Key bundles and parcels: Secure communication in many groups

  • 372 views
Uploaded on

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
372
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
2
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Computer Networks 50 (2006) 1781–1798 www.elsevier.com/locate/comnet Key bundles and parcels: Secure communication in many groups Eunjin Jung *, Alex X. Liu, Mohamed G. Gouda Department of Computer Sciences, The University of Texas at Austin, 1 University Station C0500, Austin, TX 78712, United States Received 30 March 2005; received in revised form 22 July 2005; accepted 28 July 2005 Available online 31 August 2005 Responsible Editor: D. Frincke Abstract We consider a system where each user is in one or more elementary groups. In this system, arbitrary groups of users can be specified using the operations of union, intersection, and complement over the elementary groups in the system. Each elementary group in the system is provided with a security key that is known only to the users in the elementary group and to the system server. Thus, for any user u to securely multicast a data item d to every user in an arbitrary group G, u first forwards d to the system server which encrypts it using the keys of the elementary groups that comprise G before multicasting the encrypted d to every user in G. Every elementary group is also provided with a key tree to ensure that the cost of changing the key of the elementary group, when a user leaves the group, is small. In [E. Jung, A.X. Liu, M.G. Gouda, Key bundles and parcels: secure communication in many groups, in: LNCS 2816, Group Com- munications and Charges, 2003], we introduced two methods for packing the key trees of elementary groups into key bundles and into key parcels. We also showed that packing into key bundles has the advantage of reducing the number of encryptions needed to multicast a data item to the complement of an elementary group, while packing into key par- cels has the advantage of reducing the total number of keys in the system. In this paper, we present more details of key bundles and parcels: the algorithms that construct key bundles and parcels, and more simulation results comparing key bundles and parcels. We also discuss how to reconfigure key bundles and parcels when the user joins or leaves different elementary groups and how to balance the load among multiple servers. Ó 2005 Elsevier B.V. All rights reserved. Keywords: Security; Network security; Group communication; Multicast; Key tree * Corresponding author. Tel.: +1 512 471 9532; fax: +1 512 471 8885. E-mail addresses: ejung@cs.utexas.edu (E. Jung), alex@cs.utexas.edu (A.X. Liu), gouda@cs.utexas.edu (M.G. Gouda). 1389-1286/$ - see front matter Ó 2005 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet.2005.07.013
  • 2. 1782 E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1. Introduction This scheme is based on a distributed data structure called a key tree. A key tree is a directed, We consider a system that consists of n users incoming, rooted, balanced tree where each node denoted ui, 0 6 i < n. The system users share one represents a key. The root of the tree represents security key, called the system key. Each user ui the system key and each leaf node represents the can use the system key to encrypt any data item individual key of a system user. The number of leaf before sending it to any subset of the system users, nodes is n, which is the number of users in the sys- and can use it to decrypt any data item after tem. Each user knows all the keys on the directed receiving it from any other system user. (Examples path from its individual key to the root of the tree, of such systems are secure multicast systems [1–4], and the server knows all the keys in the key tree. secure peer-to-peer systems [5], and secure wireless Thus, in a binary key tree, each user knows networks [6].) d log2 ne + 1 keys, and the server knows (2n À 1) When a user ui leaves the system, the system key keys. needs to be changed so that ui can no longer An example of a key tree for a system of eight decrypt the encrypted data item exchanged within users is depicted in Fig. 1(a). The root of the key the system. This requires to add a server S to the tree represents the system key K01234567 that is system and to provide each system user uj with known to all users in the system. Each user also an individual key Kj that only user uj and server knows all the keys on the directed path from its S know. When a user ui leaves the system, server individual key to the root of the key tree. For S changes the system key and sends the new key example, user u7 knows all the keys K7, K67, to each user uj, other than ui, encrypted using its K4567, and K01234567. individual key Kj. The cost of this rekeying Fig. 1(a) and (b) illustrates the protocol for scheme, measured by the number of needed updating the system key when user u7 leaves the encryptions, is O(n), where n is the number of users system. In this case, the system server S is required in the system. to change the keys K01234567, K4567, and K67 that Clearly, this solution does not scale when the user u7 knows. To update these keys, S selects number of users become large. More efficient new keys K0123456(7), K456(7), and K6(7), encrypts rekeying schemes have been proposed in [7–14]. them, and sends them to the users that need to A particular efficient rekeying scheme [3,4,12] is know them. To ensure that u7 cannot get a copy shown to cost merely O(log n) encryptions. This of the new keys, S needs to encrypt the new keys scheme is extended in [15–17], and is shown to be using keys that u7 does not know. Therefore, S optimal in [18]. encrypts the new K0123456(7) with the old K0123, system key K 01234567 K 0123456(7) u 7 leaves K 0123 K4567 K 0123 K456(7) K 01 K 23 K 45 K 67 K 01 K23 K45 K6(7) K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6 individual keys (a) (b) Fig. 1. A binary key tree before and after u7 leaves.
  • 3. E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1783 encrypts the new K0123456(7) and the new K456(7) subset of the system users and one elementary with the old K45, encrypts the new K0123456(7), the group has all the system users. Every elementary new K456(7), and the new K6(7) with K6. Then, S group has a unique identifier Gj, 0 6 j 6 m À 1. multicasts the encrypted keys to the corresponding The identifier for the elementary group that has holders of these keys. The protocol can be speci- all users is G0. As an example, Fig. 2 illustrates a fied as follows: system that has eight users u0 through u7 and five S ! u0 ; ...; u6 : fu0 ;u1 ;u2 ;u3 g; K 0123 hK 0123456ð7Þ jchki; elementary groups G0, G1, G2, G3, and G4. S ! u0 ; ...; u6 : fu4 ;u5 g; K 45 hK 0123456ð7Þ jK 456ð7Þ jchki; The system needs to be designed such that any user ui can securely multicast data items to all S ! u0 ; ...; u6 : fu6 g; K 6 hK 0123456ð7Þ jK 456ð7Þ jK 6ð7Þ jchki. users in any elementary group Gj. Moreover, any This protocol consists of three steps. In each step, user ui can securely multicast data items to all server S broadcasts a message consisting of two users in any group, where a group is defined recur- fields to every user in the system. The first field de- sively according to the following four rules: fines the set of the intended ultimate destinations of the message. The second field is an encryption, 1. Any of the elementary groups G0, . . . , GmÀ1 is a using an old key, of the concatenation of the group. new key(s) and the checksum chk computed over 2. The union of any two groups is a group. the new key(s). Note that although the broadcast 3. The intersection of any two groups is a group. message is sent to every user in the system, only 4. The complement of any group is a group. (Note users in the specified destination set have the key that the complement of any group G is the set of used in encrypting the message and so only they all users in G0 that are not in G.) can decrypt the message. The above system architecture is based on the Thus, the set of groups is closed under the three assumption that the system users constitute a single operations of union, intersection, and group. In our previous work and this paper, we complement. extend this architecture to the case where the sys- Each group can be defined by a group formula tem users form many groups. In [19], we introduced that includes the following symbols. two methods for packing the key trees of elemen- tary groups into key bundles and into key parcels. • G0 through GmÀ1, We also showed that packing into key bundles has • _ for union, the advantage of reducing the number of encryp- • ^ for intersection, tions needed to multicast a data item to the comple- • : for complement. ment of an elementary group, while packing into key parcels has the advantage of reducing the total number of keys in the system. In this paper, we present more details of key bundles and parcels: G0 the algorithms that construct key bundles and par- G3 cels, and more simulation results comparing key G1 u2 u4 bundles and parcels. We also discuss how to recon- figure key bundles and parcels when the user joins u3 u5 or leaves different elementary groups and how to G2 balance the load among multiple servers. u0 u1 G4 u7 2. Groups and group algebra u6 Assume that the system has m, m P 1, elemen- tary groups: each elementary group is a distinct Fig. 2. A sample system.
