Design and Implementation of Secure Communication Channels over UPnP Networks

Design and Implementation of Secure Communication Channels over UPnP Networks

Jiunn-Jye Lee, Chun-Ying Huang, and Chin-Laung Lei {jye,huangant}@fractal.ee.ntu.edu.tw, lei@cc.ee.ntu.edu.tw

National Taiwan University

Abstract

The scale of smart living spaces can be varied from small, e.g. a household, to large, e.g. a building or a campus, scales. As the scale of the space increases, we can expect that the requirements for the two fea- tures – zero-configuration and secure data communi- cation channels – are getting more important. The feature of zero-configuration reduces the cost to setup the network and secure data communication channels guarantee both the privacy and confidentiality of possi- ble sensitive data transmitted in the network. In this paper, we integrated two technologies, UPnP and se- cure group communication techniques, to construct an almost zero-configuration secure environment for smart living spaces. A secure and flexible communication en- vironment is constructed as follows. An UPnP con- troller is implemented to manage devices in the same administrative domain and hence these devices can be treated as members in the same communication group.

Then, by leveraging group key management algorithms, we successfully build both point-to-point and broadcast secure channels over the UPnP network.

1 Introduction

As the maturing of computer and communication technologies, integrating modern technologies into peo- ple’s daily life becomes an inevitable trend. Traditional information systems, such as bulletin boards on cam- puses, touring maps in national parks, and billboards in shopping malls, can now be replaced by interconnected smarter devices. Since nodes in the same network are able to communicate with each other, services and con- tent displayed at the user end can be presented much more interactively and dynamically.

To build a communication network that supporting intelligent devices, in addition to those basic design

issues such as scalability, fault tolerance, and availabil- ity, there are two more design issues that must be taken into consideration. The first is the ease of system con- figuration because it could greatly reduce the cost of maintenance. For example, deploying more than hun- dreds of information systems in a large shopping mall may require repeating similar setups on each device. A easy-to-configure system can thus reduce the cost of de- ployment. Second, as the information loaded on these intelligent devices can be customized to the users, the security and privacy of data that transmitted between the device and the network must be protected.

According to the factors discussed above, we adopt the concept of the Universal Plug and Play (UPnP) Device Architecture [1] for the ease of device discov- ery and management. The UPnP architecture sup- ports zero-configuration networking. When a device joins the network, it can be automatically discovered and integrated into the existing system. The device then conveys its own capabilities to other devices and also receives the information about capabilities of other devices. With the benefits brought by the UPnP archi- tecture, service providers do not have to worry about the complicated network settings, and thus can con- centrate more on the content.

Based on the UPnP architecture, to provide se- cure communication channels, some aspects have to be taken into account. In the proposed architecture, con- trol messages are managed by a central control point.

Since application layer services may require both uni- cast and multicast communication, the control point must have the ability to transform message for the two different secure channels. Furthermore, the intro- ducing to key management algorithm should not break the zero-configuration property of UPnP architecture.

Thus, we proposed a secure-UPnP (SUPnP) framework to integrate both the UPnP architecture and secure communication channels.

The rest of this paper is organized as follows. We first introduce the proposed system architecture in Sec-

Server I Server II Server III Client A Client B Client C

Secure UPnP Network

Controller/Forwarder

Figure 1. The system architecture of the se- cure UPnP environment.

tion 2. Section 3 shows the details of the SUPnP pro- tocol, which includes the node registration protocol, the construction of secure data communication chan- nels and the message relaying protocol. Several as- pects of the proposed framework will be discussed in Section 4 and we finally conclude in Section 5.

2 System Architecture

For the convenience of discussion, in this paper, we assume that devices are connected by a local area net- work (LAN). Practically, this assumption can be re- laxed by the establishment of secure tunnels between devices or by appropriated configured routers. Figure 1 illustrates the proposed system architecture. A central- ized control point device, abbreviated as the controller, is accounted for managing the whole system. Once a UPnP-compatible device wants to join the network, it sends an IGMP join message to introduce itself and re- ceives IGMP messages sent from the controller. After the device has joined into the system, it will obtain its own keys through the SUPnP node registration proto- col, which will be in detail in section 3.1. On complet- ing the registration procedure, services on the device will be advertised to other existing devices.

Devices except the controller in the proposed system are categorized into client devices and server ones. Un- der UPnP network, it is unnecessary for the devices to have the knowledge of other devices’ network settings (such as IP addresses, domain names, service ports, ..., etc.). Once a request message is generated by a client device, it will be sent to the controller through the secure unicast channel. The controller will ana- lyze the request and then broadcast it to the back-end server devices through the secure broadcast channel.

