John S. Baras

Scaleable Multicast Security

Most recently I have initiated research on Internet security, and in particular on multicast security over the Internet. The key problem I have investigated is the development of a key management protocol for large scale, sender oriented secure multicast groups. Several Internet applications dealing with information dissemination lack the ability to provide group level security. Having such a feature will allow several applications to be profitable instead of being free over the Web. The important components of the multicast key management that needed additional research were: Providing a scalable key management scheme; Providing a tight key generation procedure so that a set of remote nodes such as routers can be delegated to jointly generate the desired keys; Developing efficient key revocation schemes with prevention of user collusion. The main components of the key management scheme that we have developed are: A Scalable hierarchical key management framework; A distributed shared key generation scheme using Fractional Keys (Patent disclosure); A family of dynamic Elgamal Public Keys and Elliptic keys (Patent disclosure); Tools based on entropy for average performance in terms of hardware key generation rate and the bound on the key length as a function of the number of users supported by the session (This is a completely new contribution since the key length was often thought to be a function of attacker capabilities, desired time duration of the message secrecy and the computational capabilities of the communicating parties).

Our results todate are superior from alternate approaches to these problems including: GKMP (Group Key Management Protocol -- SPARTA); CBT (Core Based Trees -- Ballardie); Dirk (Distributed Registration and Key Distribution -- ISI Berkeley -- Patented 1998); IoLus. Our Approach -- PKM (Panel Based Key Management Protocol -- PCB) employs panel based key generation. No single member has control over the key that is generated. Inside the clusters, we use a rooted tree based key distribution scheme that further reduces the number of update messages needed for member revocation/deletion. A cluster panel manages each cluster. Cluster panel members jointly generate the required keys. The basic model is scalable and recursive in nature. Furthermore, in our research we have demonstrated that the following schemes are breakable: Sun Microsystems & ETH Zurich (1999, which proposes a rooted tree based scheme), IBM (March 1999, which proposes a rooted tree based scheme, essentially a minor improvement over the SUN scheme).

We have applied todate for two patents based on our research results.

Biography | Site Map | Contact Dr. Baras | Send Feedback | ©2005 ISR