Distributed applications such as multimedia conferencing, computer-supported collaborative work, distributed computing, and remote consultation and diagnosis systems for medical applications depend on efficient information exchange among multiple participants. Multi-destination communication and data exchange over a public network is essential for such applications. Some applications, generally including a small number of sending parties and a large, dynamically changing group of receiving parties, are typically referred to as “broadcasting applications.” Other applications, generally referred to as “conferencing applications,” involve a large number of sending and receiving participants. When a group of people seeks to communicate in a conference over a public network (such as the Internet), every message sent out by one of the participants is received by all other participants. The mechanism used to perform this type of communication is referred to as “multicast.” Any Internet subscriber or user with access to a public network may subscribe to a multicast group and subsequently receive all messages sent by users of this group. Additionally, any multicast recipient may be able to send messages to the whole group.
Multicast is rapidly becoming an important mode of communication as well as an effective platform for building group-oriented communication services. However, when used for secure or trusted communication, existing multicast techniques should be supplemented by tools for protecting (i.e., encrypting and authenticating) traffic, controlling participation, and restricting access from unauthorized users.
A need for secure electronic information exchange over insecure public networks is increasingly apparent. As compared to conventional unicast (i.e., point-to-point communication), multicast is more susceptible to attack. Typically, multicast transmissions present substantially more opportunities for interception of the traffic because multiple senders and receivers exist, increasing the possibility that at least one of the messages communicated across the network may be intercepted. Thus, when an attack occurs, a large number of multicast participants are affected. Further, because multicast addresses are often well known, finding targets is easier for attackers. Moreover, multicast typically involves a large number of authorized users, allowing attackers to easily pose as legitimate users and attempt attacks in parallel.
To help achieve secure electronic information exchange, a network security protocol should allow authorized participants to communicate securely over an insecure network under conditions where an attacker is assumed to be able to read, insert, modify, and delete raw communications. Typically, such a protocol achieves this by creating a security association between the authorized participants through authentication and key exchange. The security association defines a set of keying material shared only by the authorized participants. The set of keying material may be used for a variety of security objectives, such as authentication, confidentiality, and integrity verification.
In a multicast scenario, the security association between participants is dynamic to support membership changes. Further, a secure multicast ensures that participants are only allowed to participate during authorized periods. A participant may be authorized to participate in the secure multicast during some periods of time and not authorized to participate during other periods. For example, with pay-per-view program access privileges, a receiver is only authorized for the time period for which he/she has paid. The security association and group keying material defined for each of the participants in a multicast scenario are changed each time a participant joins or leaves the multicast group. This change is required to ensure that a joining participant is not able to access previously multicast data and that a leaving participant is unable to continue accessing data multicast after authorization expires. The management and distribution of dynamic security association and keying material is a fundamental challenge in a secure multicast protocol.
Conventional methods for managing group members for secure group-wise communication have relied upon a central group manager, which maintains all the keys. Further, the central group manager may use the knowledge of all the keys within the group to perform a key change. In addition, conventional methods typically require that all members are present when the key change is performed (see, e.g., U.S. Pat. No. 6,049,878).
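The rekey-on-membership-change behavior and the central group manager described above can be sketched as follows. This is an added illustration, not code from this document or the cited patent; the names GroupManager, wrap and unwrap are hypothetical, and the HMAC-based XOR wrap is a stand-in for a real authenticated key-wrap algorithm.

```python
import hashlib
import hmac
import os

def wrap(member_key: bytes, epoch: int, group_key: bytes) -> bytes:
    # Illustrative stand-in for a real authenticated key-wrap: XOR the 32-byte
    # group key with an HMAC-SHA256 pad unique to this member and epoch.
    pad = hmac.new(member_key, b"wrap|%d" % epoch, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(group_key, pad))

unwrap = wrap  # XOR is its own inverse

class GroupManager:
    """Hypothetical central manager: holds every member key, rekeys on change."""

    def __init__(self):
        self.member_keys = {}            # member id -> pairwise key
        self.epoch = 0
        self.group_key = os.urandom(32)

    def _rekey(self):
        self.epoch += 1
        self.group_key = os.urandom(32)  # fresh key, unrelated to the old one
        # One wrapped copy per current member: O(n) messages per change.
        return {m: wrap(k, self.epoch, self.group_key)
                for m, k in self.member_keys.items()}

    def join(self, member):
        # Assumption: this key comes from an authenticated key exchange.
        self.member_keys[member] = os.urandom(32)
        return self.member_keys[member], self._rekey()

    def leave(self, member):
        del self.member_keys[member]
        return self._rekey()

def demo():
    gm = GroupManager()
    alice_key, _ = gm.join("alice")
    before_bob = gm.group_key            # key in use before bob joined
    bob_key, msgs = gm.join("bob")
    bob_now = unwrap(bob_key, gm.epoch, msgs["bob"])
    joined_ok = bob_now == gm.group_key and bob_now != before_bob
    msgs = gm.leave("bob")               # bob gets no copy of the next key
    alice_now = unwrap(alice_key, gm.epoch, msgs["alice"])
    left_ok = ("bob" not in msgs and alice_now == gm.group_key
               and alice_now != bob_now)
    return joined_ok, left_ok, len(msgs)
```

The manager must hold every member's key and send one wrapped key per remaining member on every join or leave, which is the cost of the centralized approach.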