Topological Decoupled Group Key Management for Cellular Networks

,


INTRODUCTION
The advances in cellular networks along with the developments on multicast communication motivate the deployment of several multiparty multimedia applications on mobile environments. Examples of such applications are interactive mobile TV and mobile social networks (Tjondronegoro et al., 2006;Pietilainen et al., 2009;Gaol and Widjaja, 2008). One common aspect in these applications is the requirement of efficient security group communications services.
A practical way to provide group security services is by using cryptography methods, where keys are shared among the group of members. For dynamic groups, the membership frequently changes, introducing the need of to update the shared keys. When a new member joins the group, it is necessary to prevent such member from accessing the previously transmitted data (backward secrecy). On the other hand, when a member leaves the group, such member must be disabled from continuing to access the new data transmitted (forward secrecy). The process of updating keys is called rekeying and it is handled by the group key management.
The key management for dynamic groups introduces high communication and storage overheads. Although there are several group key management schemes in the literature (Hardjono et al., 2003;Rafaeli and Hutchison, 2003;Eskicioglu, 2003), they are not suitable for cellular networks since these networks are characterized by a limited storage and processing capabilities at the mobile devices, in addition to presenting a limited bandwidth on wireless channels. This is the reason that motivates the design of better group key management schemes for such environments.
In this study we propose an efficient group key management scheme suitable for cellular networks. Our scheme reduces the number of keys to be updated. At the communication channel, we reduce the number of keys to be transmitted; and at a mobile host we reduce the number of keys to be stored and the number of ciphering operations.
The scheme is based on a two tier structure in order to dissociate the mobile hosts' distribution from the topological network. The two tier structure logically organizes the entities of the system in the following way. In the first tier, contiguous cells are organized in entities called areas. In the second tier, the mobile hosts within an area are organized in logical entities called clusters. A cluster intersects one or more cells in an area. At each cluster, an individual key hierarchy is used, making transparent the mobile host cell distribution. Our scheme allows us to offer security services to a large number of mobile hosts by transmitting a reduced set of keys in the rekeying process, due to the way we use the clusters and areas. This attribute is the core of our scheme.

Related work:
The main function of a Group Key Management (GKM) is to update a set of keys each time the group membership changes during a work session (Hardjono et al., 2003). This process is called rekeying. The rekeying performance is commonly evaluated using the following parameters: communication cost, measured by the number of exchanged messages during a rekeying operation; storage cost, measured by the number of keys stored by the group entities; and computational cost, measured by the number of encryption/decryption operations performed to obtain the updated keys.
Several solutions for group key management have been proposed. The broadly used technique to organize keys for a GKM is the Logical Key Hierarchy (LKH) (Wu et al., 2009;Xu et al., 2008) since it allows the reduction of the communication and storage overhead. The LKH organizes the keys in balanced trees. The set of keys in a hierarchy is called Key Encryption Keys (KEKs). The root key is used as the Session Key (SK). The set of keys of the leaves are used as individual keys for the members. A member knows and stores the set of KEKs in the path from its individual key to the session key. The costs using LKH are O(d log n) for communication, O(log n) for storage at a group member and dn 1 O( ) d 1 − − at a group manager (Rafaeli and Hutchison, 2003).
A way to increase the efficiency of the LKH is using derivation techniques (Jen-Chiun et al., 2009;Gu et al., 2009) which enable to the group of members to derive new keys instead of being ciphered and transmitted by the key server. The derivation techniques create new keys from already existing keys. With this kind of technique, the communication cost may be reduced to even O(log n).
There are some approaches based on LKH designed for cellular networks (Um and Delp, 2008;Sun et al., 2004;Wang et al., 2006;Bruschi and Rosti, 2002). All these approaches are based on the network topology. This means that their key structures reflect the physical distribution of the entities. The main advantage of associating the key structure to the network topology is that the transmission of messages is bounded to a small region. However, strongly coupled key structure to the physical topology has as a main disadvantage: a significant increase in the communication and storage overhead, especially when the tracking of mobile devices is needed. Tracking refers to the task of determining the current location of a mobile host in the system. The tracking results in the relocation of the mobile host from one key structure to another when it changes from communication service point.

