
Chapter 3 A Channel-based Key Management Protocol for IPTV Services

3.4 A Channel-based Key Management Protocol

3.4.3 Change Operation

The Change Operation is used when an existing subscriber changes groups. As shown in Figure 18, when an existing subscriber, S9, decides to subscribe to different channels, he/she leaves G1 and joins G2. The join and leave operations are used to update the keys: RGK1, RGK2, KEKsGroup1, KEKsGroup2, AKs, KEKsChannel, RsGroup1, RsGroup2, RsChannel.

Figure 24: A channel group


When members change their subscriptions and groups, the channel trees are classified into three parts. The first part consists of the channels the members no longer subscribe to. The second part consists of the channels the members still subscribe to. The third part consists of the new channels the members are about to subscribe to. Take Figure 24 as an example. The symbol “CsGj” denotes the set of channels Gj subscribes to. The symbol “CsGf” denotes the set of channels Gf subscribes to. The symbol “CsGjGf” denotes the set of channels both Gj and Gf subscribe to.

When a user (uk) changes his/her group from Gj to Gf, the channel keys in “A” and “B” must be updated. To preserve both forward and backward secrecy, the channels in “A” must perform the “Leave Operation”, and the channels in “B” must perform the “Join Operation”. However, the key encryption keys of the channel trees in “C” may be exposed to a collusion attack. Therefore, AKs, KEKsChannel and RsChannel must be updated. Channel trees contain many group trees (Figure 9).

When uk changes his/her group from Gj to Gf, the change operation proceeds in the channel tree and the group tree as follows. The channel-tree steps are shown in Figure 24 and Figure 25; the group-tree steps are those described in the leave operation and join operation.

1. Server broadcasts {CHANGE, Nuk, Gj, Gf}

2. The remaining members in Gj perform the leave operation. The group members in Gf perform the join operation.

3. Update the keys in the channel trees.

1). The groups in the channel trees of CsGj perform the “Leave Operation”. The keys in these channel trees are updated by the groups that subscribe to the same channels as Gj.

2). The groups in the channel trees of CsGf perform the “Join Operation”. The keys in these channel trees are updated by the groups that subscribe to the same channels as Gf.

3). For the groups in the channel trees of CsGjGf:

• If a group's corresponding nodes belong to CATGj&Gf of the channel tree, those nodes' corresponding keys do not need to be updated. CATGj&Gf is the set of nodes that are in both CATGj and CATGf, when CATGj and CATGf are on the same channel tree.

• If a group's corresponding nodes do not belong to CATGj&Gf, the nodes' corresponding KEKs and Rs need to be updated.

i. If the group's corresponding nodes belong to CATGj - CATGj&Gf, the groups perform the “Leave Operation”. CATGj is the set of corresponding nodes on the channel tree (ancestors and affected leaves) when Gj performs the join operation or leave operation.

ii. If the group's corresponding nodes belong to CATGf - CATGj&Gf, the groups perform the “Join Operation”. CATGf is the set of corresponding nodes on the channel tree (ancestors and affected leaves) when Gf performs the join operation or leave operation.

4. Server unicasts the new keys to uk: MPKuk {RGKf', KEKsGroup', RRGKf', RsGroup', AKs', KEKsChannel', RsAK', RsChannel'}


Figure 25: The change operation in channel tree

More specifically, for the third step, assume that channel number 1 (AK1) belongs to “CsGjGf” and that user k (uk) changes from group number 1 (G1) to group number 3 (G3) in Figure 26. First, in channel tree number 1, KEK12 and R12 are updated by the leave operation, because the node is on the path from G1 to the root and not on the path from G3 to the root (CATGj - CATGj&Gf). G2 then calculates KEK12' = H(KEK12, RRGK2) and R12' = H(KEK12', R12). The service provider multicasts KEK12' and R12' encrypted under RGK1': RGK1' {KEK12', R12'}. KEK34, however, is on the path from G3 to the root. The node corresponding to KEK34 and R34 performs the join operation (CATGf - CATGj&Gf). KEK34 and R34 are updated through KEK34' = H(KEK34, R34) and R34' = H(KEK34', R34). The keys corresponding to the other nodes do not need to change.

The third process is also shown in Figure 25.
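The node classification and the two update rules from the Figure 26 walk-through, as an added example (not code from the thesis). SHA-256 as H, the heap-indexed four-group tree layout with AK1 at the root, the function names and the sample secrets are assumptions made for illustration; the sketch tracks interior nodes only.

```python
import hashlib

def H(key: bytes, r: bytes) -> bytes:
    # Stand-in for the thesis's one-way function H(key, R). SHA-256 and the
    # length prefix (keeps the two inputs unambiguous) are assumptions.
    return hashlib.sha256(len(key).to_bytes(2, "big") + key + r).digest()

# Constructed channel tree for AK1, heap-indexed: node 1 is the root,
# nodes 2 and 3 are the interior nodes, leaves 4..7 are groups G1..G4.
NAMES = {1: "AK1", 2: "KEK12", 3: "KEK34", 4: "G1", 5: "G2", 6: "G3", 7: "G4"}

def cat(leaf: int) -> set:
    """Interior nodes on the path from a group's leaf to the root (its CAT)."""
    nodes = set()
    while leaf > 1:
        leaf //= 2
        nodes.add(leaf)
    return nodes

def plan_change(old_leaf: int, new_leaf: int) -> dict:
    """Classify interior nodes for a channel in CsGjGf (step 3, case 3)."""
    cat_j, cat_f = cat(old_leaf), cat(new_leaf)
    shared = cat_j & cat_f                       # CATGj&Gf: keys stay as they are
    plan = {n: "keep" for n in shared}
    plan.update({n: "leave" for n in cat_j - shared})
    plan.update({n: "join" for n in cat_f - shared})
    return plan

def apply_change(kek: dict, r: dict, old_leaf: int, new_leaf: int):
    """Return updated copies of the KEK and R tables after the change."""
    kek2, r2 = dict(kek), dict(r)
    on_old_path = cat(old_leaf) | {old_leaf}
    for node, action in plan_change(old_leaf, new_leaf).items():
        if action == "leave":
            # Mix in the R value of the child that is NOT on the leaver's path
            # (RRGK2 for KEK12 in the walk-through).
            left, right = 2 * node, 2 * node + 1
            off_path = right if left in on_old_path else left
            kek2[node] = H(kek[node], r[off_path])
        elif action == "join":
            # Join rule: KEK' = H(KEK, R) with the node's own R value.
            kek2[node] = H(kek[node], r[node])
        else:
            continue
        r2[node] = H(kek2[node], r[node])        # R' = H(KEK', R)
    return kek2, r2

def demo():
    # Constructed sample secrets; real values come from the service provider.
    kek = {n: f"key-{NAMES[n]}".encode() for n in (1, 2, 3)}
    r = {n: f"R-{NAMES[n]}".encode() for n in NAMES}   # leaf R = RRGK of group
    return kek, r, apply_change(kek, r, old_leaf=4, new_leaf=6)

if __name__ == "__main__":
    kek, r, (kek2, r2) = demo()
    for n, action in sorted(plan_change(4, 6).items()):
        print(NAMES[n], action, kek2[n].hex()[:16])
```
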


Figure 26: Key structure of change operation

3.4.4 Per_update Operation

Moreover, if the membership of a group does not change for a period of time, the Per_update Operation is used to update the subscribers' group key and channel keys.

The group key is encrypted by the subscribers' old group key or channel keys. After that, each subscriber updates their own administration keys and R values. For example, when channel keys are updated, AK {AK'} is used. Likewise, group keys are updated through RGK {RGK'}. Using Per_update reduces the risk of keys being cracked.

3.5 Balance Tree: A Problem of the Proposed Protocol and its solutions

A possible problem is that a tree easily becomes unbalanced when many group members join and leave the group. Key management is inefficient when a tree is unbalanced. The service manager also transmits more multicast messages when the tree is unbalanced.

Therefore, trees need to be kept in balance. This section presents two operations that solve this possible problem of the proposed protocol: Multi-LeaveNode Operation and Multi-JoinNode Operation.

For efficient key management in the tree structure, a binary search tree is implemented in this thesis. A binary search tree makes searching for, adding, and deleting a given node more efficient. In addition, two operations manage keys and maintain a tree's balance: Multi-LeaveNode Operation and Multi-JoinNode Operation.

Multi-LeaveNode Operation is used when more than half of the tree's leaf nodes are vacant.

Multi-JoinNode Operation is used when the number of group subscribers is more than the number of the tree's leaf nodes. The following sections describe them in detail.

3.5.1 Multi-LeaveNode Operation

When the vacant leaf nodes number more than half of all the tree's leaf nodes, the Multi-LeaveNode Operation is triggered by the service provider for efficient key management. The Multi-LeaveNode Operation also reconstructs a smaller tree and minimizes the service manager's load as much as possible. The service manager's computation and transmitted messages increase when it reconstructs a tree and new keys. Hence, minimizing the service manager's load is also a key issue. Accordingly, this section has two parts: the first is maintaining a tree's balance, and the second is updating keys when a tree's structure is changed.

In the Multi-LeaveNode Operation, a series of steps determines how nodes are deleted. A new tree then needs to be constructed, with leaf nodes added depending on the tree's key structure. In other words, the steps are:

1. The service manager checks whether each vacant leaf node of the tree has a sibling node, when choosing the nodes to delete.

2. The service manager updates keys.

3. The service manager checks each interior node.

4. Reconstruct a new tree and move the old tree to the new tree. Add new leaf nodes if necessary.

5. Update keys again.

In the first and second steps, if there is a sibling node of the vacant leaf node, the service provider deletes the vacant leaf node and its upper-level interior node. The steps are as follows (Figure 27):

1. Delete NLeaving, NLeaving-1

2. Do “Leave Operation”:

• Update KEKLeaving-2 and RLeaving-2

3. Service provider sends MPKs_Leaving {KEKLeaving-2, RLeaving-2}

Figure 27: Multi-LeaveNode Operation (1)

Figure 27 illustrates an example. When the leaving node (NLeaving) corresponding to MPK8 is deleted, the upper-level node of the leaving node (NLeaving-1), corresponding to KEK78, is deleted too. The Leave Operation is then triggered: the node two levels above the leaving node (NLeaving-2), corresponding to KEK58, is updated through KEK58' = H(KEK58, R56), and R58 is updated along with KEK58, R58' = H(KEK58', R58). NLeaving-1, however, does not need to be updated, since it has already been deleted. The service provider needs to send a new message to the sibling node of the leaving node (Ns_Leaving), corresponding to MPK7. The message contains the KEK and R value of the node two levels above the leaving node (KEK58' and R58').

If the sibling node of the vacant leaf node is also vacant, the service provider deletes four nodes: the vacant leaf node, its sibling node and the two interior nodes on its upper levels.

The steps are as follows (Figure 28):

1. Delete NLeaving, Ns_Leaving, NLeaving-1, and NLeaving-2

2. Do “Leave Operation”:

• Update the upper levels' KEK and R value if necessary.

3. Service provider sends KEKs_Leaving-1 {KEKupper_levels, Rupper_levels}


Figure 28: Multi-LeaveNode Operation (2)

As shown in Figure 27, when the leaving node (NLeaving) corresponding to MPK8 is deleted, its sibling node (Ns_Leaving) corresponding to MPK7 and the two upper-level nodes of the leaving node (NLeaving-1, NLeaving-2) corresponding to KEK78 and KEK58 are deleted too. The Leave Operation is then triggered if it is a subtree as in Figure 28. The Leave Operation then proceeds in the same way as when the vacant leaf node has a sibling node.

After the first and second steps, the service manager checks each interior node. Whether or not there are branches, the way to update keys and delete nodes is the same as above. If there are two branches, no action is taken. If there is only one branch, the interior node needs to be deleted, and its upper node's key needs to be updated with the R value of the interior node's branch node. If there are no branches, the service manager needs to delete the interior node and check the nodes two levels up. This process repeats until the node is the root.

In the fourth step, the new tree needs to be reconstructed. After nodes are deleted, the tree easily becomes unbalanced, so a new tree needs to be constructed. A full balanced tree is built, and its size depends on the remaining members in the group. For example, if the number of group members is five, then the height of the full balanced tree is 4, ceil(log2 5) + 1. The tree is a binary search tree and each node's number is arranged in order as described before. The service manager moves the old tree to the new tree in order. However, there is a circumstance in which two leaf nodes are arranged together. In that case the service manager adds a new interior node between those two leaf nodes to keep the tree from becoming disordered.

In the last step, keys are updated more often if the original tree's order is badly disturbed. After the balanced tree is constructed, the service manager checks the key structure. Keys are updated by checking whether each interior node's parent is the same as in the original tree. If an interior node on the path from a leaf node to the root is not the same after rebalancing, it is updated with the R value of one of its branches. The service provider then transmits the new keys to the users who should hold them.

3.5.2 Multi-JoinNode Operation

When the number of joiners is more than the tree's vacant leaf nodes, the Multi-JoinNode Operation is used to construct a bigger tree. Another goal of the Multi-JoinNode Operation is to keep the keys in the group usable and to cut down the service load as much as possible. This section also has two parts: the first is maintaining a tree's balance, and the second is updating keys when a tree's key structure is extended.

In the Multi-JoinNode Operation, a full balanced binary search tree is built. The way to build the new tree is similar to the new-tree reconstruction in the Multi-LeaveNode Operation. The size of the new tree depends on the total number of group members. After the new tree is built, the original tree becomes a subtree of the new tree. The steps are:

1. Make a new tree whose height is ceil(log2 NAll_members). NAll_members is the total number of group members, the sum of the original group members and the new joiners: NAll_members = Noriginal_members + Njoiner.

2. Move the old tree to the new tree in order. The old tree becomes the left subtree of the new tree.

3. The keys are managed and changed:

• Service provider transmits KEKOldRoot {KEKNewRoot, RNewRoot}, and updates keys in the original key structure.

• Service provider unicasts keys and relations to each joined node.

Take Figure 29 as an example. Assume that the height of the original tree is three and the tree contains at most four members. The Multi-JoinNode Operation is triggered when the original tree is full of members and there are still more than two members that need to join the group. The original tree is shown in red as the left part of Figure 29.

According to the steps described above, NAll_members is six, and the height of the new tree is four, ceil(log2 6). In step two, the old tree structure is moved into the new tree as its left subtree in Figure 29. The original keys, in red, are not updated. Each member of the old tree receives additional new keys, and the service provider transmits KEK14 {KEK1-8, R1-8} to them. The remaining two members are placed in the right subtree's vacant leaf nodes in order. The KEKs and R values in black are generated by the service provider. The service provider unicasts to each new tree member the keys and R values, encrypted by his/her MPK.

Figure 29: Multi-JoinNode Operation

In this way, the service provider does not need to generate all new keys for the new tree and unicast them to all members. It only needs to transmit three packages and generate three keys (KEK1-8, KEK58, and KEK56) and the corresponding relations.
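The Figure 29 walk-through as an added sketch (not code from the thesis): it computes which interior keys the service provider must generate and how many packages it sends when a full old tree is grafted as the left subtree, and it also handles more joiners than the single doubling shown in the text. The leaf-range naming, the function name and the rule that fully vacant subtrees get no keys yet are assumptions; the last is inferred from the three keys the text lists.

```python
def multi_join_plan(old_capacity: int, joiners: int) -> dict:
    """Plan a Multi-JoinNode graft for a full old tree.

    Leaves are numbered 1..capacity; an interior node is named by the leaf
    range it covers, so (5, 8) stands for KEK58 and its R value.
    """
    if old_capacity < 1 or old_capacity & (old_capacity - 1):
        raise ValueError("old tree must be full: capacity is a power of two")
    if joiners < 1:
        raise ValueError("Multi-JoinNode needs at least one joiner")

    n_all = old_capacity + joiners                # NAll_members
    capacity = 1 << (n_all - 1).bit_length()      # leaves of the new full tree
    new_keks, unicast_to = [], []

    def walk(lo: int, hi: int) -> None:
        if (lo, hi) == (1, old_capacity):
            return                    # old tree is grafted as-is, keys kept
        if lo > n_all:
            return                    # vacant subtree: no key generated yet
        if lo == hi:
            unicast_to.append(lo)     # joiner: path keys sent under its MPK
            return
        new_keks.append((lo, hi))     # interior node that needs a fresh KEK/R
        mid = (lo + hi) // 2
        walk(lo, mid)
        walk(mid + 1, hi)

    walk(1, capacity)
    # Old members only need the new nodes above the old root; these go out in
    # one multicast encrypted under the old root KEK.
    multicast_payload = [rng for rng in new_keks if rng[0] == 1]
    return {
        "capacity": capacity,
        "levels": capacity.bit_length(),          # tree height counted in levels
        "new_keks": new_keks,
        "multicast_payload": multicast_payload,
        "unicast_to": unicast_to,
        "packages": 1 + len(unicast_to),          # one multicast + one per joiner
    }

if __name__ == "__main__":
    plan = multi_join_plan(old_capacity=4, joiners=2)   # the Figure 29 case
    for key, value in plan.items():
        print(f"{key}: {value}")
```
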

3.6 Discussions

This section analyzes those issues mentioned in section 3.1 by using channel-based key management, and shows that those problems do not exist.


• Refreshments of keys and R values:

In Sun et al.'s CAS, subscribers are not allowed to rejoin a group. In other circumstances, subscribers must be at the same node or path when they rejoin the same tree, because the information they held before has not been updated yet.

To prevent forward and backward secrecy problems, this thesis performs rekeying operations whenever users join, change, or leave a group. Updating keys and R values also contributes to a solid key structure and avoids collusion attacks.

Therefore, subscribers can rejoin a tree and be at any node in the tree.

Here is an example. When a user (u3) leaves a group (G1), the steps are as follows (Figure 22). After those steps, u3 still cannot break the key structure.

1. Service provider broadcasts {LEAVE, Nu3, G1}

2. u1, u2, u4 automatically update KEKs and R values:

u1, u2 update KEK14 and R14 through KEK14' = H(KEK14, R12) and R14' = H(KEK14', R14)

u4 updates KEK34 and R34 through KEK34' = H(KEK34, R4) and R34' = H(KEK34', R34).

3. Service provider multicasts RGK' to users through the messages KEK58 {RGK1'}, KEK14' {RGK1'}, KEK34' {KEK14', RGK1'}.

4. u4 automatically updates R14, R14' = H(KEK14', R14). All remaining group members also automatically update RRGK' = H(RGK1', RRGK).

Figure 30: Key structure of user rejoining

After the keys and R relations are updated, the key structure is as shown in Figure 30.

When the user (u3) rejoins the group at a different leaf node (the first position), all keys and relations are automatically updated by the members:

1. Service provider broadcasts {Join, N1, G1}, and group members update RGK1 through RGK1'' = H(RGK1', RRGK')

• Collusion attack prevention:

A collusion attack can arise in two situations. The first is that more than two users simultaneously leave the same group. Each user only has the keys and R relations on the path from the root to the node corresponding to him/her.

The original key structures and relations are broken once the Leave Operation is triggered. Therefore a collusion attack will not happen. Figure 23 shows an example in the multi-leave operation.

The other situation is that users leave a group one after the other. Because of the join, leave, and change operations, the keys are hard to break in this situation.

Taking Figure 23 as an example, when u1 leaves the group G1 after u3, the steps are as follows:

• When u3 leaves, the service provider broadcasts {LEAVE, Nu3, G1} in Figure 22.

1. u1, u2, u4 automatically update KEKs and R values:

u1, u2 update KEK14 and R14 through KEK14' = H(KEK14, R12) and R14' = H(KEK14', R14)

u4 updates KEK34 and R34 through KEK34' = H(KEK34, R4) and R34' = H(KEK34', R34).

2. Service provider multicasts RGK' to users through the messages KEK58 {RGK1'}, KEK14' {RGK1'}, KEK34' {KEK14', RGK1'}.

3. u4 automatically updates R14, R14' = H(KEK14', R14). All remaining group members also automatically update RRGK' = H(RGK1', RRGK).

• When u1 leaves the group G1 after u3, the service provider broadcasts {LEAVE, Nu1, G1} in Figure 31.

1. u2, u4 automatically update KEKs and R values:

u4 updates KEK14 and R14 through KEK14'' = H(KEK14', R34') and R14'' = H(KEK14'', R14')

u2 updates KEK12 and R12 through KEK12' = H(KEK12, R2) and R12' = H(KEK12', R12).

2. Service provider multicasts RGK' to users through the messages KEK58 {RGK1''}, KEK14'' {RGK1''}, KEK12' {KEK14'', RGK1''}.

3. u2 automatically updates R14, R14' = H(KEK14', R14). All remaining group members also automatically update RRGK'' = H(RGK1'', RRGK').

Figure 31: Key structure of Leave operation (3)

After those steps, the key structure is as shown in Figure 32. u3 has RGK1, KEK14, KEK34, MPK3, R4, RRGK, R14, and R34. u1 has RGK1', KEK14', KEK12, MPK1, R1, RRGK', R14', and R12. Even so, there is no way to trace the new keys or R values if u1 and u3 work together. However, in Sun et al.'s CAS, there are risks of collusion attacks in both situations described above.


Figure 32: Key structure of Leave operation (4)

• Tree rebalances:

Rebalancing is barely addressed in Sun et al.'s CAS, which only covers extending the tree's size. This thesis provides balance operations. They are triggered when the tree is not balanced or when the group has more members than the tree's capacity. The service provider transmits messages and manages group members more efficiently after implementing those rebalancing operations.

Chapter 4: Simulation and Security Analyses

This thesis mainly proposes a key management protocol suitable for IPTV services, called IPTVP. IPTVP solves the problems of Sun et al.'s CAS discussed in chapter three. This chapter compares and analyzes the security and the simulation results of Sun et al.'s CAS, group key protocols, and the protocol proposed in this thesis. The abbreviations and acronyms used in this chapter are shown in Table 6.

Table 6: Abbreviations and acronyms (2)

| Abbreviation | Meaning |
| --- | --- |
| SKDC | Simple key distribution center |
| LKH | Logical key hierarchy |
| OFT | One-way function tree |
| IPTVP | IPTV protocol |
| Msg | Number of messages |
| S_St. | Service manager's storages |
| M_St. | Each member's storages |
| n | Number of group members |
| M_L | Number of leaving members |
| M_J | Number of joining members |
| C_K | Hash function costs to generate a key |
| C_R | Hash function costs to generate a relation |
| sl | The size of CAT |

*C_f = C_r = C_K = C_R

4.1 Security Analysis

This section analyzes the security of the method proposed in this thesis. The security issues are those mentioned in section 2.2. This thesis focuses on dynamic groups in the IPTV environment. Subscribers can join, leave, or change a group whenever they like. The security requirements are:

• Confidentiality: Data, video and voice are transmitted as ciphertext in the IPTV environment. The keys are used to encrypt those packages, and only members holding those keys can obtain the decrypted text. Hence, illegal users, who do not belong to the group, cannot get the messages.

• Authentication: The subscriber registration phase and the channel subscription phase authorize users. These phases prevent unauthorized users from receiving and obtaining content.

• Backward and forward secrecy: Rekeying is important for service managers to provide both. This thesis provides join, leave, and change operations that rekey members' keys, as well as collusion attack prevention. More details are given in the previous chapter.

Table 7 compares Sun et al.'s CAS with the protocol proposed in this thesis against those security requirements. This thesis enhances security by providing both forward and backward secrecy and collusion attack prevention.

Besides, as shown in Table 8, IPTVP is also as strong as other group protocols.

Table 7: Security analyses with Sun et al.'s CAS

Confidentiality Authentication Forward

Sun et al.'s CAS

Y Y N N N

Table 8: Security analyses with group key protocols

Forward

4.2 Simulation Results and Analytical Analysis

This section has two parts. The first part quantitatively analyzes the costs, from simulation results, when rekeying operations are triggered. The second part presents simulation results for maintaining balanced trees, using two situations as examples.