  • 4. 1784 E. Jung et al. / Computer Networks 50 (2006) 1781–1798 Group formulae can be manipulated using the As a second example, consider a student regis- well-known laws of algebra: associativity, commu- tration system in some university. This system tativity, distribution, De Morgan’s, and so on. For has m elementary groups G0 through GmÀ1, where example, the group formula each Gi is a list of the students registered in one course section. A professor who is teaching three G1 _ :ð:G2 ^ G1 Þ sections G5, G6, G7 of the same course, may wish can be manipulated as follows: to securely multicast any information related to the course to all the students in the group G1 _ :ð:G2 ^ G1 Þ G 5 _ G 6 _ G 7. ¼ fby De Morgan’sg G1 _ ð::G2 _ :G1 Þ As a third example, we consider the following ¼ fby associativity of _g G1 _ ::G2 _ :G1 military scenario. There are three overlapping reg- ¼ fby definition of complementg G1 _ G2 _ :G1 iments, G1, G2 and G3, in a battle field. The general commander of these regiments gets the informa- ¼ fby commutativity of _g G1 _ :G1 _ G2 tion that some soldiers in regiment G3 cannot be ¼ fby definition of complementg G0 _ G2 trusted. In this case, he might want to inform the ¼ fby definition of _g G0 . soldiers in G1 and G2, but not in G3, that the mes- sages from G3 should not be trusted. Therefore, he From this formula manipulation, it follows that can multicast this message to all the soldiers in the the group defined by the formula G1 _ : regiment ðG1 _ G2Þ ^ :G3. ð:G2 ^ G1 Þ is the set of all system users. Thus, for a user ui to securely multicast a data item d to every user in the group G1 _ :ð:G2 ^ G1 Þ, it is 3. Key bundles sufficient for ui to securely broadcast d to every user in the system. The above problem suggests the following sim- In the rest of this paper, we consider solutions ple solution (which we show below that it is inef- for the following problem. How to design the sys- fective). First, assign to each elementary group Gj tem so that any system user ui can securely multi- a security key to be shared by all the users of Gj. cast data items to any group G in the system. Any Second, assign to the complement :Gj of each ele- reasonable solution for this problem needs to take mentary group Gj a security key to be shared by into account that the users can leave any elemen- every member of this complement. Third, provide tary group in the system or leave the system alto- a key tree for each elementary group and another gether, and these activities may require to change key tree for its complement. Note that the two key the security keys associated with the elementary trees provided for an elementary group and its groups from which users leave. In particular, the complement span all the users in the system. Thus, solution should utilize key trees, discussed in Sec- these two trees can be combined into one complete tion 1, that can reduce the cost of changing the key tree that spans all system users in the system. security keys from O(n) to O(log n), where n is Fig. 3 shows the four complete key trees that are the total number of users in the system. This prob- provided for the four elementary groups and their lem is also discussed in [20]. complements in the system in Fig. 2. The above problem has many applications. As a From Fig. 3(a), the key for the elementary first example, consider a cable TV broadcasting group G1 is K0123 and the key for its complement system that has four packages: Basic, Standard, is K4567. From Fig. 3(b), the key for the elementary Cinema, and Sports. When the cable TV provider group G2 is K01 and the key for its complement is wants only users who subscribe both Standard K234567. From Fig. 3(c), the key for the elementary and Sports packages to be able to watch Super group G3 is K2345, and the key fro its complement Bowl game, then the provider securely multicasts is K0167. From Fig. 3(d), the key for the elementary the game to all users in the group, Standard ^ group G4 is K67, and the key for its complement is Sports. K012345.
  • 5. E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1785 G0 K01234567 G0 K01234567 K234567 G2 G1 K0123 K4567 G1 K2345 K01 K23 K45 K67 G2 K 01 K23 K45 K67 K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6 K7 (a) (b) G0 K01234567 G0 K01234567 G3 K2345 K0167 G3 G4 K012345 K0123 K01 K23 K45 K67 K01 K23 K45 K67 G4 K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6 K7 (c) (d) Fig. 3. The complete key trees for the elementary groups and their complements: (a) Groups G0 ; G1 ; :G1 ; (b) Groups G0 ; G2 ; :G2 ; (c) Groups G0 ; G3 ; :G3 ; (d) Groups G0 ; G4 ; :G4 . Note that these complete trees have the same G1 and G2 are non-conflicting since G1 is a subset key for group G0, and the same individual key of G0, and G2 is a subset of G1. On the other hand, for each user. Nevertheless, the total number of the two elementary groups G1 and G3 are conflict- distinct keys in these complete trees is 19, which ing, because they share two users u2 and u3 and is relatively large for this rather simple system. In neither group is a subset of the other. general, this method requires O(mn) keys, where A bundle of a system is a maximal set of non- m is the number of elementary groups and n is conflicting elementary groups of the system. In the number of users in the system. the system example in Fig. 2, the four elementary To reduce the total number of needed keys, sev- groups G0, G1, G2, G4 constitute one bundle B0, eral elementary groups can be added to the same and the four elementary groups G0, G2, G3, G4 complete key tree, provided that these elementary constitute a second bundle B1. groups are ‘‘non-conflicting’’. This idea suggests A bundle cover of a system is a set the following three definitions of non-conflicting {B0, . . . , BmÀ1} of system bundles such that the elementary groups, bundles, and bundle covers. following two conditions hold: Two elementary groups are non-conflicting if and only if either their intersection is empty or 1. Completeness: Each elementary group of the one of them is a subset of the other. In the system system appears in some bundle Bi in the bundle example in Fig. 2, the three elementary groups G0, cover.
