The present invention relates generally to secure communication. More particularly, the invention relates to a system for providing secure communication between many senders and many members.
Secure multicasting over a network such as the Internet is employed in several applications, such as stock quote distribution, private conferencing, and distributed interactive simulation. Some of these applications have a single sender distributing secret data to a large number of users while the others have a large number of users communicating privately with each other. Several approaches have been proposed in the recent past to support group communication between one sender and many members. The few solutions that exist to facilitate secure communication between many senders and many members suffer from a common failing; they employ some form of centralized group control.
Multicasting is a scalable solution to group communication; many-to-many secure multicasting protocols must also be scalable. Group access control, secret key distribution and dynamic group management are three major components of a secure group communication protocol. Most of the existing one-to-many secure multicast protocols use a centralized entity, the group manager to enforce access control and distribute secret keys. When the multicast group membership is dynamic, the group manager must also maintain perfect forward secrecy. This is to guarantee that members cannot decrypt secret data sent before they join the group and the data sent after they left. The group manager changes the appropriate secret keys when a member joins or leaves, and distributes them to the corresponding members. The rekeying process must be scalable; the key distribution overhead should be independent of the size of the multicast group.
Although it presents a single point of attack and failure, using a centralized entity for group control is natural for one-to-many secure multicasting. However, in the presence of multiple senders, it is desirable that the multicast group remains operational as long as at least one sender is operational. In other words, many-to-many secure multicasting calls for decentralized control of the group. Access control, key distribution and dynamic group management tasks should be delegated to all the senders. It is desirable to evenly distribute access control responsibilities and protocol processing overhead among all the senders in the group.
Only a few secure many-to-many group communication protocols exist in the literature. However, all such protocols in the literature use centralized group control and thus are prone to single point of attack as well as failure. One protocol exposes secret keys to third party entities which assist in key distribution and additionally employs a centralized "group security controller" (GSC) for group management. Another protocol suggests placing equal trust in all the group members. Members joining early generate the keys and distribute them to the members joining late. While this protocol works in principle, it is susceptible to collusion amongst the members. It is possible to have a very small subset of members controlling the group, allowing uneven distribution of group control and key distribution overhead. It is desirable for the structure of a communication protocol to prevent collusion between group members.
Any secure group communication protocol has three major components, group access control, secret key distribution and dynamic group management. Senders are responsible for controlling access to the secure multicast group. All members' authentication must be verified before they can join the group. Data is encrypted for privacy reasons before being sent to the group. The senders are responsible for distributing the data encryption keys to members in a secure and scalable fashion. Finally, the senders are responsible for maintaining perfect forward secrecy. To ensure perfect forward secrecy, sender(s) should change secret keys when a host joins or leaves the group. This rekeying process should be secure as well as scalable.
The requirements and desirable characteristics of a secure many-to-many protocol are as follows. A secure group communication scheme must be scalable. More specifically, key distribution overhead must be scalable as the number of members (or senders) in the group increases. All senders must be trusted equally and the group must be operational if at least one sender is operational. It is desirable to distribute access control and dynamic group management tasks to all senders. This allows the joins and leaves to be processed locally, thus avoiding global flooding of control traffic. Distribution of group management tasks also avoids performance bottlenecks and eliminates single points of attack in a multicast group. Finally, the protocol should be able to avoid or detect and eliminate any colluding members or senders efficiently.
The present invention presents a group key management system and method for providing secure many-to-many communication. The system employs a binary distribution tree structure. The binary tree includes a first internal node having a first branch and a second branch depending therefrom. Each of the branches includes a first member assigned to a corresponding leaf node. The first member has a unique binary ID that is associated with the corresponding leaf node to which the first member is assigned. A first secret key of the first member is operable for encrypting data to be sent to other members. The first member is associated with a key association group that is comprised of other members. The other members have blinded keys. A blinded key derived from the first secret key of the first member is transmitted to the key association group. Wherein, the first member uses the blinded keys received from the key association group and the first secret key to calculate an unblinded key of the first internal node. The unblinded key is used for encrypting data that is communicated between members located on branches depending from the first internal node.
For a more complete understanding of the invention, its objectives and advantages, refer to the following specification and to the accompanying drawings.