Chapter 2 Related Works

2.3 Sun et al.'s Conditional Access System

2.3.3 Extensions of the Trees

When the tree is full, it is extended by one more level. The old tree's leaf nodes are moved to the left child nodes of the new tree, as shown in Figure 11. After the extension, when new members join the group, the server needs to transmit the new sibling nodes' R values to the group members.

Figure 11: Extension of the tree

Besides, the server assigns an old member to the same leaf node when the old member rejoins the same group. The reason is that a member must not learn the R values on the path related to itself. If the original leaf node is occupied, there are two ways to handle this situation. First, the server extends the original leaf node by one more level and moves the original leaf node to be the left child node of the new level, Figure 12. Such extensions make the tree unbalanced, and periodic rearrangement of the tree becomes necessary. Second, the server simply places the old member at another vacant leaf node and updates the information the old member knew before, Figure 13 as an example.

Figure 12: S2 rejoins the group on the same path related to itself

Figure 13: S2 rejoins the group in different leaf node

2.3.4 Improvement of Sun et al.'s Conditional Access System

Jung-Yoon Kim and Hyoung-Kee Choi [9] pointed out two weaknesses and solved them. First, the key updating algorithm was so simple that a member could obtain the R value related to itself when it rejoined the same group at the same leaf node. For example, when a subscriber leaves the group, the group key is updated as RGK'=RGK⊕RS. However, when the subscriber rejoins the group, he/she receives the new RGK' and can easily calculate the R value by RS=RGK'⊕RGK. The other weakness of the F-PPC system is the forward secrecy problem: group keys and channel keys were not updated when a member joined a group.

For those reasons, the improvement of Sun et al.'s CAS is a more robust algorithm that satisfies both backward and forward secrecy. The keys are updated whenever a user joins or leaves the group. For example, if a user joins the group, the RGK is updated by RGK'=RGK⊕RS, which is the same algorithm as in Sun et al.'s CAS. When a group member leaves, RGK is instead updated by RGK'=H(RGK⊕RS).
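The weakness and its fix side by side, as an added example that is not code from the thesis or from [9]; SHA-256 stands in for the unspecified hash H, and all key values are constructed:

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def H(x: bytes) -> bytes:
    """Stand-in for the hash H in RGK' = H(RGK XOR RS); the thesis fixes no concrete function."""
    return hashlib.sha256(x).digest()


def leave_update_xor(rgk: bytes, r_s: bytes) -> bytes:
    """Sun et al.'s original leave update: RGK' = RGK XOR RS."""
    return xor(rgk, r_s)


def leave_update_hashed(rgk: bytes, r_s: bytes) -> bytes:
    """Kim and Choi's improvement [9]: RGK' = H(RGK XOR RS)."""
    return H(xor(rgk, r_s))


def rejoiner_view(rgk_before: bytes, rgk_after: bytes) -> bytes:
    """What a member who left and later rejoined at the same leaf can compute from the two group
    keys it has legitimately held: RGK' XOR RGK.  With the XOR-only update this equals RS, a value
    the member must never learn; with the hashed update recovering RS would require inverting H."""
    return xor(rgk_after, rgk_before)
```

The rejoining member still receives the refreshed key normally in both variants; only the XOR-only variant lets it peel RS off that key.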

This thesis implements the architecture of Sun et al.'s CAS on IPTV services, and takes both forward and backward secrecy into account. In order to prevent collusion attacks and solve the rejoining members' problem, another way to manage the membership of the groups is presented in the next chapter.

Chapter 3 A Channel-based Key Management Protocol for IPTV Services

In this chapter, a channel-based key management protocol for IPTV services is proposed. The motivations and objectives of this thesis were given in chapter one. Chapter two described IPTV services, the related security issues, and key management protocols, explained the reasons for choosing a centralized key structure and group key management, and illustrated the problems in Sun et al.'s CAS. This chapter first defines the problems and then delineates the channel-based key management protocol for IPTV services.

3.1 Design Issues

This thesis addresses the following critical issues in Sun et al.'s CAS:

• Collusion attack prevention: in this thesis, users who have left cannot obtain the keys and contents from group messages by working together. It is also impossible to obtain the keys and contents from group messages when members leave the group one after another.

• Refreshment of keys and R values: Sun et al.'s CAS has forward and backward secrecy problems, which were pointed out and solved by [9]. This thesis proposes another way to achieve both forward and backward secrecy, by updating keys and R values when members join, leave or change the group.

• Tree rebalancing: the trees easily become unbalanced when group members join and leave groups. Reconstruction of the trees and maintenance of the keys in them are also considered in this thesis.

3.2 Abbreviations and Acronyms

There are many abbreviations and acronyms in this thesis. Table 5 shows the explanations of those abbreviations.

Table 5: Abbreviations and acronyms

Index | Explanation

RGKj | A receiving group key corresponding to group j. Authorized subscribers have the right to obtain group messages by using RGK.

AK | An authorization key or channel key. Authorized subscribers have the right to watch channels by using AK.

MPKsk | A master private key corresponding to subscriber k, sk. Each subscriber holds one, and only the subscriber himself/herself has the key.

KEKi | Key encryption key corresponding to node i. It is an administration key used to manage key distribution to subgroup members. There are subgroups in a tree, and subgroup members share the same KEK.

Ri | Relational secret number corresponding to node i.

RRGKj | Relational secret number corresponding to the root node of the group tree and RGKj.

RAK | Relational secret number corresponding to the root node of the channel tree and AK.

CAT | Combined ancestor tree. The CAT consists of the corresponding nodes on the group tree of the ancestors and affected leaves when members join or leave a group.

Sub-CAT | Subtree of the combined ancestor tree: the corresponding nodes of the CAT except the root node and its affected leaf node.

c | Total number of channels that the IPTV service provider provides.

r | A random number.

sk | A subscriber with serial number k.

Gj | A group with number j.

Nsk | A node corresponding to subscriber k.

KEKsGroup | A set of KEKs in a group tree.

KEKsChannel | A set of KEKs in a channel tree.

RsGroup | A set of R values in a group tree.

RsChannel | A set of R values in a channel tree.

AKs | A set of AKs.

KEKs | A set of KEKs.

Rs | A set of R values.

RsAK | A set of R values corresponding to the root nodes of channel trees and AKs.

i-1 | Node i-1 is the affected leaf node which corresponds to ancestor node i.

Ri-1 | Ri-1 is the affected leaf node's R value, where node i-1 is the affected leaf node corresponding to ancestor node i.

KEKi-1 | KEKi-1 is the affected leaf node's KEK, where node i-1 is the affected leaf node corresponding to ancestor node i.

CsGj | A set of channels group j subscribes to.

CsGjGf | A set of channels both group j and group f subscribe to.

CATGj | The corresponding nodes on the channel tree of the ancestors and affected leaves when Gj performs the join operation or the leave operation.

CATGj&Gf | The nodes which are in both CATGj and CATGf, when CATGj and CATGf are on the same channel tree.

3.3 The Architecture

A four-level key hierarchy and two-level trees are constructed in this protocol, the same as in Sun et al.'s CAS, Figure 9. IPTV services are the convergence of telecommunications, Internet protocols (IP), and broadcasting networks. A four-level key hierarchy is the more suitable structure to implement, so that this architecture is feasible on both broadcasting and IP networks.

The centralized tree structure and group key management are implemented. In this thesis, we assume that there are n channels provided by the IPTV service provider. Each possible combination of these channels is assigned a group key to protect those programs. Therefore, there are at most 2^c − 1 group keys which the IPTV service provider must keep, where c is the total number of channels the IPTV service provider provides. Moreover, the subscribers are classified into groups. A group shares the same group key, and the group keys are mutually different. As shown in Figure 9, the subscribers in the same group subscribe to the same channels and share the same group key.

In Sun et al.'s CAS, each user needs to keep MPK, RGK, AKs, RRGK, and RAK. In this thesis, each user additionally keeps key encryption keys (KEKs).

Besides, R values are generated by the service provider from a KEK and a random number with a hash function, Ri=H(KEKi, r). KEKs are used to manage key distribution to subgroups, so the server can prevent collusion attacks. The key structure is shown in Figure 14.

Figure 14: The key structure

3.4 A Channel-based Key Management Protocol

In this section, a channel-based key management protocol for IPTV services is proposed. To prevent illegal access to IPTV services, there are three phases in this paper. They are:

• Subscriber register phase:

Users register with the IPTV service provider to get a login ID and password. After that, they become members of the IPTV service and are authorized to log in to the system by sending their account ID and password to the center server. In addition, users get an MPK and a random number through a secure channel, and generate Ruser by themselves with a hash function, Ruser=H(H(IDuser), MPKuser⊕r) for example, Figure 15.

Figure 15: Subscriber register phase

• Channel subscribing phase:

Users subscribe to many channels. According to their subscription information, the IPTV service provider gathers subscribers who subscribe to the same channels into a group. Each group is assigned a group key used to encrypt and protect these programs. The group key is kept by each subscriber, Figure 9. In addition, each subscriber keeps some administration keys used to encrypt the group key, Figure 14.

Hence, in this paper, each subscriber has to keep four types of keys: receiving group key (RGK), channel key (AK, authorization key), administration key (KEK, key encryption key), and master private key (MPK).

• Membership management phase:

Membership management handles the possible activities of a subscriber. There are several scenarios: a new subscriber joins a group; an old subscriber cancels his/her subscription; an old subscriber changes his/her subscription. In any of these scenarios, the group key has to be refreshed and then distributed to the group members by rekeying operations.

There are five rekeying operations: join, multi-join, leave, multi-leave and change. These rekeying operations work on the combined ancestor tree (CAT) [15] or on the subtree of the combined ancestor tree (Sub-CAT). The CAT consists of the corresponding nodes on a group tree of the ancestors and affected leaves when members join or leave a group, as shown in Figure 16. When u3 joins a group, the CAT is the set of gray nodes and the size of the CAT is the number of gray nodes. The Sub-CAT consists of the corresponding nodes in the CAT except the root node and its affected leaf node. As shown in Figure 17, when u3 joins or leaves a group, the Sub-CAT is the set of gray nodes, and its size is the number of gray nodes in Figure 17. Hence, the last phase manages the generation and distribution of the group keys by rekeying operations.

Figure 16: A combined ancestor tree (CAT), when u3 joins or leaves a group

Figure 17: A Sub-CAT, when u3 joins or leaves a group

When the group membership changes, a rekeying operation is used to generate and distribute the new group key for the group, and the Per_update operation is used to perform a periodical update when the membership has not changed. In addition, a subscriber will not be in more than one group.

Figure 18: Subscriber joins, leaves, and changes the group

In Figure 18, a new user, S1, registers with the IPTV service and subscribes to many channels. According to S1's subscription information, he/she is assigned to a group, G1, and receives the new group key GK1', some relation numbers (R values) and administration keys (KEKs).

Because of space limitations, this thesis focuses on depicting the concept of the last phase. The details of the operations follow.

3.4.1 Join Operation

The join operation is used when a new subscriber, sk, joins the group. The server broadcasts a message. After the group members receive the message, they automatically update the group key using an R value and the hash function. The group members who relate to the path from leaf sk to the root can also automatically update their key encryption keys and R values (KEKi', Ri'). An example follows, Figure 19:

The procedure when a subscriber (sk) joins group j (Gj) is:

1. Server broadcasts {JOIN, Gj, Nsk}.

2. Existing group members automatically update the ancestors in the CAT of sk. Members who relate to those ancestors in the CAT update RGK, KEKi, Ri and RRGK.

1) RGKj and all KEKs are updated by RGKj'=H(RGKj, RRGKj) and KEKi'=H(KEKi, Ri).

2) The Ri and RRGK values are updated by Ri'=H(KEKi', Ri) and RRGKj'=H(RGKj', RRGKj).

3. Server unicasts to sk: MPKsk{RGKj', KEKsGroup', RRGKj', RsGroup', AKs', KEKsChannel', RsAK', RsChannel'}

Figure 19: Join operation

More specifically, as shown in Figure 20, there is a new joiner (u3). The IPTV service provider broadcasts the message {JOIN, G1, Nu3} to all subscribers in the Join Operation. The group key (RGK1') and R value (RRGK1') are updated by all group members: RGK1'=H(RGK1, RRGK1), RRGK1'=H(RGK1', RRGK1). The key encryption key (KEK14) and R value (R14) which u1 and u2 hold are updated automatically by each of them: KEK14'=H(KEK14, R14) and R14'=H(KEK14', R14). The key encryption key (KEK34) and R value (R34) of u4 are updated by u4 with the hash function: KEK34'=H(KEK34, R34) and R34'=H(KEK34', R34). Then the service provider unicasts the message {RGK1', KEK34', KEK14', RRGK1', R34', R14', AKs', KEKsChannel', RsAK', RsChannel'}, encrypted by MPKu3.

30

Figure 20: Key structure of Join operation

For efficiency, the server may join multiple users to a group at a time; the Multi-Join Operation is triggered in that case. The Multi-Join Operation proceeds in the same way as the Join Operation. However, if both leaf children of an interior node are newly joined members, the service provider generates new KEK' and R' values and transmits them directly to those leaf nodes. Take Figure 20 as an example. If u3 and u4 are both new joiners, the service provider generates new KEK34' and R34', where R34' is generated by R34'=H(KEK34', r). Then the service provider unicasts messages to u3 and u4.

In this way, the IPTV service provider prevents a new subscriber from obtaining data sent before he/she joined the group, and provides forward secrecy.

3.4.2 Leave Operation

The Leave Operation is used when an old subscriber (sk) leaves the group (Gj).

The server broadcasts a leave message to all members of the service. Group members who relate to the Sub-CAT automatically update their key encryption keys and R values. After that, the service provider generates and transmits the new group key to the remaining members. New key encryption keys (KEKs') are transmitted to those members who held the old ones. R values are also updated by the members themselves when the key encryption keys of the corresponding nodes change. An example follows, Figure 21:

1. Server broadcasts {LEAVE, Gj, Nsk}.

2. Users who relate to the Sub-CAT automatically update the ancestors of the Sub-CAT using the affected leaves' R values of the Sub-CAT. The updated ancestors include KEKs and Rs. Node i-1 is the affected leaf node which corresponds to ancestor node i, and Ri-1 is the affected leaf node's R value.

• KEKi' is updated by KEKi''=H(KEKi', Ri-1).

3. Server generates a new RGK''.

4. Server transmits the new RGK'' and KEK'' to those users who need to know them. The new RGK'' and KEK'' are transmitted to the users encrypted by the new KEK'': KEK''{RGK'', KEKi-1'', …}.

5. Each user automatically updates Ri'; Ri' is updated by Ri''=H(KEKi'', Ri').

Figure 21: Leave Operation

Figure 22 gives a clearer example. When a user (u3) stops subscribing to any channel, the Leave Operation is applied to refresh the group key (RGK1''), key encryption keys (KEKs), and R values. The service provider broadcasts a leave message to group G1, {LEAVE, G1, Nu3}. Then the group members relating to the Sub-CAT automatically update their keys: u1 and u2 update KEK14 and R14, KEK14'=H(KEK14, R12), R14'=H(KEK14', R14); u4 updates KEK34 and R34, KEK34'=H(KEK34, R4), R34'=H(KEK34', R34). After these steps, the relations among the keys are broken, so the service provider needs to multicast the new RGK and KEK to the users who held them before the update. The service provider transmits the messages KEK58{RGK1'}, KEK14'{RGK1'}, KEK34'{KEK14', RGK1'}. The R values are also updated after the group members receive the messages: u4 needs to calculate R14'=H(KEK14', R14), and u5, u6, u7 and u8 need to calculate RRGK1'=H(RGK1', RRGK1). Finally, the CAT is updated.

Figure 22: Key structure of Leave operation (1)

Multi-leave is an efficient choice for service providers, and it is also called a batch operation. When more than one subscriber leaves the group, the leave operation differs slightly from the case of a single subscriber leaving. If both leaf children of an interior node have been updated, the server generates a new key and transmits it to those leaf nodes. As shown in Figure 23, when subscribers u1 and u3 simultaneously leave group G1:

1. Service provider broadcasts {LEAVE, Nu1, Nu3, G1}.

2. Group members update KEKs and R values as described before.

• u2 updates KEK12 and R12: KEK12'=H(KEK12, R2), R12'=H(KEK12', R12).

• u4 updates KEK34 and R34: KEK34'=H(KEK34, R4), R34'=H(KEK34', R34).

3. Service provider needs to generate not only RGK' but also KEK14'. KEK14' must be generated by the service provider because node12 and node34 have both been updated.

After these steps, the remaining steps are the same as in the original situation where only one subscriber leaves the group. Because of the broken key relations, the service provider needs to multicast the new RGK and KEKs to the users who held them before the update.

The service provider sends KEK58{RGK1'} to u5, u6, u7 and u8, KEK12'{RGK1', KEK14'} to u2, and KEK34'{RGK1', KEK14'} to u4. Then the R values corresponding to RGK and the KEKs are updated by the members themselves, RRGK1'=H(RGK1', RRGK1) and R14'=H(KEK14', R14).

Figure 23: Key structure of Leave operation (2)

In this way, the IPTV service provider prevents the departed subscriber from watching channels, and provides backward secrecy.
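As an added illustration (not code from the thesis), the Join and Leave operations of Sections 3.4.1 and 3.4.2 simulated on the eight-leaf group tree of Figures 20 and 22; SHA-256 stands in for H, node and key names follow the thesis, and the MPK/KEK encryption is modelled as delivery of a value to the members who hold the wrapping key rather than as real ciphertext:

```python
import hashlib
import secrets

def H(*parts: bytes) -> bytes:
    """Stand-in for the thesis's hash H(x, y): SHA-256 over the concatenated inputs (an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

# Constructed group tree G1 of Figures 20/22: root(RGK1) -> 14, 58 -> 12, 34, 56, 78 -> leaves 1..8.
# Interior node i holds (KEK_i, R_i); leaf k holds R_k; every member also holds RGK1 and RRGK1.
PARENT = {"1": "12", "2": "12", "3": "34", "4": "34", "5": "56", "6": "56", "7": "78", "8": "78",
          "12": "14", "34": "14", "56": "58", "78": "58"}

def path(leaf):
    """Interior nodes from the leaf upward, e.g. path('3') == ['34', '14']."""
    out, n = [], PARENT[leaf]
    while n in PARENT:
        out.append(n)
        n = PARENT[n]
    return out + [n]

def view(keys, u):  # exactly the keys member u holds: RGK1, RRGK1, its own R, and KEK/R of its path nodes
    return {n: keys[n] for n in ["RGK1", "RRGK1", "R" + u] + [p + i for i in path(u) for p in ("KEK", "R")]}

def fresh_group(members):
    keys = {"RGK1": secrets.token_bytes(32), "RRGK1": secrets.token_bytes(32)}
    keys.update({"R" + n: secrets.token_bytes(32) for n in set(PARENT) | set(PARENT.values())})
    keys.update({"KEK" + i: secrets.token_bytes(32) for i in set(PARENT.values())})
    return keys, {u: view(keys, u) for u in members}

def join(keys, views, new):
    """Join Operation after {JOIN, G1, N_new}: holders of each CAT ancestor i rekey it themselves and all
    members refresh RGK1; the newcomer gets its view by unicast under MPK (modelled as a plain copy)."""
    for v in [keys] + list(views.values()):              # the server mirrors every self-update
        for i in path(new):
            if "KEK" + i in v:
                v["KEK" + i] = H(v["KEK" + i], v["R" + i])   # KEK_i' = H(KEK_i, R_i)
                v["R" + i] = H(v["KEK" + i], v["R" + i])     # R_i'  = H(KEK_i', R_i)
        v["RGK1"] = H(v["RGK1"], v["RRGK1"])                 # RGK'  = H(RGK, RRGK)
        v["RRGK1"] = H(v["RGK1"], v["RRGK1"])                # RRGK' = H(RGK', RRGK)
    keys["R" + new] = secrets.token_bytes(32)
    views[new] = view(keys, new)

def leave(keys, views, old):
    """Leave Operation after {LEAVE, G1, N_old}. Returns (leaver's stale view, multicast plan)."""
    gone, cat, below, done, msgs = views.pop(old), path(old), old, {u: set() for u in views}, {}
    for i in cat:                                        # Sub-CAT: the leaver's ancestors
        sib = next(c for c, p in PARENT.items() if p == i and c != below)
        keys["KEK" + i] = H(keys["KEK" + i], keys["R" + sib])        # KEK_i'' = H(KEK_i', R_{i-1})
        for u, v in views.items():
            if "R" + sib in v:                           # only members under the unaffected sibling can
                v["KEK" + i] = H(v["KEK" + i], v["R" + sib])
                done[u].add(i)
        below = i
    keys["RGK1"] = secrets.token_bytes(32)               # server generates the new RGK''
    for u, v in views.items():                           # RGK'' plus any KEK_i'' u could not derive go out
        need = ["RGK1"] + ["KEK" + i for i in cat if "KEK" + i in v and i not in done[u]]
        under = next("KEK" + i for i in reversed(path(u)) if v["KEK" + i] == keys["KEK" + i])
        msgs.setdefault(under, set()).update(need)       # under the highest key u still shares with the server
        v.update({n: keys[n] for n in need})
    for v in [keys] + list(views.values()):
        for i in cat:
            if "KEK" + i in v:
                v["R" + i] = H(v["KEK" + i], v["R" + i])         # R_i'' = H(KEK_i'', R_i')
        v["RRGK1"] = H(v["RGK1"], v["RRGK1"])                    # RRGK'' = H(RGK'', RRGK')
    return gone, msgs
```

Running u3's join followed by u3's leave reproduces the multicast plan of Figure 22 (KEK58{RGK1'}, KEK14'{RGK1'}, KEK34'{KEK14', RGK1'}) and leaves every remaining member's keys equal to the server's, while u3's stale view lacks R4 and R12 and so cannot follow KEK34 or KEK14.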

3.4.3 Change Operation

The Change Operation is used when an old subscriber changes group. As shown in Figure 18, when an old subscriber, S9, decides to subscribe to different channels, he/she leaves G1 and joins G2. The join operation and leave operation are used to update the keys: RGK1, RGK2, KEKsGroup1, KEKsGroup2, AKs, KEKsChannel, RsGroup1, RsGroup2, RsChannel.

Figure 24: A channel group

34

The channel trees are classified into three parts when members change their subscriptions and groups. The first part is those channels which members no longer subscribe to. The second part is those channels which members still subscribe to. The third part is those new channels which members are going to subscribe to. Take Figure 24 as an example. The symbol "CsGj" means the set of channels Gj subscribes to, "CsGf" the set of channels Gf subscribes to, and "CsGjGf" the set of channels both Gj and Gf subscribe to.

When a user (uk) changes his/her group from Gj to Gf, the keys of the channels in "A" and "B" must be updated. To provide both forward and backward secrecy, the channels in "A" must perform the Leave operation and the channels in "B" must perform the Join operation. However, the channel trees' key encryption keys in "C" may be exposed to a collusion attack. Therefore, AKs, KEKsChannel and RsChannel must also be updated. Many group trees are included in the channel trees, Figure 9.

When uk changes his/her group from Gj to Gf, the change operation proceeds as follows in the channel tree and the group tree. The processes in the channel tree are shown clearly in Figure 24 and Figure 25; the processes in the group tree are those described in the leave operation and join operation.

1. Server broadcasts {CHANGE, Nuk, Gj, Gf}.

2. The remaining members in Gj perform the leave operation. The group members in Gf perform the join operation.

3. Keys in the channel trees are updated.

1) Those groups in the channel trees of CsGj perform the Leave Operation. The keys in those channel trees are updated by the groups that subscribe to the same channels as Gj.

2) Those groups in the channel trees of CsGf perform the Join Operation. The keys in those channel trees are updated by the groups that subscribe to the same channels as Gf.

3) Those groups in the channel trees of CsGjGf:

• If a group's corresponding nodes relate to CATGj&Gf of the channel tree, the keys of those nodes do not need to be updated. CATGj&Gf is the set of nodes which are in both CATGj and CATGf, when CATGj and CATGf are on the same channel tree.