  • 6. 1786 E. Jung et al. / Computer Networks 50 (2006) 1781–1798 2. Compactness: Each bundle Bi has at least one 15 distinct keys compared with the 19 distinct keys elementary group that does not appear in any in the four complete trees in Fig. 3. This represents other bundle Bj in the bundle cover. more than 20% reduction in the total number of keys in the server. Note that the set {B0, B1}, where B0 = {G0, G1, The system server S knows the two key bundles G2, G4} and B1={G0, G2, G3, G4}, is a bundle cover in Fig. 4, and each user ui knows only the keys that for the system in Fig. 2. exist on the paths from its individual key Ki to the The security keys for the elementary groups in a key of group G0. Thus, each user ui needs to col- bundle can be arranged in a complete key tree. For laborate with the system server S in order to example, Fig. 4(a) shows the complete key tree for securely multicast data items to any elementary B0. In this tree, the key for group G0 is K01234567, group or any group that can be defined by inter- the key for group G1 is K0123, the key for G2 is section, union, and complement of elementary K01, and the key for G4 is K67. Note that users u4 groups. This point is illustrated by the following and u5 in G0 do not belong to any other elementary four examples. group in the bundle, and so they are viewed as For the first example, assume that user u0 wants forming a complement group C0 whose key is to securely multicast a data item d to every user in K45. We refer to a complete key tree that corre- group G4. In this case, user u0 can execute the sponds to a bundle as a key bundle. following protocol: Fig. 4(b) shows the complete key bundle for B1. Note that in this bundle every user in G0 is also in u0 ! S : K 0 hdjG4 jchki; another elementary group. Thus, the resulting S ! u0 ; . . . ; u7 : G4 ; K 67 hdju0 jchki. complete key tree does not have a complement group as in the former key tree in Fig. 4(a). This protocol consists of two steps. In the first step, Comparing the two key bundles in Figs. 4(a) user u0 sends a message K0hdjG4jchki to server S. and (b), one observes that each of the elementary This message consists of three concatenated fields, groups G0, G2, and G4 appear in both key bundles namely the data item d, its intended destination G4, because none of them conflict with any elementary and the checksum chk; the message is encrypted by group or any group in the system. One also the individual key K0 of user u0. In the second step, observes that each of these groups has the same server S multicasts the message G4, K67hdju0jchki group key in both key bundles, and that the indi- where the second field consists of the data item d, vidual key of each user is the same in both key the message source u0, and the checksum chk and bundles. Note that these key bundles have only is encrypted with the group key of G4. G0 K 01234567 G0 K 01234567 G1 K 0123 G3 K 2345 G2 K 01 K 23 C1 K 45 C0 K 67 G4 G2 K 01 K 23 K 45 K 67 G4 K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6 K7 (a) (b) Fig. 4. The complete key trees for the two bundles B0 and B1: (a) B0 = {G0, G1, G2, G4} and (b) B1 = {G0, G2, G3, G4}.
  • 7. E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1787 For the second example, assume user u1 wants After server S receives this message, it translates to securely multicast a data item d to the users in :G1 to C0 _ G4 then multicasts the message either group G1 or G3, namely the users in the C0 _ G4, K45hdju5jchki, K67hdju5jchki. The users union of G1 and G3. In this case, user u1 can in group C0 can get d using the group key K45, execute the following protocol: and the users in group G4 can get d using the group key K67. u1 ! S : K 1 hdjG1 _ G3 jchki. S ! u0 ; . . . ; u7 : G1 _ G3 ; K 0123 hdju1 jchki; K 2345 hdju1 jchki. 4. Construction of key bundles In the second step of this protocol, server S multi- In this section, we describe a procedure that can casts the message G1 _ G3, K0123hdju1jchki, be used by the server of a system to construct and K2345hdju1jchki to the two groups G1 and G3. maintain key bundles for that system. This proce- The users in group G1 can get d by using the group dure consists of two algorithms. The first algo- key K0123 to decrypt K0123hdju1jchki and the users rithm, presented in Section 4.1, constructs a in group G3 can get d by using the group key K2345 bundle cover for the given system. The second to decrypt K2345hdju1jchki. Note that if it is u2 who algorithm, presented in Section 4.2, computes a wants to send d to G1 _ G3, then since u2 belongs complete key tree (i.e. a key bundle) for each bun- to both G1 and G3, u2 already knows both K0123 dle in the bundle cover constructed by the first and K2345. Therefore, u2 can send the encrypted d algorithm. directly to the users in G1 and G3 as follows: u2 ! u0 ; . . . ; u7 : G1 _ G3 ; K 0123 hdju2 jchki; 4.1. Algorithm for bundle cover construction K 2345 hdju2 jchki. This algorithm takes any given system with m For the third example, assume that user u4 wants elementary groups G0, . . . , GmÀ1 and constructs a to send a data item d to all the users in the intersec- bundle cover {B0, . . . , BrÀ1} for the given system, tion of G1 and G3. In this case, user u4 can execute where r 6 m. the following protocol. In this algorithm, the given system is repre- u4 ! S : K 4 hdjG1 ^ G3 jchki. sented by a m · m boolean matrix C, where each element C[i][j] is defined as follows: S ! u0 ; . . . ; u7 : G1 ^ G3 ; K 0123 hK 2345 hdju4 jchkii.  false if Gi Gj ¼ ; or Gi & Gj or Gj & Gi ; In the second step of this protocol, server S multi- C½iŠ½jŠ ¼ true otherwise. casts a message G1 ^ G3, K0123hK2345hdju4jchkii to the group G1 ^ G3. Here the concatenation of d, u4 The algorithm starts with m empty bundles, and chk is encrypted by both the group key of G1, B0, . . . , BmÀ1. Then the algorithm proceeds to add which is K0123, and the group key of G3, which is elementary groups of the given system to the bun- K2345. The encrypted message can only be de- dles, one by one, until each elementary group is crypted by the users that are in both G1 and G3 be- added to at least one bundle. Finally, the algo- cause only these users know the two group keys rithm keeps the bundles B0, . . . , BrÀ1 that have ele- K0123 and K2345. mentary groups and discards the remaining empty For the fourth example, assume that user u5 bundles Br, . . . , BmÀ1. wants to send a data item d to all the users in The algorithm uses an array added [0 . . . m À 1] the complement of group G1. In this case, user u5 of m integers, where added[j] records the number executes the following protocol: of bundles that the elementary group Gj is added to. We call added[j] the counter of the elementary u5 ! S : K 5 hdj:G1 jchki. group Gj. Initially, the counter of every elementary S ! u0 ; ... ;u7 : C 0 _ G4 ; K 45 hdju5 jchki;K 67 hdju5 jchki. group is zero. Whenever an elementary group Gj is
  • 8. 1788 E. Jung et al. / Computer Networks 50 (2006) 1781–1798 added to a bundle, its counter added[j] is incre- B0 ¼ fG0 ; G1 ; G2 ; G4 g; mented by one. B1 ¼ fG0 ; G2 ; G3 ; G4 g. The bundle construction algorithm is specified in Algorithm 1. Note that Lines 7 and 12 in this Consider a system with six elementary groups algorithm call a boolean function NOCON- G0, . . . , G5. Assume that G0 conflicts with G1, G2. FLICT(Br, Gy). This function is specified in As this algorithm computes a bundle cover with Algorithm 2. O(m3) time complexity, note that computing a bundle cover with minimum number of bundles Algorithm 1. Bundle cover construction algorithm is NP-Complete. The proof is in Theorem 1. 1: r :¼ 0; Theorem 1. Given a system with elementary 2: for x = 0 to m À 1 groups, computing a bundle cover of the system 3: if added[x] > 0 then goto line 2; with the minimum number of bundles is NP- 4: Br :¼ Br [ {Gx}; Complete. 5: added[x] :¼ 1; 6: for y = (x + 1) to m À 1 Proof. The proof consists of two parts. The first 7: if added[y] = 0 and NOCONFLICT part shows that there is a polynomial algorithm (Br, Gy) that verifies whether a set of bundles is a bundle 8: then Br :¼ Br [ {Gy}; cover or not. The second part shows that a well- 9: added[y] :¼ 1 known NP-Complete problem, Vertex Coloring, 10: endfor; can be reduced into computing a bundle cover 11: for y = 0 to (m À 1) with minimum number of bundles in polynomial 12: if NOCONFLICT(Br, Gy) time. The Vertex Coloring problem is defined as 13: then Br :¼ Br [ {Gy}; follows: given a graph G = (V, E), each vertex is 14: added[y] :¼ added[y] + 1 assigned with a color such that no adjacent vertices 15: endfor; are in the same color. Finding an assignment with 16: r :¼ r + 1 minimum number of colors is NP-Complete. 