Table Of ContentAntigone: A Flexible Framework for Secure Group Communication
PatrickMcDaniel AtulPrakash Peter Honeyman
EECSDept. EECSDept. CenterforInformationTechnologyIntegration
UniversityofMichigan UniversityofMichigan UniversityofMichigan
AnnArbor AnnArbor AnnArbor
[email protected] [email protected] [email protected]
May23, 1999
Abstract shared secret, called a session key, to secure application
traffic. Groupmembershipmaychangewithouteffecting
Many emerging applications on the Internet requiring thesecuritycontext. Apotentialsecurityriskisthatpast
group communication have varying security require- membersofthegroupmayhaveaccesstocurrentcontent.
ments. Significant strides have been made in achieving Theadvantageofthisapproachislowcost;rekeyingafter
strongsemanticsandsecurityguaranteeswithingroupen- membershipchangesisnotneeded.
vironments. However, in existing solutions, the scope Conversely, secure group communication systems
of available security policies is often limited. This pa- [Rei94] typically have threat models that require the
perpresentstheAntigoneframework. Antigoneprovides changing of the security context after each membership
a suite of mechanisms from which flexible application change. Thus, protectionfrommembersnotcurrentlyin
security policies may be implemented. Using this ap- the group is achieved at the cost of the context change.
proach,developersmaychoseapolicythatbestaddresses Somesystemssupportstrongerthreatmodelsthanstrictly
theirsecurityandperformancerequirements.Wedescribe requiredbyapplicationsatahighperformancecost.
theAntigone’smechanisms,consistingofasetofmicro- The Antigone framework providesa flexible interface
protocols,andshowhowdifferentsecuritypoliciescanbe for the definition and implementation of a wide range
implemented using those mechanisms. We also present of secure group policies. A central element of the
aperformancestudyillustratingthesecurity/performance Antigone architecture is a set of mechanisms that pro-
tradeoffsthatcanbemadeusingAntigone. videthebasicservicesneededforsecuregroups.Policies
areimplementedbythecompositionandconfigurationof
these mechanisms. Thus, Antigone does not dictate the
1 Introduction availablesecuritypoliciestoanapplication,butprovides
high-levelmechanismsforimplementingthem.
IPmulticast[Dee89]servicesarebecomingmorewidely Tomakethetaskofapplicationdevelopmenteasier,we
available on the Internet. The use of group communi- also provide a facility for rapidly configuring a security
cation based on IP multicast as a fundamental building policyfroma setof standardpoliciesthathavebeenim-
block for a variety of applications such as video confer- plementedusing the Antigonemechanisms. An applica-
encing will increase. Many interesting applications that tionisfreetouse thesestandardpolicies, iftheyaresat-
require group communication, such as video conferenc- isfactoryforitspurpose,orbuilditsownusingthehigh-
ing, collaborative applications, data casting, and virtual levelmechanismsprovidedbyAntigone.
communities, are emerging on the Internet. These ap- Antigone is targeted for those systems that are likely
plications, depending on the perceived risks and perfor- torequireIP-multicastservices. Themajorityofexisting
mance requirements, require different levels of security. multicastbasedsystemsdistributehighbandwidthcontent
In this paper, we presenta system, called Antigone, that toahighlydynamicmembership. A naturalrequirement
providesmechanismsforbuildingarangeofsecuritypoli- of these systems is for efficientgroupand security man-
ciesforgroupcommunication. agement.
Therearetwopredominantpoliciesprovidedbyexist- Weseevideoconferencingasrepresentativeofthetypes
ingapproaches.Securemulticastsystems[HM97,Atk95] ofapplicationsthatmaybenefitfromtheAntigoneframe-
view groups as collections of participants that require a work. However, we do notlimit Antigoneto continuous
1
mediasystems.Afullyfunctionalsecuregroupcommuni- 2 Group Security Policies
cationsystemmaybebuiltontheAntigonemechanisms.
While there are well known techniques for providing Different group communication applications require dif-
securegroups,Antigonehasseveralgoalswhichmakeit ferent security policies, dependingon their threat model
unique. We state the followingas the five primarygoals and performancerequirements. In this section, we point
ofAntigone. out some of key dimensionsalong which group security
policiesvary.Toaddresstherequirementsofawiderange
of applications, Antigoneattempts to providea basic set
1. FlexibleSecurityPolicy-Anapplicationshouldbe
ofhigh-levelmechanismsthatcan be used to implement
able to use a wide range of security policies, with
a range of group security policies. The dimensions that
appropriateperformancetradeoffs.
arediscussedbeloware: sessionrekeyingpolicy,applica-
tion message policy, membership awareness policy, and
2. FlexibleThreatModel-Thesystemshouldsupport
failurepolicy. Thesessionrekeyingpolicydefinesthere-
threatmodelsappropriateforawiderangeofappli-
action of the group to changes in membership in terms
cations.
ofrekeyingsessions. Theapplicationmessagepolicyde-
3. SecurityInfrastructureIndependence-Oursolu- finesthesecurityguaranteeswithwhichapplicationmes-
tionshouldnotbedependentontheavailabilityofa sagesaretransmitted.Themembershippolicydictatesthe
specificsecurityinfrastructure. availabilityofmembershipinformationtomembers. The
failure policy defines the type of failures handled by the
4. Transport Layer Independence - The solution system.Theremainderofthissectiondescribesthenature
should not depend on the availability of any single andimplicationsofthesepolicydecisions.
transportmechanism(suchasIPMulticast[Dee89]). After joining the group, Antigone assumes that all
Ontheotherhand,oursolutionshouldbeabletotake groupmembersaretrusted,i.e.,memberswillnotactively
advantageofIP-multicastswhentheyareavailable. attempt to circumvent the security of the system. Non-
members however may attempt to intercept messages,
5. Performance - The performance overheads of im-
modifymessages,orpreventmessagesfrombeingdeliv-
plementingsecuritypoliciesshouldbekeptlow.
ered.
