GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools

Problem, Formatting or Query -  Send Feedback

Was this page helpful?-10+1


rfc:rfc4046

Network Working Group M. Baugher Request for Comments: 4046 Cisco Category: Informational R. Canetti

                                                                   IBM
                                                            L. Dondeti
                                                              Qualcomm
                                                           F. Lindholm
                                                              Ericsson
                                                            April 2005
    Multicast Security (MSEC) Group Key Management Architecture

Status of This Memo

 This memo provides information for the Internet community.  It does
 not specify an Internet standard of any kind.  Distribution of this
 memo is unlimited.

Copyright Notice

 Copyright (C) The Internet Society (2005).

Abstract

 This document defines the common architecture for Multicast Security
 (MSEC) key management protocols to support a variety of application,
 transport, and network layer security protocols.  It also defines the
 group security association (GSA), and describes the key management
 protocols that help establish a GSA.  The framework and guidelines
 described in this document permit a modular and flexible design of
 group key management protocols for a variety of different settings
 that are specialized to applications needs.  MSEC key management
 protocols may be used to facilitate secure one-to-many, many-to-many,
 or one-to-one communication.

Table of Contents

 1. Introduction: Purpose of this Document ..........................2
 2. Requirements of a Group Key Management Protocol .................4
 3. Overall Design of Group Key Management Architecture .............6
    3.1. Overview ...................................................6
    3.2. Detailed Description of the GKM Architecture ...............8
    3.3. Properties of the Design ..................................11
    3.4. Group Key Management Block Diagram ........................11
 4. Registration Protocol ..........................................13
    4.1. Registration Protocol via Piggybacking or Protocol Reuse ..13
    4.2. Properties of Alternative Registration Exchange Types .....14

Baugher, et al. Informational [Page 1] RFC 4046 MSEC Group Key Management Architecture April 2005

    4.3. Infrastructure for Alternative Registration
         Exchange Types ............................................15
    4.4. De-registration Exchange ..................................16
 5. Rekey Protocol .................................................16
    5.1. Goals of the Rekey Protocol ...............................17
    5.2. Rekey Message Transport and Protection ....................17
    5.3. Reliable Transport of Rekey Messages ......................18
    5.4. State-of-the-art on Reliable Multicast Infrastructure .....20
    5.5. Implosion .................................................21
    5.6. Incorporating Group Key Management Algorithms .............22
    5.7. Stateless, Stateful, and Self-healing Rekeying
         Algorithms ................................................22
    5.8. Interoperability of a GKMA ................................23
 6. Group Security Association .....................................24
    6.1. Group Policy ..............................................24
    6.2. Contents of the Rekey SA ..................................25
         6.2.1. Rekey SA Policy ....................................26
         6.2.2. Group Identity .....................................27
         6.2.3. KEKs ...............................................27
         6.2.4. Authentication Key .................................27
         6.2.5. Replay Protection ..................................27
         6.2.6. Security Parameter Index (SPI) .....................27
    6.3. Contents of the Data SA ...................................27
         6.3.1. Group Identity .....................................28
         6.3.2. Source Identity ....................................28
         6.3.3. Traffic Protection Keys ............................28
         6.3.4. Data Authentication Keys ...........................28
         6.3.5. Sequence Numbers ...................................28
         6.3.6. Security Parameter Index (SPI) .....................28
         6.3.7. Data SA Policy .....................................28
 7. Scalability Considerations .....................................29
 8. Security Considerations ........................................31
 9. Acknowledgments ................................................32
 10. Informative References ........................................33

1. Introduction: Purpose of this Document

 This document defines a common architecture for Multicast Security
 (MSEC) key management protocols to support a variety of application-,
 transport-, and network-layer security protocols.  It also defines
 the group security association (GSA) and describes the key management
 protocols that help establish a GSA.  The framework and guidelines
 described in this document permit a modular and flexible design of
 group key management protocols for a variety of different settings
 that are specialized to applications needs.  MSEC key management
 protocols may be used to facilitate secure one-to-many, many-to-many,
 or one-to-one communication.

Baugher, et al. Informational [Page 2] RFC 4046 MSEC Group Key Management Architecture April 2005

 Group and multicast applications in IP networks have diverse security
 requirements [TAXONOMY].  Their key management requirements, briefly
 reviewed in Section 2.0, include support for internetwork-,
 transport- and application-layer security protocols.  Some
 applications achieve simpler operation by running key management
 messaging over a pre-established secure channel (e.g., TLS or IPsec).
 Other security protocols benefit from a key management protocol that
 can run over an already-deployed session initiation or management
 protocol (e.g., SIP or RTSP).  Finally, some benefit from a
 lightweight key management protocol that requires few round trips.
 For all these reasons, application-, transport-, and IP-layer data
 security protocols (e.g., SRTP [RFC3711] and IPsec [RFC2401]) benefit
 from different group key management systems.  This document defines a
 common architecture and design for all group key management (GKM)
 protocols.
 This common architecture for group key management is called the MSEC
 group key management architecture.  It is based on the group control
 or key server model developed in GKMP [RFC2094] and assumed by group
 key management algorithms such as LKH [RFC2627], OFT [OFT], and MARKS
 [MARKS].  There are other approaches that are not considered in this
 architecture, such as the highly distributed Cliques group key
 management protocol [CLIQUES] or broadcast key management schemes
 [FN93,Wool].  MSEC key management may in fact be complementary to
 other group key management designs, but the integration of MSEC group
 key management with Cliques, broadcast key management, or other group
 key systems is not considered in this document.
 Key management protocols are difficult to design and validate.  The
 common architecture described in this document eases this burden by
 defining common abstractions and an overall design that can be
 specialized for different uses.
 This document builds on and extends the Group Key Management Building
 Block document of the IRTF SMuG research group [GKMBB] and is part of
 the MSEC document roadmap.  The MSEC architecture [MSEC-Arch] defines
 a complete multicast or group security architecture, of which key
 management is a component.
 The rest of this document is organized as follows.  Section 2
 discusses the security, performance and architectural requirements
 for a group key management protocol.  Section 3 presents the overall
 architectural design principles.  Section 4 describes the
 registration protocol in detail, and Section 5 does the same for
 rekey protocol.  Section 6 considers the interface to the Group
 Security Association (GSA).  Section 7 reviews the scalability issues
 for group key management protocols and Section 8 discusses security
 considerations.

Baugher, et al. Informational [Page 3] RFC 4046 MSEC Group Key Management Architecture April 2005

2. Requirements of a Group Key Management Protocol

 A group key management (GKM) protocol supports protected
 communication between members of a secure group.  A secure group is a
 collection of principals, called members, who may be senders,
 receivers, or both receivers and senders to other members of the
 group.  Group membership may vary over time.  A group key management
 protocol helps to ensure that only members of a secure group can gain
 access to group data (by gaining access to group keys) and can
 authenticate group data.  The goal of a group key management protocol
 is to provide legitimate group members with the up-to-date
 cryptographic state they need for secrecy and authentication.
 Multicast applications, such as video broadcast and multicast file
 transfer, typically have the following key management requirements
 (see also [TAXONOMY]).  Note that the list is neither applicable to
 all applications nor exhaustive.
 1. Group members receive security associations that include
    encryption keys, authentication/integrity keys, cryptographic
    policy that describes the keys, and attributes such as an index
    for referencing the security association (SA) or particular
    objects contained in the SA.
 2. In addition to the policy associated with group keys, the group
    owner or the Group Controller and Key Server (GCKS) may define and
    enforce group membership, key management, data security, and other
    policies that may or may not be communicated to the entire
    membership.
 3. Keys will have a pre-determined lifetime and may be periodically
    refreshed.
 4. Key material should be delivered securely to members of the group
    so that they are secret, integrity-protected and verifiably
    obtained from an authorized source.
 5. The key management protocol should be secure against replay
    attacks and Denial of Service(DoS) attacks (see the Security
    Considerations section of this memo).
 6. The protocol should facilitate addition and removal of group
    members.  Members who are added may optionally be denied access to
    the key material used before they joined the group, and removed
    members should lose access to the key material following their
    departure.

