The present invention relates to multicast communications systems in general, and in particular to key distribution mechanisms suitable for use in multicast communications systems.
Multicast communications systems, particularly Internet Protocol (IP) multicast communication systems, are well-known in the art. As is well-known in the art, in an IP multicast message, a single address is used by the sender to indicate a multicast comprising plurality of recipients, possibly including recipients at many different locations.
Multicast is an internetwork service that provides efficient delivery of data from a source to multiple recipients. It reduces sender transmission overhead, network bandwidth requirements, and the latency observed by receivers. IP Multicast enables efficient, many-to-many datagram distribution over an IP network.
Multicast is more susceptible to attacks than unicast for many reasons. Multicast presents many more opportunities for interception of traffic. When an attack on a multicast service does take place, a larger number of principals is affected. It is easier for an attacker to target an attack, as multicast services are generally well advertised and their addresses are well-known. Lastly, multicast services typically involve a xe2x80x9ccrowdxe2x80x9d of principals, making it potentially easier for an attacker to pose as another (legitimate) principal or to try to attack in parallel at several locations.
The following references discuss multicast technology and related security issues known in the art:
R. Canetti, B. Pinkas, xe2x80x9cA taxonomy of multicast security issuesxe2x80x9d, draft-canetti-secure-multicast-taxonomy-00.txt, May 1998.
D. Harkins and D. Carrel, xe2x80x9cThe Internet Key Exchange (IKE)xe2x80x9d, draft-ietf-ipsec-isakmp-oakley07.txt, March 1998.
A. Aziz, T. Markson, and H. Prafullchandra, xe2x80x9cSimple Key-Management for Internet Protocols (SKIP)xe2x80x9d.
D. Maughan, M. Schertler, M. Schneider, and J. Turner, xe2x80x9cInternet Security Association and Key Management Protocol (ISAKMP)xe2x80x9d, draft-ietf-ipsec-isakmp-09.txt, March 1998.
H. Orman, xe2x80x9cThe OAKLEY Key Determination Protocolxe2x80x9d, draft-ietf-ipsec-oakley-02.txt, July 1997.
H. Krawczyk, xe2x80x9cSKEME: A Versatile Secure Key Exchange Mechanism for Internetxe2x80x9d. IEEE Proceedings of the 1996 Symposium on Network and Distributed Systems Security.
P. Karn and W. Simpson, xe2x80x9cPhoturis: Session-Key Management Protocolxe2x80x9d, draft-simpson-photuris-17.txt, November 1997.
H. Harney and C. Muckenhim, xe2x80x9cGroup Key Management Protocol (GKMP) Specification +Architecturexe2x80x9d, RFC2093 and RFC2094, July 1997.
A. Aziz, T. Markson, and H. Prafullchandra, xe2x80x9cSKIP Extensions for IP Multicastxe2x80x9d.
A. Ballardie, xe2x80x9cScalable Multicast Key Distributionxe2x80x9d, RFC1949, May 1996.
T. Hardjono, B. Cain, N. Doraswamy, xe2x80x9cA Framework for Group Key Management for Multicast Securityxe2x80x9d, draft-ietf-gkmframework-00.txt, July 98.
D. Harkins and N. Doraswamy, xe2x80x9cA Secure Scalable Multicast Key Management Protocol,xe2x80x9d ETF, IETF Draft draft-ietf-ipsecond-00.txt, November 1997.
S. Mittra, xe2x80x9cThe Iolus Framework for Scalable Secure Multicasting,xe2x80x9d presented at Proceedings of ACM SIGCOMM97, 1997.
M. Handley and V. Jacobson, xe2x80x9cSDP: Session Description Protocolxe2x80x9d, RFC 2327, April 1998.
A television system for controlling access to broadcast transmissions is described in U.S. Pat. Nos. 5,282,249 and 5,481,609, both to Cohen et al.
The disclosures of all references mentioned above and throughout the present specification are hereby incorporated herein by reference.
The present invention seeks to provide improved apparatus and methods for key distribution, suitable for use in a multicast communication system. While the apparatus and methods of the present invention are particularly suited to an Internet Protocol (IP) Multicast system, it is appreciated that the present invention would also be applicable to other types of Multicast systems, with appropriate modifications as will be appreciated by persons skilled in the art. Without limiting the generality of the foregoing, the example of IP Multicast will generally be used throughout the present specification, and the example of IP Multicast will be taken to include Multicast over an Intranet wherever applicable.