An early versionof Antigone into has been integrated
2.1 SessionRekeying Policy
intothevic[Net96]videoconferencingsystem. There-
sult of that effort, called the Secure Distributed Virtual Acommonstrategytosupportsecuregroupcommunica-
Conferencing (SDVC) application, was used to securely tionamongtrustedmembersistouseacommonsymmet-
broadcastthe September 1998 Internet 2 Member Meet- ric session key. An important policy issue for a group
ing to several sites across the United States. The broad- communicationapplicationiswhena sessionis rekeyed,
castandotherLANtestsindicatetheviabilityofourap- i.e.,theoldsessionkeyisdiscardedandanewsessionkey
proach. Using high speed cryptographic algorithms we issenttoallthemembers.
wereabletoattaintelevision-likesecurevideoframerates Thereisacloserelationshipbetweensession rekeying
(30frames/second)overaLAN.Detailsoftheimplemen- and groupmembership. Applicationsoften need protec-
tationandourexperiencesdeployingSDVCcanbefound tion from members not in the current view. Therefore,
1
in[MHP98,AAC 99]. changes in group membership require the session to be
+
The remainder of the paper is organized as follows. rekeyed.Ifrekeyingisnotperformedaftereachchangein
Section2describesthedesignspaceofsecuregroupcom- membership,theviewwillnotreflectasecuregroup,but
munication policies. Section 3 outlines existing designs onlyindicatewhichmembersareactivelyparticipatingin
andtechniquesofsecuregroupcommunication.Section4 thesession. Pastmembersmayretainthesessionkeyand
outlines the Antigone’s high-level layered architecture. continuetoreceivecontent. Futuremembersmayrecord
Section 5 presents the mechanisms that can be used to andlaterdecodecurrentandpastcontent. Inapplications
implementa wide rangeofgroupsecuritypolicies. Sec- thatdonotneedprotectionfrompastorfuturemembers,
tion6showsthatawiderangeofsecuritypoliciescanbe rekeyingaftermembershipeventsisunnecessary.
implementedusingthesemechanisms.Section7presents Wedefinetheviewgrouptobethesetofmembersinthe
theavailablemulticasttransportmodesofAntigone.Sec- currentgroupmembershipview.Akeygroupisthesetof
tion8presentspreliminaryperformanceresultsforsome
Agroupviewisthesetofidentitiesassociatedwiththemembersof
of the policies that can be implemented using Antigone. 1
thegroupduringaperiodwherenochangesinmembershipoccur.Ifthe
Section9summarizesourconclusionsandpresentsdirec-
membershipchanges(amemberjoinsorleavesthegroup),thenanew
tionsforfuturework. viewiscreated.Thisisasimilarconcepttoagroupviewin[Bir93].
2
memberswhohaveaccesstothecurrentsessionkey.The use Key Encrypting Keys (KEK) [HM97] to reduce the
keygroupmaybeasubset,asuperset,oroverlaptheview costs of rekeying. In systems that use KEKs, the key
group. group contains all previous and current members of the
We say that a group security policy is said to be sen- group. Thisapproachislimitedinthatanymembermay
sitive to an eventif it changesthe security contextin re- continue to access the group content after leaving. Sys-
sponsetothereceptionoftheevent. Typically,thesecu- temsthatuseKEKscannotforciblyejectmemberswith-
ritycontextischangedbydistributinga newsession key outadditionalinfrastructure.
(rekeying). All rekeying in Antigone is session key independent.
Groupsecuritypolicyisoftensensitivetogroupmem- Session key independence states that knowledge of one
bership events. Group membership events include (1) sessionkeyprovidesnoinformationaboutothers. Dueto
JOINevent,whichistriggeredwhenamemberisallowed this independence,Antigoneprovidesa slightly stronger
to join the group; (2) LEAVE events, which is triggered guarantee than time sensitive groups that use KEKs. A
whenamemberleavesthegroup;(3)PROCESS FAIL- member who has left the group may continue to access
UREevents,whenamemberisassumedtohavefailedin thegroupcontentonlyuntilthenextrekey. Apastmem-
some manner; and (4) MEMBER EJECT events, when a bercannotaccesscurrentorfuturegroupcontentwithout
previouslyadmittedmemberispurgedfromthegroupac- againjoiningasamember.
cordingto some grouppolicy. In addition, sessions may
berekeyedwhenaspecifiedtimeintervalhaspassedsince Leave-SensitiveRekeyingPolicy
thelastsessionrekey. Groups implementing a leave-sensitive policy rekey af-
The sensitivity of a policy directly defines its threat terLEAVE,PROCESS FAILURE,andMEMBER EJECT
model. Forexample,consideragroupmodelthatisonly events.Thus,thekeygroupmaybearbitrarilylargerthan
sensitivetoMEMBER EJECTevents.Becausethesession theviewgroup.
isrekeyedaftermemberejection,thekeygroupwillnever The threat model implied by leave sensitive groups
contain an ejected member. Thus, the application is as- states that any member who has left the group will not
suredthatnoejectedmemberwilleverhaveaccesstofu- have access to currentor future content. For example, a
turecontent.However,thesessioncontentisnotprotected business conferencing system that supports negotiations
fromprocesses thathave left voluntarily,are assumed to betweena company’srepresentativesanda suppliermay
havefailed,orjoininthefuture. benefit from leave-sensitive rekeying. Once the supplier
ThesensitivitymechanismsinAntigonecanbeusedto leaves, aleave-sensitiverekeypolicywouldpreventsub-
builda largenumberofsessionrekeyingpolicies. Inthe sequentdiscussions from beingavailable to the supplier,
followingtext, we define and illustrate four generalpur- evenifthesupplierisabletointerceptallthemessages.
posepoliciesthatarerepresentativeofthepoliciesimple- TheIolus[Mit97]implementsa leave-sensitiverekey-
mentedinexistingsystems. ingpolicy.
