Key-update distribution in secure group communication

We focus on the problem of distributing key updates in secure dynamic group communication. In secure groups, to reflect changing group membership, the group controller needs to change and distribute new keys to ensure confidentiality of the group communication. However, in the current key management algorithms, which include the well-known logical key hierarchical algorithms, the group controller broadcasts all key updates even if only a Subset of users need them. In this paper, we describe key-update distribution algorithms for distributing keys to only those users who need them. Our algorithms consist of a descendant tracking scheme - to track downstream users in the multicast tree and forwarding mechanisms - to forward key updates using the descendant tracking information. The forwarding mechanisms, in turn, depend on the type of key management algorithm used by the group controller. Using our descendant tracking scheme, a node forwards an encrypted key update only if it believes that there are descendents who know the encrypting key which enables them to decrypt the required key update. Our descendant tracking scheme requires minimal state overhead, of the order of log N bits for a group of N users, to be stored at the intermediate nodes in the multicast tree. We also describe an identifier assignment algorithm that assigns closely clustered logical identifiers to users who are in physical proximity in the multicast tree. Our identifier assignment algorithms leverages the fact that logically clustered users require the approximately same set of key updates. We show that our identifier assignment algorithm improves the performance of our key update distribution algorithms as well as that of a previous solution. Furthermore, we show that, Our proposed algorithms reduce the cost of secure data distribution in applications where data needs to be sent securely to only a subset of the group users. To validate our algorithms, we tested them on different key management algorithms for distributing key updates and data. Our simulations results show that a bandwidth reduction of up to 55%, compared to broadcast, is achieved by our algorithms. We also discuss implications of topology matching and logical key tree balancing on Our key distribution algorithm and show that it is possible to achieve bandwidth saving up to 90% by combining all three techniques. (C) 2010 Published by Elsevier B.V.