Information Technology Reference
In-Depth Information
such a tree. Every user key is only known by its owner and the Key Server. A
Data Encryption Key (DEK), namely group key , is placed at the root node: it
encrypts the actual broadcast information, while intermediate tree nodes keep
Key Encryption Keys (KEKs), used in the re-key process. A user knows only
the keys in her key path , i.e., the keys in the path from its leave to the root.
The arrival or departure of a member implies that the group key, the member's
keypath and those nodes that are siblings to the keypath must be refreshed. For
balanced trees, the number of required multicast messages for a single join oper-
ation is 2 h
1 while the new member must receive h +1keys.A leaverequires
2 h keys updated. Appropriate tree configurations for optimal bandwidth usage
are discussed in [8] and [9]. Subsequent efforts seek to reduce the number of
messages sent by LKH. A widely adopted approach is to use one-way functions
or combinations of one-way functions with pseudo-random number generators
(PRNGs). LKH+ [10], LKH++ [11] and the recent SKD [12] use this approach in
a temporary manner: new keys are derived from old ones by means of a one-way
function, independently of their position within the tree. LKH++ and SKD ap-
proximately halve LKH's bandwidth usage in join operations. Additionally, SKD
claims a large reduction of the computation effort required at the Key Server.
One-way Function Trees (OFT) [13], One-way Function Chain Trees (OFCT)
[14] and ELK [15] use the one-way function approach in a spatial manner: ev-
ery key in the tree is derived from its children, therefore the tree is built in
a bottom-up fashion, starting at user keys (which are randomly picked by the
Key Server). These schemes assume one-way functions to be perfect, but Horng
proposed a collusion attack against OFT in [16] which was taken into account
by Ku and Chen in order to develop an improved collusion resistant version of
that protocol [17]. ELK addresses bandwidth reduction and reliability simulta-
neously: a communication-computation tradeoff is introduced, and some degree
of tolerance against message losses is achieved. Members need no aid from the
Key Server to derive their key path and, with the use of batch and scheduled
re-keys, no multicast messages are required in joins.
The Flat Table (FT) approach [18] (contemporary to LKH) also uses a hi-
erarchical key tree arrangement though there are subtle differences which allow
storage-communication-optimality [19]. However, vulnerabilities against collusion
attacks were soon discovered [20]. The recent EGK scheme [20] retakes the Flat
Table idea and smartly solves the collusion problem. Its authors claim to obtain
storage-communication-optimality and constant small message sizes. The Clus-
tering approach [21] groups members within clusters of fixed size (say c ). Every
cluster is placed at a tree leave and assigned a KEK. The storage overhead at
the Key Server is reduced, but leaves require one by one key encryptions within
the affected cluster.
SecureLock [22], and the scheme proposed in [23] may be also included in the
general-purpose category although their approach is mainly focused on using the
computational capabilities of the Key Server rather than arranging members in
a given structure. The scheme in [23] is stateless but needs large re-key messages
which prevent it from being used in very large networks. The SecureLock is also
 
Search WWH ::




Custom Search