On receipt of a request, each server device parses the request header and decides whether it should process the request or not. When a server replies, the con- troller will forward the replied messages to the original client device. According to the demand of different service types, a client request may require one or more

SUPnP APP -

Client APP -

Server I APP - Server II

APP - Key Manager

(Server)

IP/TCP/UDP PHYSICAL NETWORK

UPnP APP - Forwarder (Controller/Server)

Figure 2. The protocol architecture of the se- cure UPnP environment.

responses from the server devices. The detail of secure channel construction for client devices, the server de- vices, and the message relaying service will be further explained in Section 3.2, 3.3 and 3.4, respectively.

3 The Design of SUPnP

In this section, we explain how the secure UPnP environment is built in detail. Figure 2 shows the pro- tocol architecture of the SUPnP design. The design of the SUPnP network is a layered design. As the un- der layer follows the UPnP basic device definition [2], the SUPnP protocol is able to coexist with any other UPnP devices.

Most of the smart devices are built on top of the SUPnP layer. These devices can be classified into two categories, namely the client and the server devices.

By definition, the major work of a client devices is to interact with the environments and make requests to server devices. On the contrast, server devices are in charge of answering requests from clients. Beside generic clients and servers, we have two special com- ponents in the SUPnP network. One is the “key man- ager”, which is run as a server device, and the other is the “forwarder”, which is also run as a server coop- erating with an UPnP controller. The key manager is responsible to maintain the relationship of devices in the SUPnP network. It also generates required secret keys for those devices that have successfully joined the secure group. Thus, when a device enters the network, it has to register to the key manager. The forwarder is a bridge between clients and servers. All the mes- sages exchanged between clients and servers should be relayed and transformed by the forwarder.

In our SUPnP network design, when a client submits a request, the request is relayed¹through the forwarder

1The design for that all messages exchanged between clients and servers are relayed through the forwarder is for convenient and security considerations. Here we just ignore the discussion of the detailed fault-tolerant and scalability issues of such a de- sign. Readers with interests on this issue may refer to our brief discussions in Section 4.

RE G RE Q U E S T : S E Q #, I D LE N , I D

R EG R EP L Y: S EQ# , S A L T , R ND # 1, ID L EN, ID RE G C O N F I RM :

S E Q #, H( RN D #1 , H( S A LT , PWD ) ) , I D LE N , I D R EG D ONE:

S EQ# , R ND # 2 , ID L EN, ID , ENC^{S - K E Y}( R ND # 2 , Ke y R i n g )

Member Key Server

S-KEY = H(RND#2, H(SALT, PWD))

Figure 3. The node registration protocol for new comers in the SUPnP network.

and then broadcasted to all servers. In the meantime, the client collects all the responses, which is also re- layed through the forwarder, from the servers in a given time constraint. Thus, it is apparently that we need different secure channels for clients and servers because a request from a client should be known to all servers but not known to other clients. In the later parts of this section, we will introduce the registration protocol for new member to join/leave the secure group, the con- struction of secure channels for both clients and servers, and also how messages are relayed between clients and servers.

3.1 The Node Registration Protocol

The node registration protocol used in the SUPnP network is illustrated in Figure 3. The protocol is de- signed with two important ideas – simplicity and secu- rity – in mind. We would like to minimize the number of configurations that required on the devices and also the protocol of course must be secure. As a result, in our registration protocol, each device has to maintain only its device ID and password. By using a challenge- response like protocol design, it is unnecessary to send passwords as plain texts during the device registration process.

All the nodes in the SUPnP network must be reg- istered first to access the infrastructure. The node registration protocol works as follows. When a device has joined the UPnP network and wants to be a mem- ber of the SUPnP network, it has to send a registra- tion request (REG REQUEST) along with a randomly

generated sequence number and its device ID. At this time, the new comer does not know where the server is. However, as the message is relayed through the forwarder, the registration request is then broadcasted to all the servers and only the key manager would re- ply for the registration protocol, which is the second registration acknowledgement (REG REPLY) message.

Note that during a registration process, the sequence number and the ID is the key to uniquely identify the process on both the member side and the key man- ager side. Therefore, all the messages for a registration process must contain the same sequence number and identity. Thus, besides the common required fields, theREG REPLYmessage also contains theSALTused to protect user password and a randomly generated num- berRND#1.