Time-sensitiveRekeyingPolicy Join-sensitiveRekeyingPolicy
Groupsimplementingatime-sensitivepolicyperiodically Groups implementing a join-sensitive policy rekey only
rekey,independentofgroupmembershipevents.Periodic after membership JOIN events. The threat model im-
rekeying prevents the session key from “wearing out”. pliedbyjoinsensitivegroupsstatesthatanymemberjoin-
Thegroupattemptstoguardagainstcryptanalysisbyus- ing the groupshould not have access to past content. A
ingasessionkeyonlyforalimitedperiod. join-sensitive rekeying policy, by itself, does not ensure
By periodically rekeying, the group may be protected thatmemberswholeftthegrouporwereejectedfromthe
from an adversary who wishes to block the delivery of grouparenotabletoaccesscurrentsessioncontent. The
new session keys. An adversaryblockingrekeyingmes- assumptionisthatpastmemberscanbetrustedtobenot
sagesmayintendofhavingthegroupcontinuetousethe interestedincurrentcontent.
currentsessionkey.Withatime-sensitiverekeyingpolicy, Inpractice,ajoin-sensitiverekeyingpolicyislikelyto
ifa newkeyisnotsuccessfullyestablishedafterthecur- be used in conjunction with a time-sensitive or a leave-
rentsessionkeyexpires,groupmemberscanchoosetono sensitive rekeying policy so as to limit the duration for
longer communicate rather than use the expired session pastmemberscanaccesscurrentsessioncontent.
key.
Time-sensitive rekeying can be useful in a secure on- Membership-sensitiveRekeyingPolicy
linesubscriptionservice.Payingmemberswouldperiodi- Groups implementing a membership-sensitive policy
callybesentanewkeythatisvaliduntilthenextsubscrip- rekey after every membership event. The threat model
tioninterval. TheGKMP[HM97]protocolimplementsa implied by membership sensitive groups states that any
time-sensitiverekeyingpolicy. group member joining the group will not have access to
Typically,systemsimplementingtime-sensitivegroups past content, and that members who have left the group
3
willnothaveaccesstocurrentorfuturecontent.Thispol- differentguarantees,dependingonthenatureofthemes-
icyisthecombinationofleave-sensitiveandjoin-sensitive sageandtheassumedthreatmodel.
rekeying.
Applications with comprehensive security require-
2.3 Membership Policy
ments will likely need a membership-sensitive rekeying
policy. Providing strong guarantees for message deliv- Identificationofthemembershipwithinagroupsessionis
ery (e.g. atomicity, reliability) often requires tight con- animportantrequirementforalargeclassofapplications.
trols over the message content. Without tight controls, Asevidencedbya numberofgroupcommunicationsys-
the guarantees may be circumvented. The RAMPART tems,achievingstrongguaranteesfortheavailabilityand
[Rei94] system provides a type of membership-sensitive correctnessofgroupmembershipcanbecostly.Inprovid-
service. ing availability, any change in membership requires the
distribution of the new group membership view to each
OtherRekeyingPolicies
member.
Applicationsmayrequireacombinationofabovepolicies
Conversely,membersinanotherclassofsystemsneed
ormayusedifferentpoliciesdependingontheapplication
not be aware of group membership at all. This is the
stateandthespecificattributesofanevent.
modelused in typical multicast applications. In this en-
In the businessconferencingapplication,for example,
vironment, providing other services (such as reliability,
thepolicymaybetorekeyonlywhentheamemberwith
fault-tolerance,etc.) iscommonlylefttotheapplication.
theroleSupplierleaves,butnotwhenamemberwiththe
Amembershippolicyindicatestheavailabilityofgroup
role Representative leaves. Allowing policies that make
membership information. If the policy states that group
distinction between members may allow the application
membership be supported, the group view (membership
tooptimizerekeying.
information)isdistributedtoeachmemberasneeded.
In certain circumstances it may be important for the
Antigoneprovidesmechanismstodistributekeyswith
group to be more sensitive at certain times, but less at
andwithoutmembershipinformation,primarilyto allow
others. Groups may wish sensitivity to be a function of
higher-performance applications when members do not
group size or resource availability. In this way, a group
needmembershipinformation.
could provide as strong a security model as can be sup-
Currently, Antigone doesnot attemptto guarantee the
portedbythenetworkandhostinfrastructure.
confidentiality of group membership. In general, hiding
Time-sensitive rekeying can be useful in combination
the groupmembershipfrom membersand non-members
withanyoftheotherschemes.Time-sensitiverekeyingin
isdifficultto do in currentnetworkswithoutintroducing
combinationwithmembership-sensitiverekeying,forex-
noisenetworktraffic.Thisisprimarilybecausetheability
ample,helpsensurethatanadversarycannotpreventses-
tointerceptmessagesonthenetworkallowsaccesstothe
sionrekeyingindefinitelywithoutdetectionafteramem-
sourceanddestinationofpackets(incaseofunicasts)and
bershipchangeevent.
atthemulticasttree(incaseofIPmulticasts).Inmounting
this traffic analysis attack), an adversary may deduce a
closeapproximationofgroupmembership.
