Internet Engineering Task Force Thomas Hardjono (VeriSign) INTERNET-DRAFT Brian Weis (Cisco) draft-ietf-msec-arch-00.txt Expires May 2003 November 2002 The Multicast Security (MSEC) Architecture Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document provides a foundation for the protocols developed by the Multicast Security (MSEC) group. The document begins by introducing a Reference Framework, and proceeds to identify functional areas which must be addressed as part of a secure multicast solution. Hardjono, Weis Expires May, 2003 1 MSEC Architecture October, 2002 Table of Contents 1. Introduction.......................................................2 1.1 Summary of Contents of Document.................................2 1.2 Audience........................................................3 1.3 Related Documents...............................................3 2. Architectural Design: The MSEC Reference Framework.................4 2.1 A Reference Framework...........................................4 2.2 Elements of the Reference Framework.............................5 2.2.1 Group Controller and Key Server.............................5 2.2.2 Sender and Receiver.........................................6 2.2.3 Policy Server...............................................6 2.2.4 Centralized and Distributed Designs.........................7 3. Functional Areas...................................................7 3.1 Multicast Data..................................................7 3.2 Management of Keying Material...................................8 3.3 Multicast Security Policies.....................................8 4. Group Security Associations (GSA).................................10 4.1 SAs and Multicast..............................................10 4.1 Structure of a GSA: Reasoning..................................11 5. Security Services.................................................14 5.2.1 Multicast Data Confidentiality.............................14 5.2.2 Multicast Source Authentication and Data Integrity.........15 5.2.3. Multicast Group Authentication............................15 5.2.4 Multicast Group Membership Management......................16 5.2.5 Multicast Key Management...................................16 5.2.6 Multicast Policy Management................................17 6. MSEC Documents Roadmap............................................18 7. Conclusion........................................................19 8. Acknowledgments...................................................19 9. References........................................................19 9.1 Normative References...........................................19 9.2 Informative References.........................................20 Authors Addresses....................................................21 1. Introduction Securing IP multicast communication is a complex task that involves many aspects. Consequently, a secure IP multicast protocol suite must have a number of functional areas that address different aspects of the problem. This document describes those functional areas, and protocols which have been developed which fit into those component areas. 1.1 Summary of Contents of Document Hardjono, Weis Expires May, 2003 2 MSEC Architecture October, 2002 This document provides an architectural overview of the work being conducted in the MSEC Working Group. It provides a Reference Framework for covering the scope of the problems in multicast security, and explains the elements of the Reference Framework. The Reference Framework, in turn, provides the division of labor along three Functional Areas pertaining to security. These cover the treatment of data from a security perspective when it is to be sent to a group, the management of keying material used to protect the data and the policies governing a group. Another important item in this document is the definition and explanation of Group Security Associations (GSA), which is the multicast counterpart of the unicast Security Association (SA). The GSA is specific to multicast security, and is the foundation of the work on group key management. 1.2 Audience This document is addressed to the technical community and implementers of IP multicast security technology others interested in gaining a general background understanding of multicast security. This document assumes that the reader is familiar with the Internet Protocol, the IPsec suite of protocols (e.g. IPsec, IKE, ISAKMP), related networking technology, and general security terms and concepts. 1.3 Related Documents Other documents provide detailed explanations of the Functional Areas within the MSEC Reference Framework. These include the following set of documents: a. "Group Key Management Architecture" document [BCDL] -- a document that provides the key management architecture for multicast security, building on the Group Security Association (GSA) concept defined in the current document. b. "Group Domain of Interpretation" [BHHW] and "GSAKMP Light" [HSC], which are two instances of protocols implementing the group key management function. c. "Multicast Encapsulating Security Payload" [BCCR], which provides the definition for Multicast ESP, for data traffic. d. "Multicast Source Authentication Transform Specification" [PCW], which defines the use of the TESLA algorithm for source authentication in multicast. Hardjono, Weis Expires May, 2003 3 MSEC Architecture October, 2002 2. Architectural Design: The MSEC Reference Framework This section considers the complex problems of multicast security in the context of a heuristic device, the Reference Framework diagram, shown in Figure 1. The Reference Framework is used to classify functional areas, functional elements, and interfaces. 