Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
www.elsevier.com/locate/jss
The Journal of Systems and Software 80 (2007) 356–370
SEAL: A secure communication library for building dynamicgroup key agreement applications q
Patrick P.C. Lee a, John C.S. Lui b,*, David K.Y. Yau c
a Department of Computer Science, Columbia University, New York, NY 10027, USAb Department of Computer Science & Engineering, The Chinese University of Hong Kong, Hong Kong
c Department of Computer Sciences, Purdue University, West Lafayette, IN 47907, USA
Received 3 June 2005; received in revised form 31 January 2006; accepted 18 April 2006Available online 12 June 2006
Abstract
We present the SEcure communicAtion Library (SEAL) [source can be downloaded from: http://www.cse.cuhk.edu.hk/~cslui/ANSRlab/software/SEAL/], a Linux-based C language application programming interface (API) library that implements secure groupkey agreement algorithms that allow a communication group to periodically renew a common secret group key for secure and privatecommunication. The group key agreement protocols satisfy several important characteristics: distributed property (i.e., no centralized keyserver is needed), collaborative property (i.e., every group member contributes to the group key), and dynamic property (i.e., groupmembers can join or leave the group without impairing the efficiency of the group key generation). Using SEAL, we developed a testingtool termed Gauger to evaluate the performance of the group key agreement algorithms in both wired and wireless LANs according todifferent levels of membership dynamics. We show that our implementation achieves robustness when there are group members leavingthe communication group in the middle of a rekeying operation. We also developed a secure chat-room application termed Chatter toillustrate the usage of SEAL. Our SEAL implementation demonstrates the effectiveness of group key agreement in real network settings.� 2006 Elsevier Inc. All rights reserved.
Keywords: Secure group communication; Group key agreement implementation
1. Introduction
Many group-oriented applications require communica-
tion confidentiality, meaning that the communication dataamong a group of authorized members are secure and inac-cessible to group outsiders. Examples of these applicationsinclude secure chat-rooms, business conferencing systems,file sharing tools, programmable router communication,and network games in strategy planning. To offer data pri-vacy, an effective approach is to require all group membersto establish a common secret group key, which is held onlyby group members, but not outsiders, for encrypting thetransmitted data. In particular, rekeying, or renewing the
0164-1212/$ - see front matter � 2006 Elsevier Inc. All rights reserved.
doi:10.1016/j.jss.2006.04.016
q This research is supported in part by the RGC Earmarked Grant.* Corresponding author. Tel.: +852 2609 8407; fax: +852 2609 5024.
E-mail address: [email protected] (J.C.S. Lui).
group key, is necessary whenever there is any change inthe group membership (e.g., a new member joins the groupor an existing member leaves the group) in order to guaran-tee both backward confidentiality (i.e., no joining membercan read the previous data) and forward confidentiality(i.e., no leaving member can access the future data).
One simple way for a communication group to performrekeying is to set up a centralized key server that is respon-sible for renewing the group key and distributing it to allgroup members. However, relying on a centralized keyserver introduces the single-point-of-failure problem sinceif the key server is compromised, the whole key establish-ment process fails. Moreover, centralized management isnot adequate for decentralized network settings such aspeer-to-peer or mobile ad hoc networks. Therefore, weshould design a secure group key agreement scheme thatallows the group members to agree upon the group key
0
M1 M2 M5
M4M3
1 2
3 4 5 6
14137 8M6
Fig. 1. A possible key tree used in the TGDH algorithm.
P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370 357
without relying on a centralized key server. The group keyagreement scheme should satisfy three properties. The firstone is the distributed property, which means no centralizedkey server is required. The second one is the collaborative
property, which means all group members contribute theirown secret piece of information to the generation of thegroup key. Both distributed and collaborative propertiesseek to eliminate the single-point-of-failure problem suchthat when one member is compromised, the group can stillcontinue with its secure communication by excluding thecompromised member. The final property is the dynamic
property, which means the group key agreement schemeretains both accuracy and efficiency even if the group keyagreement scheme involves dynamic membership events,such as when a new member joins or an existing memberleaves the group.
In Lee et al. (2002), we proposed three interval-based dis-
tributed rekeying algorithms (or interval-based algorithms
for short) called Rebuild, Batch, and Queue-batch, each ofwhich performs rekeying (i.e., renews the group key) on abatch of join and leave requests periodically at regularrekeying intervals and satisfies the distributed, collabora-tive, and dynamic properties. Instead of performing rekey-ing for each single join or leave event, the interval-basedalgorithms use the periodic rekeying approach so that therekeying efficiency is preserved in response to the frequentjoin and leave events, with a tradeoff of weakening bothbackward and forward confidentialities. In Lee et al.(2002), we evaluated the performance of the interval-basedalgorithms via mathematical modeling and simulationexperiments. However, there are still open issues aboutthe actual implementation and performance of the inter-val-based algorithms in a real network environment.
In this paper, we present the SEcure communicAtion
Library (SEAL), an application programming interface(API) library that implements the interval-based algo-rithms in the C language under Linux and allows a commu-nication group to agree upon a common secret group keyfor data encryption in real-life group-oriented applications.Through the implementation framework, we analyze thedesign issues that are critical for implementing the algo-rithms. Furthermore, we export from SEAL a set of APIfunction calls that can be used to develop secure group-oriented applications.
Using SEAL, we developed a performance testing toolcalled Gauger that simulates a member application partici-pating in a secure group communication. We evaluate therekeying performance of the interval-based algorithms ina wired LAN where 40 Gaugers continuously join andleave a communication group according to different levelsof membership dynamics. We show that the Queue-batchalgorithm generally takes less than 1 s to complete a rekey-ing operation. Also, we show that our implementationachieves robustness when there are group members leavingthe group in the middle of a rekeying operation. Further-more, we evaluate SEAL using both wired and wirelessLAN testbeds so as to provide preliminary insights on
how different deployment environments vary the perfor-mance of SEAL.
We further used SEAL to implement a secure chat-roomapplication called Chatter to illustrate how to deploySEAL in real-life applications. Also, we identify a numberof potential applications that can benefit from SEAL.
The rest of the paper proceeds as follows. In Section 2,we overview the group key agreement algorithms that sub-stantiate our implementation. Section 3 presents the designof the SEAL implementation and address the design issues.Section 4 provides the implementation details. In Section 5,we present a set of SEAL API functions for building securegroup-oriented applications. In Section 6, we evaluate theperformance of the interval-based algorithms using wiredand wireless LAN testbeds. In Section 7, we introduceChatter, a secure chat-room application built upon SEAL.We also suggest other potential applications where SEALfits their development needs. Section 8 discusses relatedwork, and Section 9 concludes and suggests future work.
2. Group key agreement algorithms
In this section, we first overview the Tree-based GroupDiffie–Hellman (TGDH) protocol (Kim et al., 2004). Wethen describe the group key agreement algorithms (Leeet al., 2002) that substantiate the group key agreement pro-tocols in our SEAL implementation.
2.1. Tree-based group Diffie–Hellman (TGDH)
In TGDH, each group member holds a binary key tree.Each node v is associated with a secret (or private) key Kv
and a blinded (or public) key BKv. All arithmetic operationsare performed in a cyclic group of prime order p with thegenerator a. Mathematically, the keys Kv and BKv arerelated by the formula BKv ¼ aKv mod p.
Each member, denoted by Mi for some integer i, holdsthe secret keys along its key path, which is the sequenceof nodes starting from its corresponding leaf node up tothe root node. In addition, each member holds the blindedkeys along its co-path, which contains the nodes whosesiblings belong to its key path, although the member maycache the blinded keys associated with other nodes.Fig. 1 depicts a possible key tree composed of six membersM1 to M6. M1 holds the secret keys of nodes 7, 3, 1, and 0,and the blinded keys of nodes 8, 4, and 2. Since node 0 lies
358 P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370
on the key paths of all members, its associated secret key ischosen as the group key.