2.2 ApplicationMessagePolicy
Anapplicationmessagepolicystatesthetypesofsecurity
2.4 Process FailurePolicy
guaranteesrequiredforapplicationmessages. Forexam-
ple,anapplicationwishingtoensurenopartyexternalto Aprocessfailurepolicystatesthesetoffailurestobede-
the groupbe able to access contentwilldefine confiden- tectedandthe security to beappliedto the failuredetec-
tialityaspartofitspolicy. tion mechanism. The defining characteristic of a failure
The most common types of message security guaran- detection mechanism is the definition of its fault model.
teesare: integrity,confidentiality,groupauthenticity,and The fault model defines the types of behavior exhibited
sender authenticity. Confidentiality guarantees that no byafaultyprocessthatthemechanismwilldetect. Typi-
memberoutsidethegroupmaygainaccesstothesession calcrashmodelsincludefail-stop,messageomissions,or
traffic. Integrity guarantees that any modification of an timingerrors[Mul93].Inthestrongest(Byzantinefailure)
applicationmessageisdetectablebyreceivers. Asession model,afaultyprocessmayexhibitanybehaviorwhatso-
keyistypicallyusedtoobtaintheseguarantees.However, ever.
some guarantees (such as sender authenticity) are diffi- Aprocessfailurepolicymayalsostatetheneedforse-
cult to obtain without additional security infrastructure. cure failure detection. In securing the failure detection,
Antigonesupportsthesefourmessageguarantees. thegroupmaybeprotectedfromthemaskingofprocess
Notethatasinglepolicyneednotapplytoeverymes- failures by an adversary. However, protecting the group
sage.Inmostapplications,differentmessageswillrequire fromanadversarywhoattemptstogeneratefalsefailures
4
maybemoredifficult.Failuresmaybeforcedbyblocking of processesto reach agreementon the course of action.
allcommunicationbetweenthegroupparticipants.Thisis Amembership-sensitivegroupisbuiltona securegroup
a denial of service attack which is difficult to address in membershipprotocol.Thesecuritycontextisnotchanged
software. throughsharedsessionkeys,butthesecuredistributionof
Antigonesupportsdetectionoffail-stopfaultsofgroup new group views. Messages have sender-authentication
members. Topreventproblemsduetotimingerrors,syn- andintegrity.
chronizedclocksortimestampsarenotusedinAntigone Alimitationofmanysecuregroupcommunicationsys-
protocols. However,somemechanismsforfailuredetec- tems is that they do not scale to larger networks. In
tion and time-sensitive rekeying in Antigone do rely on [Mit97], Mittra defines the 1 effects n failure, where a
timeoutsatindividualprocesses. A processwhoseclock singlemembershipchangeeventeffectstheentiregroup.
progressesatincorrectratemaytakelongertodetectfail- TheIolussystem[Mit97],attemptstoaddressesthislimi-
ures of other processes(if its clock progressestoo slow) tationbyintroducinglocallymaintainedsubgroups.Each
or may mistakenly assume their is a failure (if its clock subgroupmaintainsitsownsessionkey,whichisreplaced
progressestoofastandthustimeoutsbeforeanevent). afteramembershipchangeeventinthesubgroup. There-
fore,theeffectofamembershipchangeislocalizedtothe
subgroup. Iolusprovidesaleave-sensitivegroup,andall
3 Related Work
applicationmessagesareencryptedwiththegroupsession
key.NomembershipinformationisdistributedinIolus.
Inthissection,wereviewseveralofthekeyconceptsand
The Group Key Management Protocol (GKMP)
knowntechniquesinthedesignofframeworksforgroup
[HM97] attempts to minimize the costs associated with
communication.Twofieldsapplicabletoourinvestigation
sessionkeydistributionbylooseningtherequirementthat
are secure group communication and design approaches
each session key be independent of others. After being
forconfigurableprotocols. Wepresentsomeofthemajor
acceptedintothegroup,newlyjoinedmembersreceivea
findingsineachoftheseareas.
KeyEncryptingKey (KEK)underwhicha futuresession
Muchoftheexistingtechnologyonwhichgroupcom-
key will be delivered. A limitation of this group is that
munication is based was originally implemented in the
misbehaving members can only be ejected by the estab-
ISIS[Bir93] andlater HORUS[RBM96] groupcommu-
lishmentofanewgroup. GKMPreducesthecostsofau-
nication systems. Using these frameworks, developers
thenticationbyintroducingapeer-to-peerreviewprocess
canexperimentwith a numberof protocolfeatures. One
inwhichpotentialmembersareauthenticatedbydifferent
importantfeature of the HORUS system is the introduc-
membersofthegroup.Thejoiningmember’sauthenticity
tionofacomprehensivesecurityarchitecture.Anelement
isassertedbyexistingmembers. GKMPprovidesatime-
ofthisarchitectureisahighlyfault-tolerantkeydistribu-
sensitivegroupbyrekeyingat the endof a session key’s
tion scheme. Process group semantics are used to facil-
lifetime. Notethatthisisakeymanagementprotocol,and
itate secure communication. The session key distributed
assuchdoesnotmandatehowthesessionkeyisused. No
to members in HORUS is maintained for the entire ses-
membershipinformationisprovidedtomembers.
sion,thusprovidingnosensitivitytomembershipchange
events. However, the vulnerability to attacks from past TheIPSec [Atk95] standardsattemptto achieveInter-
orfuturemembersislimited. Applicationmessageshave net security by introducing security mechanisms at the
senderauthenticityandmaybeconfidential. network layer. The Scalable Multicast Key Distribution
Virtual networks provide developers with an abstrac- (SMKD) [Bal96] standard extends this infrastructure to
tionforbuildingapplicationsdesignedfor(logically)lo- the multicast environment. Intended as an extension to
calnetworktraffic,butexecutedacrossacrossphysically Core Based multicast routing [BFC93], SMKD uses the
larger networks. The Enclaves system [Gon96] extends router fabric to distribute session keys. As the multicast
thismodeltosecuregroupcommunication.Enclavespro- tree is constructed, leaf routers obtain the ability to au-
videsaleave-sensitivegroup,distributinganewgroupkey thenticate and deliver session keys to joining members.
aftereachmemberleave.Also,itisimpliedthatthegroup Thus, the cost of authentication and session key deliv-
keyshouldbechangedperiodically(time-sensitive). En- erycan bedistributedamongthe leafrouters. Similar to
clavessupportsmembershipinformationbutisnotdepen- GKMP,SMKDsessionkeysareprovidesatime-sensitive
dent on it. Messages have confidentiality and through groupwhichisrekeyedattheendofasessionkey’slife-
point-to-pointcommunication,senderauthenticity. time.
