Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Paul Judge, Mostafa Ammar, Georgia Institute of Technology. Presenters: Dheeraj Thumma, Boppanna Madhrira


Page 1: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Paul Judge, Mostafa Ammar

Georgia Institute of Technology

Presenters: Dheeraj Thumma, Boppanna Madhrira

Page 2: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Outline

Communication Paradigms

Security Issues

Security Objective

Proposed Design

Evaluation

Conclusion

Page 3: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Communication Paradigms

Unicast: Point-to-point flow of packets

Multicast: Point-to-multipoint flow of packets

Anycast: Point-to-point flow of packets

Page 4: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Unicast

Point-to-point flow of packets between a source (client) and destination (server) host

Server is identified by a unique IP unicast address contained in the header of each packet sent from the client

Routers make a best-effort attempt to deliver the packet to the destination host identified by unicast address.

Examples - Web-browsing, file transfer (FTP)

Page 5: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Unicast

[Figure: unicast diagram with labels Sender, Receiver, Receiver]

Page 6: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Multicast

Point-to-multipoint flow of packets between a single source host and one or more destination hosts.

Source host sends a single copy of the packet to group address (e.g. 227.12.33.2).

Destination hosts configured with a multicast group address.

Routers deliver the multicast packets to all destination hosts identified by the multicast group address.

Example - Broadcast-style videoconferencing

Page 7: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Multicast

[Figure: multicast diagram with labels Sender, Receiver, Receiver, Receiver]

Page 8: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Anycast

Point-to-point flow of packets between a single client and the “nearest” destination server identified by an anycast address.

Client sends packets to any one of several possible servers offering a particular service or application but does not really care which one.

A single anycast address is assigned to one or more servers contained within an anycast group.

Sends packets to an anycast server by placing the anycast address in the packet header.

Routers attempt to deliver the packet to a server with the matching anycast address.

Page 9: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Anycast

Page 10: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Multicast Security

Must maintain security of transmission, while allowing users to join or leave the multicast session

New members into the session should not be able to decrypt earlier transmissions, nor should ex-members be able to decrypt later transmissions

We need a system of changing keys, while assuring ourselves that all legitimate members are able to transmit and receive to/from all other legitimate members

Page 11: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Vulnerabilities of Multicast

Multicast suffers from increased vulnerability due to:

Sessions are frequently advertised

Greater number of points of vulnerability

Attack affects a broader base of people

Attacker can pose as a legitimate user more easily (larger “crowd” of principals)

Page 12: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Anycast Security

Similar issues as in multicast security and more!

Unauthenticated server advertisements

Anycast server authenticity

Secure anycast communications

Connection and SA migration – For fault-tolerance

Page 13: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

What does ‘security’ need to provide?

Authentication: Verify the user is who he says he is

Authorization: Only admit those with proper authorization into the group

Integrity

Group members maintain privacy from those not in the group

System must be scalable

Page 14: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Gothic

Multicast group access control (MGAC): Control the ability of hosts to join a multicast group

Anycast server group access control (ASGAC): Control the ability of a host to advertise itself for the anycast address

MGAC + ASGAC = GAC = GOTHIC

Page 15: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Design Goals

Maintain Security

Scalable System

Low overhead on Routers

Low message overhead

Low support infrastructure requirements

Page 16: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Functions

Group policy specification: Specify group policy, authenticate host, verify group owner

Group owner ?

Access Request: Notify wish to become member

Access Control: Receive request, authorize

Page 17: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Gothic Architecture

Group Policy Management System (GPMS) = Specify group policy

Group Member Authorization System (GMAS) = Access request + Access control

Page 18: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

GPMS

Group owner provides list of authorized members and the security policy to access control server (ACS)

Problem – How to verify that host is a group owner?

Solution – Group Owner determination and Authentication System (GODAS)

Page 19: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

GMAS

Perform authorization before host is allowed to become member

Authorization protocol

Reauthorizations and Revocations

Page 20: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Authorization Protocol

Host H, Router R, Access Control Server (ACS)

Assume H & ACS possess public key pairs or certificates

$K^{+}_{H}$, $K^{+}_{ACS}$: public keys

$K^{-}_{H}$, $K^{-}_{ACS}$: private keys

$CERT_{K^{+}_{X}}$: certificate with public key $K^{+}_{X}$

$[message]_{K^{-}_{X}}$: digitally signed message

Page 21: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Authorization Protocol

1. $H \rightarrow ACS$: $AR = [GID, CERT_{K^{+}_{H}}]_{K^{-}_{H}}$

2. $ACS \rightarrow H$: $AA = CAP = [IP_{H}, DN_{H}, GID, T_{exp}, CERT_{K^{+}_{ACS}}]_{K^{-}_{ACS}}$

3. $H \rightarrow R$: $JR = CAP$

4. $R \rightarrow H$: $JA = Status$
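
An added example, not taken from the paper or the slides: the four-message exchange above in Go, showing the router accepting a join only when the capability carries a valid ACS signature, matches the group and host address, and has not reached T_exp. Ed25519, JSON bodies, the DN field in the request, the policy map standing in for certificate validation, and all names and sample values are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

type (
	// AccessRequest is the AR body; DN is an assumed field used to find K+H.
	AccessRequest struct{ GID, DN string }
	// Capability carries the CAP fields: IP_H, DN_H, GID, T_exp (Unix seconds).
	Capability struct {
		IP, DN, GID string
		Exp         int64
	}
	// Signed is a JSON body plus an Ed25519 signature over it (both assumed): [message] K-X.
	Signed struct{ Body, Sig []byte }
	// ACS holds K-ACS and the policy GID -> DN -> host key (stands in for CERT K+H).
	ACS struct {
		Priv   ed25519.PrivateKey
		Policy map[string]map[string]ed25519.PublicKey
	}
)

// Request builds step 1: AR signed with the host's private key K-H.
func Request(hostPriv ed25519.PrivateKey, gid, dn string) Signed {
	body, _ := json.Marshal(AccessRequest{gid, dn})
	return Signed{body, ed25519.Sign(hostPriv, body)}
}

// Authorize is step 2: check AR against the policy, return CAP signed with K-ACS.
func (a *ACS) Authorize(ar Signed, srcIP string, now, ttl int64) (Signed, error) {
	var r AccessRequest
	err := json.Unmarshal(ar.Body, &r)
	pub, ok := a.Policy[r.GID][r.DN]
	if err != nil || !ok || !ed25519.Verify(pub, ar.Body, ar.Sig) {
		return Signed{}, errors.New("access request denied")
	}
	body, _ := json.Marshal(Capability{srcIP, r.DN, r.GID, now + ttl})
	return Signed{body, ed25519.Sign(a.Priv, body)}, nil
}

// RouterJoin is steps 3-4: check JR = CAP with the ACS key; nil is an accepting JA.
func RouterJoin(acsPub ed25519.PublicKey, jr Signed, srcIP, gid string, now int64) error {
	var c Capability
	if !ed25519.Verify(acsPub, jr.Body, jr.Sig) || json.Unmarshal(jr.Body, &c) != nil {
		return errors.New("capability not issued by the ACS")
	}
	switch {
	case c.GID != gid || c.IP != srcIP:
		return errors.New("capability issued for a different group or host address")
	case now >= c.Exp:
		return errors.New("capability expired, reauthorization required")
	}
	return nil
}

// demo runs the exchange on constructed values and returns the four outcomes.
func demo() (join, moved, expired, outsider error) {
	acsPub, acsPriv, _ := ed25519.GenerateKey(rand.Reader)
	hPub, hPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, xPriv, _ := ed25519.GenerateKey(rand.Reader) // key of a host not in the policy
	const gid, dn, ip = "227.12.33.2", "cn=hostH", "192.0.2.10"
	acs := &ACS{acsPriv, map[string]map[string]ed25519.PublicKey{gid: {dn: hPub}}}
	cap1, _ := acs.Authorize(Request(hPriv, gid, dn), ip, 1000, 300)
	_, outsider = acs.Authorize(Request(xPriv, gid, dn), "192.0.2.66", 1000, 300)
	return RouterJoin(acsPub, cap1, ip, gid, 1100), RouterJoin(acsPub, cap1, "192.0.2.66", gid, 1100),
		RouterJoin(acsPub, cap1, ip, gid, 1300), outsider
}

func main() { fmt.Println(demo()) }
```

The router needs only the ACS public key, so it keeps no per-host access list and makes no round trip to the ACS when a host joins.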

Page 22: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Reauthorizations and Revocations

Protocol uses time-limited capabilities for revocation

Members refresh their membership state

Problem – Refreshing state heavyweight

Solution – Extend lifetime of capabilities

Drawback – Weakens Security

Tradeoff reauthorization overhead and security

Page 23: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Reauthorizations and Revocations

Ideal – Small revocation window and low reauthorization overhead

Proposed Method

Host uses the group key as the authenticator

Requires router to possess group key

Page 24: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Group Policy Management System

This system involves a group owner providing the list of authorized members and possibly other security policy for the group to the ACS.

How does the system verify that a particular host is the group owner?

Two solutions are proposed that provide group owner determination and authentication.

Page 25: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Group owner certificates

Similar to traditional digital certificates.

The group owner certificate can be issued by a local certificate authority (CA).

Page 26: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Group ownership service

This service is a query/reply protocol based service.

It accepts queries specifying a particular group address and responds with the identity of the host that owns the group.

Page 27: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Group owner determination and authentication in multicast environments

Multicast Address Allocation Architecture (MAAA).

Source-Specific Multicast (SSM).

GLOP

Session Announcement Protocol (SAP)/Session Description Protocol (SDP).

Page 28: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Group owner determination and authentication in anycast environments

IP Anycast.

Global IP Anycast.

Application-Layer Anycast.

Page 29: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Group Access Control Aware GKM

How does the existence of a group access control system change the requirements of group key management (GKM)?

How does Gothic integrate with the multicast routing system?

The group access control aware group key management (GACA-GKM) technique leverages the existence of a group access control system to substantially reduce overhead.

Page 30: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Gothic and Routing System

A trusted router correctly authorizes all join requests according to the protocol.

An untrusted router is a router that may accept unauthorized join requests or forward fake or unauthorized join requests.

Scope of trust extends from the source to the multicast tree and is bordered by trusted routers.

Trusted subtree is a subtree of the multicast tree rooted at a trusted router.

Page 31: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

GACA-GKM

GKM focuses on the dynamic group problem. When a member joins or leaves, the group key must be changed so that the new member cannot decrypt past content or the former member cannot decrypt future content.

With group access control in place, the host cannot receive the encrypted content before it is a member. There are similar implications for a member leave. So, there is no need to rekey the group.

But if a new member, host A, is on a shared broadcast link with current group member, host B, then A had access to the distribution tree before she became a member. In cases like these we need to rekey the group.

Eavesdropping in the form of wiretaps and network sniffing is also possible.

Page 32: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

GACA-GKM technique

If a host h joins multicast session G from a trusted subtree that has previously been part of the multicast tree for session G, then a rekey must occur.

If a host h leaves multicast session G from a trusted subtree that will remain part of the multicast tree for session G, then a rekey must occur.

Otherwise, there is no need to rekey.
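
An added example, not from the paper or the slides: the three-part rule above applied to a constructed join/leave trace, counted against traditional GKM, which rekeys on every join and leave. The type and function names, the trusted routers r1 and r2, and the assumption that a trusted subtree is on the multicast tree exactly while it has at least one member are all choices of this example.

```go
package main

import "fmt"

// Event is one membership change seen by the group key controller.
// Subtree names the trusted subtree (by its trusted router) the host sits behind.
type Event struct {
	Host, Subtree string
	Join          bool
}

// Controller keeps, per trusted subtree, the current member count and whether
// the subtree has ever been on the multicast tree for this session.
// Assumption: a subtree is on the tree exactly while it has at least one member.
type Controller struct {
	members map[string]int
	wasOn   map[string]bool
}

// NewController returns a controller for a session with no members yet.
func NewController() *Controller {
	return &Controller{map[string]int{}, map[string]bool{}}
}

// Handle applies the GACA-GKM rule to one event and reports whether it forces a rekey.
func (c *Controller) Handle(e Event) bool {
	if e.Join {
		// A subtree that was on the tree before may already have seen ciphertext.
		rekey := c.wasOn[e.Subtree]
		c.members[e.Subtree]++
		c.wasOn[e.Subtree] = true
		return rekey
	}
	if c.members[e.Subtree] == 0 {
		return false // leave without a matching join: nothing to revoke
	}
	c.members[e.Subtree]--
	// A subtree that stays on the tree keeps delivering ciphertext to the leaver's link.
	return c.members[e.Subtree] > 0
}

// CountRekeys replays a trace and returns the rekeys under GACA-GKM and under
// traditional GKM, which rekeys on every join and leave.
func CountRekeys(trace []Event) (gaca, traditional int) {
	c := NewController()
	for _, e := range trace {
		if c.Handle(e) {
			gaca++
		}
		traditional++
	}
	return gaca, traditional
}

// sampleTrace is constructed for this example; r1 and r2 are hypothetical trusted routers.
var sampleTrace = []Event{
	{"A", "r1", true},  // first member behind r1: no rekey
	{"B", "r1", true},  // r1 already on the tree: rekey
	{"C", "r2", true},  // first member behind r2: no rekey
	{"B", "r1", false}, // r1 stays on the tree (A remains): rekey
	{"A", "r1", false}, // r1 is pruned: no rekey
	{"C", "r2", false}, // r2 is pruned: no rekey
	{"D", "r1", true},  // r1 was on the tree earlier: rekey
}

func main() {
	g, t := CountRekeys(sampleTrace)
	fmt.Printf("GACA-GKM rekeys: %d, traditional GKM rekeys: %d\n", g, t)
}
```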

Page 33: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Related Work

Hardjono and Cain.

They present a method for delivering keys to enable IGMP authentication.

The authorization server provides capability-like access tokens to group members and access control list (ACL)-like token lists to routers.

Two vulnerabilities identified.

Replay attacks, and

Malicious users can cause the router to accept fake access tokens since issuer signature is not verified by router.

Ballardie and Crowcroft.

They present a version of IGMP that allows receivers to be authorized before joining the group.

The architecture has authorization servers that possess ACLs distributed by an initiator.

Two vulnerabilities identified.

An unauthorized user can obtain an authorization stamp by authenticating as itself, but then providing the spoofed address of an authorized user.

An unauthorized user can cause the AS to accept an invalid authorization stamp.

Page 34: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Evaluation

Gothic evaluation examines the efficiency of Gothic in terms of message overhead and computational overhead.

The evaluation is done in multicast environment.

GACA-GKM evaluation shows the reduced message overhead compared to traditional GKM.

Page 35: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Evaluation

To simulate the performance of these schemes, they used data collected by the Mlisten tool over several days for the Mbone multicast of the space shuttle mission STS-80 November 1996.

The session has a duration of 13 days and over 1600 join requests.

This figure shows the group membership over the length of the session.

Page 36: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Gothic Evaluation

This figure shows the total network overhead at all last hop routers involved in the system.

This figure shows the overall network overhead.

Page 37: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Gothic Evaluation

This figure shows the total network overhead at all group members.

This figure shows the cumulative network overhead at the ACS.

Page 38: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Gothic Evaluation

This figure shows the computational overhead of the three schemes at the router in terms of processing time.

The computational overhead of Gothic is an order of magnitude less than that of the other scheme. So the Gothic authorization system achieved its goal of reducing the computational overhead at the router.

Page 39: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

GACA-GKM Evaluation

In addition to the session trace they also used a trace from a simulated multicast group. This allows simulating the performance for a range of trusted subtree sizes.

The simulated multicast group model has the following parameters:

The pool of potential receivers has 65536 receivers. Each receiver joins and leaves the group independently.

The ratio of active to inactive duration of individuals is 1:10, so the average group size is approximately 5958 during steady state.

The length of the group session is 100 τ.

Page 40: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

GACA-GKM Evaluation

This figure shows the results for the actual mlisten trace data.

Page 41: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

GACA-GKM Evaluation

This figure shows the simulated trace results.

This shows performance in terms of GKM message overhead at the group key controller.

Page 42: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Conclusion

This paper has generalized the secure multicast group join and secure anycast server advertisement problems into a single group access control problem and proposed a framework that includes a group member authorization system and a group policy management system.

Proposed Gothic, a secure and scalable group access control architecture based on this framework.

Presented a novel authorization system that improves the scalability and security over previous solutions.

Identified the need for group owner determination and authentication and proposed two approaches to achieve this.

Page 43: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Conclusion (Contd.)

The discussion of group access control was presented in the context of many flavors of multicast and anycast including global IP-anycast, application-layer anycast, source-specific multicast, and application-layer multicast.

Suggested that group key management schemes can leverage group access control systems to reduce the overhead involved in GKM.

Presented the GACA-GKM technique and presented evaluation results that show the performance improvements.

Future work remains in further integrating group access control, group key management, and content distribution.

Page 44: Gothic : A Group Access Control Architecture for Secure Multicast and Anycast

Thank you.

Happy Thanksgiving!!