Each member has to determine the secret keys along itskey path. First, it obtains the secret key at its correspond-ing leaf node through a secure random number generator.Then it computes the secret key at each non-leaf node, sayv, from the keys at the child nodes of v based on the Diffie–Hellman algorithm (Diffie and Hellman, 1976). Mathemat-ically, given a non-leaf node v, its child nodes are repre-sented by 2v + 1 and 2v + 2, and its secret key is given by
Kv ¼ ðBK2vþ1ÞK2vþ2 ¼ ðBK2vþ2ÞK2vþ1 ¼ aK2vþ1K2vþ2 modp: ð1ÞTo understand how each member computes the group
key, we consider again the group shown in Fig. 1. Eachmember Mi first generates its own secret key which is thenassociated with one of the leaf nodes in the key tree. Forexample, member M1 first generates K7 and requests theblinded key BK8 from M2, BK4 from M3, and BK2 fromeither M4, M5, or M6. Given M1’s secret key K7 and theblinded key BK8, M1 can generate the secret key K3 accord-ing to Eq. (1). Given the blinded key BK4 and the newlygenerated secret key K3, M1 can generate the secret keyK1 based on Eq. (1). Given the secret key K1 and theblinded key BK2, M1 can generate the secret key K0 atthe root. Other members can follow a similar approachto compute the group key. From that point on, any com-munication in the group can be encrypted based on thesecret key (or group key) K0.
When a member joins or leaves the group, all groupmembers carry out a rekeying operation, in which theyrenew the group key to ensure both backward confidential-ity (i.e., no joining member can read the previous data) andforward confidentiality (i.e., no leaving member can accessthe future data). In each rekeying operation, all groupmembers elect a member called sponsor, which is responsi-ble for broadcasting the updated blinded keys. By conven-tion, the sponsor is the rightmost member under thesubtree rooted at the sibling of the joining or leaving mem-ber. We point out that the presence of a sponsor does notviolate the collaborative property since the sponsor onlyfacilitates the rekeying operation but does not add extracontribution to the group key.
Fig. 2 illustrates the idea of the rekeying operationunder both single join and single leave cases. In the singlejoin case, suppose that a new member M7 joins the group.
0
M1 M2
M4M3
1 2
3 4 5 6
7 8
M7 joins
0
M1 M2
M3
1
3 4 5
7 8M4(S)
11M5 M6
13 14
Fig. 2. TGDH rekeying at a single join and a single leave. Note that the shadedthe notation Mi(s) means that member Mi becomes a sponsor.
To keep the key tree balanced, M7 should be added to thehighest leaf node in the key tree. Here, member M7 can beassociated with node 12, which is attached under node 5.The renewed nodes, the ones whose keys need to berenewed, are then identified. These include nodes 5, 2 and0 (the nodes shaded in Fig. 2). Also, member M4 is electedto be the sponsor. It renews K5, K2, and K0 using BK12,BK6, and BK1, respectively, and broadcasts the blindedkeys BK5 and BK2. Members M1, M2 and M3 can computeK0 upon receiving BK2, and members M5 and M6 can com-pute K0 upon receiving BK5. In this example, we assumethat when M7 joins the group, it broadcasts its individualblinded key (i.e., BK12) and learns the required blindedkeys for computing the group key from other members.In the single leave case, suppose that member M4 wantsto leave the group. Nodes 5 and 12 pruned, and node 11is promoted to be node 5. The renewed nodes are nodes2 and 0. Also, M7 is elected to be the sponsor. It renewsK2 and K0, and broadcasts BK2. All remaining memberscan then obtain the group key. It should be noted thatalthough the keys of node 5 (i.e., the individual keys ofM7) remain intact, M7 may have to broadcast the blindedkey BK5 since node 5, which is initially node 11, does notbelong to the co-paths of M5 and M6 before the rekeyingoperation.
Based on the above join and leave events in Fig. 2, if wesimply change the member association of node 5 from M4
to M7, we can save one rekeying operation. This intuitionmotivates the use of interval-based rekeying in which thecommunication group performs rekeying on a batch of joinand leave events periodically. We describe the interval-based rekeying approach in the following subsection.
2.2. Interval-based distributed rekeying algorithms
In this subsection, we overview three interval-based dis-tributed rekeying algorithms (Lee et al., 2002) (or interval-based algorithms for short), namely Rebuild, Batch, andQueue-batch, which are developed based on the TGDHalgorithm and perform rekeying on a batch of join andleave events periodically at regular intervals. Interval-basedrekeying maintains the rekeying frequency regardless of thedynamics of join and leave events, with a tradeoff of weak-ening both backward and forward confidentialities as aresult of delaying the update of the group key. In practice,
2
6
M7
12M5 M6
13 14
0
M1 M2
M3
1 2
3 4 5 6
7 8M7(S)
M4 leaves
M5 M6
13 14
nodes are the nodes whose corresponding keys need to be renewed. Also,
P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370 359
system administrators can decide the length of the rekeyinginterval to balance the tradeoff between performance andsecurity.
The interval-based algorithms are developed based onthe following assumptions:
• All group members are trusted in the key establishmentprocess. This is justified since the group members partic-ipate in the secure group communication.
• The group communication satisfies view synchrony
(Fekete et al., 1997; Kim et al., 2004) that defines reli-able and ordered message delivery under the same mem-bership view. Intuitively, when a member broadcasts amessage under a membership view, the message is deliv-ered to same set of members viewed by the sender. Notethat this view-synchrony property is essential not onlyfor group key agreement, but also for reliable multi-point-to-multipoint group communication in whichevery member can be a sender (Kim et al., 2004).
• Rekeying operations of all members are synchronized tobe carried out at the beginning of every rekeying interval.
• To obtain the blinded keys of the renewed nodes, thekey paths of the sponsors should contain those renewednodes. Since the interval-based rekeying operationsinvolve nodes lying on more than one key paths, morethan one sponsors may be elected. Also, a renewed nodemay be rekeyed by more than one sponsor. Therefore,we assume that the sponsors can coordinate with oneanother such that the blinded keys of all the renewednodes are broadcast only once.
• At the beginning of a rekeying operation, all membersknow the current key tree structure and the correspond-ing blinded keys in their own co-path.
In the subsequent sections, we discuss how the aboveassumptions are addressed in our implementation. In thefollowing, we provide the basic ideas behind the three inter-val-based algorithms. Readers may refer to Lee et al. (2002)for the detailed description and simulation analysis of theinterval-based algorithms.
• Rebuild: The idea of Rebuild is to reconstruct the keytree to a complete tree in order to minimize the treeheight and hence the rekeying steps by group membersin subsequent rekeying intervals. All the non-leaf nodesneed to be renewed. Also, we assume that all membersbecome sponsors and they coordinate with each otherin broadcasting the renewed blinded keys. Rebuild issuitable for some cases, such as when the membershipevents are so frequent that we can directly reconstructthe whole key tree for simplicity, or when some memberslose the rekeying information and the simplest way ofrecovery is to rebuild the key tree.
• Batch: The main idea of Batch is to add joining membersat suitable positions in the key tree. Given a set of join-ing and leaving members, Batch replaces leaving mem-bers with joining members since the keys held by the
leaving members have to be renewed anyway. It thenadds joining members to the shallowest possible posi-tions in the key tree. Also, it tries to maintain a balancedkey tree to prevent members from being located at deeppositions and performing extensive rekeying steps.
• Queue-batch: Unlike Rebuild and Batch, Queue-batchpre-processes joining members within the idle periodof every rekeying interval. This alleviates the processingload during the rekeying operation conducted at thebeginning of every rekeying interval and hence speedsup the start of the secure communication with the latestgroup key. Queue-batch consists of two phases: Queue-
subtree and Queue-merge. In the Queue-subtree phase,which occurs in the midst of the rekeying interval, join-ing members are attached to a subtree T 0, like howTGDH manages the single join event. In the Queue-merge phase, which occurs at the start of the next rekey-ing interval, the subtree T 0 is attached to the key tree.