The RAMPART system [Rei94] providessecure com- With respect to security, the policies implemented by
munication in the presence of actively malicious pro- thesesystemsareessentiallyfixed. Applicationsmustse-
cesses and Byzantine failures. The system uses secure lecta solutionthatprovidesa policythatbestfits a min-
channelsbetweentwomembersoftheprotocoltoprovide imalsetofrequirements. However,theacceptedsolution
authenticity. Protocols depend greatly on the consensus may provide unnecessary functionality at an increased
5
cost. AntigonemechanismsinSection6.
An interesting development in configurable software
is the introduction of the micro-protocol [HS98] design 5 Mechanisms
methodology. In using micro-protocols, a system de-
signer may decompose the facilities provided by proto-
We chose a composite protocolapproach[HS98] for the
cols into their atomic components. Composite protocols
designofAntigonemechanisms. Incompositeprotocols,
are constructed from a collection of the smaller micro-
featuresarepartitionedintomodulesconsistingofshared
protocols.Differingfacilitiesandguaranteesmaybepro-
state, messages, events, and micro-protocols. This ap-
vided through the composition of the micro-protocols.
proach has several desirable properties that make it ap-
In [HS98], the authors define and demonstrate a suite
plicationtoAntigone. Firstly,themodulardesignallows
of micro-protocols for maintaining group membership
for the integration of future enhancementswith minimal
within a distributed application. Group membership is
effecton othermodules. Second, the micro-protocolap-
definedasa numberofinter-relatedpropertiesproviding
proachallows state sharing between modules. We avoid
varyingsemantics and guarantees. Developersusing the
the costs typically associated with state sharing between
framework specify the facilities that are appropriate for
protocols(messageheaders).
the current application context. Thus, the selection of a
Antigone provides mechanisms for providing the fol-
set of facilities provides a definition of the group mem-
lowing functions; authentication, member join, session
bership semantics, and indirectly the composite protocol
keyandgroupmembershipdistribution,applicationmes-
tobeusedbytheapplication.
saging, failure detection, and member leave. The
Antigonemicro-protocolvariantsassociatedwiththeeach
mechanism are defined in Fig. 2. Before describing the
4 Architecture
micro-protocols, we explain the principals in the proto-
colsandthenotationused.
DescribedinFig.1,theAntigonearchitectureconsistsof
three software layers; the broadcast transport layer, the Fig. 3 shows the principals in an Antigone logical
mechanismlayer,andthepredefinedpolicylayer. group. A distinct member of the group whose identity
Thoughnottypicallyassociatedwithsecurecommuni- is known in advance to all members, called the session
cation services, the broadcast transport component pro- leader (SL), is the arbiter of group operations such as
videsanabstractionforunreliablegroupcommunication. group joins, leaves, etc. We chose an arbitrated group
Arealityoftoday’sInternetisthattherearevaryinglevels because of its low cost and its applicability to many ap-
ofsupportformulticastservices. Althoughsignificantef- plications. For example, in a secure pay-per-view video
forthasbeenexpendedonthedevelopmentofWANmul- broadcastapplication, the cable companywould provide
ticasting, no single solution has been found to meet the a session leader that enforces the desired access control
requirementsofallusers. Developersspecifythelevelof andkeydistributionpolicy.
multicast support of the target environment at run time. A Trusted Third Party (TTP) providesthe mechanism
WedescribethebroadcasttransportlayerinSection7. forthesessionleadertoauthenticatejoininggroupmem-
The mechanism layer provides a set of mechanisms bers. Eachpotentialmember,A,ofagroup(includingthe
usedtoimplementapplicationpolicies. Themechanisms sessionleader)hasasharedsecret registeredwiththe
represent the basic features required for a secure group. trustedthirdparty(TTP).ThissecrKetAkeyisgeneratedand
Policiesareflexiblydefinedandimplementedthroughthe registeredwith theTTP beforethe party attemptsto join
selectionandinteractionofmechanisms.Associatedwith any session. We assume an out of band method for reg-
each mechanism is a micro-protocol[HS98]. The group isteringthese keysand forinformingeveryoneaboutthe
protocol, called a composite protocol, is defined by the identityofthesessionleader.
compositionofthemechanismmicro-protocols.Weiden- Inourprotocoldescriptions,weusethetermSLtorefer
tifyanddescribethedesignoftheAntigonemechanisms totheidentityofthesessionleader, torefertoacurrent
inSection5. orpotentialmemberofthesession,aAndTTPtorefertothe
The predefined policy layer provides a suite of gen- trusted third party. refers to message X encrypted
eral purpose policies. These policies represent those underthekeyk.ThefvXiegwkidentifier,g,isusedtouniquely
commonlyprovidedbysecuregroupcommunicationsys- tag the changingviews of group membership. The term
tems. Clearly, there are many other policies than avail- referstoasessionkeyinview ,and forthe
able in this layer. Where required, an application may (SnKexgt)view . ThetermI,possgiblywiSthKag+su1bscript,
extendorreplacethesepoliciesbydirectlyaccessingthe referstoangon+ce1value. Keydistributionprotocolsbased
broadcasttransportandmechanismslayers. We describe onLeighton-Micalidefineaterm ,calledapairkey,
how the predefinedpolices are implementedthroughthe used to support secret communic(cid:25)atAio;Bn between collabo-
6
Application
Application Membership Process Failure
Rekeying Policy
Message Policy Policy Policy
Predefined Policies
Rekey/Group Application
Authenticate Join Failure Detection Leave
Membership Message
Mechanisms
Point-to-point Asymmetric Multicast Symmetric Multicast
Broadcast Transport
Multicast/TCP
IP
Figure 1: The architectureof Antigoneconsists of three layers; the broadcasttransportlayer, the mechanism layer,
and the predefined policy layer. The broadcasttransport componentprovidesa single broadcastabstraction for en-
vironmentswith differinglevelsof supportfor multicast. Themechanismlayer providesa set of primitivesused to
implement application policies. The predefined policies layer provides a suite of general purpose policies. Where
required,applicationsmaydefineotherpoliciesbyaccessingthemechanismandbroadcasttransportlayerdirectly.
rating members A and B. Derived from the pair key, the tionprocess. Thepublickeyisusedtoreducethecostof
sessionleaderandapotentialmemberAmaintainashared sendingsecureheartbeatsfromthesessionleader.
secretkey . A MD5 hash[Riv92] for the text is Wheresenderauthenticityisconfigured,weassumethe
describedb(cid:27)ySL;A . x existence of a certificate distribution service [HFPS98].