Baugher, et al. Informational [Page 4] RFC 4046 MSEC Group Key Management Architecture April 2005

 7. The protocol should support a scalable group rekey operation
    without unicast exchanges between members and a Group Controller
    and Key Server (GCKS), to avoid overwhelming a GCKS managing a
    large group.
 8. The protocol should be compatible with the infrastructure and
    performance needs of the data security application, such as the
    IPsec security protocols AH and ESP, and/or application layer
    security protocols such as SRTP [RFC3711].
 9. The key management protocol should offer a framework for replacing
    or renewing transforms, authorization infrastructure, and
    authentication systems.
 10. The key management protocol should be secure against collusion
     among excluded members and non-members.  Specifically, collusion
     must not result in attackers gaining any additional group secrets
     than each of them individually are privy to.  In other words,
     combining the knowledge of the colluding entities must not result
     in revealing additional group secrets.
 11. The key management protocol should provide a mechanism to
     securely recover from a compromise of some or all of the key
     material.
 12. The key management protocol may need to address real-world
     deployment issues such as NAT-traversal and interfacing with
     legacy authentication mechanisms.
 In contrast to typical unicast key and SA negotiation protocols such
 as TLS and IKE, multicast group key management protocols provide SA
 and key download capability.  This feature may be useful for point-
 to-point as well as multicast communication, so that a group key
 management protocol may be useful for unicast applications.  Group
 key management protocols may be used for protecting multicast or
 unicast communications between members of a secure group.  Secure
 sub-group communication is also plausible using the group SA.
 There are other requirements for small group operation with many all
 members as potential senders.  In this case, the group setup time may
 need to be optimized to support a small, highly interactive group
 environment [RFC2627].
 The current key management architecture covers secure communication
 in large single-sender groups, such as source-specific multicast
 groups.  Scalable operation to a range of group sizes is also a
 desirable feature, and a better group key management protocol will
 support large, single-sender groups as well as groups that have many

Baugher, et al. Informational [Page 5] RFC 4046 MSEC Group Key Management Architecture April 2005

 senders.  It may be that no single key management protocol can
 satisfy the scalability requirements of all group-security
 applications.
 It is useful to emphasize two non-requirements: technical protection
 measures (TPM) [TPM] and broadcast key management.  TPM are used for
 such things as copy protection by preventing the device user from
 getting easy access to the group keys.  There is no reason why a
 group key management protocol cannot be used in an environment where
 the keys are kept in a tamper-resistant store, using various types of
 hardware or software to implement TPM.  For simplicity, however, the
 MSEC key management architecture described in this document does not
 consider design for technical protection.
 The second non-requirement is broadcast key management when there is
 no back channel [FN93,JKKV94] or for a non-networked device such as a
 digital videodisc player.  We assume IP network operation with two-
 way communication, however asymmetric, and authenticated key-exchange
 procedures that can be used for member registration.  Broadcast
 applications may use a one-way Internet group key management protocol
 message and a one-way rekey message, as described below.

3. Overall Design of Group Key Management Architecture

 The overall group key management architecture is based upon a group
 controller model [RFC2093,RFC2094,RFC2627,OFT,GSAKMP,RFC3547] with a
 single group owner as the root-of-trust.  The group owner designates
 a group controller for member registration and GSA rekeying.

3.1. Overview

 The main goal of a group key management protocol is to securely
 provide group members with an up-to-date security association (SA),
 which contains the needed information for securing group
 communication (i.e., the group data).  We call this SA the Data SA.
 In order to obtain this goal, the group key management architecture
 defines the following protocols.
 (1) Registration Protocol
    This is a unicast protocol between the Group Controller and Key
    Server (GCKS) and a joining group member.  In this protocol, the
    GCKS and joining member mutually authenticate each other.  If the
    authentication succeeds and the GCKS finds that the joining member
    is authorized, then the GCKS supplies the joining member with the
    following information:

Baugher, et al. Informational [Page 6] RFC 4046 MSEC Group Key Management Architecture April 2005

    (a) Sufficient information to initialize the Data SA within the
        joining member.  This information is given only if the group
        security policy calls for initializing the Data SA at
        registration, instead of, or in addition to, as part of the
        rekey protocol.
    (b) Sufficient information to initialize a Rekey SA within the
        joining member (see more details about this SA below).  This
        information is given if the group security policy calls for a
        rekey protocol.
    The registration protocol must ensure that the transfer of
    information from GCKS to member is done in an authenticated and
    confidential manner over a security association.  We call this SA
    the Registration SA.  A complementary de-registration protocol
    serves to explicitly remove Registration SA state.  Members may
    choose to delete Registration SA state.
 (2) Rekey Protocol
    A GCKS may periodically update or change the Data SA, by sending
    rekey information to the group members.  Rekey messages may result
    from group membership changes, from changes in group security
    policy, from the creation of new traffic-protection keys (TPKs,
    see next section) for the particular group, or from key
    expiration.  Rekey messages are protected by the Rekey SA, which
    is initialized in the registration protocol.  They contain
    information for updating the Rekey SA and/or the Data SA and can
    be sent via multicast to group members or via unicast from the
    GCKS to a particular group member.
    Note that there are other means for managing (e.g., expiring or
    refreshing) the Data SA without interaction between the GCKS and
    the members.  For example in MARKS [MARKS], the GCKS pre-
    determines TPKs for different periods in the lifetime of the
    secure group and distributes keys to members based on their
    membership periods.  Alternative schemes such as the GCKS
    disbanding the secure group and starting a new group with a new
    Data SA are also possible, although this is typically limited to
    small groups.
    Rekey messages are authenticated using one of the two following
    options:
    (1) Using source authentication [TAXONOMY], that is, enabling each
        group member to verify that a rekey message originates with
        the GCKS and none other.

Baugher, et al. Informational [Page 7] RFC 4046 MSEC Group Key Management Architecture April 2005

    (2) Using only group-based authentication with a symmetric key.
        Members can only be assured that the rekey messages originated
        within the group.  Therefore, this is applicable only when all
        members of the group are trusted not to impersonate the GCKS.
        Group authentication for rekey messages is typically used when
        public-key cryptography is not suitable for the particular
        group.
    The rekey protocol ensures that all members receive the rekey
    information in a timely manner.  In addition, the rekey protocol
    specifies mechanisms for the parties to contact the GCKS and re-
    synch if their keys expired and an updated key has not been
    received.  The rekey protocol for large-scale groups offers
    mechanisms to avoid implosion problems and to ensure reliability
    in its delivery of keying material.
    Although the Rekey SA is established by the registration protocol,
    it is updated using a rekey protocol.  When a member leaves the
    group, it destroys its local copy of the GSA.  Using a de-
    registration message may be an efficient way for a member to
    inform the GCKS that it has destroyed, or is about to destroy, the
    SAs.  Such a message may prompt the GCKS to cryptographically
    remove the member from the group (i.e., to prevent the member from
    having access to future group communication).  In large-scale
    multicast applications, however, de-registration can potentially
    cause implosion at the GCKS.