2.1 A Reference Framework Based on the three broad functional areas, a reference framework is proposed (Figure 1). The reference framework attempts to incorporate the main entities and functions relating to multicast security, and to depict the inter-relations among them. At the same time, it also tries to express the complex multicast security question from the perspective of problem classification (i.e., the three functional areas), from the perspective of architectures (centralized distributed), of multicast types (1-to-M or M-to-N), and protocols (the exchanged messages). The aim of the reference framework is to provide some general context within which functional areas can be identified and classified and the relationships among the functional areas can be recognized. Note that some issues span more than one so-called functional area. In fact, the framework encourages the precise identification and formulation of issues that involve more than one functional area or those which are difficult to express in terms of a single functional area. An example of such a case is the expression of policies concerning group keys, which involves both the functional areas of group key management and multicast policies. When considering the reference framework (Figure 1) it is important to realize that the singular "boxes" in the framework do not necessarily imply a corresponding singular entity implementing a given function. Rather, a box in the framework should be interpreted loosely as pertaining to a given function related to a functional area. Whether that function is in reality implemented as one or more physical entities is dependent on the particular solution. As an example, the box labeled "Key Server" must be interpreted in broad terms as referring to the functions of key management. Similarly, the Reference Framework acknowledges that some implementations may in fact merge a number of the "boxes" into a single physical entity. The reference framework can be viewed horizontally and vertically. Horizontally, it displays both the entities and functions as singular boxes, expressing each of the three broad functional areas. Vertically, it expresses the basic architecture designs for solutions, namely a centralized architecture and a distributed architecture. The protocols to be standardized are depicted in Figure 1 by the arrows that connect the various boxes. See more details in Section 4, below. Hardjono, Weis Expires May, 2003 4 MSEC Architecture October, 2002 +-----------------------------------------------------------------+ | CENTRALIZED \ DISTRIBUTED | | DESIGNS \ DESIGNS | | FUNCTIONAL \ | | AREAS \ | | +------+ \ +------+ | | Multicast |Policy|<-------\------------------------>|Policy| | | Security |Server| \ |Server| | | Policies +------+ \ +------+ | | ^ \ ^ | | | \ | | | | \ | | | v \ v | | +------+ \ +------+ | | Group |Group |<-------------- \---------------> |Group | | | Key |Ctrl/ |<---------+ \ |Ctlr/ | | | Management |Key | | \ |Key | | | |Server| V \ |Server| | | +------+ +--------+ \ +------+ | | ^ | | \ ^ | | | |Receiver| \ | | | | | | | | | | v +--------+ | | | | +------+ ^ | V | | | | | | +--------+ | | Multicast |Sender|<---------+ | | | | | Data | |<--------------------- |-------->|Receiver| | | Handling | | | | | | | +------+ | +--------+ | +-----------------------------------------------------------------+ Figure 1: MSEC Reference Framework 2.2 Elements of the Reference Framework The Reference Framework diagram of Figure 1 contains boxes and arrows. The boxes are the functional entities and the arrows are the interfaces between them. Standard protocols are needed for the interfaces, which support the multicast services between the functional entities. There are three sets of functional entities in both centralized and distributed designs as discussed below. 2.2.1 Group Controller and Key Server The Group Controller and Key Server (GCKS) represent both the entity and functions relating to the issuance and management of cryptographic keys used by a multicast group, which is subject to the user-authentication and authorization checks conducted on the candidate member of the multicast group. Hardjono, Weis Expires May, 2003 5 MSEC Architecture October, 2002 In a distributed architecture the GCKS entity also interacts with other GCKS entities to achieve scalability in the key management related services. In such a case, each member of a multicast group may interact with one or more GCKS entity (say, the "nearest" GCKS entity, measured in terms of a well-defined and consistent metric). Similarly, in a distributed architecture a GCKS entity may interact with one or more Policy Servers, also arranged in a distributed architecture. We remark that the Key Server (KS) and the Group Controller (GC) have somewhat different functionality and may in principle be regarded as separate entities. Currently the framework regards the two entities as one "box" in order to simplify the design, and in order not to mandate standardization of the protocol between the KS and the GC. It is stressed that the KS and GC need NOT be co-located. Furthermore, future designs may choose to standardize the protocol between the GC and the KS, without altering other components. 