MATERIALS AND METHODS
System model: In this study we consider that a distributed Multimedia Group Communication (MGC) runs on a cellular network which consists of two kinds of entities: Base Station (BS) and Mobile Host (MH). A BS has the necessary infrastructure to support and to communicate with mobile hosts. The BS communicates with mobile hosts through wireless communication channels. The geographic area covered by a BS is called cell. An MH is an entity that undergoes BSs while retaining its network connection. At any time, an MH is assumed to be served by at most one BS which is called its local BS. An MH can communicate with other MHs and BSs only through its local BS. We have two communication levels: inter-base and intra-base. The inter-base communication is provided by a static network, which is formed by wired channel connecting BSs. The intra-base communications is provided by a wireless channel that links MHs to BSs. A representation of such a cellular network is depicted by Fig. 1. Bandwidth on wireless channels is a scarce resource compared to that of wired channel. We assume both inter-base and intra-base communication levels are reliable, with an arbitrary but finite amount of time to deliver messages. The mobility of an MH among BSs is managed by a handoff procedure at a communication level .

Fig. 1: Example of cellular network
Generally, the cellular networks are modeled as hexagonal structures for design purposes (Alhunaity, 2006). Each hexagonal shape represents a cell, as it is depicted on Fig. 1. Generally, all existent theoretical analysis for this kind of network is based on such representation. In this study we use the hexagonal representation to explain our proposed scheme.

Topological Decoupled Key Management Scheme for Cellular Network (TDKMS-CN):
In this section we introduce the proposed group key management scheme suitable for cellular network. The scheme is based on a two tier structure to organize the cells in areas and the mobile hosts in clusters within an area. This reduces the number of keys to be transmitted and to be stored at a mobile host in the presence of frequent membership changes. Based on this structure, we build the key architecture. Then, we present the rekeying procedures for join and leave events that compose the scheme.
Organizational model: The entities of the system are organized in a two tier structure. This arrangement dissociates the mobile hosts' distribution from the topology of the network.
In the first tier, we divide the entire wireless cellular network into small group of cells called area. Each area is composed of seven contiguous cells, as it is depicted in Fig. 2.
In each area we have a Group of Base Stations (BSG) and a Group of Mobile Hosts (MHG). We define an Area Key Controller (AKS) on each area. The AKS generates the Session Key (SK) and distribute it to its entire area.
In the second tier, the AKS subdivides the Mobile Host Group (MHG) located at an area into some clusters, as it is depicted in Fig. 3. Each base station in the BSG is assigned as a Cluster Controller (CC) which is responsible for the group key management for its cluster in the area. With this, we still affect only a small number of cells as it is done by topology matching approaches, but we reduce the number of rekeying messages and the number of rekeying processes triggered during a session since no tracking is needed for a mobile host within an area.
Key architecture: In the TDKMS-CN, in the first tier, the keys and mobile hosts in an area are organized in a key forest. The key forest is composed of different key trees, each one associated with a cluster (Fig. 4). Each key tree is maintained by a base station. The tree is composed of the Key Encryption Keys (KEKs) and the Cluster Key (CK). The KEKs are used as auxiliary keys for the rekeying operations.
The CK key is used to securely communicate the Area Key (AK), which is used to distribute in a secure manner the Session Key (SK).  In the second tier, all the roots of the key forest are logically connected to the common AK, which is maintained by the AKS.
Rekeying processes: Below we introduce the procedures to update the key management architecture for the rekeying process from join and leave events. The procedures use the nomenclature given in Table 1. As a form to improve the generation of key we implement the derivation techniques described next.

Key derivation technique:
We introduce the shared derivation key technique over key tree presented in the work of Lin et al. (2009). It improves the performance of rekeying operations by allowing members to derive new keys by themselves. The improvement is achieved by the use of a key derivation function f (.) in the server and in the group members. With this function, new keys are derived based on old keys, which are called the derivation keys.
We assume that the key structure has a tree arrangement and a node can be added or deleted at a time. A key tree or key subtree whose root node is x i,j is denoted as y i,j and the key k i,j stored in the node x i,j is also called the key of y i,j . Assume where, i+1,s i+1 k is the derivation key and the old key i,p i k is used as a salt value.
Join rekeying: When a mobile host joins the group it is assigned by the AKS to a cluster. The AKS generates the new SK and AK keys and sends them to its area ciphered with the previous area key:

AKS⇒MHG: {AK', SK'} AK
The base station controlling the cluster, where the mobile host joins the group, performs the join procedure to rekey the cluster key structure. As an example, let mh 1 in Fig. 4 be a mobile host joining the group via the cluster controlled by the bs 1 . The controller will update its key structure. The following keys are updated: Leave rekeying: When a mobile host leaves the group or it is expelled by the AKS, it must be unsubscribed from the cluster it belongs. The AKS generates the new SK and AK keys and send them to its cluster controllers via a secure channel: The controller of a cluster with removed mobile hosts performs the rekeying process. As an example, according to Fig. 4 let mh 1 be the mobile host leaving the group. The controller (bs 1 ) deletes the key node corresponding to the leaving mobile and performs the rekeying process for the deleted node as it was described above for the key derivation technique. First, bs 1 generates 1 The first message is sent to mobile hosts unable to derive the keys and the second one is sent to mobile hosts able to derive such keys.
Finally, each cluster controller transmits the AK and SK keys ciphered with its cluster key: i i k 1,1 bs MHG:{AK',SK'} ⇒ Handoff: In our approach we perform the rekeying process only for a mobile host switching from one area to another instead for mobile host switching from one cell to another. This results in a reduction on the rekeying cost for intra area mobility. When a mobile hosts arrives to a different area it performs a rekeying process similar to that performed for join rekeying. The difference here is that the session key is not updated; whereas, when a mobile host exits from an area it performs a rekeying process similar to the leaving process but without updating the session key.