3.2. Detailed Description of the GKM Architecture

 Figure 1 depicts the overall design of a GKM protocol.  Each group
 member, sender or receiver, uses the registration protocol to get
 authorized and authenticated access to a particular Group, its
 policies, and its keys.  The two types of group keys are the key
 encryption keys (KEKs) and the traffic encryption keys (TEKs).  For
 group authentication of rekey messages or data, key integrity or
 traffic integrity keys may be used, as well.  We use the term
 protection keys to refer to both integrity and encryption keys.  For
 example, the term traffic protection key (TPK) is used to denote the
 combination of a TEK and a traffic integrity key, or the key material
 used to generate them.
 The KEK may be a single key that protects the rekey message,
 typically containing a new Rekey SA (containing a KEK) and/or Data SA
 (containing a TPK/TEK).  A Rekey SA may also contain a vector of keys
 that are part of a group key membership algorithm
 [RFC2627,OFT,TAXONOMY,SD1,SD2].  The data security protocol uses TPKs
 to protect streams, files, or other data sent and received by

Baugher, et al. Informational [Page 8] RFC 4046 MSEC Group Key Management Architecture April 2005

 the data security protocol.  Thus the registration protocol and/or
 the rekey protocol establish the KEK(s) and/or the TPKs.
 +------------------------------------------------------------------+
 | +-----------------+                          +-----------------+ |
 | |     POLICY      |                          |  AUTHORIZATION  | |
 | | INFRASTRUCTURE  |                          | INFRASTRUCTURE  | |
 | +-----------------+                          +-----------------+ |
 |         ^                                            ^           |
 |         |                                            |           |
 |         v                                            v           |
 | +--------------------------------------------------------------+ |
 | |                                                              | |
 | |                    +--------------------+                    | |
 | |            +------>|        GCKS        |<------+            | |
 | |            |       +--------------------+       |            | |
 | |     REGISTRATION or          |            REGISTRATION or    | |
 | |     DE-REGISTRATION          |            DE-REGISTRATION    | |
 | |         PROTOCOL             |               PROTOCOL        | |
 | |            |                 |                  |            | |
 | |            v                REKEY               v            | |
 | |   +-----------------+     PROTOCOL     +-----------------+   | |
 | |   |                 |    (OPTIONAL)    |                 |   | |
 | |   |    SENDER(S)    |<-------+-------->|   RECEIVER(S)   |   | |
 | |   |                 |                  |                 |   | |
 | |   +-----------------+                  +-----------------+   | |
 | |            |                                    ^            | |
 | |            v                                    |            | |
 | |            +-------DATA SECURITY PROTOCOL-------+            | |
 | |                                                              | |
 | +--------------------------------------------------------------+ |
 |                                                                  |
 +------------------------------------------------------------------+
              Figure 1: Group Security Association Model
 There are a few distinct outcomes to a successful registration
 Protocol exchange.
    o  If the GCKS uses rekey messages, then the admitted member
       receives the Rekey SA.  The Rekey SA contains the group's rekey
       policy (note that not all of the policy need to be revealed to
       members), and at least a group KEK.  In addition, the GCKS
       sends a group key integrity key for integrity protection of
       rekey messages.  If a group key management algorithm is used
       for efficient rekeying, the GCKS also sends one or more KEKs as
       specified by the key distribution policy of the group key
       management algorithm.

Baugher, et al. Informational [Page 9] RFC 4046 MSEC Group Key Management Architecture April 2005

    o  If rekey messages are not used for the Group, then the admitted
       member receives TPKs (as part of the Data Security SAs) that
       are passed to the member's Data Security Protocol (as IKE does
       for IPsec).
    o  The GCKS may pass one or more TPKs to the member even if rekey
       messages are used, for efficiency reasons and according to
       group policy.
 The GCKS creates the KEK and TPKs and downloads them to each member,
 as the KEK and TPKs are common to the entire group.  The GCKS is a
 separate logical entity that performs member authentication and
 authorization according to the group policy that is set by the group
 owner.  The GCKS may present a credential signed by the group owner
 to the group member, so that member can check the GCKS's
 authorization.  The GCKS, which may be co-located with a member or be
 physically separate, runs the rekey protocol to push rekey messages
 containing refreshed KEKs, new TPKs, and/or refreshed TPKs to
 members.  Note that some group key management algorithms refresh any
 of the KEKs (potentially), whereas others only refresh the group KEK.
 Alternatively, the sender may forward rekey messages on behalf of the
 GCKS when it uses a credential mechanism that supports delegation.
 Thus, it is possible for the sender, or other members, to source
 keying material (TPKs encrypted in the Group KEK) as it sources
 multicast or unicast data.  As mentioned above, the rekey message can
 be sent using unicast or multicast delivery.  Upon receipt of a TPK
 (as part of a Data SA) via a rekey message or a registration protocol
 exchange, the member's group key management functional block will
 provide the new or updated security association (SA) to the data
 security protocol.  This protects the data sent from sender to
 receiver.
 The Data SA protects the data sent on the arc labeled DATA SECURITY
 PROTOCOL shown in Figure 1.  A second SA, the Rekey SA, is optionally
 established by the key management protocol for rekey messages as
 shown in Figure 1 by the arc labeled REKEY PROTOCOL.  The rekey
 message is optional because all keys, KEKs and TPKs, can be delivered
 by the registration protocol exchanges shown in Figure 1, and those
 keys may not need to be updated.  The registration protocol is
 protected by a third, unicast, SA between the GCKS and each member.
 This is called the Registration SA.  There may be no need for the
 Registration SA to remain in place after the completion of the
 registration protocol exchanges.  The de-registration protocol may be
 used when explicit teardown of the SA is desirable (such as when a
 phone call or conference terminates).  The three SAs compose the GSA.
 The only optional SA is the Rekey SA.

Baugher, et al. Informational [Page 10] RFC 4046 MSEC Group Key Management Architecture April 2005

 Figure 1 shows two blocks that are external to the group key
 management protocol:  The policy and authorization infrastructures
 are discussed in Section 6.1.  The Multicast Security Architecture
 document further clarifies the SAs and their use as part of the
 complete architecture of a multicast security solution [MSEC-Arch].

3.3. Properties of the Design

 The design of Section 3.2 achieves scalable operation by (1) allowing
 the de-coupling of authenticated key exchange in a registration
 protocol from a rekey protocol, (2) allowing the rekey protocol to
 use unicast push or multicast distribution of group and data keys as
 an option, (3) allowing all keys to be obtained by the unicast
 registration protocol, and (4) delegating the functionality of the
 GCKS among multiple entities, i.e., to permit distributed operation
 of the GCKS.
 High-capacity operation is obtained by (1) amortizing
 computationally-expensive asymmetric cryptography over multiple data
 keys used by data security protocols, (2) supporting multicast
 distribution of symmetric group and data keys, and (3) supporting key
 revocation algorithms such as LKH [RFC2627,OFT,SD1,SD2] that allow
 members to be added or removed at logarithmic rather than linear
 space/time complexity.  The registration protocol may use asymmetric
 cryptography to authenticate joining members and optionally establish
 the group KEK.  Asymmetric cryptography such as Diffie-Hellman key
 agreement and/or digital signatures are amortized over the life of
 the group KEK.  A Data SA can be established without the use of
 asymmetric cryptography; the TPKs are simply encrypted in the
 symmetric KEK and sent unicast or multicast in the rekey protocol.
 The design of the registration and rekey protocols is flexible.  The
 registration protocol establishes a Rekey SA or one or more Data SAs
 or both types of SAs.  At least one of the SAs is present (otherwise,
 there is no purpose to the Registration SA).  The Rekey SA may update
 the Rekey SA, or establish or update one or more Data SAs.
 Individual protocols or configurations may use this flexibility to
 obtain efficient operation.