TheformatHof(xth)eidentity,nonce,key,andviewidenti- Thecertificateservicewouldprovideaccesstocertificates
fiervaluesusedinourcurrentprotocolimplementationis foreachgroupmember( ). Notethatnocertificatedis-
as follows. Each identity is a unique16 byte null termi- tributionserviceisrequirCedAinourprotocoltogenerateor
natedASCIIstringofalphanumericcharacters. Apoten- distributethe( , )asymmetrickeypair.
tialmemberisassignedthisvaluewhenregisteringalong We use DESP[uPGubP77r]Gfor all encryptionin the current
term key with the TTP. Nonce values are unique 64 bit implementation. Its inherentstrength is evidentfrom its
values. To ensurenoncesarenotreused, somesourceof 20-yearhistory,yetits56-bitkeylengthhaslongbeenthe
monotonicvalues,suchasthesystemclock,maybeused. subjectofdebate. Relatedalgorithmssuchastriple-DES
Key format is algorithm dependent. The DES standard [Ass85]orDESX[KR96]offerthestrengthofDESwith
usesaneightbytekey(includingeightparitybits). Inthe considerably longer keys. Our protocols are not tied to
future, as other ciphers are integrated into Antigone, we any specific propertyof DES, and may be replacedwith
willneedtosupportotherformats. Theviewidentifier othercryptographicalgorithmsasnecessary.
consistsofatwoparts. Thefirstpartisaneightbytenulgl Weassumethatallprocessesthathaveachievedmem-
terminatednamestringthatidentifiesthegroup,usedonly bership, and thus have been authenticated, adhere to the
fordisplayinganddebuggingpurposes. Thesecondisan systemspecification. Weassumenomemberwillingfully
eight bit nonce value. Each time a new view is created disclosesitslongtermorsessionkeys. Allmemberstrust
( ), a new nonce in generated and appended to the theTTPnottodisclosetheirlongtermkey,andtogener-
ggro+up1namestringtocreatethenewviewidentifier. atepairkeysaccordingtothespecification.
A is distributed by the session leader Thefollowingtextdescribeseachofthemicro-protocol
toeac[hpoglriocyupbmloecmk]berduringtheauthenticationprocess. modules in Fig. 2. All cited message numbers refer to
Definedbytheapplication,thepolicyblockisanarbitrary Fig.2.
bytestring statingthe grouppolicy. We describethe use AuthenticationMechanism - The authentication mech-
ofthisdatabythepredefinedpolicieslayerinSection6. anism providesfacilities for the authentication of poten-
Thesessionleadercreatesaasymmetrickeypair( , tial group members. The purpose of this mechanism is
) duringgroupinitialization. Thepublic key(PuG) twofold. First,thesessionleaderauthenticatesthepoten-
iPsrdGelivered to potential members during the authePntuicGa- tial groupmember. Second, a shared secret between the
7
Authenticate
1. (authenticationrequest)
2. A!SL:A;I0 (pairkeyrequest)
3. SL!TTP :SL;A;I1 (pairkeyresponse)
4. TTP !SL:f[(cid:25)SL;A =fAgKSL(cid:8)fSLgKA];I1gKSL (autneticationresponse)
SL!A:SL;A;fg;A;I0;I2;[policyblock];PuGg(cid:27)SL;A
Join
5. (joinrequest)
A!SL:A;fA;I2g(cid:27)SL;A
Rekey/GroupMembership
6a. (keydistribution)
6b. SL!A:g;SSL;(A;fg;SKgg(cid:27)SL;A)fH(g;SSL;(A;fg;SKgg(cid:27)SL;A))gSKg
SL!A:g;SSL;(A;fg;SKgg(cid:27)SL;A);B;C;D;:::;fH(g;SSL;(A;f(gk;eSy/Kgrgogu(cid:27)pSLm;Aem);bBe;rsCh;ipDd;i:s:tr:)ibguStKiogn)
6c.
SL!group:g;SSL;(A;fg+1;SKg+1g(cid:27)SL;A);(B;fg+1;SKg+1g(cid:27)SL;B);:::; (sessionrekey)
fH(g;SSL;(A;fg+1;SKg+1g(cid:27)SL;A);:::)gSKg+1
ApplicationMessaging
7a. (withintegrity)
7b. A!group:g;A;[message];fH(g;A;message)gSKg (withconfidentiality)
7c. A!group:g;fA;[message]gSKg (withintegrityandconfidentiality)
7d. A!group:g;fA;[message];H(g;A;message)gSKg (withsenderauthenticity)
A!group:g;A;[message];H(g;A;message)CA
FailureDetection
8. (memberheartbeat)
9. A!SL:g;SA;H(g;SA)(cid:27)SL;A (sessionleaderheartbeat)
10. SL!group:g;SSL;H(g;SSL)PrG (keyretransmitmessage)
A!SL:g;A
Leave
11. (leaverequest)
A!SL:A;fg;A;fg;BgSKgg(cid:27)SL;A
Figure 2: Antigone Micro-Protocol Description - micro-protocols for the various operating modes. A composite
protocolisconstructedfromtheselectionofasubsetofthesemodes.Insomeconfigurations,someoftheseprotocols
maybeomittedentirely.