3. Design of SEAL
In this section, we present the design mechanisms ofSEAL on how to enable a communication group to per-form a rekeying operation (i.e., to renew the group key)in actual implementation.
3.1. Summary of design
We first summarize how SEAL implements a rekeyingoperation:
(i) When a new member joins a communication group, itconnects to a Spread daemon (Amir et al., 2004a), agroup communication service that guarantees thereliable and ordered message delivery under the samemembership view.
(ii) Among the existing group members, the communica-tion group selects a leader, a single member that isresponsible for synchronizing the rekeying operationscarried out by all group members. At regular rekey-ing intervals, the leader notifies all other group mem-bers to start a new rekeying operation via thebroadcast of a rekeying message.
(iii) Each group member updates its own key tree basedon the agreed-upon interval-based algorithm (i.e.,Rebuild, Batch, or Queue-batch) and checks whetherit is a sponsor. Any member that becomes the spon-sor will broadcast the updated blinded keys.
(iv) Each member carries out the key confirmation process(Ateniese et al., 1998) to assure that every other mem-ber has actually obtained the same group key. If thiskey confirmation process succeeds, then the rekeyingoperation is finished.
(v) If there are some members leaving the communicationgroup in the middle of a rekeying operation (i.e., afterthe leader initiates the rekeying operation but before
360 P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370
the group key is confirmed), the communicationgroup either continues with its existing rekeying oper-ation, or starts a rekeying operation reflecting thedepartures of those members.
3.2. Reliable group communication
Our implementation is built upon the Spread toolkit(Amir et al., 2004a), which implements the view synchronyproperty for reliable group communication. When a newmember joins a communication group, it connects to aSpread daemon, a group communication service whichmaintains an active TCP connection to all other Spreaddaemons and keeps track of the current membership statusof the communication group. Each Spread daemon can beassociated with more than one member, so the group com-munication model forms a two-level hierarchy consisting ofthe Spread daemons and the group members. When amember joins or leaves the group, every member willreceive the latest membership view from its associatedSpread daemon. Also, the Spread daemon associated withthe joining or leaving member notifies other daemons toflush the remaining messages to the original membershipview and to block the transmission of new messages untilall Spread daemons and existing group members installthe updated membership view. Similarly, if a Spreaddaemon fails, the associated members are removed fromthe membership view by the remaining Spread daemons.Therefore, every existing group member always holds thelatest membership view. Also, all messages are originatedfrom the sender and delivered to all members under thesame membership view, or equivalently between two con-secutive membership events. To ensure the ordered deliv-ery, the Spread daemons append a timestamp to everytransmitted message.
Here, we implicitly assume that the Spread daemonsalways provide trusted membership views. Maintainingan authenticated membership view involves the change ofimplementation in Spread and is not the focus of thispaper. We pose this problem as future work.
The Spread toolkit provides a set of API functions formembers to send or receive messages through the Spreaddaemon under the view synchrony model. We use thoseAPI functions as the foundation for our implementationof the interval-based algorithms.
3.3. Leader
The leader is the single member that is responsible forperiodically notifying all group members to start a rekeyingoperation synchronously at regular rekeying intervals. Weselect the member that stays in the communication groupfor the longest time to be the leader. When a group memberjoins the group as a new participant or is notified that theleader has left the group, it decides which member shouldbe the current leader based on the agreed-upon member-
ship view provided by its associated Spread daemon (seeSection 3.2). Since each member holds the identical mem-bership view, any member that falsely claims to be the lea-der will be detected by other group members and excludedfrom the communication group. We point out that theleader is not a centralized key server that generates thegroup key, so the contributory requirement of ourproposed algorithms still holds.
When a member is selected to be the leader of a commu-nication group, it immediately broadcasts a rekeying mes-
sage to the group and repeats the broadcast periodicallyat regular rekeying intervals. Since new members do notknow the rekeying information including the present joinand leave events as well as the existing key tree when theyjoin the group, each rekeying message should contain theexisting key tree as well as the join and leave requests inthe last rekeying interval. The exact construction of therekeying message will be discussed in Section 4.
It is possible that a newly selected leader does not knowthe current key tree structure. This occurs when it has justjoined the group and has not started any rekeying opera-tion. In this case, the leader should include only an emptytree and the join events in the first rekeying message. Theleave events, however, are not required as they do not takeeffect in an empty tree.
3.4. Sponsor
Sponsors, as previously stated, refer to the group mem-bers that need to broadcast the blinded keys associatedwith the nodes in a key tree during a rekeying operation.Since each member holds the blinded keys along its ownco-path, which is a list of nodes whose siblings belong toits key path, the sponsors have to broadcast the blindedkeys of the non-renewed nodes, which are the children ofthe renewed nodes so that members can compute the secretkeys of the renewed nodes. Broadcasting non-renewedblinded keys is essential for the new members which knownothing about the group before they join, as well as for theexisting members whose co-path does not include the non-renewed nodes prior to the rekeying operation. (We willlater illustrate how it helps the existing members with anexample.) Therefore, in our implementation, we appointthe sponsors to broadcast the blinded keys of two typesof nodes: (1) all renewed nodes and (2) the non-renewednodes whose parents are renewed nodes.
We first refine the sponsor election criterion as follows:in each rekeying interval, a member becomes a sponsor ifit is the rightmost member of the subtree whose root is anon-renewed node but the parent of the root is a renewednode (if the member is the only member in the group, nosponsor is elected). It should be noted that all new mem-bers are elected to be sponsors based on this criterion.
After being elected, the sponsors have to decide theexact nodes whose corresponding blinded keys need to bebroadcast. We call this decision-making process to be spon-
sor coordination, whose pseudo-code is presented in Fig. 3.
Fig. 3. Pseudo-code of the sponsor coordination process.
P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370 361
To understand how it works, consider Fig. 4, in which thekey tree contains a number of renewed nodes (i.e., nodes 0,1, 2, and 6). Based on our sponsor election criterion, M1,M2, M5, M7, and M8 are elected to be sponsors. Accordingto the algorithm in Fig. 3, member M1 broadcasts BK3, M2
broadcasts BK4 and BK1, M5 broadcasts BK5, M7 broad-casts BK13, and M8 broadcasts BK14, BK6, BK2, and BK0.Furthermore, Fig. 4 illustrates the need of broadcastingthe blinded keys of non-renewed nodes (i.e., nodes 3, 4,5, 13, and 14) to existing members. For example, M6 andM7 do not hold the blinded key of node 14 if it is promotedfrom one of its child nodes since the node is not originallyon their co-paths. Therefore, they have to obtain theblinded key from the sponsors.
The sponsor coordination process satisfies three proper-ties. First, it is self-computable because it does not involveany communication between sponsors to determine whichblinded keys are to be broadcast. Also, it is lightweight
because it only requires a sponsor to traverse its key path
0
M1(S) M2(S)
1 2
3 4 5 6
1211 1413
M3 M4
23 24 2827
M5(S)
M6 M7(S)
M8(S)
M1 broadcasts BK3M2 broadcasts BK4 and BK1
M5 broadcasts BK5M7 broadcasts BK13M8 broadcasts BK14,BK6,BK2,and BK0
Fig. 4. Example to illustrate the sponsor coordination process in Fig. 3.
once. Its worst-case complexity is O(h), where h is the depthof the leaf node associated with the sponsor. Lastly, it isbroadcast-efficient since it broadcasts the keys in a mini-mum number of rounds. To elaborate the last property,we consider an example in which a renewed node vp isthe root of a subtree and has the left child node vl andthe right child node vr, whose corresponding sponsors areMl(s) and Mr(s), respectively. To decide which sponsor isto be selected to broadcast the blinded key of vp, we con-sider two cases. In the first case, if only one child node isrenewed – say vl is renewed but vr is not – Ml(s) can com-pute the secret key of vp based on the unchanged blindedkey of vr. This implies that Ml(s) can broadcast the blindedkeys of vl and vp in one round. We therefore select Ml(s) tobroadcast the blinded key of vp. In the second case, if bothchild nodes are renewed, i.e., vl and vr are renewed nodes,both sponsors have to wait for the updated blinded keysof vl and vr to compute the secret key of vp. They needtwo rounds to broadcast the blinded key of vp. We cantherefore select any one sponsor, say the sponsor Mr(s)
under the right child node, to take this responsibility. Com-bining the two cases, we can apply similar arguments whenvl is not a renewed node but vr is and when both vl and vr
are not renewed nodes.