2.2.2 Sender and Receiver The Sender is an entity that sends data to the multicast group. In a 1-to-N multicast group only a single sender is allowed to transmit data to the group. In an M-to-N multicast group, many (or even all) group members can transmit data to the group. Both Sender and Receiver must interact with the GCKS entity for the purpose of key management. This includes user-authentication, the obtaining of keying material in accordance with some key management policies for the group, obtaining new keys during key-updates, and obtaining other messages relating to the management of keying material and security parameters. The influence of policies on both Senders and Receivers is seen as coming indirectly through the GCKS entities, since the event of joining a multicast group is typically coupled with the Sender/Receiver obtaining keying material from a GCKS entity. This does not preclude the direct interaction between the Sender/Receiver and the Policy Server. The reference framework displays two Receiver boxes corresponding to the situation where both the Sender and Receiver employ the same GCKS entity (centralized architecture) and where the Sender and Receiver employ different GCKS entities (distributed architecture). 2.2.3 Policy Server The Policy Server represents both the entity and functions used to create and manage security policies specific to a multicast group. The Policy Server interacts with the GCKS entity in order to install and manage the security policies related to the membership of a given multicast group and those related to keying material for a multicast group. Hardjono, Weis Expires May, 2003 6 MSEC Architecture October, 2002 The interactions between the Policy Server and other entities in the reference framework is dependent to a large extent on the security circumstances being addressed by a given policy. 2.2.4 Centralized and Distributed Designs The need for solutions to be scalable to large groups across wide geographic regions of the Internet requires the elements of the framework to also function as a distributed system. This implies that a GCKS entity must be able to interact securely with other GCKS entities in a different location. Similarly, Policy Servers must interact with each other securely to allow the communication and enforcement of policies across the Internet. 3. Functional Areas In order to begin to address the problems in securing IP multicast, we identify three functional area emanating from the reference framework. The three functional area are: ¡ Multicast data handling. This area covers problems concerning the security-related treatments of multicast data by the sender and the receiver. This functional area is further discussed in Section 3.1. ¡ Group Key Management. This area is concerned with the secure distribution and refreshment of keying material. This functional area is further discussed in Section 3.2. ¡ Multicast security policies. This area covers aspects of policy in the context of multicast security, taking into consideration the fact that policies may be expressed in different ways, that they may exist at different levels in a given multicast security architecture and that they may be interpreted differently according to the context in which they are specified and implemented. This functional area is further discussed in Section 3.3. 3.1 Multicast Data In a secure multicast group, the data typically needs to be: 1. Encrypted using the group key, mainly for access control and possibly also for confidentiality. 2. Authenticated, for verifying the source and integrity of the data. Authentication takes two flavors: 2.1 Source authentication and data integrity. This functionality guarantees that the data originate with the claimed source and was not modified en route (either by a group member or an external attacker). Hardjono, Weis Expires May, 2003 7 MSEC Architecture October, 2002 2.2 Group authentication. This type of authentication only guarantees that the data was generated (or last modified) by some group member. It does not guarantee data integrity unless all group members are trusted. While multicast encryption and group authentication are fairly standard and similar to encrypting and authenticating point-to-point communication, source authentication for multicast is considerably more involved. Consequently, off-the-shelf solutions (e.g., taken from IPSec [RFC2406], TLS [RFC2246]) may be sufficient for encryption. For source authentication, however, special-purpose transformations are necessary. See [CP99] for further elaboration on the concerns regarding the data transforms, on present solutions and remaining challenges. 3.2 Management of Keying Material The term "keying material" refers to the cryptographic key belonging to a group, the state associated with the keys and the other security parameters related to the keys. Hence, the management of the cryptographic keys belonging to a group necessarily requires the management of their associated state and parameters. A number of solutions for specific problems must be addressed. These may include the following: ¡ Methods for member identification and authentication. ¡ Methods to verify the membership to groups. ¡ Methods to establish a secure channel between a GCKS entity and the member, for the purpose of delivery of shorter-term keying material pertaining to a group. ¡ Methods to establish a long-term secure channel between one GCKS entity and another, for the purpose of distributing shorter-term keying material pertaining to a group. ¡ Methods to effect the changing of keys and keying material ¡ Methods to detect and signal failures and perceived compromises to keys and keying material The needs related to the management of keying material must be seen in the context of the policies that prevail within the given circumstance. Core to the problem of key management is Security Association (SA) Management, which will be discussed further below. 