3.4. Group Key Management Block Diagram

 In the block diagram of Figure 2, group key management protocols run
 between a GCKS and member principal to establish a Group Security
 Association (GSA).  The GSA consists of a Data SA, an optional Rekey
 SA, and a Registration SA.  The GCKS may use a delegated principal,
 such as the sender, which has a delegation credential signed by the
 GCKS.  The Member of Figure 2 may be a sender or receiver of
 multicast or unicast data.  There are two functional blocks in Figure

Baugher, et al. Informational [Page 11] RFC 4046 MSEC Group Key Management Architecture April 2005

 2 labeled GKM, and there are two arcs between them depicting the
 group key-management registration (reg) and rekey (rek) protocols.
 The message exchanges are in the GSA establishment protocols, which
 are the registration protocol and the rekey protocol described above.
 Figure 2 shows that a complete group-key management functional
 specification includes much more than the message exchange.  Some of
 these functional blocks and the arcs between them are peculiar to an
 operating system (OS) or vendor product, such as vendor
 specifications for products that support updates to the IPsec
 Security Association Database (SAD) and Security Policy Database
 (SPD) [RFC2367].  Various vendors also define the functions and
 interface of credential stores, CRED in Figure 2.
   +----------------------------------------------------------+
   |                                                          |
   | +-------------+         +------------+                   |
   | |   CONTROL   |         |   CONTROL  |                   |
   | +------^------+         +------|-----+  +--------+       |
   |        |                       |  +-----| CRED   |       |
   |        |                       |  |     +--------+       |
   |   +----v----+             +----v--v-+   +--------+       |
   |   |         <-----Reg----->         |<->|  SAD   |       |
   |   |   GKM    -----Rek----->   GKM   |   +--------+       |
   |   |         |             |         |   +--------+       |
   |   |         ------+       |         |<->|  SPD   |       |
   |   +---------+     |       +-^-------+   +--------+       |
   |   +--------+      |         | |   |                      |
   |   | CRED   |----->+         | |   +-------------------+  |
   |   +--------+      |         | +--------------------+  |  |
   |   +--------+      |       +-V-------+   +--------+ |  |  |
   |   |  SAD   <----->+       |         |<->|  SAD   <-+  |  |
   |   +--------+      |       |SECURITY |   +--------+    |  |
   |   +--------+      |       |PROTOCOL |   +--------+    |  |
   |   |  SPD   <----->+       |         |<->|  SPD   <----+  |
   |   +--------+              +---------+   +--------+       |
   |                                                          |
   |     (A) GCKS                     (B) MEMBER              |
   +----------------------------------------------------------+
             Figure 2: Group Key Management Block in a Host
 The CONTROL function directs the GCKS to establish a group, admit a
 member, or remove a member, or it directs a member to join or leave a
 group.  CONTROL includes authorization that is subject to group
 policy [GSPT] but its implementation is specific to the GCKS.  For
 large scale multicast sessions, CONTROL could perform session

Baugher, et al. Informational [Page 12] RFC 4046 MSEC Group Key Management Architecture April 2005

 announcement functions to inform a potential group member that it may
 join a group or receive group data (e.g., a stream of file transfer
 protected by a data security protocol).  Announcements notify group
 members to establish multicast SAs in advance of secure multicast
 data transmission.  Session Description Protocol (SDP) is one form
 that the announcements might take [RFC2327].  The announcement
 function may be implemented in a session directory tool, an
 electronic program guide (EPG), or by other means.  The Data Security
 or the announcement function directs group key management using an
 application programming interface (API), which is peculiar to the
 host OS in its specifics.  A generic API for group key management is
 for further study, but this function is necessary to allow Group
 (KEK) and Data (TPKs) key establishment to be scalable to the
 particular application.  A GCKS application program will use the API
 to initiate the procedures for establishing SAs on behalf of a
 Security Protocol in which members join secure groups and receive
 keys for streams, files, or other data.
 The goal of the exchanges is to establish a GSA through updates to
 the SAD of a key management implementation and particular Security
 Protocol.  The Data Security Protocol ("SECURITY PROTOCOL") of Figure
 2 may span internetwork and application layers or operate at the
 internetwork layer, such as AH and ESP.

4. Registration Protocol

 The design of the registration protocol is flexible and can support
 different application scenarios.  The chosen registration protocol
 solution reflects the specific requirements of specific scenarios.
 In principle, it is possible to base a registration protocol on any
 secure-channel protocol, such as IPsec and TLS, which is the case in
 tunneled GSAKMP [tGSAKMP].  GDOI [RFC3547] reuses IKE Phase 1 as the
 secure channel to download Rekey and/or Data SAs.  Other protocols,
 such as MIKEY and GSAKMP, use authenticated Diffie-Hellman exchanges
 similar to IKE Phase 1, but they are specifically tailored for key
 download to achieve efficient operation.  We discuss the design of a
 registration protocol in detail in the rest of this section.

4.1. Registration Protocol via Piggybacking or Protocol Reuse

 Some registration protocols need to tunnel through a data-signaling
 protocol to take advantage of already existing security
 functionality, and/or to optimize the total session setup time.  For
 example, a telephone call has strict bounds for delay in setup time.
 It is not feasible to run security exchanges in parallel with call
 setup, since the latter often resolves the address.  Call setup must
 complete before the caller knows the callee's address.  In this case,
 it may be advantageous to tunnel the key exchange procedures inside

Baugher, et al. Informational [Page 13] RFC 4046 MSEC Group Key Management Architecture April 2005

 call establishment [H.235,MIKEY], so that both can complete (or fail,
 see below) at the same time.
 The registration protocol has different requirements depending on the
 particular integration/tunneling approach.  These requirements are
 not necessarily security requirements, but will have an impact on the
 chosen security solution.  For example, the security association will
 certainly fail if the call setup fails in the case of IP telephony.
 Conversely, the registration protocol imposes requirements on the
 protocol that tunnels it.  In the case of IP telephony, the call
 setup usually will fail when the security association is not
 successfully established.  In the case of video-on-demand, protocols
 such as RTSP that convey key management data will fail when a needed
 security association cannot be established.
 Both GDOI and MIKEY use this approach, but in different ways.  MIKEY
 can be tunneled in SIP and RTSP.  It takes advantage of the session
 information contained in these protocols and the possibility to
 optimize the setup time for the registration procedure.  SIP requires
 that a tunneled protocol must use at most one roundtrip (i.e., two
 messages).  This is also a desirable requirement from RTSP.
 The GDOI approach takes advantage of the already defined ISAKMP phase
 1 exchange [RFC2409], and extends the phase 2 exchange for the
 registration.  The advantage here is the reuse of a successfully
 deployed protocol and the code base, where the defined phase 2
 exchange is protected by the SA created by phase 1.  GDOI also
 inherits other functionality of the ISAKMP, and thus it is readily
 suitable for running IPsec protocols over IP multicast services.

4.2. Properties of Alternative Registration Exchange Types

 The required design properties of a registration protocol have
 different trade-offs.  A protocol that provides perfect forward
 secrecy and identity protection trades performance or efficiency for
 better security, while a protocol that completes in one or two
 messages may trade security functionality (e.g., identity protection)
 for efficiency.
 Replay protection generally uses either a timestamp or a sequence
 number.  The first requires synchronized clocks, while the latter
 requires retention of state.  In a timestamp-based protocol, a replay
 cache is needed to store the authenticated messages (or the hashes of
 the messages) received within the allowable clock skew.  The size of
 the replay cache depends on the number of authenticated messages
 received during the allowable clock skew.  During a DoS attack, the
 replay cache might become overloaded.  One solution is to over-

Baugher, et al. Informational [Page 14] RFC 4046 MSEC Group Key Management Architecture April 2005

 provision the replay cache, but this may lead to a large replay
 cache.  Another solution is to let the allowable clock skew be
 changed dynamically during runtime.  During a suspected DoS attack,
 the allowable clock skew is decreased so that the replay cache
 becomes manageable.
 A challenge-response mechanism (using Nonces) obviates the need for
 synchronized clocks for replay protection when the exchange uses
 three or more messages [MVV].
 Additional security functions become possible as the number of
 allowable messages in the registration protocol increase.  ISAKMP
 offers identity protection, for example, as part of a six-message
 exchange.  With additional security features, however, comes added
 complexity:  Identity protection, for example, not only requires
 additional messages, but may result in DoS vulnerabilities since
 authentication is performed in a late stage of the exchange after
 resources already have been devoted.
 In all cases, there are tradeoffs with the number of message
 exchanged, the desired security services, and the amount of
 infrastructure that is needed to support the group key management
 service.  Whereas protocols that use two or even one-message setup
 have low latency and computation requirements, they may require more
 infrastructure such as secure time or offer less security such as the
 absence of identity protection.  What tradeoffs are acceptable and
 what are not is very much dictated by the application and application
 environment.