17: endfor; Part 1: Given a set of bundles, we can verify 18: discard the empty bundles Br, . . . , BmÀ1; whether the set is a bundle cover or not in 19: discard each bundle in which the counter polynomial time. For each elementary group, find of each elementary group is greater than 1 a bundle it belongs to. If there is any elementary group that does not belong to any bundle, the set of bundles is not a bundle cover. This step takes Algorithm 2. Function NOCONFLICT O(mr), where m is the number of elementary groups, and r is the number of bundles. To be a Function NOCONFLICT(Br, Gy):boolean bundle cover, each bundle has to have at least one var flag: boolean elementary group that conflicts with some elemen- 1: flag :¼ true; tary group in every other bundle. Compute the 2: for every Gx in Br conflict matrix C[i][j] as described in Section 4, and 3: if C[x][y] then compute the conflicts between bundles according 4: flag :¼ false; to the matrix. We can verify all these conflicts in 5: goto line 6; O(m2 + r2) steps. 6: endfor Part 2: Given a graph G = (V, E), construct a 7: return flag system SG as follows: for each node u in V, add an elementary group Gu to SG. For each edge (u, v) in As an example, if this algorithm is applied to E, add a user useruv to both elementary groups Gu the system in Fig. 2, the algorithm constructs the and Gv in SG so that these elementary groups bundle cover {B0, B1}, where conflict with each other. Assume that we have the
  • 9. E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1789 bundle cover B0, B1, . . . , BrÀ1 of the system SG with The algorithm for constructing a complete key the minimum number of bundles. tree T for a given bundle B is shown below. First, we show that we can color the vertices The child relation between elementary groups is with r colors. Let r colors to be C0, C1, . . . , CrÀ1. computed once for all group pairs, using a new For each elementary group Gu in Bi, color the conflict matrix F. F is defined as follows: vertex u in G with color Ci. (For an elementary  true if Gi & Gj ; group Gu that is in many bundles, choose the F ½iŠ½jŠ ¼ false otherwise. smallest i of Bi can color with Ci. In fact, we can The new conflict matrix F takes O(mn) to compute, choose any i and the proof still holds.) The system and it takes O(m3) to compute isChild, the child SG is constructed so that for any two adjacent relationship matrix between all pairs of elementary nodes u and v in G, the corresponding elemen- groups. tary groups Gu and Gv conflict in SG, so they cannot be in the same bundle. Therefore, no two Algorithm 3. Key Bundle Construction Algorithm adjacent nodes in G can be colored with the same color. 1: for each elementary group Gx in B Second, we will show that r is the minimum 2: add a node Kx to T; number of colors we need to use for coloring G, by 3: for each elementary group Gx in B contradiction. Assume the minimum number of 4: for each elementary group Gy in B colors needed to color vertices in G be k, where 5: if is Child(x, y) k < r. Let the k colors used in vertex coloring be 6: then add an edge (Gx, Gy) to T; C0, C1, . . . , CkÀ1. For each color Ci, create a bundle 7: for each elementary group Gx in B B0i , and for each node u with the color Ci, assign the 8: if there is an edge (Gy, Gx) in T elementary group Gu to B0i . Add all the non- 9: then conflicting elementary groups to each bundle B0i for 10: add all users in Gx that are not in any maximality. The set of bundles B0i is a bundle cover, child elementary group of Gx to Cy; because each elementary group Gu is in some B0i 11: add a node KCy to T; (each node u in G is colored with some color Ci), 12: add an edge (KCy, Kx) to T; and each bundle B0i has an elementary group that is 13: else not in any other bundle (there is at least one node u 14: add a key tree rooted at Kx whose that is colored with Ci). Now we have a bundle leaves are labeled with cover with k bundles, where k < r. This contradicts the individual keys of the users in the to the assumption that the bundle cover elementary group Gx; B0, B1, . . . , BrÀ1 is with the minimum number of 15: for each complement node KCx in T bundles. 16: add a key tree rooted at KCx whose Therefore, finding a bundle cover with mini- leaves are labeled with mum number of bundles is NP-Complete. h the individual keys of the users in the elementary group Cx; 4.2. Algorithm for key bundle construction 8 Next we describe an algorithm that takes as > true if Gi & Gj ; and no Gx satisfies < input any bundle B in the bundle cover, con- isChild½iŠ½jŠ ¼ Gi & Gx & Gj ; > : structed by the above algorithm, and computes a false otherwise. complete key tree for B. The following definition of a child is needed in stating our algorithm. The complexity of this algorithm is O(m2 + mn). Let B be a bundle and let G and G 0 be two dis- The worst case is when this bundle includes all m tinct elementary groups in B. Then, G 0 is a child of elementary groups. The first loop in lines 1–2 takes G if and only if G 0 & G and B has no elementary O(m) as there can be as many as m elementary group G00 such that G 0 & G00 & G. groups in a bundle. The second loop in lines 3–6
  • 10. 1790 E. Jung et al. / Computer Networks 50 (2006) 1781–1798 takes O(m2). In the third loop in lines 7–14, there hand, the disadvantage is that the number of keys could be at most n users in Gx in the key tree needed in each key bundle is relatively large, and rooted at Kx. Therefore, the third loop takes so the total number of keys in the server is rela- O(mn). The last loop again takes O(mn), since tively large. (In the simulation results below shown there could be at most n À 1 users in the comple- in Fig. 7 in Section 7, we show that the number of ment group Cx. In total, the complexity of this keys in a system with key bundles is far greater algorithm is O(m2 + mn). than that with key parcels.) As an example, if this algorithm is applied to The disadvantage of bundle maximality out- the system in Fig. 2, the algorithm constructs the weighs its advantage in systems where users never key bundle shown in Fig. 4. need to securely multicast data items to the com- plements of elementary groups. Therefore, in these systems, we use ‘‘parcels’’, which are not maximal, 5. Key parcels instead of bundles, which are maximal. The defini- tions of parcels and parcel covers are given next. A bundle is defined as a maximal set of non- A parcel of a system is a set of non-conflicting conflicting elementary groups in the system. From elementary groups of the system. this definition the elementary group G0 is in every A parcel cover of a system is a sequence of par- bundle since it does not conflict with any other ele- cels (P0, . . . , PsÀ1) such that the following two con- mentary group in the system. Thus, every key bun- ditions hold: dle is a complete key tree. This feature of bundle maximality has one 1. Completeness: Each elementary group of the advantage and one disadvantage. The advantage system appears in some parcel Pi in the parcel is that the complement of any elementary group cover. in a bundle Bj can be expressed as the union of 2. Compactness: Each elementary group in each some other elementary groups in Bj. Thus, securely parcel Pi conflicts with at least one elementary multicasting a data item to the complement of any group in each of the preceding parcels elementary group can be carried out efficiently. (In P0, . . . , PiÀ1 in the parcel cover. the simulation results below shown in Fig. 9 in Section 7, we show that the average number of As an example, a parcel cover for the system in encryptions required for a complement of an ele- Fig. 2 is (P0, P1), where P0 = {G0, G1, G2, G4} and mentary group in a system with key bundles is P1 = {G3}. Fig. 5 is a parcel cover (P0, P1) for the much less than that with key parcels.) On the other system in Fig. 2. Fig. 5. The complete key trees for the parcel cover: (a) P0 = {G0, G1, G2, G4} and (b) P1 = {G3}.