3.3 Multicast Security Policies Multicast Security Policies must provide the rules for operation for the other elements of the Reference Framework. While much of the work for the Multicast Security Policy area is focused in the Policy Controller, there are potential areas for work in the application of policy at the Group Controller element and the member (sender and receiver) elements. While there is already a basis for security policy management in the IETF between the Policy Working Group and Hardjono, Weis Expires May, 2003 8 MSEC Architecture October, 2002 the IP Security Policy Working Group, multicast security policy management will extend the concepts developed for unicast communication in the areas of: ¡ Policy creation, ¡ High-level policy translation, and ¡ Policy representation. Examples of work in multicast security policies include the Dynamic Cryptographic Context Management project [Din], Group Key Management Protocol [Har1, Har2], and Antigone[McD]. Policy creation for secure multicast has several more dimensions than the single administrator specified policy assumed in the existing unicast policy frameworks. Secure multicast groups are usually large and by their very nature extend over several administrative domains, if not spanning a different domain for each user. There are several methods that need to be explored for the creation of a single, coherent group security policy. They include a top-down specification of the group policy from the group initiator and negotiation of the policy between the group members (or prospective members). Negotiation can be as simple as a strict intersection of the policies of the members or extremely complicated using weighted voting systems. High-level policy translation is much more difficult in a multicast group environment, especially when group membership spans multiple administrative domains. When policies are specified at a high level with a Policy Management tool, they must then be translated into more precise rules that the available security mechanisms can both understand and implement. When dealing with multicast communication and its multiple participants, it is essential that the individual translation performed for each participant result in the use of a mechanism that is interoperable with the results of all of the other translations. Typically, the translation from high-level policy to implementation mechanisms must result in the same mechanism in order to achieve communication between all of the group members. The requirement that policy translation results in the same mechanism places constraints on the use and representations in the high-level policies. It is also important that policy negotiation and translation be performed as an integral part of joining a group. Adding a member to a group is meaningless if they will not be able to participate in the group communications. Multicast security policies must represent, or contain, more information than a traditional peer-to-peer policy. In addition to representing the security mechanisms for the group communication, the policy must also represent the rules for the governance of the secure group. Policy must be established for the basic group operations of add and remove, as well as more advanced operations such as leave, rejoin, or resynchronize. Hardjono, Weis Expires May, 2003 9 MSEC Architecture October, 2002 4. Group Security Associations (GSA) 4.1 SAs and Multicast It is clear that the security associations (SA) for group key management are more complex, or at least more numerous, than for Internet key management [RFC2409]. The latter establishes a key management SA to protect application SAs (where a minimum of two are needed to key an Internet application process). However, group key management requires at least three: There is a registration SA between the group member and the GCKS, a rekey SA between the GCKS and all the group members, and an SA to protect application data from sender-members to receiver-members. In fact, each sender to the group may use a unique key for their data and use a separate SA: there may be more SAs than there are group senders. Group key management, therefore, uses a different set of abstractions than ISAKMP and IKE. Notwithstanding, the abstractions used in our Group Key Management functional area may be built from the ISAKMP abstractions. In our approach the Group Security Association (GSA) includes the attributes of the Internet Security Architecture SA, which is succinctly defined as the encapsulation of keys and policies [RFC2409] as follows. - An SA has selectors, such as source and destination transport addresses. - An SA has properties, such as an security parameter index (SPI) or cookie pair, and identities. - An SA has cryptographic policy, such as the algorithms, modes, key lifetimes, and key lengths used for authentication or confidentiality. - An SA has keys, such as authentication, encryption and signing keys. As is discussed in the next section of this memo, a GSA contains the SA attributes plus some additional ones. As shown in Figure 2 (a), the GSA is a superset of the SA. ¡ A GSA has group policy attributes, such as the kind of signed credential needed for group membership and whether the group will be given new keys when a member is added (called "backward re-key" below) or whether group members will be given new key when a member is removed from the group ("forward re-key"). - A GSA has SAs as attributes. Hardjono, Weis Expires May, 2003 10 MSEC Architecture October, 2002 +------------------------------------------------------------+ | | | +---------------+ +-------------------+ | | | GSA | | GSA | | | | | | +-----+ +-----+ | | | | | | | SA1 | | SA2 | | | | | +----+ | | +-----+ +-----+ | | | | | SA | | | +-----+ | | | | +----+ | | | SA3 | | | | | | | +-----+ | | | +---------------+ +-------------------+ | | | | (a) superset (b) aggregation | | | +------------------------------------------------------------+ Figure 2: Relationship of GSA to SA 4.1 Structure of a GSA: Reasoning There are three categories of SAs aggregated into a GSA in Figure 2(b). We choose this structure to better realize a GSA in our key management environment. There is a need to maintain SAs between a Key Server and a group member (either a sender, a receiver or both) and among members. The Key Server is called the "GCKS," which is charged with access control to the group keys, with policy distribution to client members or prospective members, and with group key dissemination to sender and receiver client members. This structure is common in many group key management environments [HH, CP99, RFC2627, BMS]. There are two SAs established between the GCKS and the members, and there is an SA established among the sending and receiving members as shown in Figure 3. The first category of SA (namely REG in Figure 3, for "registration SA") is initiated by the member to pull GSA information from the GCKS. This is how the member requests to join the secure group or has its GSA keys re-initialized after being disconnected from the group (e.g., when its host computer has been turned off during re-key operations as described below). The GSA information pulled down from the GCKS include the SA, keys and policy used to secure the data transmission between sending and receiving members; this is DATA in Figure 3, "for data security SA". Note that DATA is a category of SA, and this implies that there may be multiple SAs established between member senders and member receivers - at least as an option. There may exist, for example, a single DATA SA in which all senders share common keys and associated information. On the other hand, there may be one or more DATA SAs that are unique to the particular sender. A DATA SA may be reestablished or have its keys modified through re-key operations, which occur over a REKEY SA (for "rekey SA). Keys are pushed through a REKEY SA to support subscription groups. Hardjono, Weis Expires May, 2003 11 MSEC Architecture October, 2002 Thus, despite the fact that the data to be protected are multicast, registration exchanges through a REG SA should be unicast or point- to-point key determination exchanges. Some group key management solutions rely solely point-to-point. Most others combine unicast exchanges for initialization with multicast distribution for re-key. In some cases, such as in a pure "pay-per-session" application, all of the SA information needed for the session may be distributed at the time of registration or selection of a session, i.e. over a REG SA; re-key and re-initialization may not be necessary, so there is no REKEY SA. For subscription groups where keying material is changed as membership changes, a REKEY SA is needed to re-initialize a DATA SA. +------------------------------------------------------------+ | | | +------------------+ | | | GCKS | | | | | | | | REG REG | | | | / REKEY \ | | | +---/-----|----\---+ | | / | \ | | / | \ | | / | \ | | / | \ | | / | \ | | +-------------/------+ | +------\-------------+ | | | REG | | | REG | | | | REKEY-----+----REKEY | | | | MEMBER SENDER | | MEMBER RECEIVER| | | | DATA----------DATA | | | +--------------------+ +--------------------+ | | | | | +------------------------------------------------------------+ Figure 3: GSA Structure and 3 categories of SAs 4.2 Definition of GSA The GSA includes an aggregate of the three aforementioned categories of SAs. The three categories of SAs correspond to the three kinds of communications as seen from the point of view of the Receiver (Member). Figure 3 depicts this concept: - Registration (REG) SA: An SA is required for (bi-directional) unicast communications between the GCKS and a group member (be it a Sender or Receiver). This SA is established only between the GCKS and a Member. The GCKS entity is charged with access control to the group keys, with policy distribution to members (or prospective members), and with group key dissemination to Sender and Receiver members. This use of a (unicast) SA as a starting point for key management is Hardjono, Weis Expires May, 2003 12 MSEC Architecture October, 2002 common in a number of group key management environments [HH, CP99, RFC2627, BMS, Bris99]. Note that this (unicast) SA is used to protect the other elements of the GSA (such as the other following two categories of SAs), either in a "push" or "pull" model. As such, this SA is crucial and is inseparable from the other two SAs as the definition of a GSA. From the perspective of one given GCKS, there are as many unique registration SAs as there are members (Senders and/or Receivers) in the group. This may constitute a scalability concern for some applications, so a registration SA may be used on-demand whereas re-key and data security SAs are established at least for the life of the sessions that they support. - Re-key (REKEY) SA: An SA is required for the multicast transmission of key management messages (unidirectional) from the GCKS to all group members. As such, this SA is known by the GCKS and by all members of the group. This SA is not negotiated, since all the group members must share it. Thus, the GCKS must be the authentic source and act as the sole point of contact for the group members to obtain this SA. From the perspective of each participant in a group (GCKS and all members), there is at least one registration SA for the group. Note that this allows for the possibility of the GCKS deploying multiple re-key SAs for group key management purposes. - Data Security (DATA) SA: One or more SAs are required for the multicast transmission of data-messages (unidirectional) from the Sender to other group members. This SA is known by the GCKS and by all members of the group. Similarly, regardless of the number of instances of this third category of SA, this SA is not negotiated. Rather, all group members obtain it from the GCKS. The GCKS itself does not use this category of SA. From the perspective of the Receivers, there is at least one data security SA for the member sender (one or more) in the group. This allows for the possibility of including group IDs (GID) in transmission of data packets from the senders in the group. There are a number of possibilities with respect to the number of data security SAs and the use of Group IDs (GIDs): (i) Each sender in the group could be assigned a unique dta security SA, thereby resulting in each receiver having to Hardjono, Weis Expires May, 2003 13 MSEC Architecture October, 2002 maintain as many data security SAs as there are senders in the group. (ii) The entire group deploys a single data security SA for all senders, together with the use of GIDs. Receivers would then be able to filter based on the GIDs, whilst maintaining only one data security SA. (iii) A combination of (i) and (ii) above. 5. Security Services Referring to our Reference Diagram, this section identifies security services for designated interfaces of Figure 1. In this section, distinct security services are assigned to specific interfaces. For example, multicast source authentication, data authentication, and confidentiality occur on the multicast data interface between Senders and Receivers in Figure 1. Authentication and confidentiality services may also be needed between the Key Server and key clients (i.e., the Senders and Receivers of Figure 1), but the services that are needed for multicast key management may be unicast as well as multicast. A security service for multicast security, therefore, identifies a specific function along one or more Figure 1 interfaces. This paper does not attempt to analyze the trust relationships, detailed functional requirements, performance requirements, suitable algorithms, and protocol specifications for IP multicast and application-layer multicast security. Instead, we propose these tasks as future work that will occur as the functional building blocks are further defined and realized in algorithms and protocols. We identify a set of security services in the following sections. This preliminary list of services is intended to serve as a basis for discussion in the MSEC working group. 5.2.1 Multicast Data Confidentiality This security service handles the encryption of multicast data at the Sender's end and the decryption at the Receiver's end. This security service may also apply the keying material that is provided by Multicast Key Management in accordance with Multicast Policy Management, but it is independent of both. An important part of the future work on the Multicast Data Confidentiality building block is in the identification of and motivation for specific ciphers that should be used for multicast data. Obviously, not all ciphers will be suitable for IP multicast and application-layer multicast traffic. Since this traffic will usually be connectionless UDP flows, stream ciphers may be unsuitable though hybrid stream/block ciphers may have advantages over some block ciphers. Those working on this security service will need to evaluate the real-time and other requirements of multicast senders and receivers, and recommend a small set of promising ciphers and Hardjono, Weis Expires May, 2003 14 MSEC Architecture October, 2002 data protocols for IP multicast and application-layer multicast data confidentiality. Regarding application-layer multicast, some consideration is needed to consider the effects of sending encrypted data in a multicast environment lacking admission-control, where practically any application program can join a multicast event independently of its participation in a multicast security protocol. Thus, this security service is also concerned with the effects of multicast confidentiality services, intended and otherwise, on application programs in all senders and receivers. In Figure 1, the Multicast Data Confidentiality security service is placed in Multicast Data Handling Area along the interface between Senders and Receivers. The algorithms and protocols that are realized from work on this security service may be applied to other interfaces and areas of Figure 1 when multicast data confidentiality is needed. 5.2.2 Multicast Source Authentication and Data Integrity This security service handles source authentication and integrity verification of multicast data. It includes the transforms to be made both at the Sender's end and at the Receiver's end. It assumes that the appropriate signature and verification keys are provided via Multicast Key Management in accordance with Multicast Policy Management as described below. Work done by MSEC Working Group members suggests that this is one of the harder areas of multicast security. This is due to the connectionless and real-time requirements of many IP multicast applications. There are classes of application-layer multicast security, however, where offline source and data authentication will suffice. As discussed previously, not all multicast applications require real-time authentication and data- packet integrity. A robust solution to multicast source and data authentication, however, is necessary for a Whole Protocol solution to multicast security. In Figure 1, the Multicast Source and Data Authentication security service is placed in Multicast Data Handling Area along the interface between Senders and Receivers. The algorithms and protocols that are produced for this functional area may have applicability to building blocks in other functional area that use multicast services such as Group Key Management. 