4.3. Infrastructure for Alternative Registration Exchange Types

 The registration protocol may need external infrastructures to handle
 authentication and authorization, replay protection, protocol-run
 integrity, and possibly other security services such as secure
 synchronized clocks.  For example, authentication and authorization
 may need a PKI deployment (with either authorization-based
 certificates or a separate management) or may be handled using AAA
 infrastructure.  Replay protection using timestamps requires an
 external infrastructure or protocol for clock synchronization.
 However, external infrastructures may not always be needed; for
 example pre-shared keys are used for authentication and
 authorization.  This may be the case if the subscription base is
 relatively small.  In a conversational multimedia scenario (e.g., a
 VoIP call between two or more people), it may be the end user who
 handles the authorization by manually accepting/rejecting the
 incoming calls.  In that case, infrastructure support may not be
 required.

Baugher, et al. Informational [Page 15] RFC 4046 MSEC Group Key Management Architecture April 2005

4.4. De-registration Exchange

 The session-establishment protocol (e.g., SIP, RTSP) that conveys a
 registration exchange often has a session-disestablishment protocol
 such as RTSP TEARDOWN [RFC2326] or SIP BYE [RFC3261].  The session-
 disestablishment exchange between endpoints offers an opportunity to
 signal the end of the GSA state at the endpoints.  This exchange need
 only be a unidirectional notification by one side that the GSA is to
 be destroyed.  For authentication of this notification, we may use a
 proof-of-possession of the group key(s) by one side to the other.
 Some applications benefit from acknowledgement in a mutual, two-
 message exchange signaling disestablishment of the GSA concomitant
 with disestablishment of the session, e.g., RTSP or SIP session.  In
 this case, a two-way proof-of-possession might serve for mutual
 acknowledgement of the GSA disestablishment.

5. Rekey Protocol

 The group rekey protocol is for transport of keys and SAs between a
 GCKS and the members of a secure communications group.  The GCKS
 sends rekey messages to update a Rekey SA, or initialize/update a
 Data SA or both.  Rekey messages are protected by a Rekey SA.  The
 GCKS may update the Rekey SA when group membership changes or when
 KEKs or TPKs expire.  Recall that KEKs correspond to a Rekey SA and
 TPKs correspond to a Data SA.
 The following are some desirable properties of the rekey protocol.
    o  The rekey protocol ensures that all members receive the rekey
       information in a timely manner.
    o  The rekey protocol specifies mechanisms allowing the parties to
       contact the GCKS and re-sync when their keys expire and no
       updates have been received.
    o  The rekey protocol avoids implosion problems and ensures
       reliability in delivering Rekey information.
 We further note that the rekey protocol is primarily responsible for
 scalability of the group key management architecture.  Hence, it is
 imperative that we provide the above listed properties in a scalable
 manner.  Note that solutions exist in the literature (both IETF
 standards and research articles) for parts of the problem.  For
 instance, the rekey protocol may use a scalable group key management
 algorithm (GKMA) to reduce the number of keys sent in a rekey
 message.  Examples of a GKMA include LKH, OFT, Subset difference
 based schemes etc.

Baugher, et al. Informational [Page 16] RFC 4046 MSEC Group Key Management Architecture April 2005

5.1. Goals of the Rekey Protocol

 The goals of the rekey protocol are:
    o  to synchronize a GSA,
    o  to provide privacy and (symmetric or asymmetric)
       authentication, replay protection and DoS protection,
    o  efficient rekeying after changes in group membership or when
       keys (KEKs) expire,
    o  reliable delivery of rekey messages,
    o  member recovery from an out-of-sync GSA,
    o  high throughput and low latency, and
    o  support IP Multicast or multi-unicast.
 We identify several major issues in the design of a rekey protocol:
    1.  rekey message format,
    2.  reliable transport of rekey messages,
    3.  implosion,
    4.  recovery from out-of-sync GSA,
    5.  incorporating GKMAs in rekey messages, and
    6.  interoperability of GKMAs.
 Note that interoperation of rekey protocol implementations is
 insufficient for a GCKS to successfully rekey a group.  The GKMA must
 also interoperate, i.e., standard versions of the group key
 management algorithms such as LKH, OFT, or Subset Difference must be
 used.
 The rest of this section discusses these topics in detail.

5.2. Rekey Message Transport and Protection

 Rekey messages contain Rekey and/or Data SAs along with KEKs and
 TPKs.  These messages need to be confidential, authenticated, and
 protected against replay and DoS attacks.  They are sent via
 multicast or multi-unicast from the GCKS to the members.

Baugher, et al. Informational [Page 17] RFC 4046 MSEC Group Key Management Architecture April 2005

 Rekey messages are encrypted with the Group KEK for confidentiality.
 When used in conjunction with a GKMA, portions of the rekey message
 are first encrypted with the appropriate KEKs as specified by the
 GKMA.  The GCKS authenticates rekey messages using either a MAC,
 computed using the group Authentication key, or a digital signature.
 In both cases, a sequence number is included in computation of the
 MAC or the signature to protect against replay attacks.
 When group authentication is provided with a symmetric key, rekey
 messages are vulnerable to attacks by other members of the group.
 Rekey messages are digitally signed when group members do not trust
 each other.  When asymmetric authentication is used, members
 receiving rekey messages are vulnerable to DoS attacks.  An external
 adversary may send a bogus rekey message, which a member cannot
 identify until after it performs an expensive digital signature
 operation.  To protect against such an attack, a MAC may be sent as
 part of the rekey message.  Members verify the signature only upon
 successful verification of the MAC.
 Rekey messages contain group key updates corresponding to a single
 [RFC2627,OFT] or multiple membership changes [SD1,SD2,BatchRekey] and
 may contain group key initialization messages [OFT].

5.3. Reliable Transport of Rekey Messages

 The GCKS must ensure that all members have the current Data Security
 and Rekey SAs.  Otherwise, authorized members may be inadvertently
 excluded from receiving group communications.  Thus, the GCKS needs
 to use a rekey algorithm that is inherently reliable or employ a
 reliable transport mechanism to send rekey messages.
 There are two dimensions to the problem.  Messages that update group
 keys may be lost in transit or may be missed by a host when it is
 offline.  LKH and OFT group key management algorithms rely on past
 history of updates being received by the host.  If the host goes
 offline, it will need to resynchronize its group-key state when it
 comes online; this may require a unicast exchange with the GCKS.  The
 Subset Difference algorithm, however, conveys all the necessary state
 in its rekey messages and does not need members to be always online
 or keeping state.  The Subset Difference algorithm does not require a
 back channel and can operate on a broadcast network.  If a rekey
 message is lost in transmission, the Subset Difference algorithm
 cannot decrypt messages encrypted with the TPK sent via the lost
 rekey message.  There are self-healing GKMAs proposed in the
 literature that allow a member to recover lost rekey messages, as
 long as rekey messages before and after the lost rekey message are
 received.