On receipt of the REG REPLY message, the new comer has to make a confirmation to let the key man- ager know that it has the right password. To prove that, firstly, it has to compute a value s, which is the hash of SALT plus the password. Then, it has to compute a value r, which is the hash of RND#1 plus the value s, and finally send the value r back to the key manager. The server now should be able to make sure the identity of the new comer since it knows the RND#1, the SALT, and the password²of the given ID.

If the user identity can be verified, the key manager can send back a registration done (REG DONE) mes- sage to the new comer. Otherwise, a REG FAIL reg- istration failure message is returned. If the registra- tion process is successfully finished, a symmetric key S-KEY shared between the new member and the key manager can be established by computing the hash of RND#2, which is included in the REG DONE message, and the value s. If the new comer is going to be a server in the SUPnP network, all the extra keys used for secure group communications well be sent to it en- crypted using S-KEY. It should be noted that when a new comer has successfully joined or left the SUPnP network, all the corresponding user and key informa- tion should be synchronized with the forwarder, which is responsible for relaying messages between the secure client and server networks.

3.2 Secure Client Channels

As we mentioned before, we need different secure channels for clients and servers in the SUPnP network.

The secure client channels is by nature constructed af- ter the symmetric key S-KEY is established between

2The key manager does not really need to know the plain text password for all user IDs. To enhance the security, we can only store the SALT and the hashed result of SALT plus the plain text password, instead of the plain text password itself.

the key manager and the new comer. Thus, if the new comer is a client device, which is differentiated by the device ID known to the key manager, there will be no more secret keys assigned to the new comer.

3.3 Secure Server Channels

If the new comer of the SUPnP network is a server device, all the required secure group keys should be delivered to that device with theREG DONE message.

Therefore, when the symmetric key S-KEY is estab- lished, the device should also share a group key with other servers in the same communication group. We do not assume which secure group communication mech- anism to be used in the SUPnP network. Most kinds of these mechanisms should be able to work with our framework. In general, key management mechanisms for secure group communications can be classified into three categories, namely centralized, decentralized, and distributed [5]. Since the network has a centralized forwarder, the number of members varies dynamically, and the main purpose of the secure communication is to broadcast requests, we suggest to use centralized key management mechanisms in the SUPnP network. For the reason of such a choice, we will discuss later in Section 4.

At the current stage, we choose logical key hierarchy (LKH) [8, 9] as the core group key management algo- rithm because it is simple and also efficient among all the other choices. Like other group key management algorithms, LKH also maintains a set of key encryp- tion keys (KEKs) for members in the secure group. In LKH, the key distributor center (KDC) maintains a logical tree like the one in Figure 4. The number of leaf nodes equals to the maximum number of mem- bers (i.e. capacity) in the group. However, the KDC should assign KEKs to all the nodes in the logical tree.

When a new member joins, the KDC should send all the KEKs on the path from the root node of the log- ical tree to the position that the member joins. For example, if a new member joins at the fifth position in Figure 4, then it has to know k1–8, k5–8, k5–6, and k₅. The shared group secret key can be delivered to all members in the secure group by encrypting using the key k1–⁸.

A group key management mechanism always needs to re-key, i.e., updates parts of the KEKs, when the memberships of the group changes. The purpose of re-key is to keep both forward secrecy and backward secrecy. The former prevents a left member from get- ting something from the secure channel and the later prevents a new comer from knowing what are trans- mitted before it joins. In LKH, all KEKs on the path

k¹

k^1-8

k^1-4 k^5-8

k^1-2 k^3-4 k^5-6 k^7-8

k² k³ k⁴ k⁵ k⁶ k⁷ k⁸

1 2 3 4 5 6 7 8

Figure 4. A sample tree topology for the log- ical key hierarchy (LKH) key management al- gorithm.

from the joined/left member to the root node have to be updated. For example, if the fifth member in Fig- ure 4 is left, k1–8, k5–8, k5–6, and k5, which are known to the left member, should be updated. The KDC is responsible to update these affected keys. At the same time, the KDC should also notify all the active mem- bers who hold the updated KEKs. To minimize the re-key overheads, the notification should be done in a one time multicast/broadcast. Suppose the KDC has updated k1–8, k5–8, and k5–6with k₁⁰–8, k₅⁰–8, and k₅⁰–6, respectively. To minimize the cost, the KDC can en- crypt {k₁⁰–8} using k1–4, encrypt {k⁰₁–8and k⁰₅–8} using k7–8, also encrypt {k⁰₁–8, k₅⁰–8, and k₅⁰–6} using k6. Fi- nally, it sends all these encrypted updated keys in one shoot. The cost for LKH is summarized here. For a group containing N members, the KDC has to main- tain (2N − 1) KEKs. On the other hand, each member only need to store log(N ) KEKs. When a re-key is re- quired, only log(N ) KEKs are affected and key updates can be done in one shoot (with a key size in an order of log(N )).