two parties is negotiated. The shared secret, called the sages2and3). Derivedfromtwoidentitiesandtheiras-
shared secret key, is later used as to implementa secure sociatedlongtermkeys, the pairkeyis usedto establish
channelbetweenthetwoparties. an ephemeral secure channel between the processes. To
We chose the Leighton-Micali key distribution algo- preventreplay attacks, the session leaderverifies the en-
rithm [LM94] to authenticate the joining process and cryptednoncevalue includedintheTTP’sresponse.
negotiate the shared secret. The main advantage of The session leaderI1computesthe shared secretkey for
Leighton-Micali is low cost; it uses symmetric key en- communicatingwithAasfollows.Thesessionleadergen-
cryptionthroughout,with none of the modularexponen- eratesthevalue . ThisvalueisXOR-edwiththe
tiation operations associated with public key cryptosys- pairkey refcAegivKeSdLfromtheTTP.Theresultingvalue
tems.Publickeycryptographyrequiressignificantlymore isashare(cid:25)dSLse;Acretkey( )thatisusedto
computation than symmetric algorithms. The de-facto createasecurechannelfbSetLwgeKenAt=he(cid:27)seSsLs;iAonleaderandthe
standard for public-key cryptography, RSA, can be up prospectivememberA.
to 100 times slower in software and 1000 times slower NotethatAneednotcommunicatewiththeTTPtoob-
inhardwarethanDES,thepredominantsymmetricalgo- tain the shared secret key ; she can
rithm[Sch96]. computeit directly. A decryfpStLsgthKeAse=ssio(cid:27)nSLke;Aywith this
Aprospectivememberinitiatestheauthenticationpro- valueandvalidateshernonce.
cessbysendingamessagetothesessionleadercontaining Afterobtainingthesharedsecretkey,thesessionleader
her identity anda noncevalue (message 1). The session respondswith an authenticationresponse message (mes-
leaderthenobtainsthepairkey fromtheTTP(mes- sage4).Theresponsecontainstheidentitiesofthesession
(cid:25)A;B
8
leader and the potential group member, and a block en-
Session Trusted
cryptedwiththesharedsecretkey . Theencrypted
Leader Third Party
blockcontainstheview( )andgrou(cid:27)pSLm;Aember( )identi-
fiers,thegroupmemberngonce( ),asessionleaAdernonce
( ), policy block ( I0), and the group public
kIe2y( ). Uponre[pceoilviicnygbtlhoicskm]essage,thereceiverde-
Member LAN/WAN Member
cryptPstuhGecontentsandverifiesthenonce . 1 n
I0
JoinMechanism-Thejoinmechanismprovidesamem-
ber with facilities for gaining access to the group. The ...
mechanismalsoprovidesmeasurestoensurethereliabil- Member2
ityofthejoin. Member3
The potential group member ( ) joins the group by
transmittingmessage5tothesessiAonleader.
Figure3: AnAntigonegroupconsistsofanarbitercalled
Upon reception of message 5, the session leader val-
thesessionleader,aserviceprovidingmemberauthentic-
idates the nonce value ( ) passed to the joining mem-
itycalledthetrustedthirdparty,andthegroupmembers.
berduringtheauthenticaIti2onprocess. Ifthenonceisnot
Noassumptionsaremadeaboutthenetworktopologyor
valid, the join request is ignored, and the group contin-
connectivity.
ues. If the nonce is valid, the new member is accepted
into the group. The reaction of the session leader to the
joinrequestis dependentonthe configuredgroupmodel receiver correctly (matches the identifier in the message
(seebelow). header),thememberisassuredthattheblockwascreated
Notethatthejoinmessageisunforgeableandfresh. A bythesessionleader.
session leaderknowsthata correctjoinmessage is fresh Message6acontainsasessionkeyblockforonemem-
andwasgeneratedbythememberbecauseofthepresence ber,andno groupmembershipinformation. Message 6b
ofthe( )noncevalueencryptedunderthesharedsecret containsasessionkeyblockforonememberandenumer-
key. I2 atesthecurrentgroupmembership( ).Inmes-
Mutualauthenticationisachievedthroughtheverifica- sage6c,asessionkeyblockisgenerBat;eCd;foDr;e:a:c:hmember
tionofthesecretsAandSLsharewiththeTTP. Thepo- in the group. Group membership in message 6c is ex-
tentialmembermustbeinpossessionofthesecretshared tractedfromthesessionkeyblocks.
withtheTTPtoobtainthesessionleadernonce( )used Rekeyingisperformedbythetransmissionofmessage
injoiningthegroupinmessage5.ThesessionleadIe2rmust 6c.RekeyinginAntigoneissimilartokeydistributionaf-
beinpossessionofthesecretsharedwiththeTTP tode- ter a LEAVE operationin the Iolussystem [Mit97]. The
terminethesecretkeysharedwithA.Aisconvincedthat session leader caches the shared secret keys, so creating
message 4 is fresh by validating the nonce value sent this message is fast: encryption of 24 bytes (8 bytes of
intheoriginalrequest. I0 new session key plus 16 bytes of new group identifier)
Rekey / Group Membership Mechanism - The permember. Usingthecached,sharedsecretkey,there-
Rekey/Group Membership mechanism provides for the ceiversofthismessageextractthesession keyoutofthe
distribution of group membership and session keys. We session key block and begin using it immediately. The
notethedistinctionbetweensessionrekeyingandsession size of this message growslinearly with group size, and
key distribution. In session rekeying, all existing group is potentially large. In systems that provide session key
members must receive a newly created session key. In independence, keying material needs to be sent to each
session key distribution, the session leader transmits an memberindividually. Therefore,thesize ofthe message
existingsessionkey. is large by its nature, not as a side effect of our design.