Baugher, et al. Informational [Page 18] RFC 4046 MSEC Group Key Management Architecture April 2005

 Rekey messages are typically short (for single membership change as
 well as for small groups), which makes it easy to design a reliable
 delivery protocol.  On the other hand, the security requirements may
 add an additional dimension to address.  There are some special cases
 in which membership changes are processed as a batch, reducing the
 frequency of rekey messages but increasing their size.  Furthermore,
 among all the KEKs sent in a rekey message, as many as half the
 members need only a single KEK.  We may take advantage of these
 properties in designing a rekey message(s) and a protocol for their
 reliable delivery.
 Three categories of solutions have been proposed:
    1.  Repeatedly transmit the rekey message.  In many cases rekey
        messages translate to only one or two IP packets.
    2.  Use an existing reliable multicast protocol/infrastructure.
    3.  Use FEC for encoding rekey packets (with NACKs as feedback)
        [BatchRekey].
 Note that for small messages, category 3 is essentially the same as
 category 1.
 The group member might be out of synchrony with the GCKS if it
 receives a rekey message having a sequence number that is more than
 one greater than the last sequence number processed.  This is one
 means by which the GCKS member detects that it has missed a rekey
 message.  Alternatively, the data-security application, upon
 detecting that it is using an out-of-date key, may notify the group
 key management module.  The action taken by the GCKS member is a
 matter of group policy.  The GCKS member should log the condition and
 may contact the GCKS to rerun the re-registration protocol to obtain
 a fresh group key.  The group policy needs to take into account
 boundary conditions, such as reordered rekey messages when rekeying
 is so frequent that two messages might get reordered in an IP
 network.  The group key policy also needs to take into account the
 potential for denial of service attacks where an attacker delays or
 deletes a rekey message in order to force a subnetwork or subset of
 the members to simultaneously contact the GCKS.
 If a group member becomes out-of-synch with the GSA then it should
 re-register with the GCKS.  However, in many cases there are other,
 simpler methods for re-synching with the group:
    o  The member can open a simple unprotected connection (e.g., TCP)
       with the GCKS and obtain the current (or several recent) rekey
       messages.  Note that there is no need for authentication or

Baugher, et al. Informational [Page 19] RFC 4046 MSEC Group Key Management Architecture April 2005

       encryption here, since the rekey message is already signed and
       is multicast in the clear.  One may think that this opens the
       GCKS to DoS attacks by many bogus such requests.  This,
       however, does not seem to worsen the situation; in fact,
       bombarding the GCKS with bogus resynch requests would be much
       more problematic.
    o  The GCKS can post the rekey messages on some public site (e.g.,
       a web site) and the out-of-synch member can obtain the rekey
       messages from that site.
 The GCKS may always provide all three ways of resynching (i.e., re-
 registration, simple TCP, and public posting).  This way, the member
 may choose how to resynch; it also avoids adding yet another field to
 the policy token [GSPT].  Alternatively, a policy token may contain a
 field specifying one or more methods supported for resynchronization
 of a GSA.

5.4. State-of-the-art on Reliable Multicast Infrastructure

 The rekey message may be sent using reliable multicast.  There are
 several types of reliable multicast protocols with different
 properties.  However, there are no standards track reliable multicast
 protocols published at this time, although IETF consensus has been
 reached on two protocols that are intended to go into the standards
 track [NORM,RFC3450].  Thus, this document does not recommend a
 particular reliable multicast protocol or set of protocols for the
 purpose of reliable group rekeying.  The suitability of NAK-based,
 ACK-based or other reliable multicast methods is determined by the
 application needs and operational environment.  In the future, group
 key management protocols may choose to use particular standards-based
 approaches that meet the needs of the particular application.  A
 secure announcement facility may be needed to signal the use of a
 reliable multicast protocol, which could be specified as part of
 group policy.  The reliable multicast announcement and policy
 specification, however, can only follow the establishment of reliable
 multicast standards and are not considered further in this document.
 Today, the several MSEC group key management protocols support
 sequencing of the rekey messages through a sequence number, which is
 authenticated along with the rekey message.  A sender of rekey
 messages may re-transmit multiple copies of the message provided that
 they have the same sequence number.  Thus, re-sending the message is
 a rudimentary means of overcoming loss along the network path.  A
 member who receives the rekey message will check the sequence number
 to detect duplicate and missing rekey messages.  The member receiver
 will discard duplicate messages that it receives.  Large rekey
 messages, such as those that contain LKH or OFT tree structures,

Baugher, et al. Informational [Page 20] RFC 4046 MSEC Group Key Management Architecture April 2005

 might benefit from transport-layer FEC in the future, when
 standards-based methods become available.  It is unlikely that
 forward error correction (FEC) methods will benefit short rekey
 messages that fit within a single message.  In this case, FEC
 degenerates to simple retransmission of the message.

5.5. Implosion

 Implosion may occur due to one of two reasons.  First, recall that
 one of the goals of the rekey protocol is to synchronize a GSA.  When
 a rekey or Data SA expires, members may contact the GCKS for an
 update.  If all, or even many, members contact the GCKS at about the
 same time, the GCKS might not be able to handle all those messages.
 We refer to this as an out-of-sync implosion.
 The second case is in the reliable delivery of rekey messages.
 Reliable multicast protocols use feedback (NACK or ACK) to determine
 which packets must be retransmitted.  Packet losses may result in
 many members sending NACKs to the GCKS.  We refer to this as feedback
 implosion.
 The implosion problem has been studied extensively in the context of
 reliable multicasting.  The proposed feedback suppression and
 aggregation solutions might be useful in the GKM context as well.
 Members may wait a random time before sending an out-of-sync or
 feedback message.  Meanwhile, members might receive the necessary key
 updates and therefore not send a feedback message.  An alternative
 solution is to have the members contact one of several registration
 servers when they are out-of-sync.  This requires GSA synchronization
 between the multiple registration servers.
 Feedback aggregation and local recovery employed by some reliable
 multicast protocols are not easily adaptable to transport of rekey
 messages.  Aggregation raises authentication issues.  Local recovery
 is more complex because members need to establish SAs with the local
 repair server.  Any member of the group or a subordinate GCKS may
 serve as a repair server, which can be responsible for resending
 rekey messages.
 Members may use the group SA, more specifically the Rekey SA, to
 authenticate requests sent to the repair server.  However, replay
 protection requires maintaining state at members as well as repair
 servers.  Authentication of repair requests is meant to protect
 against DoS attacks.  Note also that an out-of-sync member may use an
 expired Rekey SA to authenticate repair requests, which requires
 repair servers to accept messages protected by old SAs.

Baugher, et al. Informational [Page 21] RFC 4046 MSEC Group Key Management Architecture April 2005

 Alternatively, a simple mechanism may be employed to achieve local
 repair efficiently.  Each member receives a set of local repair
 server addresses as part of group operation policy information.  When
 a member does not receive a rekey message, it can send a "Retransmit
 replay message(s) with sequence number n and higher" message to one
 of the local repair servers.  The repair server can either ignore the
 request if it is busy or retransmit the requested rekey messages as
 received from the GCKS.  The repair server, which is also another
 member may choose to serve only m requests in a given time period
 (i.e., rate limits responses) or per a given rekey message.  Rate
 limiting the requests and responses protects the repair servers as
 well as other members of the group from DoS attacks.

5.6. Incorporating Group Key Management Algorithms

 Group key management algorithms make rekeying scalable.  Large group
 rekeying without employing GKMAs is prohibitively expensive.
 Following are some considerations in selecting a GKMA:
    o  Protection against collusion.
       Members (or non-members) should not be able to collaborate to
       deduce keys for which they are not privileged (following the
       GKMA key distribution rules).
    o  Forward access control
       The GKMA should ensure that departing members cannot get access
       to future group data.
    o  Backward access control
       The GKMA should ensure that joining members cannot decrypt past
       data.

5.7. Stateless, Stateful, and Self-healing Rekeying Algorithms

 We classify group key management algorithms into three categories:
 stateful, stateless, and self-healing.
 Stateful algorithms [RFC2627,OFT] use KEKs from past rekeying
 instances to encrypt (protect) KEKs corresponding to the current and
 future rekeying instances.  The main disadvantage in these schemes is
 that if a member were offline or otherwise failed to receive KEKs
 from a past rekeying instance, it may no longer be able to
 synchronize its GSA even though it can receive KEKs from all future
 rekeying instances.  The only solution is to contact the GCKS

Baugher, et al. Informational [Page 22] RFC 4046 MSEC Group Key Management Architecture April 2005

 explicitly for resynchronization.  Note that the KEKs for the first
 rekeying instance are protected by the Registration SA.  Recall that
 communication in that phase is one to one, and therefore it is easy
 to ensure reliable delivery.
 Stateless GKMAs [SD1,SD2] encrypt rekey messages with KEKs sent
 during the registration protocol.  Since rekey messages are
 independent of any past rekey messages (i.e., that are not protected
 by KEKs therein), a member may go offline but continue to decipher
 future communications.  However, stateless GKMAs offer no mechanisms
 to recover past rekeying messages.  Stateless rekeying may be
 relatively inefficient, particularly for immediate (not batch)
 rekeying in highly dynamic groups.
 In self-healing schemes [Self-Healing], a member can reconstruct a
 lost rekey message as long as it receives some past and some future
 rekey messages.