3.5. Key confirmation
Key confirmation (Ateniese et al., 1998) assures eachmember that all other members are actually holding thesame group key. Providing complete key confirmationrequires every member to demonstrate its knowledge ofthe group key to all other members. One way to achievethis is to ask every member to broadcast the one-way func-tion result of the group key after it is generated. However,this involves many broadcasts and may be infeasible. Inanother approach given in Just and Vaudenay (1996), eachmember only needs to prove its knowledge of the group keyto its neighbors, provided that all members are arranged ina ring. However, such an approach is vulnerable to thecollusion attack (Just and Vaudenay, 1996).
In SEAL, we design a weaker but feasible key confirma-tion approach. We appoint a sponsor based on the spon-sor-coordination algorithm to broadcast the blindedgroup key which lets every member verify if its computedblinded group key is identical to the one it receives. If amember finds that the keys are different, it will report theerror. The rekeying operation is finished if every memberverifies that both keys are identical.
We do not require any member to explicitly indicate thesuccessful verification of the group key. When a memberwants to broadcast a data message, it simply encrypts themessage with the latest group key that has been obtained.Any member that has not yet confirmed the correctness ofthe group key will cache the message until the group keyis verified. In general, the duration of a rekeying operationis on the order of seconds (see Section 6), so any cachedencrypted message will be decrypted after a short while.
362 P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370
3.6. Robustness
We close this section by discussing how SEAL achievesrobustness in a rekeying operation. It is possible that agroup member leaves the group or encounters system fail-ures during the execution of a rekeying operation. Depend-ing on the type of the leaving member, we consider twocases. First, if the leaving member is neither the leadernor one of the sponsors, or if it is a sponsor but has broad-cast all necessary blinded keys for the current rekeyingoperation, the communication group continues with theexisting rekeying operation without being affected andthe leave event is reflected in the next rekeying operation.Second, if the leaving member is the leader or a sponsorthat has not yet broadcast all required blinded keys, thecommunication group first selects a new leader if the leav-ing member is the leader (see Section 3.3). Then the leaderbroadcasts a rekeying message to start a new rekeyingoperation which reflects the current leave event. Anyrenewed nodes whose blinded keys have not yet beenbroadcast remain renewed in the new rekeying operation.Also, the nodes that are on the key path of the leavingmember become the renewed nodes. Given the set ofrenewed nodes, new sponsors are selected to broadcastthe updated blinded keys according to the sponsor-coordi-nation algorithm (see Section 3.4). This so-called self-
stabilizing property (Kim et al., 2004) is realized in ourimplementation.
In addition, within a single rekeying interval, a membermay join and then leave the communication group, or itmay leave and then join the group. In the former case,the membership events of the member are simply ignoredin the next rekeying operation. The latter case, however,is treated as two separate membership events: the leaveevent of an existing member and the join event of a newmember.
4. Implementation details of SEAL
In this section, we present the implementation details ofSEAL. We first describe the preliminary requirements forthe library. Then we discuss the system components thatconstitute the implementation.
4.1. System preliminaries
SEAL is implemented in C under Linux and requirestwo toolkits: Spread (Amir et al., 2004a) (see Section 3.2)and OpenSSL (Viega, 2002). Our implementation usesthe exported API functions from Spread to send or receivepackets according to the view-synchrony group communi-cation model. OpenSSL is a security toolkit offering a cryp-tography library and a certificate generation tool. We use itto implement cryptographic algorithms as well as to createpublic-key certificates for the authentication of groupmembers. Both toolkits are the pre-requisites for the SEALdevelopment.
We require that each group member applies digital sig-natures to every packet that is to be sent to the network.Each group member should first obtain its public-keycertificate from a trusted certificate authority (CA). Thenthe member signs the packets with its long-term (perma-nent) private key before the packets are sent over the net-work. In our implementation, we select the X509certificate standard (ITU-T Recommendation X.509,1993) and the 1024-bit RSA (Rivest et al., 1978) withSHA-1 (National Institute of Standards and Technology,1995) signature scheme.
The implementation of SEAL contains several require-ments. First, we require that both Spread and OpenSSLare pre-installed in a Linux system. Also, the Diffie–Hellman parameters, which are 1024-bit long in our imple-mentation, should have been initialized and stored in theSEAL source directory before SEAL starts running. Inaddition, each group member should have a configurationfile stating the unique member identifier, the membershipdetails of all possible communication groups, and the con-nectivity information specifying which Spread daemon is tobe connected. Furthermore, each group member shouldbeforehand obtain its long-term private key and the certif-icates of other group members from a trusted CA. For con-sistency, a central repository can be set up to provide allnecessary information related to the requirements.
4.2. System components
SEAL is composed of four types of components: (1)engines, the entities which hold variables and methods forvarious functionalities, (2) queues, the linked-list structureswhich store and dispatch packets in first-in-first-out order,(3) threads, the execution contexts which handle all proto-col operations, and (4) packets, the information which isexchanged between group members.
The SEAL packets are classified into two categories:membership packets and regular packets. Membershippackets, including the JOIN, LEAVE, and DISCON-NECT packets, are defined in the Spread specification(Amir et al., 2004a). They store the membership informa-tion essential for SEAL and the Spread daemons. Regularpackets, however, are defined by SEAL. They are used bySEAL for rekeying operations and by underlying group-oriented applications for secure group communication.They include the REKEY, BKEY, and MESSAGE pack-ets. Fig. 5 illustrates the formats of the SEAL regularpackets.
To achieve secure group communication, the memberapplications that have SEAL installed will exchange SEALpackets with one another. The general operations on thereceived packets can be summarized into several steps: (1)The received_thread receives packets from the connectedSpread daemon and adds them into the packet_queue. (2)The process_thread retrieves packets from the packet_queue
if the queue is non-empty. (3) The process_thread verifies thesignatures attached to the packets. (4) Based on the packet
rekeyingsequencenumber
rekeyingalgorithm
joiningmembers
leavingmembers
keytree signature
keytreesize
numberof
joins
numberof
leaves
signed
(a)
rekeyingsequencenumber
rekeyingalgorithm signature
number ofblindedkeys
a list ofblinded keys
signed
(b)
rekeyingsequencenumber
messagelength
signaturemessage
signed
encrypted
(c)
Fig. 5. Formats of the regular packets: (a) REKEY packet, (b) BKEYpacket and (c) MESSAGE packet.
P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370 363
types, the process_thread carries out the correspondingoperations with the member_engine, the leader_engine, thekeytree_engine, the sesskey_engine, and the message_queue.(5) If the process_thread needs to send packets, it creates pack-ets with the packet_engine. (6) The process_thread signs thepackets with the certkey_engine. (7) Finally, the pro-
cess_thread sends the packets via the packet_engine to the con-nected Spread daemon and then to the communication group.Fig. 6 illustrates the operations on the received packets.
Let us take a more detailed look at how the pro-
cess_thread responds to the received packets according todifferent packet types:
• Operations on a JOIN/LEAVE/DISCONNECT packet:
The process_thread inserts the joining or leaving memberinto the member_engine. Also, depending on the mem-bership events, it performs leader election, and createsthe leader-specific components if the member becomes
Network
Spread Daemon
receivethread
packetqueue
processthread
(3) verify packets
(4) processpackets
CertKeyEngine
PacketEngine
(5) create packets
MemberEngine
LeaderEngine
KeytreeEngine
SesskeyEngine message
queue
(1) addpackets
(2) retrievepackets
(7) send packets
(6) sign packets
Fig. 6. General operations on the received packets.
the leader (the operations of the leader-specific compo-nents are described later in this subsection). It shouldbe noted that the operations on the LEAVE and DIS-CONNECT packets are both identical.