The rekey and session key and distribution messages Schemes that distribute a key to each member individ-
(6a,6b,and6c)allcontainagroupidentifier( ),thelatest ually will transmit the same amount of data over many
sessionleadersequencenumber( ),andaMg ACcalcu- moremessages.
latedovertheentiremessage SSL. Thegroupidentifier A potential problem occurs during the transition of
andsequencenumberidentifHyt(h:e::c)urrentgroupcontext. group views. During the rekeying process, application
TheMACensuresintegrityofthemessage. datasuchascontinuousmediamaycontinuetobebroad-
Session keys are distributed via session key blocks cast using a previous session key. Because of delays in
( ). Theintendedmemberofeachblock the delivery of the session key, a process may receive a
isAi;dfegn;tiSfiKedggb(cid:27)yStLh;Aegroupmemberidentifier( ). There- messageencryptedwithasessionkeythatitdoesnotyet
mainderoftheblockisencryptedusingtheshAaredsecret or will never possess. An application may address this
key ( ). If the group identifier is decrypted by the issue by buffering, double encryption, droppingpackets,
(cid:27)SL;A
9
or other approaches. We present a detailed discussion
Policy JOIN LEAVE FAILURE EJECT
the positive and negative aspects of several of these ap- TimeSensitive N N N N
proachesin[MHP98]. LeaveSensitive N Y Y Y
Application Messaging Mechanism - The application JoinSensitive Y N N Y
messaging mechanism provides for the transmission of MembershipSensitive Y Y Y Y
the application level traffic. Each application level mes-
sage is secured using cryptographic keys distributed by Table1: Thepredefinedrekeyingpoliciesmaybedefined
the rekey/groupmembership mechanism, or through the bytheirsensitivityto membershipevents. Notethatjoin
useofexternalpublickeycertificates. sensitive groups are MEMBER EJECT sensitive to allow
Theformatofapplicationmessagesisdependentonthe formemberejection.
type of messaging policy. We achieve message integrity
through Message Authentication Codes (MAC) [Sch96], that they have the most currentgroupstate. The session
and confidentiality by encrypting under the session key. leader’s sequence number ensures the heartbeat is fresh.
Message7ashowstheformatofamessagewithintegrity Thepresenceofthegroupidentifierallowsagroupmem-
only,messageshows7bconfidentialityonly,and7cshows bertobecertainthattheyareusingthemostrecentsession
amessagewithbothintegrityandconfidentiality. key.Theheartbeatsareencryptedtoensurethatanadver-
A MAC is generated by encrypting the an MD5 hash sarycannotfakeheartbeats.Withouttheseprotections,an
[Riv92]ofmessagedataunderthesessionkey.Areceiver adversarymaybeabletopreventdeliveryofnewsession
confirmstheMACbydecryptingandverifyingtheMD5 keysandtrickmembersintocontinuingtotransmitunder
hash value. If the hash is correct, the receiveris assured anoldsessionkeyindefinitely.
thatmessagehasnotbeenmodifiedbysomeentityexter- A member who fails to receive current session key or
naltothegroup. membershipinformationcanattempttorecoverbysend-
Senderauthenticity(message7d)isachievedbydigital ing a key retransmitmessage (message 10). The key re-
signature [DH76]. The signature is generated using the transmit message indicates to the session leader that the
privatekeyexponentassociated with the sender’scertifi- member wishes to get the most recent group state. The
cate. Receivers obtain the sender’s certificate and verify session leaderwillsendthe mostkey/groupmembership
the signature using the associated public key. Note that distribution(message6a,6b,or6c)inresponsetothekey
a byproduct of the use of digital signatures is message retransmitmessage. Inthiscase,theprocesswillbeable
integrity. Our current implementation does not support torecoverbyinstallingthemostrecentsessionkeyand/or
senderauthenticity. groupmembership.
Failure Detection Mechanism - An application’sthreat The Antigone infrastructure’s goal at this level only
modelmayrequirethesystemtotolerateattacksinwhich provides mechanisms for reliable detection of session
anadversarypreventsdeliveryofrekeyingmessagesfrom leader’sfailureandnotrecoveryfromitsfailure. Mecha-
the session leader to the entire group or to a subset of nismsfordetectionoffailurescan, if desired, beusedto
members. In such a case, some members will continue implementrecoveryalgorithmsusing primary backupor
touseanoldsessionkey,asecurityriskiftheoldkeyis replicatedapproachesathigherlevels.
compromised. Leave Mechanism - This mechanism provides an inter-
Also, foraccurate membershipinformation,it may be face for group members to gracefully exit the group. A
necessary for the session leader to be able to detect fail- membersendsmessage11toindicatethatitisexitingthe
stopfailuresofmembers. group.
InAntigone,weprovidesecureheartbeatmessagesas Theleavemechanismhasasecondarypurpose. Using
the mechanism to detect failed processes. The session themicro-protocoldefinedinFig.2,agroupmembermay
leaderdetectsfailedprocessesthroughmemberheartbeats requesttheejectionofothermembersfromthegroup.To
(message 8). When some number of member heartbeat request an ejection, the requester places the identity of
messagesarenotreceivedbythesessionleader,themem- thememberin the block(as ). Thesession
berisassumedfailedandexpelledfromthegroup. leaderreceivingamfegs;sBaggeSKwgiththisformBatwillejectthe
Groupmembersconfirmthatthe session leaderis still memberinaccordancewithsomelocalpolicy.
operating by receiving session leader’s secure heartbeat
messages (message 9). When some number (the value
6 Policy Implementation
of which is a policy issue for higher layers) of session
leader heartbeat messages are not received, the member
Inthissection,weshowhowflexibleapplicationpolicies
canassumethatthesessionleaderhasfailed.
maybeimplementedthroughtheAntigonemechanisms.
Heartbeat messages serve a dual purpose. In addition
tofailuredetection,membersusetheheartbeatstoensure MembershipAwarenessPolicy
10
Description:the Antigone's mechanisms, consisting of a set of micro- protocols, and show The Antigone framework provides a flexible interface for the definition