  • 11. E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1791 The security keys for the elementary groups in a The complexity of this parcel cover construc- parcel can be arranged in a key tree that is not nec- tion algorithm is O(m3), but in general the com- essarily a complete tree. Fig. 5(a) shows the key plexity of computing a parcel cover for a given tree for parcel P0 consisting of the elementary system with the minimum number of parcels is groups G0, G1, G2, and G4. Fig. 5(b) shows the NP-Complete. The proof is given in Theorem 2. key tree for parcel P1 consisting of the elementary group G3. Note that the key tree for parcel P1 is Theorem 2. Given a system with elementary not a complete tree. We refer to a key tree that groups, computing a parcel cover of the system with corresponds to a parcel as a key parcel. the minimum number of parcels is NP-Complete. Proof. The proof consists of two parts. The first 6. Construction of key parcels part shows that there is a polynomial algorithm that verifies whether a set of parcels is a parcel In this section, we describe a procedure that can cover or not. The second part shows that a well- be used by the server of a system to construct and known NP-Complete problem, Vertex Coloring, maintain key parcels for that system. This proce- can be reduced into computing a parcel cover with dure consists of two algorithms. minimum number of parcels in polynomial time. The first algorithm constructs a parcel cover for The Vertex Coloring problem is defined as follows: any given system. This algorithm takes any given given a graph G = (V, E), each vertex is assigned system with m elementary groups G0, . . . , GmÀ1 with a color such that no adjacent vertices are in and constructs a parcel cover (P0, . . . , PsÀ1) for the same color. Finding an assignment with mini- the given system, s 6 m. This parcel cover con- mum number of colors is NP-Complete. struction algorithm uses the same data structures Part 1: Given a set of parcels, we can verify and the same NOCONFLICT function used in whether the set is a parcel cover or not in the bundle cover construction algorithm in Algo- polynomial time. For each elementary group, find rithm 2. The parcel cover construction algorithm a parcel it belongs to. If there is any elementary is shown in Algorithm 4. group that does not belong to any parcel, the set of Note that the array added used in Algorithm 4 parcels is not a parcel cover. This step takes O(ms), is actually a boolean array. The value of added[x] where m is the number of elementary groups, and s for each elementary group Gx is either 0 or 1, is the number of parcels. To be a parcel cover, each where 0 means it is not assigned to any parcel parcel has to have at least one elementary group yet and 1 means it is assigned to some parcel. that conflicts with some elementary group in every Algorithm 4 Parcel Cover Construction algorithm other parcel. Compute the conflict matrix C[i][j] as described in Section 6, and compute the conflicts 1: s :¼ 0; between parcels according to the matrix. We can 2: for x = 0 to m À 1 verify all these conflicts in O(m2 + s2) steps. 3: if added[x] > 0 then goto line 2; Part 2: Given a graph G = (V, E), construct a 4: Ps :¼ Ps [ {Gx}; system SG as follows: for each node u in V, add an 5: added[x] :¼ 1; elementary group Gu to SG. For each edge (u, v) in 6: for y = (x + 1) to m À 1 E, add a user useruv to both elementary groups Gu 7: if added[y] = 0 and NOCONFLICT and Gv in SG so that these elementary groups (Ps, Gy) conflict with each other. Assume that we have the 8: then Ps :¼ Ps [ {Gy}; parcel cover P0, P1, . . . , PsÀ1 of the system SG with 9: added[y] :¼ 1 minimum number of parcels. 10: endfor; First, we show that we can color the vertices 11: s :¼ s + 1 with s colors. Let s colors to be C0, C1, . . . , CsÀ1. 12: endfor; For each elementary group Gu in Pi, color the 13: discard the empty parcels Ps, . . . , PmÀ1 vertex u in G with color Ci. The system SG is
  • 12. 1792 E. Jung et al. / Computer Networks 50 (2006) 1781–1798 constructed so that for any two adjacent nodes u that join significantly more elementary groups and v in G, the corresponding elementary groups than the average. Each elementary group that u Gu and Gv conflict in SG, so they cannot be in the joins is chosen randomly among all the elementary same parcel. Therefore, no two adjacent nodes in groups from uniform distribution. In our simula- G can be colored with the same color. tion shown in Figs. 6–9, we used a class of syn- Second, we will show that s is the minimum thetic systems with the following properties: number of colors we need to use for coloring G, by contradiction. Assume the minimum number of 1. The number of users in each system varies from colors needed to color vertices in G be k, where 1000 to 10 000. k < s. Let the k colors used in vertex coloring be 2. Each system has 500 elementary groups. C0, C1, . . . , CkÀ1. For each color Ci, create a parcel 3. In each system, a user joins 2 elementary groups P 0i , and for each node u with the color Ci, assign on average. the elementary group Gu to P 0i . By the definition of vertex coloring, no two adjacent nodes are colored Each system is simulated 100 times. The aver- with the same color. This set of parcels P 0i is a ages of the following four items are computed over parcel cover: Each elementary group Gu belongs to at least to one parcel, since each vertex u in G is colored with some color. Also, each parcel has at 7 least one elementary group that was not in the preceding parcels, since for each color Ci, at least 6 number of bundles/parcels one vertex is colored with Ci and with no other 5 color. Now we have a set of parcels with k parcels, where k < s. This contradicts to the assumption 4 that the parcel cover P0, P1, . . . , PsÀ1 is with the 3 minimum number of parcels. 2 Therefore, finding a parcel cover with minimum number of parcels is NP-Complete. h 1 bundles parcels The second algorithm computes a key tree (i.e. 0 0 2 4 6 8 10 a key parcel) for each parcel in the parcel cover number of users (in 1000s) constructed by the first algorithm. This algorithm is exactly the same as the one presented in Section Fig. 6. Number of bundles or parcels. 4.2. 7. Simulation results 90 bundles # of keys in the server (in 1000s) 80 parcels In this section, we present the results of simula- 70 tions that we carried out to demonstrate the feasi- 60 bility of key bundles and key parcels. The 50 simulation is written in Java. For each system, 40 we decide the number of users, the number of ele- mentary groups, and the average number of ele- 30 mentary groups that each user joins. For the 20 given average number of elementary groups c, we 10 generate a random number ku from Poisson distri- 0 0 2 4 6 8 10 bution for each user u, and user u joins ku elemen- number of users (in 1000s) tary groups. The reason that we use Poisson distribution is to simulate the effect of a few users Fig. 7. Number of keys in the server.