• Operations on a REKEY packet: The process_thread firstretrieves the rekeying information including the rekey-ing sequence number (the identifier of a REKEY packetand hence a rekeying operation), the joining and leavingmembers, as well as the key tree, from the receivedREKEY packet. The process_thread then starts therekeying operation, which consists of (1) specifying theleader’s identity in the leader_engine; (2) synchronizingthe joining and leaving members with those in the mem-
ber_engine; (3) updating the key tree in the key-tree_engine based on the selected interval-basedalgorithm; and (4) updating the secret and blinded keysof the key path in the sesskey_engine and broadcastingany blinded keys if the group member becomes asponsor.
• Operations on a BKEY packet: The process_thread
obtains the blinded keys from the packet, which is com-posed of a sequence of blinded keys of some key treenodes on a key path. If the blinded keys help the groupkey generation, the process_thread computes the secretkeys along the key path, which is maintained by thesesskey_engine. Besides, if the group member is a spon-sor and the sesskey_engine contains the new blindedkeys to be broadcast, the process_thread will broadcasta BKEY packet consisting of the blinded keys.
• Operations on a MESSAGE packet: The process_threadinserts the MESSAGE packet, which contains the appli-cation-level messages, into the message_queue. Theenqueued packets will later be processed by the applica-tion. Here, we derive three independent sub-keys fromthe latest group key and encrypt/decrypt the messagecontent based on the Triple-DES-CBC standard (Schne-ier, 1996). In addition, we use the ‘‘signature beforeencryption’’ approach (Schneier, 1996) as shown inFig. 5.
If a group member is elected to be leader, theprocess_thread will create the leader-specific components,composed of the rekey_poll_thread, the rekey_send_thread,and the rekey_queue. To send a rekeying message to thegroup, the leader performs the following procedure: (1)The rekey_poll_thread periodically issues a rekeying signal(the indicator of performing a rekeying operation) into therekey_queue and notifies the rekey_send_thread to sendREKEY packets. The rekeying signal also specifies theinterval-based algorithm to be performed. (2) When therekey_send_thread is notified, it removes the rekeying signalfrom the rekey_queue. (3) The rekey_send_thread gathersthe rekeying sequence number from the leader_engine, thejoining and leaving members from the member_engine,and the existing key tree from the keytree_engine. (4) Therekey_send_thread constructs the REKEY packet basedon the gathered details. (5) The rekey_send_thread signs
Network
Spread Daemon
rekeypoll
thread
rekeyqueue
rekeysend
thread
(3) retrieveinformation
for REKEY packets
CertKeyEngine
PacketEngine
MemberEngine
LeaderEngine
KeytreeEngine
(1) addREKEYsignals
(2) retrieveREKEYsignals
Leader-specificcomponents
(4) create REKEY packets
(6) send REKEY packets
(5) sign REKEY packets
Fig. 7. Leader-specific components.
364 P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370
the REKEY packet with the certkey_engine. (6) Finally,the rekey_send_thread sends the packet over the network.
To ensure that each REKEY packet contains the latestinformation, the rekey_send_thread retrieves the nextrekeying signal from the rekey_queue and sends its corre-sponding REKEY packet only after all engines are updatedin response to the previous rekeying operation. Fig. 7 illus-trates the leader-specific components and their interactionswith other components.
5. SEAL API
SEAL comprises a number of API functions that allowdevelopers to implement the interval-based algorithms intheir secure group-oriented applications. The operationsof the API functions rely on a SEAL session object, whichholds all the components constituting the system architec-ture of SEAL. Table 1 describes the details of the APIfunctions.
Table 1Description of the SEAL API functions
Functions Synopsis
SEAL_init( ) It creates and initializes an SEAL sessionsubsequent SEAL operations
SEAL_set_passwd() It retrieves the long-term private key fromSEAL_join( ) It connects to the Spread daemon and jo
specified communication group. It also incomponents inside the SEAL session obj
SEAL_send( ) It encrypts the application messages withgroup key and sends them to the commu
SEAL_recv( ) It receives the application messages fromgroup and decrypts them with the curren
SEAL_read_membership( ) It reports the current group membershipexisting members, the joining members a
SEAL_leave( ) It disables any operations and frees the rcomponents inside the SEAL session objthe communication group and disconnec
SEAL_destroy( ) It destroys the SEAL session object and
Fig. 8 illustrates the flowchart of using the SEAL APIfunctions in a typical secure group-oriented application.The flow is described as follows: (1) the application instan-tiates a SEAL session object with SEAL_init( ); (2) itretrieves the long-term private key from a password-pro-tected file with SEAL_set_passwd( ); (3) it joins a specifiedcommunication group with SEAL_join( ); (4) it implementsits application protocols with SEAL_send( ), SEAL_recv( ),and SEAL_read_membership( ) in order to send messages,receive messages, and read the current membership status,respectively; (5) it leaves the group with SEAL_leave( ); and(6) it either joins another or the same group with SEAL_join( ), or destroys the SEAL session object with SEAL_destroy( ) and ends.
6. Experiments
In this section, we evaluate SEAL under real networksettings. Using SEAL, we implemented Gauger, a memberapplication that repeatedly joins and leaves a communica-tion group at different times. We then used Gauger to mea-sure the performance of a rekeying operation in Rebuild,Batch, and Queue-batch based on different levels of mem-bership dynamics.
We make two remarks for our evaluation. First, as men-tioned in Section 3.6, it is possible that at least one sponsorleaves the group in the middle of the rekeying operation. Inthis case, a member will receive more than one rekeyingmessage from the leader before the group key is confirmed.Therefore, when we consider the duration of a rekeyingoperation, it starts from the instant at which a memberreceives the first rekeying message that indicates the begin-ning of a rekeying operation to the instant at which theupdated group key is confirmed. Second, for Queue-batch,we only consider the Queue-merge phase but not theQueue-subtree phase. The pre-processing steps in the latterdo not influence the underlying secure communication,which is protected with the current group key. Thus, by
Return values
object for An initialized session object onsuccess and NULL on failure
a password-protected file 1 on success and 0 on failureins theitializes all
ect
1 on success and 0 on failure
the currentnication group
1 on success and 0 on failure
the communicationt group key
1 on success and 0 on failure
status including thend the leaving members
1 on success and 0 on failure
esources of allect. It then leavests from the Spread daemon
1 on success and 0 on failure
free its resources 1 on success and 0 on failure
SEAL_init()
SEAL_join()
SEAL_destroy()
SEAL_leave()
SEAL_set_passwd()
(for application protocols)
SEAL_send()SEAL_recv()
SEAL_read_membership()
Fig. 8. Flowchart of using the SEAL API functions.
P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370 365
focusing on the Queue-merge phase, our measurementsreflect the latency of generating the latest group key start-ing from the beginning of a rekeying interval.
Our experiment consider the following metrics for arekeying operation:
• Rekeying time: It measures the duration (in seconds) of arekeying operation.
• Number of exponentiations: It measures the computa-tional cost involving the exponentiation operations inthe secret key and blinded key computations.
• Number of broadcast blinded keys: It measures the com-munication cost involving the number of blinded keysbeing broadcast within a rekeying operation.
• Number of BKEY packets (see Section 4.2): It measuresthe number of broadcast packets of blinded keys duringa rekeying operation and hence the computational costof signing or verifying the broadcast packets. Note thateach packet may contain more than one blinded keydepending on the number of blinded keys that can becomputed in one round.
We point out that the measured rekeying time has ahigher value and a higher deviation than does the actualrekeying time because of the background processes withinthe testbed machines. On the other hand, the other threemetrics are attributed to the rekeying algorithms only.
