
Introduction

 

Fault-tolerant, scalable, and reliable communication services have become critical in modern computing. An important trend is to convert traditional centralized services (e.g., file sharing, authentication, web, and mail) into distributed services spread across multiple systems and networks. Many of these newly distributed and other inherently collaborative applications (e.g., conferencing, white-boards, shared instruments, and command-and-control systems) need secure communication. However, experience shows that security mechanisms for collaborative, dynamic peer groups tend to be both expensive and unexpectedly complex. Note that dynamic peer groups are different from non-collaborative, centrally managed, one-to-many broadcast groups such as those encountered in Internet multicast.

Although peer groups tend to be relatively small, group members may be spread throughout the Internet and must be able to deal with arbitrary partitions due to network failures, congestion, and hostile attacks. In essence, a group can be split into a number of disconnected partitions each of which must persist and function as an independent and secure peer group.

Security requirements of collaborative peer groups present interesting research challenges. Key management, as the cornerstone of most other security services, presents the initial and formidable obstacle. Although centralized key management might initially appear attractive, it is inherently unsuitable for dynamic peer groups. The reasons are as follows.

First, centralization violates the peer nature of the group by concentrating all key generation in a single point, hence centralizing trust and replacing key agreement with key distribution. Second, a centralized key server becomes both a single point of failure and an attractive attack target. Of course, a key server can be sufficiently replicated and fortified to address these issues. However, we claim that it is very costly (if not altogether impossible) to guarantee the availability of a key server in any and all possible partitions of a network; thus, each group member must be prepared to become a key server. This raises a policy issue regarding the criteria for selecting a member to act as a key server. Furthermore, each new key server needs to establish a pairwise secure channel with every other group member in order to distribute keys. This can become prohibitively expensive.

For the above reasons, we focus on contributory key agreement. In this work, we unify two important trends in group key management: 1) the use of so-called key trees to efficiently compute and update group keys and 2) the use of group Diffie-Hellman key exchange to achieve provably secure and fully distributed protocols. This yields a secure, surprisingly simple and efficient key management solution. Moreover, the resulting protocol suite is inherently robust by virtue of being able to cope with cascaded (nested) key management operations which can stem from tightly spaced group membership changes. We believe this to be an issue of independent interest.

The rest of this paper is organized as follows. Section 2 introduces our notation and terminology. Section 3 explains our assumptions and requirements of the reliable group communication system, while Section 4 introduces the cryptographic requirements of our group key agreement protocol. The actual protocols are described in Section 5 and refinements are discussed in Section 6. Section 7 treats the security, complexity, and implementation issues. The paper concludes with a summary of previous and related work in Section 8.



Adrian Perrig
Fri Sep 1 21:02:14 PDT 2000