Applying LKH to our SUPnP environment is fairly simple. When a device is successfully registered with the key manager with a server identity, all the required KEKs on the path from the root to the assigned logical position for that new comer are updated first. Then, those updated KEKs are sent to the new server device using theREG DONEresponse.

3.4 Message Relaying

The forwarder is an important component in the SUPnP network. It is bound with the UPnP controller.

The two secure channels for client and the server de- vices are bridged by the forwarder. When messages are exchanged between the two different secure networks,

these encrypted messages must be transformed to make them understandable by message receivers. Thus, the forwarder must have the same knowledge to key man- ager, which includes all the symmetric keysS-KEYthat established with all the members and all the KEKs used in secure group communication.

The relayed messages are handled in the following two ways. For a request message sent from a client device, since the message must be encrypted using the sharedS-KEY between the client and the key manager, the forwarder can decrypt the request and then broad- cast the request securely using the group secret key.

Note that all the server devices in the SUPnP network can read the request and response to it depending on what kinds of service they provide. On replying a re- quest, a server can encrypt the response by using either its symmetric key or the group secret key. In either way, the forwarder is able to decrypt the response and then re-encrypt the message using the symmetric key of the receiver.

4 Discussions

In this section, we discuss several aspects related to the proposed architecture and protocols. The fol- lowing issues will be addressed: The choice of central- ized group key management; fault-tolerant and scal- ability of the UPnP controller/SUPnP forwarder; the co-existence of SUPnP and UPnP networks; the possi- bility of extending such an architecture to deploy over wide area networks; and finally, a guide to develop smart applications over the SUPnP infrastructure.

4.1 Centralized Group Key Management

The design choice of the secure group key man- agement mechanism, as we mentioned before, is cen- tralized key management mechanism. This choice is based on the following reasons. First, since the original UPnP network already has a (centralized) controller, it is na¨ıve for us to leverage that device. The second rea- son is that the server devices in the SUPnP network can be joined or left dynamically. Therefore, it may be not suitable to use distributed key management mech- anisms such as [6] because such key management mech- anisms require members to know each other and then compute the shared secret key using contributory pro- tocols. In our SUPnP network, to reduce the time to query group memberships and repeating the contribu- tory protocols, we decide not to use distributed mech- anisms. As to decentralized mechanisms [3, 4], for the reason of dynamically changed memberships and the use of only secure broadcast channels, we also do not

consider decentralized ones. Decentralized key man- agement mechanisms divide a whole group into several subgroups and thus each subgroup must have a sub- group leader. Electing subgroup leader may be a prob- lem because members in the SUPnP network are not supposed to know which member will stay longer in the network. Such an uncertainty may lead to a very un- stable subgroup. On the other hand, since the major use of the secure group communication channel is to broadcast requests, it is not necessary to relay through subgroup leaders.

Centralized key management mechanisms are easier to implement and maintain. The only thing for all the members in the group is to find the key manager. The cost for key updates can be also reasonably bounded in log scales. However, problems of centralized key man- agement mechanisms are the ability for fault-tolerant and the scalability. We will address this issue later.

4.2 Fault-Tolerant and Scalability

The techniques used to build services on clusters are getting matured. To achieve the requirement for fault-tolerant and scalability, we can apply techniques similar to that in [7]. In summary, we can setup mul- tiple controllers and make them all on-line at the same time. The states of memberships, secret keys, and log- ical tree topologies can be synchronized between these devices using the same protocol as synchronizing be- tween the key manager and the forwarder. Load can be shared by dispatching or migrating members of the SUPnP network to different controllers and these or- phaned members caused by the failure of controllers can be also picked up by active controllers.