6.1. Wired LAN
We start our evaluation with a communication groupresiding in a wired LAN based on the following configura-tions. We are interested in a single communication groupwith the group population size of 40 Gaugers. We assignthe group members evenly to eight Pentium 4/2.5 GHzLinux machines (i.e., each machine has five Gaugers
installed). All eight machines are interconnected in a singleLAN and are reachable from each other through broad-casts. A Spread daemon with configured parameters is run-ning on each machine. When a Gauger starts execution, itconnects to the Spread daemon in the same local machine.In addition, we fix the length of the rekeying interval to be15 s. To observe the effect of the length of the rekeyinginterval, we vary the frequencies of join and leave eventsin our experiments. Analysis of varied rekeying intervalscan be found in Setia et al. (2000).
Each Gauger repeatedly joins and leaves the same com-munication group. The duration for which a Gauger staysinside and outside the group are respectively given byTin + c and Tout + c, where Tin and Tout are exponentiallydistributed, and c denotes a constant period specifyingthe minimum duration between two membership eventsfor a group member. The reason that we add a constantto the time lengths is to prevent a member from joiningor leaving the communication group abruptly so as toguarantee a sufficient amount of time for the resources tobe re-allocated between membership events. Throughoutour experiments, we set c to be 10 s, meaning that a mem-ber may join (resp. leave) and then leave (resp. join) thecommunication group within a single rekeying interval(see Section 3.6). We perform our measurements for twohours for each specified pair of Tin and Tout.
Experiment 1 (Average analysis of Rebuild, Batch, and
Queue-batch with fixed Tout’s and varied Tin’s): In thisexperiment, we evaluate the performance metrics ofRebuild, Batch and Queue-batch. We fix Tout to be 30and 90 s and vary Tin. The reason of fixing Tout’s is to con-trol the rate that members join the communication group.The metrics are averaged over the number of existing mem-bers in the group at each rekeying interval and then overthe number of rekeying intervals.
Fig. 9(a)–(h) presents the results. The metric costs atTout = 30 s are larger than those at Tout = 90 s. With asmaller Tout, more members stay in the group and partic-ipate in a rekeying operation. Thus, the size of the key treeis larger and more operations are required to generate agroup key. Also, we observe Queue-batch outperformsthe other two algorithms in all metrics. For instance, itsrekeying time is less than 1 s on average for all values ofTin and Tout. This shows the performance gain of Queue-batch by dispersing its rekeying workload throughout therekeying interval. Although Rebuild has the worstperformance as compared to other two algorithms, itprovides a simple way to recover the whole key tree (seeSection 2.2).
Experiment 2 (Average analysis of Batch and Queue-
batch under different levels of membership dynamics): Thisexperiment investigates the performance of Batch andQueue-batch with respect to the frequencies of the joinand leave occurrences. We set Tin equal to Tout and changethe pair of Tin and Tout from 30 s to 90 s. The smaller thevalues of Tin and Tout are, the higher the membershipdynamics is. We average the metrics as in Experiment 1.
0.6
0.8
1
1.2
1.4
1.6
1.8
2
30 40 50 60 70 80 90
Ave
rage
rek
eyin
g tim
e (in
sec
)
(in sec)
RebuildBatch
Queue-batch
0.4
0.6
0.8
1
1.2
1.4
30 40 50 60 70 80 90
Ave
rage
rek
eyin
g tim
e (in
sec
)
Tin(in sec)
RebuildBatch
Queue-batch
4
5
6
7
8
9
10
11
12
13
30 40 50 60 70 80 90
Ave
rage
num
ber
of e
xpon
entia
tions
Tin(in sec)
RebuildBatch
Queue-batch
4
5
6
7
8
9
30 40 50 60 70 80 90
Ave
rage
num
ber
of e
xpon
entia
tions
Tin(in sec)
RebuildBatch
Queue-batch
0
20
40
60
80
100
30 40 50 60 70 80 90
Ave
rage
num
ber
of b
road
cast
blin
ded
keys
Tin(in sec)
RebuildBatch
Queue-batch
0
10
20
30
40
50
60
30 40 50 60 70 80 90
Ave
rage
num
ber
of b
road
cast
blin
ded
keys
Tin(in sec)
RebuildBatch
Queue-batch
0
20
40
60
80
100
30 40 50 60 70 80 90
Ave
rage
num
ber
of B
KE
Y p
acke
ts
Tin(in sec)
RebuildBatch
Queue-batch
0
10
20
30
40
50
60
30 40 50 60 70 80 90
Ave
rage
num
ber
of B
KE
Y p
acke
ts
Tin(in sec)
RebuildBatch
Queue-batch
Fig. 9. Experiment 1: Average analysis at different fixed Tout’s. (a) Average rekeying time, Tout = 30 s. (b) Average rekeying time, Tout = 90 s. (c) Averagenumber of exponentiations, Tout = 30 s. (d) Average number of exponentiations, Tout = 90 s. (e) Average number of broadcast blinded keys, Tout = 30 s.(f) Average number of broadcast blinded keys, Tout = 90 s. (g) Average number of BKEY packets, Tout = 30 s. (h) Average number of BKEY packets,Tout = 90 s.
366 P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370
Fig. 10(a)–(d) depicts the results. As stated at the begin-ning of this section, the rekeying time has a higher devia-tion as compared to the other metrics. Nevertheless, forboth Batch and Queue-batch, the results of all metricsshow a decreasing trend when the membership events occurless frequently (i.e., when Tin and Tout are larger).Fig. 10(b)–(d) shows that Queue-batch performs much bet-ter than Batch when the group is highly dynamic (i.e., when
Tin and Tout are small). This conforms to the simulationresults in Lee et al. (2002).
Experiment 3 (Analysis of Queue-batch in each rekeying
operation): In Section 3.6, we mention how our implemen-tation achieves robustness in response to the case where atleast one of the sponsor leaves the group in the middle of arekeying operation. In this experiment, we evaluate howQueue-batch addresses this robustness issue in each rekey-
0.6
0.65
0.7
0.75
0.8
0.85
0.9
0.95
30 40 50 60 70 80 90
Rek
eyin
g tim
e (in
sec
)
(in sec)
BatchQueue-batch
3
3.5
4
4.5
5
5.5
6
6.5
7
30 40 50 60 70 80 90
Ave
rage
num
ber
of e
xpon
entia
tions
Tin = Tout (in sec)
BatchQueue-batch
(a) (b)
10
15
20
25
30
30 40 50 60 70 80 90
Ave
rage
num
ber
of b
road
cast
blin
ded
keys
Tin=Tout (in sec)
BatchQueue-batch
10
15
20
25
30
30 40 50 60 70 80 90
Ave
rage
num
ber
of B
KE
Y p
acke
ts
Tin=Tout (in sec)
BatchQueue-batch
(c) (d)
Fig. 10. Experiment 2: Average analysis at different levels of membership dynamics. (a) Average rekeying time, (b) average number of exponentiations, (c)average number of broadcast blinded keys and (d) average number of BKEY packets.
P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370 367
ing operation. We consider two cases of membershipdynamics where Tin = Tout = 30 s and Tin = Tout = 90 s,corresponding to the high and low membership dynamics,respectively. Here, we focus on the rekeying time of eachoperation, which is averaged over the number of membersparticipating in the rekeying operation.
Fig. 11(a) and (b) illustrates the rekeying times of thefirst 200 rekeying operations. The ‘‘spikes’’ shown in thefigures indicate that the leader restarts the current rekeyingoperation in response to the departures of the previousleader or the sponsors that have not yet broadcast theblinded keys for which they are responsible. Fig. 11(a)shows more spikes than Fig. 11(b), indicating that underhigher membership dynamics (i.e., smaller Tin and Tout),more members leave the group during a rekeying opera-tion, and thus the leader needs to restart rekeying more fre-quently. In general, our implementation can adapt quicklyto the sponsors’ departures during rekeying and complete
0
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
1.8
0 20 40 60 80 100 120 140 160 180 200
Rek
eyin
g tim
e (in
sec
)
Rekeying operation
Fig. 11. Experiment 3: Analysis of Queue-batch in each rekeyin
the whole rekeying operation in no more than 2 s. Thisdemonstrates the robustness of our implementation. Wepoint out that this robustness property is achievable inour implementation regardless of the choice of the inter-val-based algorithms.