5.8. Interoperability of a GKMA

 Most GKMA specifications do not specify packet formats, although many
 group key management algorithms need format specification for
 interoperability.  There are several alternative ways to manage key
 trees and to number nodes within key trees.  The following
 information is needed during initialization of a Rekey SA or included
 with each GKMA packet.
    o  GKMA name (e.g., LKH, OFT, Subset Difference)
    o  GKMA version number (implementation specific).  Version may
       imply several things such as the degree of a key tree,
       proprietary enhancements, and qualify another field such as a
       key ID.
    o  Number of keys or largest ID
    o  Version-specific data
    o  Per-key information:
  1. key ID,
  2. key lifetime (creation/expiration data) ,
  3. encrypted key, and
  4. encryption key's ID (optional).

Baugher, et al. Informational [Page 23] RFC 4046 MSEC Group Key Management Architecture April 2005

 Key IDs may change in some implementations in which case one needs to
 send:
       o List of <old id, new id> pairs.

6. Group Security Association

 The GKM architecture defines the interfaces between the registration,
 rekey, and data security protocols in terms of the Security
 Associations (SAs) of those protocols.  By isolating these protocols
 behind a uniform interface, the architecture allows implementations
 to use protocols best suited to their needs.  For example, a rekey
 protocol for a small group could use multiple unicast transmissions
 with symmetric authentication, while a rekey protocol for a large
 group could use IP Multicast with packet-level Forward Error
 Correction and source authentication.
 The group key management architecture provides an interface between
 the security protocols and the group SA (GSA).  The GSA consists of
 three SAs: Registration SA, Rekey SA, and Data SA.  The Rekey SA is
 optional.  There are two cases in defining the relationships between
 the three SAs.  In both cases, the Registration SA protects the
 registration protocol.
 Case 1: Group key management is done WITHOUT using a Rekey SA.  The
    registration protocol initializes and updates one or more Data SAs
    (having TPKs to protect files or streams).  Each Data SA
    corresponds to a single group, which may have more than one Data
    SA.
 Case 2: Group key management is done WITH a Rekey SA to protect the
    rekey protocol.  The registration protocol initializes the one or
    more Rekey SAs as well as zero or more Data SAs, upon successful
    completion.  When a Data SA is not initialized in the registration
    protocol, initialization is done in the rekey protocol.  The rekey
    protocol updates Rekey SA(s) AND establishes Data SA(s).

6.1. Group Policy

 Group policy is described in detail in the Group Security Policy
 Token document [GSPT].  Group policy can be distributed through group
 announcements, key management protocols, and other out-of-band means
 (e.g., via a web page).  The group key management protocol carries
 cryptographic policies of the SAs and the keys it establishes, as
 well as additional policies for the secure operation of the group.

Baugher, et al. Informational [Page 24] RFC 4046 MSEC Group Key Management Architecture April 2005

 The acceptable cryptographic policies for the registration protocol,
 which may run over TLS [TLS], IPsec, or IKE, are not conveyed in the
 group key management protocol since they precede any of the key
 management exchanges.  Thus, a security policy repository having some
 access protocol may need to be queried prior to establishing the
 key-management session, to determine the initial cryptographic
 policies for that establishment.  This document assumes the existence
 of such a repository and protocol for GCKS and member policy queries.
 Thus group security policy will be represented in a policy repository
 and accessible using a policy protocol.  Policy distribution may be a
 push or a pull operation.
 The group key management architecture assumes that the following
 group policy information may be externally managed, e.g., by the
 content owner, group conference administrator or group owner:
    o  the identity of the Group owner, the authentication method, and
       the delegation method for identifying a GCKS for the group;
    o  the group GCKS, authentication method, and delegation method
       for any subordinate GCKSs for the group;
    o  the group membership rules or list and authentication method.
 There are two additional policy-related requirements external to
 group key management.
    o  There is an authentication and authorization infrastructure
       such as X.509 [RFC3280], SPKI [RFC2693], or a pre-shared key
       scheme, in accordance with the group policy for a particular
       group.
    o  There is an announcement mechanism for secure groups and
       events, which operates according to group policy for a
       particular group.
 Group policy determines how the registration and rekey protocols
 initialize or update Rekey and Data SAs.  The following sections
 describe potential information sent by the GCKS for the Rekey and
 Data SAs.  A member needs the information specified in the next
 sections to establish Rekey and Data SAs.

6.2. Contents of the Rekey SA

 The Rekey SA protects the rekey protocol.  It contains cryptographic
 policy, Group Identity, and Security Parameter Index (SPI) [RFC2401]
 to uniquely identify an SA, replay protection information, and key
 protection keys.

Baugher, et al. Informational [Page 25] RFC 4046 MSEC Group Key Management Architecture April 2005

6.2.1. Rekey SA Policy

    o  GROUP KEY MANAGEMENT ALGORITHM
       This represents the group key revocation algorithm that
       enforces forward and backward access control.  Examples of key
       revocation algorithms include LKH, LKH+, OFT, OFC, and Subset
       Difference [RFC2627,OFT,TAXONOMY,SD1,SD2].  If the key
       revocation algorithm is NULL, the Rekey SA contains only one
       KEK, which serves as the group KEK.  The rekey messages
       initialize or update Data SAs as usual.  However, the Rekey SA
       itself can be updated (the group KEK can be rekeyed) when
       members join or the KEK is about to expire.  Leave rekeying is
       done by re-initializing the Rekey SA through the rekey
       protocol.
    o  KEK ENCRYPTION ALGORITHM
       This specifies a standard encryption algorithm such as 3DES or
       AES, and also the KEK KEY LENGTH.
    o  AUTHENTICATION ALGORITHM
       This algorithm uses digital signatures for GCKS authentication
       (since all shared secrets are known to some or all members of
       the group), or some symmetric secret in computing MACs for
       group authentication.  Symmetric authentication provides weaker
       authentication in that any group member can impersonate a
       particular source.  The AUTHENTICATION KEY LENGTH is also to be
       specified.
    o  CONTROL GROUP ADDRESS
       This address is used for multicast transmission of rekey
       messages.  This information is sent over the control channel
       such as in an ANNOUNCEMENT protocol or call setup message.  The
       degree to which the control group address is protected is a
       matter of group policy.
    o  REKEY SERVER ADDRESS
       This address allows the registration server to be a different
       entity from the server used for rekeying, such as for future
       invocations of the registration and rekey protocols.  If the
       registration server and the rekey server are two different
       entities, the registration server sends the rekey server's
       address as part of the Rekey SA.

Baugher, et al. Informational [Page 26] RFC 4046 MSEC Group Key Management Architecture April 2005

6.2.2. Group Identity

 The group identity accompanies the SA (payload) information as an
 identifier if the specific group key management protocol allows
 multiple groups to be initialized in a single invocation of the
 registration protocol, or multiple groups to be updated in a single
 rekey message.  It is often simpler to restrict each registration
 invocation to a single group, but such a restriction is unnecessary.
 It is always necessary to identify the group when establishing a
 Rekey SA, either implicitly through an SPI or explicitly as an SA
 parameter.