5.2.3. Multicast Group Authentication This security service provides a limited amount of authenticity of the transmitted data: It only guarantees that the data originated with (or was last modified by) one of the group members. It does not guarantee authenticity of the data in case that other group members are not trusted. Hardjono, Weis Expires May, 2003 15 MSEC Architecture October, 2002 The advantage of group authentication is that it is guaranteed via relatively simple and efficient cryptographic transforms. Therefore, when source authentication is not paramount group authentication becomes useful. In addition, performing group authentication is useful even when source authentication is later performed: it provides a simple-to-verify weak integrity check that is useful as a measure against denial-of -service attacks. The Multicast Group Authentication security service is placed in the Multicast Data Handling Area along the interface between Senders and Receivers. 5.2.4 Multicast Group Membership Management This security service describes the functionality of registration and de-registration of members. Registration includes member authentication, notification and negotiation of security parameters, and logging of information according to the policies of the group controller and the would-be member. (Typically, an out-of-band advertisement of group information would occur before the registration takes place. The registration process will typically be invoked by the would-be member.) De-registration may occur either at the initiative of the member or at the initiative of the group controller. It would result in logging of the de-registration event by the group controller and an invocation of the appropriate mechanism for terminating the membership of the de-registering member (see Section 5.2.5). This security service also describes the functionality of the communication related to group membership among different GC+KS servers in a distributed group design. In Figure 1, the Multicast Group Membership security service is placed in the Group Key Management Area and has interfaces to Senders and Receivers. 5.2.5 Multicast Key Management This security service describes the functionality of distributing and updating the cryptographic keying material throughout the life of the group. Components of this building may include: - GC+KS to Client (Sender or Receiver) notification regarding current keying material (e.g. group encryption and authentication keys, auxiliary keys used for group management, keys for source authentication, etc). - Updating of current keying material, depending on circumstances and policies. Hardjono, Weis Expires May, 2003 16 MSEC Architecture October, 2002 - Termination of groups in a secure manner, including the multicast group itself and the associated keying material. Among the problems to be solved by this security service is the secure management of keys between Key Servers and Clients, the addressing issues for the multicast distribution of keying material, and the scalability or other performance requirements for multicast key management [RFC2627, BMS]. To allow for an interoperable and secure IP multicast security protocol, this security service may need to specify host abstractions such as a group security association database (GSAD) and a group security policy database (GSPD) for IP multicast security. The degree of overlap between IP multicast and application-layer multicast key management needs to be considered. Thus, work on this security service must take into account the key management requirements for IP multicast, the key management requirements for application-layer multicast, and to what degree specific realizations of a Multicast Key Management security service can satisfy both. ISAKMP, moreover, has been designed to be extensible to multicast key management for both IP multicast and application-layer multicast security [RFC2408]. Thus, multicast key management protocols may use the existing ISAKMP standard's Phase 1 and Phase 2 protocols, possibly with needed extensions (such as an ISAKMP Domain of Interpretation for IP multicast or application-layer multicast security). This security service also describes the functionality of the communication related to key management among different GC+KS servers in a distributed group design. Multicast Key Management appears in both the centralized and distributed designs as shown in Figure 1 and is placed in the Group Key Management Area. 5.2.6 Multicast Policy Management This security service handles all matters related to multicast group policy including membership policy and multicast key management policy. Indeed, one of the first tasks in further defining this security service is identifying the different areas of multicast policy. Multicast Policy Management includes the design of the policy server for multicast security, the particular policy definitions that will be used for IP multicast and application-layer multicast security, and the communication protocols between the Policy Server and the Key Server. This security service may be realized using a standard policy infrastructure such as a Policy Decision Point (PDP) and Policy Enforcement Point (PEP) architecture. Thus, it may not be necessary to re-invent a separate architecture for multicast security policy; we expect that this work will evaluate use of the products of IETF efforts in the areas of network and security policy. At minimum, however, this security service will be Hardjono, Weis Expires May, 2003 17 MSEC Architecture October, 2002 