  • 13. E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1793 14 the number of keys in the case of key bundles bundles parcels grows much faster in the case of key parcels. This 12 is because each key bundle is a complete key tree avg # of keys per user 10 while each key parcel is not necessarily complete. 8 As shown in Fig. 8, the number of keys that each user needs to store increases as a logarithm 6 function with the number of users in the system. 4 Fig. 9 shows how many encryptions are needed per complement of an elementary group when the 2 Key Bundle or the Key Parcel approach is used. 0 The Key Bundle approach shows better perfor- 0 2 4 6 8 10 mance than the Key Parcel approach, and the dif- number of users (in 1000s) ference becomes greater as the number of users Fig. 8. Number of keys per user. increases. The number of encryptions in the Key Bundle approach decreases as the number of users increases, while that in the Key Parcel approach 8 increases linearly as the number of users increases. bundles The following two paragraphs explain why. 7 parcels When the Key Bundle approach is used, the # of enc per compl in 1000s 6 average number of encryptions performed for a 5 complement of an elementary group decreases as the number of users increases (the actual number 4 is from around 500 to 400). As the number of users 3 increases, the probability of two groups’ conflict- 2 ing increases. Therefore, the average number of 1 groups can be put in a bundle decreases. Since we use the keys of other groups in the same bundle 0 1 2 3 4 5 6 7 8 9 10 that contains an elementary group to encrypt for number of users (in 1000s) the complement of the elementary group (for Fig. 9. Number of encryptions per complement. example, we use K01 and K67 for :G3 in Fig. 4), the number of encryptions decreases as the number of users increases. the 100 simulation runs for each system: the num- On the other hand, the number of encryptions ber of bundles or parcels in the system cover, the for a complement performed in the Key Parcel total number of keys in the server, the number of approach linearly increases as the number of users keys per user, and the number of encryptions grows. It is because that in the Key Parcel needed to multicast a data item to the users in approach, we use the individual keys of users that the complement of an elementary group. The are not in any elementary group in the same par- results of these simulations are shown in Figs. 6–9. cel. For example, to securely multicast to :G3 in As shown in Fig. 6, the number of bundles in a Fig. 5, we need to use the individual keys of bundle cover more or less equals the number of K0, K1, K6, K7. As the number of users increases, parcels in a parcel cover. Note that this number the probability of two groups’ conflicting increases logarithmically as the number of users increases, so the average number of groups in a in the simulated system grows. parcel decreases. Therefore, as the number of users As shown in Fig. 7, the number of keys in sys- increases, we need to use more individual keys to tems that use key bundles and the number of keys encrypt for a complement. in systems that use key parcels grow linearly as the We also ran simulations with the following number of users in the system increases. However, parameters.
  • 14. 1794 E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1. The number of users in each system is 5000. more conflicts between elementary groups exist, 2. Each system has 500 elementary groups. so the number of bundles or parcels increases. 3. In each system, the average number of elemen- As shown in Fig. 11, the number of keys in serv- tary groups each user joins varies from 2 to 2.8. ers that use key bundles and the number of keys in servers that use key parcels grow linearly as the Each system is simulated 100 times. The aver- average number of elementary groups each user ages of the following two items are computed over joins in the system increases. However, the number the 100 simulation runs for each system: the num- of keys in the case of key bundles grows much fas- ber of bundles or parcels in the system cover and ter in the case of key parcels. This is the same ten- the total number of keys in the server. The results dency with Fig. 7 where the number of users in the of these simulations are shown in Figs. 10 and 11. system varies. As shown in Fig. 10, the number of bundles in a bundle cover more or less equals the number of parcels in a parcel cover. As the average number 8. Bundle/parcel cover reconfiguration of elementary groups each user joins increases, We have shown how to construct a bundle/ parcel cover for a system with elementary groups. As we discussed in Section 2, users in this system 8 can join or leave any elementary group in the sys- 7 tem, or leave the system altogether, and these number of bundles/parcels activities may require to change the security keys 6 associated with the elementary groups which users 5 join or leave. In this section, we discuss how to 4 handle these changes. Handling join and leave 3 operations does not differ either in a system based on key bundles or in a system based on key 2 parcels, so the following discussion is based on 1 bundles key parcels. parcels 0 When a user u joins an elementary group G in a 1.8 2 2.2 2.4 2.6 2.8 3 parcel P, this join operation may render G to con- group density flict with other elementary groups in P. Also, when Fig. 10. Number of bundles or parcels. a user u leaves an elementary group G in a parcel P, this leave operation may render G to conflict with its child group, or not to conflict with some 50 elementary groups in other parcels. We do not bundles expect that the parcel cover of the system will be # of keys in the server (in 1000s) 45 parcels 40 reconfigured for a certain period, say a year or 35 six months, according to the nature of the applica- 30 tion. During this period, the changes in conflicts 25 will be handled tentatively. 20 Join operations can be handled by assigning 15 additional individual keys to the joining users. If 10 user ui, who is already in a group Gj, joins another 5 group G0j in the same parcel P, then the two groups 0 Gj and G0j become conflicting and should be 1.8 2 2.2 2.4 2.6 2.8 3 assigned to different parcels. Instead of recomput- group density ing a new parcel cover for the system, when user ui, Fig. 11. Number of keys in the server. who is already in group Gj, joins group G0j , another
  • 15. E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1795 user u0i joins G0j instead of ui. In this case a new tecture can be presented where multiple key and individual key is assigned to user u0i (although the multicast servers are deployed in a system that two users ui and u0i in fact correspond to the same use key bundles). physical user). The net effect of this solution is that the two groups Gj and G0j are still not conflicting 9.1. Architecture and can remain in the same parcel P. The conflict will be resolved when the current period expires Consider a system that has been partitioned and the parcel cover is recomputed. into a parcel cover (P0, . . . , PsÀ1), as described in For the leave operations, we assume that it is Section 6. In this case, s key servers, okay for leaving users to be able to understand KS0, . . . , KSsÀ1, are deployed such that each key the communications until the current period server KSk maintains the keys in parcel Pk. expires and the parcel cover is recomputed. In fact, When a user ui leaves a group Gj in parcel Pk this is what happens in many subscription-based then only key server KSk needs to update a small services. Even if users specify their intentions to number of keys in its parcel of Pk and to inform leave any service or the whole system altogether the other users in Gj. (The updated keys are multi- in the middle of