6.2. Comparison between a Wired LAN and a Wireless LAN
We envision that the hybrid wired/wireless LAN envi-ronment would be a common platform for most reliablepeer communication applications. Thus, in this subsection,we further evaluate SEAL using both wired and wirelessLAN testbeds. Our objective is to study how a wirelessLAN, which offers less available communication band-width than does a wired LAN, affects the rekeying perfor-mance of SEAL.
Fig. 12 illustrates the wired and wireless LAN testbedsthat are used in our evaluation. In Fig. 12(a), we intercon-
0
0.2
0.4
0.6
0.8
1
1.2
1.4
0 20 40 60 80 100 120 140 160 180 200
Rek
eyin
g tim
e (in
sec
)
Rekeying operation
g operation. (a) Tin = Tout = 30 s and (b) Tin = Tout = 90 s.
Fast EthernetSwitch
Campus-wide wireless LAN
(a) (b)
Gauger
Machine with a Spread daemon
Fig. 12. The wired and wireless LAN testbeds for the evaluation ofrekeying performance.
368 P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370
nect three Pentium 4/1.8 GHz Linux machines with a100 Mbps Fast Ethernet switch and thus form a single wiredLAN. Each machine has a Spread daemon installed and isassociated with five Gaugers. This wired LAN testbedserves as a baseline for performance comparison. InFig. 12(b), we interconnect the same three machines overa campus-wide wireless LAN, which follows the IEEE802.11g standard and has a maximum data rate at 54 Mbps.
Our measurements are based on the same setting as inSection 6.1, i.e., each of the 15 Gaugers iteratively joinsand leaves the same communication group according tothe values of Tin and Tout. Here, we use Queue-batch asthe rekeying algorithm. values of Tin and Tout.
Table 2 presents the metric results for both wired andwireless LAN testbeds when Tin = Tout = 30, 60, and 90 s.Overall, the rekeying time in the wired LAN testbed is about0.40–0.45 s, while that in the wireless LAN testbed is about0.48–0.53 s. As pointed out at the beginning of this section,the measured rekeying time is subject to a high deviation,so we conjecture that the difference between the actual rekey-ing times in both testbeds could be smaller. In fact, for everypair of Tin and Tout, we note that both testbeds have veryclose results in each of the metrics except the rekeying time,with difference no more than 3%. Therefore, the rekeyingperformance is still preserved in the wireless LAN testbeddespite its less available communication bandwidth.
Although the wireless LAN testbed may degrade theperformance of the Spread daemons in maintaining viewsynchrony, we believe that the impact is quite insignificant.Amir et al. (2004a) showed that reliable group communica-tion is scalable to at least 20 Spread daemons with 1000members in a Fast Ethernet network and that messages
Table 2Metric results for both wired and wireless LAN testbeds, with group size = 15
Tin = Tout = 30 s T
Wired Wireless Diff. (%) W
Rekeying time (in seconds) 0.45 0.48 6.7 0No. of exponentiations 4.08 4.07 �0.2 3No. of broadcast blinded keys 7.16 7.13 �0.4 6No. of BKEY packets 6.24 6.24 0.0 5
Note that the percentage difference is computed with respect to the metrics in
can be delivered to all members reliably on the order ofmilliseconds. Since each of our testbeds only involves threeSpread daemons, the overhead incurred by the Spread dae-mons should be minimal.
This experiment aims to provide a preliminary insight onhow the deployment platforms with different communica-tion constraints influence the rekeying performance. Weemphasize that the efficacy of SEAL also depends on a vari-ety of factors, including the computational resources, thesize of a communication group, the membership dynamics,and the choices of cryptographic parameters. Also, connec-tions with very scarce bandwidth (e.g., dialup) can severelyimpair the performance of SEAL and the Spread daemons.We plan to study these factors in our future work.
7. Applications
To demonstrate how SEAL can be used in real-lifeapplications, we use the SEAL API functions to build asecure chat-room application called Chatter. The Chatterapplication encrypts the chat-room messages based onthe group key (see Section 4 for implementation details).Thus, the group communication is kept confidentialagainst group outsiders.
We implemented Chatter in both graphical and textmodes. Its screenshots are illustrated in Fig. 13. The graph-ical mode is built atop the X Window system in Linux. Thetext mode, on the other hand, is built to provide users witha text-based command console without the need of anygraphical-compliant platform. Both interface modes arecompatible and can be used together within the same com-munication group.
In addition to the chat-room applications, SEAL is fea-sible in a number of potential applications:
• Audio/video conferencing systems: Business parties mayhold audio/video conferences with their laptop or desk-top computers. The conferencing systems usually transfermassive streaming data which may contain confidentialbusiness information. They can hence use SEAL to agreeupon a secret group key to encrypt the streaming data.
• File sharing tools: File sharing is prevalent in peer-to-peer networks. Most shared files usually do not involvesensitive information, but some do. Therefore, if a filesharing application intends to distribute a private fileto a group of users, SEAL will help protect the file data.
in = Tout = 60 s Tin = Tout = 90 s
ired Wireless Diff. (%) Wired Wireless Diff. (%)
.43 0.53 23.3 0.40 0.52 30.0
.81 3.83 0.5 3.66 3.73 1.9
.70 6.67 �0.4 6.39 6.56 2.7
.83 5.79 �0.7 5.59 5.76 3.0
the wired LAN testbed.
Fig. 13. Illustration of chatter: (a) graphical mode and (b) text mode.
P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370 369
• Programmable router communication: Software pro-grammable routers (Kohler et al., 2000; Yau et al.,2005 ) provide programmable flexibility over traditionallayer-3 routers. One application is to defend against dis-tributed denial-of-service (DDoS) attacks (Yau et al.,2005). In this case, a communication group is formedamong routers. Any information exchanged within thecommunication group should be inaccessible to theattackers in order for the defense mechanism to succeed.Therefore, SEAL can be used to protect the exchangedinformation.
• Network games in strategy planning: In network games,players may co-operate with each other in deciding thewinning strategies over other competitors. This type ofinteraction involves numerous message exchanges.Thus, the games can use SEAL to encrypt the messagesagainst any cheating attacks, such as eavesdropping andmodification of the transmitted game data.
In short, SEAL implements the interval-based algo-rithms that achieve group key agreement without any cen-
tralized key server, and hence is adequate for any securegroup-oriented applications in decentralized environmentssuch as peer-to-peer networks or mobile ad hoc networks.
8. Related work
To achieve secure group communication, Wallner et al.(1997) and Wong et al. (2000) independently proposed thekey tree approach that associates keys in a hierarchical treeand rekeys in each join or leave event. Li et al. (2001) andYang et al. (2001) later applied the periodic rekeying con-cept in Kronos (Setia et al., 2000) to the key tree setting.All the key-tree-based approaches (Li et al., 2001; Wallneret al., 1997; Wong et al., 2000; Yang et al., 2001) require acentralized key server for key generation.
Burmester and Desmedt (1995), Kim et al. (2001, 2004),Steiner et al. (1998) extend the Diffie–Hellman protocol(Diffie and Hellman, 1976) to group key agreement schemesfor secure communications in a peer-to-peer network. Bur-mester and Desmedt (1995) proposed a computation-effi-cient protocol at the expense of high communicationoverhead. Steiner et al. (1998) developed Cliques, in whichevery member introduces its key component into the resultgenerated by its preceding member and passes the newresult to its following member. Cliques is efficient in rekey-ing for leave or partition events, but imposes a high work-load on the last member in the chain. Kim et al. (2004)proposed TGDH to arrange keys in a tree structure. Everymember holds the keys along its key path and the rekeyingworkload is distributed to all members. The settings ofTGDH are similar to the One-Way Function Tree (OFT)scheme (Sherman and McGrew, 2003) except that TGDHuses Diffie–Hellman instead of one-way functions for thegroup key generation. Kim et al. (2001) also suggested avariant of TGDH called STR which minimizes the commu-nication overhead by trading off the computational com-plexity. All the above schemes are decentralized and henceavoid the single-point-of-failure problem in the centralizedcase, though they involve higher message traffic for distrib-uted communication. Kim et al. (2001, 2004) and Steineret al. (1998) consider rekeying at single join, single leave,merge, or partition events. Our paper considers the moregeneral case with a batch of join and leave events.
