloaded by that client directly from the key manager.
It is an object of the present invention to facilitate key update management for members of a group who have missed a number of updates.