pre-defined period, they can still cast to the other users in Gj according to the key receive the service until the current subscription tree algorithm [4].) Similarly, when a user ui joins period expires. a group Gj in parcel Pk then only the key server KSk needs to update a number of keys in its parcel and to inform the other users in Gj. 9. Server distribution The multicast servers know individual keys of all users and group keys of all groups in the sys- So far, we have presented the server as if it were tem. Thus whenever key server KSk updates the a single entity in the system. In fact, the server does keys of its parcel Pk, KSk securely multicast the not have to be a single entity. In this section, we updated group keys in its parcel to all the multicast present a way to distribute the functionality of servers in the system. the server among several servers. As explained earlier, the server has two tasks: 9.2. Convergence 1. Key Management: The server generates new At an ideal state of this system, each key K in keys when a user joins or leaves a group, and each key parcel is known to user ui if and only if distributes the newly generated keys to the either K is the individual key of ui or ui is a descen- appropriate set of users. dant of node K in the key parcel. Such a system is 2. Secure Multicast: If a user does not know guaranteed to converge to an ideal state provided appropriate group keys to secure its message, its initial state is ideal. it has to encrypt the message using its individual When a user ui leaves a group Gj in a parcel Pk, key and forward it to the server. The server then the key server KSk needs to update the keys that decrypts the message using the individual key of are on the path from the individual key Ki to the the user, encrypts the message using the appro- group key GKj in the parcel. Now some keys of priate group keys, and multicasts the message the parcel have been updated and the updated keys to the ultimate destination. are not known to all the users that need to know them, so this state is not ideal. Key server KSk uses We deploy two types of servers to perform these the key distribution protocol in [4] to distribute the two tasks: key servers to perform key management updated keys. The key distribution protocol and multicast servers to perform secure multicast. ensures that only the users that are descendants In the following we present an architecture where of a key K can acquire the updated key K 0 . After multiple key and multicast servers are deployed the key distribution is completed, the system is in in a system that use key parcels. (A similar archi- an ideal state.
  • 16. 1796 E. Jung et al. / Computer Networks 50 (2006) 1781–1798 Similar argument can be given for the case and key parcels provides a reasonable perfor- when user ui joins a group Gj in a parcel Pk. User mance to the whole system. The number of keys ui has individual key Ki shared with the servers. stored per user in the case of key bundles is 12 The system is not in an ideal state until user ui for 10 000 user system, while that in the case of acquires all the keys on the path from Ki to GKj key parcels is 5. Instead, the number of encryp- in the key parcel. Key server KSk uses the key dis- tions needed for a complement in the case of key tribution protocol in [4] to transmit keys, and after bundles is far less than that in the case of key par- the key transmission is finished the system is in an cels as shown in Fig. 9. ideal state. Key bundles and key parcels are two extremes So far, we have only discussed how to use key in the spectrum of solutions supporting secure servers to store each key parcel. These key servers group communication in many groups. Key bun- can be implemented using the protocol in [4], but dles put emphasis on supporting complement of also can be implemented using the technique in an elementary group with relatively large number [13,21]. of keys in the system, while key parcels save the number of keys in the system but in result cannot support complement of an elementary group with- 10. Conclusion out considerably far more number of encryptions. As a future work, we would like to find a hybrid We consider a system where each user is in one between these two methods, which needs less num- or more elementary groups. In this system, arbi- ber of keys in the system than in the case of key trary groups of users can be specified using the bundles and at the same time supports comple- operations of union, intersection, and complement ment of an elementary group with less number of over the elementary groups in the system. Each encryptions than in the case of key parcels. elementary group in the system is provided with We are also interested in conducting a case a security key that is known only to the users in study of these methods in a real world application. the elementary group and to the system server. The case study includes to define appropriate Thus, for any user u to securely multicast a data scopes of elementary groups and to maintain key item d to every user in an arbitrary group G, u first bundles or key parcels accordingly. As a typical forwards d to the system server which encrypts it application of secure group communication, a using the keys of the elementary groups that com- peer-to-peer knowledge sharing system can take prise G before multicasting the encrypted d to advantage of these methods. An elementary group every user in G. Every elementary group is also will represent an access control list for a specific provided with a key tree to ensure that the cost domain of knowledge. Using key bundles or key of changing the key of the elementary group, when parcels, users may securely communicate with a user leaves the group, is small. We describe two any set of users according to the needs at the given methods for packing the key trees of elementary time. For example, any two taskforces in a com- groups into key bundles and into key parcels. pany may merge temporarily for a current task. Packing into key bundles has the advantage of They do not have to change their security keys, reducing number of encryptions needed to multi- nor need to initialize a new security domain. Still, cast a data item to the complement of an elemen- the users in two taskforces can securely communi- tary group. Packing into key parcels has the cate with one another. advantage of reducing the total number of keys As described in Section 3, if the sender of mes- in the system. We apply these two methods to a sage m does not know the keys required to encrypt class of synthetic systems: each system has from m appropriately, the system server has to encrypt 1000 to 10 000 users and 500 elementary groups, m and multicast. This requirement for the server’s and a user in each system is in 2 elementary groups help may cause performance bottleneck at the ser- on average. Simulations of these systems show that ver. To reduce the workload of the system server, our proposal to pack key trees into key bundles we have discussed in Section 9 how multiple serv-