4.3 Co-Existence of SUPnP and UPnP

The SUPnP is built on top of an UPnP basic de- vice. Without the SUPnP support, devices should be able to send unencrypted messages to each other. To do so, the SUPnP must have the ability to tell which messages should be processed by the SUPnP layer and which messages should bypass the SUPnP layer. For this reason, we encapsulated the SUPnP message with a dedicated protocol header, as shown in Figure 5. In the header, all the first six fields are in 16-bit length and values should be stored in big-endian. The data are placed right after the sixth field. The “magic” field store a constant number. All the SUPnP data should beginning with this magic number. The flag field indi- cates how to process this message. It indicates whether the message is a control message or a data message, is encrypted or not, is sent by a client or by a server, us-

magic flag keyid nounce length cksum ……

Figure 5. The SUPnP protocol data and con- trol message header.

ing unicast channel or broadcast channel, etc. Then, there is akeyidfield to indicate which key is used to de- crypted the message (if its encrypted). Finally, there is a field to store the total length of this message includ- ing data and a checksum to verify the integrity of the message header. To tell whether a message is a SUPnP message or not, we can check both the constant magic number and the checksum value.

In the design of SUPnP, it is able to allow general unencrypted messages, unencrypted SUPnP messages, and encrypted SUPnP messages to pass the SUPnP layer. However, to make sure that all the messages are delivered in a secure manner, we suggest not to allow all unencrypted data messages bypass the SUPnP layer.

4.4 Extension of the SUPnP Network

As the scale of the smart living space grows, such a space may be built across several different subnetworks.

The UPnP architecture is originally proposed for per- sonal/home environment. Thus, the SUPnP network is also bound inside a local area network. Since it is possible to construct a virtual private local area net- work over the Internet. In this way, we can extend the SUPnP network across the network boundaries.

However, this requires a device to have more network configurations beforehand. When a device is going to enter the SUPnP network, it must have proper config- urations to access the virtual private network. Instead of having each device capable of VPN access abilities, another better solution might be to have those cooper- ated subnetworks formed a virtual local area network.

When virtual local area networks are constructed at the network level, it is unnecessary to touch all the devices.

4.5 Application Development Guidance

Based on the SUPnP infrastructure, content providers can easily implement their services on the network. To build a new service, content providers have to design their own request and reply message for- mats. These messages can be injected into the network by customized front-end clients and back-end servers using our SUPnP library. After finishing the registra- tion procedures for both the clients and servers, the

new application will be integrated seamlessly and ready to use in the SUPnP network.

5 Conclusions and Future Works

The UPnP technique was originally used to sim- plify the configuration of personal or home network devices. In this paper, we extend the UPnP technolo- gies and build an intelligent secure network. Keep the ideas of simplicity and security in mind, the proposed protocol is suitable for the construction of a flexible and easy-to-use smart living spaces. Our future works focus on further analyses on the proposed protocols, extending the scalability of the proposed architecture, and develop applications that leverage the almost zero- configuration secure communication environments. To simplify the deployment of the SUPnP network, we also prepare to construct the SUPnP network over wireless environments.

References

[1] UPnP device architecture version 1.0.1. UPnP Forum, Dec. 2003.

[2] S. Lawrence. UPnP basic device definition version 1.0.

UPnP Forum, Dec. 2002.

[3] S. Mittra. Iolus: a framework for scalable secure mul- ticasting. In Proceedings of the Conference on Appli- cations, Technologies, Architectures, and Protocols for Computer Communication, pages 277–288. ACM SIG- COMM, 1997.

[4] R. Molva and A. Pannetrat. Scalable multicast security with dynamic recipient groups. ACM Transactions on Information and System Security, 3(3):136–160, 2000.

[5] S. Rafaeli and D. Hutchison. A survey of key manage- ment for secure group communication. ACM Comput- ing Surveys (CSUR), 35(3):309–329, 2003.

[6] M. Steiner, G. Tsudik, and M. Waidner. Diffie-Hellman key distribution extended to group communication. In CCS’96: Proceedings of the 3rd ACM conference on Computer and Communications Security, pages 31–37.

ACM Press, 1996.

[7] P.-L. Tsai, C.-Y. Huang, Y.-Y. Huang, C.-C. Hsu, and C.-L. Lei. A clustering and traffic-redistribution scheme for high-performance ipsec virtual private networks. In HiPC’05: Proceedings of the International Conference on High Performance Computing, LNCS 3769, pages 432–443. Springer, 2005.

[8] D. Wallner, E. Harder, and R. Agee. Key management for multicast: Issues and architectures. RFC 2627, June 1999.

[9] C. K. Wong, M. Gouda, and S. S. Lam. Secure group communications using key graphs. IEEE/ACM Trans- actions on Networking, 8(1):16–30, 2000.