In securing IP Multicast traffic from one source to multiple recipients, it is desirable to implement security apparatus and methods to authenticate the source, to authenticate and to ensure integrity of the data, and possibly to encrypt and/or sign the data At first glance, it appears that these services can be provided using standard authentication, integrity, and encryption methods, based either on symmetric-key or asymmetric-key designs. One might look to known schemes, such as well-known pay television schemes, to provide such standard methods and apparatus.
A major problem in Secure Multicast systems involves distributing, in real time, the appropriate cryptographic keys from the multicast source to all the authorized recipients of the multicast. The keys used for authentication, integrity, and confidentiality may change frequently, either due to policies that determine that keys need to change, for example, every few seconds, or in response to changes in the membership of the multicast group. A multicast group membership change might comprise an existing member having just left or a new member having just joined the group.
Generally, the goal of multicast key distribution is to securely deliver common keys to all the authorized members of a multicast group. Having such keys allows a sender to authenticate and/or to encrypt the traffic destined for a multicast group. Thus, the group keys also afford membership-enforcement by allowing only key holders to verify and/or decrypt the multicast traffic. A sender must authenticate and/or encrypt all traffic that it sends to the group in order to maintain secure delivery.
In certain prior art systems, the key distribution function is assigned to a central network entity, sometimes known as the Key Distribution Center (KDC). However, this method does not scale well for wide-area multicasting, where group members may be distributed across many networks and a wide-area group may be densely populated. Even more complicated is the problem of distributing sender-specific keys in a scalable manner, sender-specific keys being required when data is to be authenticated on a per-sender basis. Pair-Wise key-management protocols and Key Distribution Centers do not provide scalable solutions for the multicast key-management problem.
Completely automatic protocols for multicast key distribution are currently not considered mature enough for use. For small multicast groups, manual. key distribution or multiple invocations of a unicast (point-to-point) key distribution protocol, such as authenticated Diffie-Hellman, appear adequate. However, for large multicast groups, new scalable techniques and protocols are needed.
In P Multicast systems, unlike in broadcast TV systems, the multicast traffic is typically routed from the sender to multiple recipients over the existing Internet infrastructure. This means that traffic may pass through intermediate nodes and that it can be listened in to in an unauthorized manner by interested parties. In addition, multicast traffic in the Internet is not synchronized in the way that broadcast over a satellite or over cables is synchronized. Due to the fact that data flows through routers, some packets may be lost, some packets may be delayed, and some packets may come out of order. Finally, the nature of the connectivity in Internet systems may make the use of different key-distribution methods than the ones used in TV broadcasting desirable.
Known multicast key-distribution methods include:
1. Star methodsxe2x80x94where the multicast sender corresponds directly with each one of the clients, and keys are handed over securely over point-to-point connections.
2. Multicast methodsxe2x80x94where keys are sent in multicast packets from the multicast sender to many recipients, and each key in the multicast packet is encrypted specifically for one client, typically using a personal key for that client.
3. Group methodsxe2x80x94where there are logical or physical subgroups, and each sub-group has a Group Controller that receives the keys from the multicast sender and distributes them inside the group, typically using one of the methods mentioned here.
4, Tree methodsxe2x80x94where each client is associated with a leaf in a logical tree, and each leaf contains the keys of all the nodes on the path from the root to it. This enables communicating securely with each client or with sub-groups of clients with a small number of keys involved. The number of keys is typically logarithmically related to the number of clients in the system.
Each of the above-mentioned methods is useful and has merits in a different range of parameters of multicast traffic. These parameters include:
1. The size of the multicast group.
2. The dynamics of the multicast group (few/many joins, few/many leaves).
3. The locality/remoteness of the multicast group members; this may include an absolute location of one or more group members, typically comprising a distance of one or more group members from the key distributor, or a relative location of one or more group members in terms of other group members.
4. The existence/nonexistence of client clusters in well defined logical or physical sub-domains.
5. The reason for key distribution (periodic mode vs. event-driven mode).
It is appreciated that other appropriate parameters may also be used.
More generally, the parameters mentioned above may also be considered to fall into the following groups:
a characteristic of the associated multicast group;
a location of at least one recipient comprised in the multicast group;
a characteristic of the key; and
a characteristic of the multicast traffic.
The present invention provides apparatus and methods to support multiple key-distribution methods in a multicast system and a methodology for selecting the method that is best suited for a given set of parameters and for switching between methods, including dynamically switching between methods, even at run time, based on a change in the parameters.
The apparatus at the sender side preferably comprises:
a generator of keys, or a repository of keys, the keys intended to be distributed to a multicast group,
multiple key-distribution sender-side methods, such as, for example, star, multicast, group, tree, as described above;
a selector that selects and activates a specific method to be used;
a decision-maker component that evaluates the multicast parameters at run-time; and
a controller that sends instructions, comprising either in-band instructions, out-of-band instructions, or any appropriate combination thereof, to client receptors regarding the method to use.