  • 17. E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1797 ers may be placed and coordinated to work in a [15] M.G. Gouda, C.-T. Huang, E. Elnozahy, Key trees and the distributed manner. Moreover, rekeying does not security of the interval multicast, in: 22nd International Conference on Distributed Computing Systems need to occur for every single join/leave. In [16], (ICDCS’02), 2002, pp. 467–468. batch rekeying showed favorable performance. [16] X.S. Li, Y.R. Yang, M.G. Gouda, S.S. Lam, Batch Also exposure-oriented rekeying in [22] can be rekeying for secure group communications, in: The Tenth used to trigger rekeying process. International World Wide Web Conference on World Wide Web, ACM Press, 2001. [17] Y.R. Yang, X.S. Li, X.B. Zhang, S.S. Lam, Reliable group rekeying: a performance analysis, in: Proceedings of the References 2001 Conference on Applications, Technologies, Architec- tures, and Protocols for Computer Communications, ACM [1] L. Gong, Enclaves: enabling secure collaboration over the Press, 2001. Internet, IEEE Journal of Selected Areas in Communica- [18] J. Snoeyink, S. Suri, G. Varghese, A lower bound for tions 15 (3) (1997) 567–575. multicast key distribution, in: IEEE INFOCOM 2001, [2] S. Mittra, Iolus: a framework for scalable secure multi- 2001. casting, in: Proceedings of the ACM SIGCOMM’97, ACM [19] E. Jung, A.X. Liu, M.G. Gouda, Key bundles and parcels: Press, 1997. secure communication in many groups, in: LNCS 2816, [3] D.M. Wallner, E.J. Harder, R.C. Agee, Key management Group Communications and Charges, 2003. for multicast: Issues and architectures, RFC 2627, 1999. [20] M.T. Goodrich, J.Z. Sun, R. Tamassia, Efficient tree-based [4] C.K. Wong, M. Gouda, S.S. Lam, Secure group commu- revocation in groups of low-state devices, in: CRYPTO’04, nications using key graphs, IEEE/ACM Transactions on 2004. Networking (TON) 8 (1) (2000) 16–30. [21] O. Rodeh, K. Birman, D. Dolev, Optimized group rekey [5] M. Steiner, G. Tsudik, M. Waidner, Key agreement in for group communication systems, in: Symposium on dynamic peer groups, IEEE Transactions on Parallel and Network and Distributed System Security, 2000. Distributed Systems 11 (8) (2000) 769–780. [22] Q. Zhang, K.L. Calvert, On rekey policies for secure group [6] L. Gong, N. Shacham, Multicast security and its extension applications, in: ICCCN, 2003. to a mobile environment, Wireless Networks 1 (3) (1995) 281–295. [7] A. Ballardie, Scalable multicast key distribution, RFC Eunjin Jung is a Ph.D candidate in the 1949, 1996. Department of Computer Sciences in [8] I. Chang, R. Engel, D.D. Kandlur, D.E. Pendarakis, D. the University of Texas at Austin. She Saha, Key management for secure internet multicast using received the BS degree in Computer boolean function minimization techniques, in: IEEE Science from Seoul National University INFOCOM 1999, vol. 2, 1999, pp. 689–698. in 1999, and the M.S. degree in Com- [9] D. Naor, M. Naor, J.B. Lotspiech, Revocation and tracing puter Sciences from the University of schemes for stateless receivers, in: CRYPTO, 2001. Texas at Austin in 2002. Her research [10] O. Rodeh, K. Birman, D. Dolev, The architecture and interests are in security in distributed performance of security protocols in the ensemble group systems. Currently she is working on communication system: using diamonds to guard the security issues in certificate systems. castle, ACM Transactions on Information and System Security (TISSEC) 4 (3) (2001) 289–319. [11] S. Setia, S. Koussih, S. Jajodia, E. Harder, Kronos: a scalable group re-keying approach for secure multicast, in: IEEE Symposium on Security and Privacy, 2000. Alex X. Liu received the B.S. degree in [12] M. Waldvogel, G. Caronni, D. Sun, N. Weiler, B. Plattner, computer sciences from Jilin Univer- The Versakey framework: versatile group key manage- sity, China, in 1996. He received the ment, IEEE Journal on Selected Areas in Communications M.S. degree in computer sciences from 17 (9) (1999) 1614–1631. the University of Texas at Austin in [13] P.P. Lee, J.C.S. Lui, D.K. Yau, Distributed collaborative 2002, where he is currently working key agreement protocols for dynamic peer groups, in: toward a Ph.D. degree in computer ICNP, 2002. sciences. He won the 2004 IEEE&IFIP [14] S.S. Kulkarni, B. Bruhadeshwar, Reducing the cost of William C. Carter Award, the 2004 the critical path in secure multicast for dynamic groups, National Outstanding Oversea Stu- in: Proceedings of the 22nd International Conference dents Award sponsored by the Minis- on Distributed Computing Systems Workshops try of Education of China, and the 2005 George H. Mitchell (ICDCSW’02), 2002. Award for Excellence in Graduate Research in The University
  • 18. 1798 E. Jung et al. / Computer Networks 50 (2006) 1781–1798 of Texas at Austin. His research interests include network the Journal of High Speed Networks. He was the program security, computer security, networks protocols, and distributed committee chairman of ACM SIGCOMM Symposium in 1989. systems. He was the first program committee chairman of IEEE Inter- national Conference on Network Protocols in 1993. He was the first program committee chairman of IEEE Symposium on Mohamed G. Gouda was born in Egypt. Advances in Computers and Communications, which was held His first B.Sc. was in Engineering and in Egypt in 1995. He was the program committee chairman of his second was in Mathematics; both IEEE International Conference on Distributed Computing are from Cairo University. Later, he Systems in 1999. He is on the steering committee of the IEEE obtained M.A. in Mathematics from International Conference on Network Protocols and on the York University and Masters and steering committee of the Symposium on Self-Stabilizing Sys- Ph.D. in Computer Science from the tems, and was a member of the Austin Tuesday Afternoon Club University of Waterloo. He worked for from 1984 till 2001. Prof. Gouda is the author of the textbook the Honeywell Corporate Technology ‘‘Elements of Network Protocol Design’’, published by John- Center in Minneapolis 1977–1980. In Wiley & Sons in 1998. This is the first ever textbook where 1980, he joined the University of Texas network protocols are presented in an abstract and formal set- at Austin where he currently holds the Mike A. Myers Centen- ting. He coauthored, with Tommy M. McGuire, the monograph nial Professorship in Computer Sciences. He spent one summer ‘‘The Austin Protocol Compiler’’, published by Springer in at Bell labs in Murray Hill, one summer at MCC in Austin, and 2005. He also coauthored, with Chin-Tser Huang, the mono- one winter at the Eindhoven Technical University in the Neth- graph ‘‘Hop Integrity in the Internet’’, to be published by erlands. His research areas are distributed and concurrent Springer in 2006. Prof. Gouda is the 1993 winner of the Kuwait computing and network protocols. In these areas, he has been Award in Basic Sciences. He was the recipient of an IBM Fac- working on abstraction, formality, correctness, nondetermin- ulty Partnership Award for the academic year 2000–2001 and ism, atomicity, reliability, security, convergence, and stabiliza- again for the academic year 2001–2002 and became a Fellow of tion. He has published over sixty journal papers, and over eighty the IBM Center for Advanced Studies in Austin in 2002. He won conference and wokshop papers. He supervised Nineteen Ph.D. the 2001 IEEE Communication Society William R. Bennet Best Dissertations. Four of his former Ph.D. students are now Full Paper Award for his paper ‘‘Secure Group Communications Professors at the University of Colorado at Colorado Springs, Using Key Graphs’’, coauthored with C.K. Wong and S.S. Lam the University of California at Santa Barbara, the University of and published in the February 2000 issue of the IEEE/ACM North Carolina at Chapel Hill, and the Ohio State University. Transactions on Networking (Volume 8, Number 1, Pages 16– Another six of his former Ph.D. students are now Associate and 30). In 2004, his paper ‘‘Diverse Firewall Design’’, coauthored Assistant Professors in the United States of America. Prof. with Alex X. Liu and published in the proceedings of the Gouda was the founding Editor-in-Chief of the Springer-Verlag International Conference on Dependable Systems and Net- journal Distributed Computing 1985–1989. He served on the works, won the William C. Carter Award. More detailed editorial board of Information Sciences 1996–1999, and he is information about the career of Prof. Gouda can be found on his currently on the editorial boards of Distributed Computing and website http://www.cs.utexas.edu/users/gouda