Storage, communication and computational costs:
In our scheme we use key tree structures of d degree to organize the KEKs (KEK-tree) involved in a cluster. Indeed the KEK-tree uses two additional keys located above the root of the KEK-tree to store the AK and the SK keys. The KEK-trees are maintained as balanced as possible.
We assume that on each cluster we have a n l mobile hosts. Then the number of key nodes in a KEKtree is given by O((dn l -1)/(d-1)). As the CC is responsible for maintaining the KEK-tree, it needs to store O((dn l -1)/(d-1)) KEKs and the two additional keys (AK and SK).
The mobile host needs to store the path of KEKs from its leaf to the root of the KEK-tree and the two additional keys. Therefore, the mobile host stores O(log d n l ) KEKs and the two additional keys.
The key tree must be updated when a join or a leave event occurs. In both cases, a path of the KEKtree is compromised. Then, O(log d n l ) KEKs and the two additional keys must be updated. However, the transmission cost and the computational cost of the key updating is different in each case.
For the join event, as the new member cannot generate the keys, the CC sends to it a unicast message with the set of updated keys of the KEK-tree and the new AK and SK keys ciphered with the individual key of the new member. Then, the CC needs to cipher O(log d n l ) keys and to send O(log d n l ) keys to the new member. After that, the new member perform O(log d n l ) decipher operations to get the set of keys. For the remaining mobile hosts, the CC sends a multicast message with the updated keys IDs of the KEK-tree. Thus, the CC sends O(log d n l ) IDs. The new AK and SK keys are multicasted by using the previous AK key. Then, the number of transmitted keys and the number of cipher/decipher operations are O(1).
For the leave event, when a mobile host leaves the system, the CC multicasts O((d-1) log d n l ) messages with KEKs of the affected path to the users which cannot derive them. This means that the CC needs to perform O((d-1) log d n l ) cipher operations. Meanwhile, a mobile host needs to perform an average of

Comparison:
We compare our scheme with the SGKM scheme presented by Um and Delp (2008). We use the results given by Um et al. and the result obtained in the previous analysis of cost. We compare the number of keys and the number of secrets that are transmitted under both schemes. We denoted by S the size of a secret and by K the size of a key. In Table 2-5 n l refers to the number of mobile hosts involved in a key hierarchy and h = log d n l refers to the height of the key tree. In the case of SGKMS, a key hierarchy contains the keys used for a mobile host in a cell. In our scheme, a key hierarchy represents the keys used by a mobile host in a cluster, which is composed by more than one cell.
In Table 2, we refer to a Server as the key server in the SGKMS and to the cluster controller in TDKMS-CN.
From Table 3 we can observe that the communication cost for join and leave events in both schemes are similar. The main difference between SGKMS and TDKMS-CN is that in a base case, when a mobile host undergoes seven contiguous cells (area), with TDKMS-CN the mobile host does not perform any rekeying, while with SGKMS a mobile host needs to update keys each time it changes from one cell to another.
We note that, by using our approach, if the organization arrangement of area-cluster is replicated in the whole system, eventually the number of triggered rekeying processes will be substantially decreased since the rekeying process is triggered at an area level instead of at a cell level.     In Tables 4 and 5 we estimate the computational cost as the number of cipher/decipher operations performed by the entities of the system. We observe a difference in computational cost at the server level and at non-requesting members. Such difference is the improvement of the key derivation technique. Note that the computational cost for each operation depends on the algorithm implemented for encryption on each scheme.
In both schemes there is a computational cost for evaluating both the key derivation function and the polynomial function. In both cases, this cost depends on the type of function implemented and on the algorithms used to evaluate the function.
In addition, in the SGKMS an additional computational cost emerges from the need of processing the construction of the polynomials used to generate the keys from the shares. There is a 1-1 correspondence between the number of polynomials constructed by the server and the number of encryptions performed by the server. Also, there is 1-1 correspondence between the number of polynomials constructed by each member and the number of decryptions performed by each member.