The apparatus at the client side preferably comprises:
multiple key-distribution client-side methods, corresponding to those mentioned above;
a selector that selects and activates the specific method to be used;
a control receiver that receives control instructions from the sender""s controller regarding which method to use; and
a key interpretation component, or a repository of keys received.
At the sender side the set of multicast parameters is preferably evaluated at run time and a decision is reached as to which method is best under the circumstances.
Preferably, the decision may be based on decision tables and rules for ranges of the parameters. By way of example, some appropriate rules might look like:
1. For small groups, up to X members, use the star method.
2. For medium groups, having more than Y and less than Z members, switch to the multicast method.
3. For large groups, having more than Z members. use the group method or tree method.
4. If groups are logically or physically segmented and there are more than W members in a cluster, then pick a group controller for that cluster. If the rate of membership change is low, use the star method or multicast method. If the rate of membership change is high, use the group or tree methods.
In the above example, X, Y, Z, and W are parameters of the system for which specific appropriate values could be determined.
Preferably, there would be a large number of rules in practice.
Since there could be conflicts between rules, it could be determined that some rules are dominant over others. Alternatively, a weight could be given to each rule, and the result will be based on the conclusion that has gathered the most weight.
There is thus provided in accordance with a preferred embodiment of the present invention a key distribution method for distributing, via a communications network, a key in a multicast communication system in which each one of a plurality of communications is directed to an associated multicast group including a plurality of recipients intended to receive the one communication, the method including providing a plurality of implemented key distribution methods, dynamically choosing one implemented key distribution method of the plurality of key distribution methods, and distributing at least one key using the one implemented key distribution method.
Further in accordance with a preferred embodiment of the present invention the step of dynamically choosing includes choosing based, at least in part. on at least one of the following: a characteristic of the associated multicast group, a location of at least one recipient included in the multicast group, a characteristic of the key, a multicast traffic characteristic, a multicast content characteristic and a characteristic of the multicast group.
Still further in accordance with a preferred embodiment of the present invention the characteristic of the associated multicast group includes at least one of the following: a size of the multicast group, and a dynamic parameter associated with the multicast group.
Additionally in accordance with a preferred embodiment of the present invention the location includes at least one of the following: an absolute location, typically comprising a distance from the key distributor, a relative location; and an association between the at least one recipient and a sub-domain of the communications network.
Further in accordance with a preferred embodiment of the present invention the characteristic of the multicast traffic may include at least one of the following: streaming real-time feed; and non-real time transfer.
Moreover in accordance with a preferred embodiment of the present invention characteristic of the key includes a distribution characteristic.
Further in accordance with a preferred embodiment of the present invention the communications network includes the Internet.
Still further in accordance with a preferred embodiment of the present invention the communications network includes an Intranet.
Additionally in accordance with a preferred embodiment of the present invention the plurality of implemented key distribution methods includes at least one of the following: a star distribution method, a multicast distribution method, a group distribution method, and a tree distribution method.
There is also provided in accordance with another preferred embodiment of the present invention key distribution apparatus for distributing, via a communications network, a key in a multicast communication system in which each one of a plurality of communications is directed to an associated multicast group including a plurality of recipients intended to receive the one communication, the apparatus including a plurality of implemented key distribution methods, a decision maker and selector for dynamically choosing one implemented key distribution method from the plurality of implemented key distribution methods, and a multicast distribution unit for distributing at least one key using the one implemented key distribution method.
There is also provided in accordance with another preferred embodiment of the present invention key reception apparatus for receiving, via a communications network, a key in a multicast communication system in which each one of a plurality of communications is directed to an associated multicast group including a plurality of recipients intended to receive the one communication, the key being distributed using one implemented key distribution method chosen from a plurality of methods, and indication of the one implemented key distribution method being transmitted via the communications network, the apparatus including a plurality of implemented key distribution methods, a selector, responsive to the indication of the one implemented key distribution method, for dynamically choosing the one implemented key distribution method from the plurality of implemented key distribution methods, and utilization apparatus for utilizing the key in accordance with the one implemented key distribution method.
dr
The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:
FIG. 1 is a simplified block diagram illustration of a multicast communication system constructed and operative in accordance with a preferred embodiment of the present invention;
FIG. 2 is a simplified block diagram illustration of a preferred implementation of a portion of the system of FIG. 1; and
FIG. 3 is a simplified flowchart illustration of a preferred method of operation of the apparatus of FIG. 2.