Amir et al. (2004b), McDaniel et al. (2001) and Wongand Lam (2000) focus on the implementation issues ofsecure group communication. Antigone protects the groupcommunication data via the specification of security poli-cies. In terms of group key management, Keystone (Wongand Lam, 2000) considers the architectural design of thecentralized group key distribution protocol based on thekey tree setting. It uses UDP over IP and forward errorcorrection (FEC) to provide efficient and reliable deliveryof keys. Another work that is closely related to ours isSecure Spread (Amir et al., 2004b), which implements acentralized group key distribution protocol and a numberof distributed group key agreement protocols includingthe Burmester–Desmedt model (Burmester and Desmedt,
370 P.P.C. Lee et al. / The Journal of Systems and Software 80 (2007) 356–370
1995), Cliques (Steiner et al., 1998), TGDH (Kim et al.,2004), and STR (Kim et al., 2001). The project studiesthe group key management schemes under join, leave,merge, and partition events, and provides a set of functioncalls suitable for secure application development. In ourwork, we implemented a programming library based onthe interval-based approach and built applications withthe library to demonstrate its strengths and effectiveness.
9. Conclusion and future directions
This paper presents SEAL, an API library that imple-ments the group key agreement protocols. The libraryallows a dynamic peer group to undergo secure group com-munication through the establishment of a common secretgroup key without any centralized key server. We describedthe implementation framework for SEAL and addressedseveral design issues for implementing the group key agree-ment protocols. We used a set of API functions exportedfrom SEAL to build two group-oriented applicationstermed Gauger and Chatter. We used Gauger as a perfor-mance testing tool to evaluate the group key agreementalgorithms in a local area network and to demonstratethe robustness of our implementation during a rekeyingoperation. We also used Chatter, a secure chat-room appli-cation, to illustrate how developers can write secure group-oriented applications readily.
Several enhancements can be made to enrich our currentimplementation. First, our current implementation assumesthat multiple groups independently manage their own keytree. If there exist some members associated with more thanone group, then it is possible to bundle multiple key treestogether to facilitate the implementation (Jung et al.,2003). Second, we currently assume that Spread daemonsprovide trusted membership information. It would be inter-esting to incorporate membership authentication into ourfuture implementation. Finally, we seek to expand the scaleof our evaluation and investigate the scalability of ourimplementation.
References
Amir, Y., Danilov, C., Miskin-Amir, M., Schultz, J., Stanton, J., 2004a.The Spread Toolkit: architecture and performance. CNDS-2004-1,Johns Hopkins University.
Amir, Y., Kim, Y., Nita-Rotaru, C., Schultz, J.L., Stanton, J., Tsudik, G.,2004b. Secure group communication using robust contributory keyagreement. IEEE Transactions on Parallel and Distributed Systems 15(5), 468–480.
Ateniese, G., Steiner, M., Tsudik, G., 1998. Authenticated group keyagreement and friends. In: Proceedings of the 5th ACM Conferenceon Computer and Communications Security, November, pp. 17–26.
Burmester, M., Desmedt, Y., 1995, A secure and efficient conference keydistribution system. In: Advances in Cryptology – EUROCRYPT’94950, pp. 275–286.
Diffie, W., Hellman, M., 1976. New directions in cryptography. IEEETransactions on Information Theory IT-22 (6), 644–654.
Fekete, A., Lynch, N., Shvartsman, A., 1997. Specifying and using apartionable group communication service. In: ACM PODC’97,August, pp. 53–62.
ITU-T Recommendation X.509, 1993. Information Technology – OpenSystems Interconnection – The Directory: Authentication Framework,November.
Jung, E., Liu, A.X., Gouda, M.G., 2003. Key Bundles and parcels: securecommunication in many groups. In: Proceedings of the 5th Interna-tional Workshop on Network Group Communication (NGC). LNCS,vol. 2816, pp. 119–130.
Just, M., Vaudenay, S., 1996. Authenticated multi-party key agreement.In: Advances in Cryptology ASIACRYPT ’96LNCS, vol. 1163.Springer-Verlag, pp. 36–49.
Kim, Y., Perrig, A., Tsudik, G., 2001. Communication-efficient group keyagreement. In: Information Systems Security, Proceedings of the 17thInternational Information Security Conference IFIP SEC’01,November.
Kim, Y., Perrig, A., Tsudik, G., 2004. Tree-based group key agreement.ACM Transactions on Information and System Security 7 (1), 60–96.
Kohler, E., Morris, R., Chen, B., Jannotti, J., Frans-Kaashoek, M., 2000.The Click Modular Router. ACM Transactions on Computer Systems18 (3), 263–297.
Lee, P.P.C., Lui, J.C.S., Yau, D.K.Y., 2002. Distributed collaborative keyagreement protocols for dynamic peer groups. In: Proceedings of the10th IEEE International Conference on Network Protocols (ICNP),November, pp. 322–333.
Li, X.S., Yang, Y.R., Gouda, M.G., Lam, S.S., 2001. Batch rekeying forsecure group communications. In: Proceedings of the Tenth Interna-tional World Wide Web Conference (WWW10), Hong Kong, China,May, pp. 525–534.
McDaniel, P., Prakash, A., Irrer, J., Mittal, S., Thuang, T., 2001. Flexiblyconstructing secure groups in Antigone 2.0. In: Proceedings of theDARPA Information Survivability Conference and Exposition II,June, pp. 55–67.
National Institute of Standards and Technology, 1995. The secure hashalgorithm (SHA-1). NIST FIPS PUB 180-1, April, US Department ofCommerce.
Rivest, R., Shamir, A., Adleman, L., 1978. A method for obtaining digitalsignatures and public key cryptosystems. Communications of theACM (February).
Schneier, B., 1996. Applied Cryptography. Wiley.Setia, S., Koussih, S., Jajodia, S., 2000. Kronos: a scalable group re-keying
approach for secure multicast. In: Proceedings of the IEEE Sympo-sium on Security and Privacy, May, pp. 215–228.
Sherman, A.T., McGrew, D.A., 2003. Key establishment in large dynamicgroups using one-way function trees. IEEE Transactions on Softwareand Engineering 29 (5), 444–458.
Steiner, M., Tsudik, G., Waidner, M., 1998. Key agreement in dynamicpeer groups. IEEE Transactions on Parallel and Distributed Systems11 (8), 769–780.
Viega, J., 2002. Network Security with OpenSSL. O’Reilly.Wallner, D.M., Harder, E.J., Agee, R.C., 1997. Key Management for
Multicast: Issues and Architectures. Internet draft: draft-wallner-key-arch-00.txt, Internet Engineering Task Force, July.
Wong, C.K., Lam, S.S., 2000. Keystone: a group key management service.In: Proceedings of the International Conference on Telecommunica-tions. Acapulco, Mexico, May.
Wong, C.K., Gouda, M., Lam, S.S., 2000. secure group communicationsusing key graphs. IEEE/ACM Transactions on Networking 8 (1), 16–30.
Yang, Y.R., Li, X.S., Zhang, X.B., Lam, S.S., 2001. Reliable grouprekeying: a performance analysis. In: Proceedings of the ACMSIGCOMM’01, August.
Yau, D.K.Y., Lui, J.C.S., Liang, F., Yam, Y., 2005. Defending againstdistributed denial-of-service attacks with max–min fair server-centricrouter throttles. IEEE/ACM Transactions on Networking 13 (1).