Modern group-oriented and collaborative applications for data exchange between the network elements of a group in a network system make increasing use of the peer-to-peer principle. Compared with centralized client-server approaches, this offers greater independence from a possibly costly infrastructure, such as the one required, for example, for audio and video conferences with H.32x systems. Decentralized systems have proven to be more flexible here, since there is no single point of failure and the dependence on an infrastructure is reduced. Decentralized solutions support in particular spontaneous data exchange and the mobility of the users of the network elements. This is advantageous, for example, for business communication over the Internet.
However, decentralized configurations require mechanisms to assure the confidentiality of the exchanged data. This requires, in particular, methods for exchanging the keys used for encrypting and decrypting the exchanged data, where the key exchange method must ensure consistent key renewal for all network elements participating in a group. While there are viable solutions for centralized approaches, the development of efficient and secure methods for distributed configurations is the subject of intense research.
Secure data exchange within a group of network elements requires that only actively participating network elements possess a current group key or session key for the encryption/decryption of the exchanged data. When the group composition varies, that is, when a further network element joins the group or a network element leaves it, it can additionally be desirable and necessary for the content and subject matter of a session between users of the network elements to be inaccessible to users who join the session later or leave it earlier. This complex variant of a confidential session is examined in the following text. Variants with lower confidentiality demands on a varying group composition can be derived from it.
A range of different demands is made on key management in such a group of network elements. (1) Each network element of the group must ensure that nobody outside the group can obtain access to the group key (“key authentication”). The prerequisite for this is mutual authentication of each network element when it joins the group, which assures the group that the joining network element is the one it expects and which, conversely, gives the joining network element and its user the assurance that the group can be trusted. (2) A network element leaving the session at any point in time shall not obtain access to a subsequently generated key for the exchange of data between the network elements and thus be able to decrypt the subsequent communication (“forward confidentiality”). (3) Network elements that join the group later shall not obtain access to a previously used key and thus be able to disclose data that were exchanged between the network elements of the group prior to joining. (4) None of the network elements leaving the group shall be capable of utilizing older keys to derive a currently used key (“collusion freedom”).
It is furthermore desirable that the compromise of a key does not lead to the uncovering of previous keys (“perfect forward secrecy”) and that the uncovering of keys from previous sessions does not lead to the compromise of the current key (“resistance to known key attacks”). The demand for an efficient key exchange protocol, which minimizes the periods in which key renewal interferes with the data exchange, in particular for real-time applications such as audio and video conferences, seems almost obvious, since in the asynchronous Internet, hosts are generally not capable of renewing the keys in a synchronous manner.
Two types of key exchange protocols in groups of network elements are distinguished in principle, namely key agreement protocols and key distribution protocols. The two types differ in the type of key renewal, that is, in the method by which a previously used key is replaced by a new key for the encryption/decryption of the exchanged data.
Key agreement protocols are based on the Diffie-Hellman key exchange principle (cf. E. Rescorla: Diffie-Hellman Key Agreement Method. RFC 2631, June 1999). The basic principle is that every network element of the group is required to contribute to the generation of the key. For this, a network element is selected from the group, which generates an intermediate key that is then distributed to the remaining members of the group. The remaining network elements subsequently generate a group key from the intermediate keys and from their own contribution. Known examples of this type of key exchange protocol are CLIQUES (cf. M. Steiner et al.: CLIQUES: A new approach to group key agreement. IEEE International Conference on Distributed Computing Systems, 1998, pp. 380-397) and TGDH (cf. Y. Kim et al.: Simple and fault-tolerant key agreement for dynamic collaborative groups. In S. Jajodia (ed.): 7th ACM Conference on Computer and Communications Security, Athens, Greece, November 2000, ACM Press, pp. 235-244). The latter is currently regarded as a very efficient key agreement protocol.
In contrast to this, key distribution protocols dynamically designate one of the network elements, which generates the new key and distributes it securely to the remaining network elements of the group. Most approaches use a key distribution tree. They are distinguished by the way in which the network elements of the group obtain the key through the key distribution tree. Examples of such key distribution protocols are DTKM (cf. L. Dondeti et al.: Disec: A distributed framework for scalable secure many-to-many communication, Proceedings of The Fifth IEEE Symposium on Computers and Communications (ISCC 2000), July 2000) and a distribution tree proposed by Rodeh et al. (cf. O. Rodeh et al.: Optimized Group Rekey for Group Communications Systems. In Symposium Network and Distributed System Security (NDSS), San Diego, Calif., February 2000, pp. 39-48), which is an extension of a centralized logical key hierarchy (cf. C. Wong et al.: Secure group communication using key graphs, IEEE/ACM Transactions on Networking 8 (1) 16-30, 2000).
Key distribution protocols are regarded as more efficient, since, overall, they require a smaller computational and communication expenditure for the generation and distribution of the key.
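The key agreement principle described above (every network element contributes to the group key, and the key is renewed whenever the group composition changes), as an added Python example that is not taken from CLIQUES, TGDH or the original text. It is a simplified Diffie-Hellman group round; the function names, the toy modulus and the choice of which member refreshes its contribution are assumptions, and the mutual authentication demanded in requirement (1) is left out.

```python
import secrets

# Toy parameters (assumption, to keep the example short): P is the Mersenne
# prime 2**127 - 1. A real deployment uses a standardized, much larger group.
P = 2**127 - 1
G = 3

def new_contribution():
    """Fresh private exponent contributed by one network element."""
    return secrets.randbelow(P - 3) + 2

def agree(contributions):
    """One upflow/broadcast round; returns (key per member, broadcast values)."""
    partials, cardinal = [], G
    for x in contributions[:-1]:
        # Each member raises what it received to its own exponent and appends
        # the value that lacks only its own contribution.
        partials = [pow(v, x, P) for v in partials] + [cardinal]
        cardinal = pow(cardinal, x, P)
    last = contributions[-1]
    broadcast = [pow(v, last, P) for v in partials]   # intermediate keys
    keys = [pow(b, x, P) for b, x in zip(broadcast, contributions)]
    keys.append(pow(cardinal, last, P))
    return keys, broadcast

def rekey_after_leave(contributions, leaver):
    """Drop the leaver's exponent, refresh one remaining exponent, re-agree."""
    remaining = [x for i, x in enumerate(contributions) if i != leaver]
    remaining[-1] = new_contribution()
    return remaining, agree(remaining)

def rekey_after_join(contributions):
    """Refresh one existing exponent, append the joiner's exponent, re-agree."""
    updated = contributions[:-1] + [new_contribution(), new_contribution()]
    return updated, agree(updated)

if __name__ == "__main__":
    group = [new_contribution() for _ in range(4)]
    keys, _ = agree(group)
    print("all members agree:", len(set(keys)) == 1)
    group2, (keys2, bcast2) = rekey_after_leave(group, leaver=1)
    print("key changed after leave:", keys2[0] != keys[0])
    old = group[1]  # exponent still held by the element that left
    print("ex-member locked out:", all(pow(b, old, P) != keys2[0] for b in bcast2))
```

Because one remaining member replaces its exponent on every membership change, neither the old key nor the departed element's exponent combines with the new broadcast values to give the new key.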