realized in a set of policy definitions, such as multicast security conditions and actions. The Multicast Policy Management security service describes the functionality of the communication between an instance of a GC+KS to an instance the Policy Server. The information transmitted may include policies concerning groups, memberships, keying material definition and their permissible uses, and other information. This security service also describes communication between and among Policy Servers. Thus, the Multicast Policy Management security service is placed in Problem Area 3, along the interface between Key Servers and Policy Servers. Group members are not expected to directly participate in this security service. However, this option is not ruled out. 6. MSEC Documents Roadmap The roadmap of MSEC WG documents is shown the in the following. +--------------+ | MSEC | | Requirements | +--------------+ : : +--------------+ | MSEC | | Architecture | +--------------+ : .....................:....................... : : : +--------------+ +--------------+ +--------------+ | Policy | | GKM | | Data Security| | Architecture | | Architecture | | Architecture | +--------------+ +--------------+ +--------------+ : : : : : : . +------------+ : +------------+ : . | GDOI | : |TESLA/MESP | : | Resolution |-: | |-: | | : | | : +------------+ : +------------+ : : : : : +------------+ : +------------+ : | GSAKMP- | : | | : | Resolution |-: | TBD |-: | | : | | : +------------+ : +------------+ : : : Hardjono, Weis Expires May, 2003 18 MSEC Architecture October, 2002 : : +------------+ : +------------+ : | | : | | : | RE-KEY |-: | TBD |-: | | : | | : +------------+ : +------------+ : : : . . . . Figure 4: MSEC Document Roadmap 7. Conclusion This document has provided an architectural overview of the work being conducted in the MSEC Working Group and introduced several important aspects of the standardization efforts in the MSEC WG. A Reference Framework for covering the scope of the problems in multicast security was introduced, and a division of labor along three Functional Areas pertaining to security was discussed. These cover the treatment of data from a security perspective when it is to be sent to a group, the management of keying material used to protect the data and the policies governing a group. This document also defined the notion of Group Security Associations (GSA), which is the foundation of the work on group key management in the MSEC Working Group. 8. Acknowledgments This document was derived from an IRTF SMuG Working Group draft that was originally co-authored by Thomas Hardjono, Ran Canetti, Mark Baugher, and Pete Dinsmore. 9. References 9.1 Normative References [BCDL] M. Baugher, R. Canetti, L. Dondeti, F. Lindholm, Group Key Management Architecture, draft-ietf-msec-gkmarch-03.txt. IETF, October 2002. Work in Progress. [HSC] H. Harney, A. Schuett, A. Colegrove, GSAKMP Light. draft-ietf- msec-gsakmp-light-sec-01.txt. IETF, July 2002. Work in Progress. [BHHW] M. Baugher, T. Hardjono, H. Harney, B. Weis, The Group Domain of Interpretation, draft-ietf-msec-gdoi-06.txt. IETF, February 2002. Work in Progress. Hardjono, Weis Expires May, 2003 19 MSEC Architecture October, 2002 [BCCR] M. Baugher, R. Canetti, P. Cheng, P. Rohatgi, MESP: Multicast Encapsulating Security Payload, draft-ietf-msec-mesp-00.txt. IETF, October 2002. Work in Progress. [PCW] A. Perrig, R. Canetti, B. Whillock, TESLA: Multicast Source Authentication Transform Specification. draft-ietf-msec-tesla-spec- 00.txt. IETF, October 2002. Work in Progress. 9.2 Informative References [BMS] D. Balenson, D. McGrew, A. Sherman, Key Management for Large Dynamic Groups: One-Way Function Trees and Amortized Initialization, http://www.ietf.org/internet-drafts/draft-balenson-groupkeymgmt-oft- 00.txt, February 1999, Work in Progress. [CP99] R. Canetti and B. Pinkas, A taxonomy of multicast security issues, http://search.ietf.org/internet-drafts/draft-irtf-smug- taxonomy-01.txt, April 1999, Work in Progress. [Din] Dinsmore, P., Balenson, D., Heyman, M., Kruus, P., Scace, C., and Sherman, A., "Policy-Based Security Management for Large Dynamic Groups: An Oerview of the DCCM Project," DARPA Information Survivability Conference and Exposition, To Be Published. [Har1] Harney, H., and Muckenhirn, C., "Group Key Management Protocol (GKMP) Specification," RFC 2093, July 1997. [Har2] Harney, H., and Muckenhirn, C., "Group Key Management Protocol (GKMP) Architecture," RFC 2094, July 1997. [HH] H. Harney, E. Harder, Group Secure Association Key Management Protocol, http://search.ietf.org/internet-drafts/draft-harney- sparta-gsakmp-sec-00.txt, April 1999, Work in Progress. [McD] McDaniel, P., Honeyman, P., and Prakash, A., "Antigone: A Flexible Framework for Secure Group Communication," Proceedings of the Eight USENIX Security Symposium, pp 99-113, August, 1999. [RFC2246] Dierks, T. and C. Allen, The TLS Protocol Version 1.0, RFC 2246, January 1999. [RFC2406] S. Kent, R. Atkinson, IP Encapsulating Security Payload (ESP),November 1998. [RFC2408] D. Maughan, M. Shertler, M. Schneider, J. Turner, Internet Security Association and Key Management Protocol, November 1998. [RFC2409] D. Harkins, D. Carrel, The Internet Key Exchange (IKE), November, 1998. Hardjono, Weis Expires May, 2003 20 MSEC Architecture October, 2002 [RFC2627] D. M. Wallner, E. Harder, R. C. Agee, Key Management for Multicast: Issues and Architectures, September 1998. Authors Addresses Thomas Hardjono VeriSign 401 Edgewater Place, Suite 280 Wakefield, MA 01880 (781) 245-6996 thardjono@verisign.com Brian Weis Cisco Systems 170 W. Tasman Drive, San Jose, CA 95134-1706, USA (408) 526-4796 bew@cisco.com Hardjono, Weis Expires May, 2003 21