6.2.3. KEKs

 Corresponding to the key management algorithm, the Rekey SA contains
 one or more KEKs.  The GCKS holds the key encrypting keys of the
 group, while the members receive keys following the specification of
 the key management algorithm.  When there are multiple KEKs for a
 group (as in an LKH tree), each KEK needs to be associated with a Key
 ID, which is used to identify the key needed to decrypt it.  Each KEK
 has a LIFETIME associated with it, after which the KEK expires.

6.2.4. Authentication Key

 The GCKS provides a symmetric or public key for authentication of its
 rekey messages.  Symmetric key authentication is appropriate only
 when all group members can be trusted not to impersonate the GCKS.
 The architecture does not rule out methods for deriving symmetric
 authentication keys at the member [RFC2409] rather than pushing them
 from the GCKS.

6.2.5. Replay Protection

 Rekey messages need to be protected from replay/reflection attacks.
 Sequence numbers are used for this purpose, and the Rekey SA (or
 protocol) contains this information.

6.2.6. Security Parameter Index (SPI)

 The tuple <Group identity, SPI> uniquely identifies a Rekey SA.  The
 SPI changes each time the KEKs change.

6.3. Contents of the Data SA

 The GCKS specifies the data security protocol used for secure
 transmission of data from sender(s) to receiving members.  Examples
 of data security protocols include IPsec ESP [RFC2401] and SRTP
 [RFC3711].  While the contents of each of these protocols are out of

Baugher, et al. Informational [Page 27] RFC 4046 MSEC Group Key Management Architecture April 2005

 the scope of this document, we list the information sent by the
 registration protocol (or the rekey protocol) to initialize or update
 the Data SA.

6.3.1. Group Identity

 The Group identity accompanies SA information when Data SAs are
 initialized or rekeyed for multiple groups in a single invocation of
 the registration protocol or in a single Rekey message.

6.3.2. Source Identity

 The SA includes source identity information when the group owner
 chooses to reveal source identity to authorized members only.  A
 public channel such as the announcement protocol is only appropriate
 when there is no need to protect source or group identities.

6.3.3. Traffic Protection Keys

 Regardless of the data security protocol used, the GCKS supplies the
 TPKs, or information to derive TPKs for traffic protection.

6.3.4. Data Authentication Keys

 Depending on the data authentication method used by the data security
 protocol, group key management may pass one or more keys, functions
 (e.g., TESLA [TESLA-INFO,TESLA-SPEC]), or other parameters used for
 authenticating streams or files.

6.3.5. Sequence Numbers

 The GCKS passes sequence numbers when needed by the data security
 protocol, for SA synchronization and replay protection.

6.3.6. Security Parameter Index (SPI)

 The GCKS may provide an identifier as part of the Data SA contents
 for data security protocols that use an SPI or similar mechanism to
 identify an SA or keys within an SA.

6.3.7. Data SA policy

 The Data SA parameters are specific to the data security protocol but
 generally include encryption algorithm and parameters, the source
 authentication algorithm and parameters, the group authentication
 algorithm and parameters, and/or replay protection information.

Baugher, et al. Informational [Page 28] RFC 4046 MSEC Group Key Management Architecture April 2005

7. Scalability Considerations

 The area of group communications is quite diverse.  In
 teleconferencing, a multipoint control unit (MCU) may be used to
 aggregate a number of teleconferencing members into a single session;
 MCUs may be hierarchically organized as well.  A loosely coupled
 teleconferencing session [RFC3550] has no central controller but is
 fully distributed and end-to-end.  Teleconferencing sessions tend to
 have at most dozens of participants.  However, video broadcast that
 uses multicast communications and media-on-demand that uses unicast
 are large-scale groups numbering hundreds to millions of
 participants.
 As described in the Requirements section, Section 2, the group key
 management architecture supports multicast applications with a single
 sender.  The architecture described in this paper supports large-
 scale operation through the following features.
 1. There is no need for a unicast exchange to provide data keys to a
    security protocol for members who have previously registered in
    the particular group; data keys can be pushed in the rekey
    protocol.
 2. The registration and rekey protocols are separable to allow
    flexibility in how members receive group secrets.  A group may use
    a smart-card based system in place of the registration protocol,
    for example, to allow the rekey protocol to be used with no back
    channel for broadcast applications such as television conditional
    access systems.
 3. The registration and rekey protocols support new keys, algorithms,
    authentication mechanisms and authorization infrastructures in the
    architecture.  When the authorization infrastructure supports
    delegation, as in X.509 and SPKI, the GCKS function can be
    distributed as shown in Figure 3 below.
 The first feature in the list allows fast keying of data security
 protocols when the member already belongs to the group.  While this
 is realistic for subscriber groups and customers of service providers
 who offer content events, it may be too restrictive for applications
 that allow member enrollment at the time of the event.  The MSEC
 group key management architecture suggests hierarchically organized
 key distribution to handle potential mass simultaneous registration
 requests.  The Figure 3 configuration may be needed when conventional
 clustering and load balancing solutions of a central GCKS site cannot
 meet customer requirements.  Unlike conventional caching and content

Baugher, et al. Informational [Page 29] RFC 4046 MSEC Group Key Management Architecture April 2005

 distribution networks, however, the configuration shown in Figure 3
 has additional security ramifications for physical security of a
 GCKS.
                 +----------------------------------------+
                 |       +-------+                        |
                 |       |  GCKS |                        |
                 |       +-------+                        |
                 |         |   ^                          |
                 |         |   |                          |
                 |         |   +---------------+          |
                 |         |       ^           ^          |
                 |         |       |    ...    |          |
                 |         |   +--------+  +--------+     |
                 |         |   | MEMBER |  | MEMBER |     |
                 |         |   +--------+  +--------+     |
                 |         v                              |
                 |         +-------------+                |
                 |         |             |                |
                 |         v      ...    v                |
                 |     +-------+   +-------+              |
                 |     |  GCKS |   |  GCKS |              |
                 |     +-------+   +-------+              |
                 |         |   ^                          |
                 |         |   |                          |
                 |         |   +---------------+          |
                 |         |       ^           ^          |
                 |         |       |    ...    |          |
                 |         |   +--------+  +--------+     |
                 |         |   | MEMBER |  | MEMBER |     |
                 |         |   +--------+  +--------+     |
                 |         v                              |
                 |        ...                             |
                 +----------------------------------------+
             Figure 3: Hierarchically Organized Key Distribution
 More analysis and work is needed on the protocol instantiations of
 the group key management architecture, to determine how effectively
 and securely the architecture can support large-scale multicast
 applications.  In addition to being as secure as pairwise key
 management against man-in-the-middle, replay, and reflection attacks,
 group key management protocols have additional security needs.
 Unlike pairwise key management, group key management needs to be
 secure against attacks by group members who attempt to impersonate a
 GCKS or disrupt the operation of a GCKS, as well as by non-members.

Baugher, et al. Informational [Page 30] RFC 4046 MSEC Group Key Management Architecture April 2005

 Thus, secure groups need to converge to a common group key when
 members are attacking the group, joining and leaving the group, or
 being evicted from the group.  Group key management protocols also
 need to be robust when DoS attacks or network partition leads to
 large numbers of synchronized requests.  An instantiation of group
 key management, therefore, needs to consider how GCKS operation might
 be distributed across multiple GCKSs designated by the group owner to
 serve keys on behalf of a designated GCKS.  GSAKMP [GSAKMP] protocol
 uses the policy token and allows designating some of the members as
 subordinate GCKSs to address this scalability issue.

8. Security Considerations

 This memo describes MSEC key management architecture.  This
 architecture will be instantiated in one or more group key management
 protocols, which must be protected against man-in-the-middle,
 connection hijacking, replay, or reflection of past messages, and
 denial of service attacks.
 Authenticated key exchange [STS,SKEME,RFC2408,RFC2412,RFC2409]
 techniques limit the effects of man-in-the-middle and connection
 hijacking attacks.  Sequence numbers and low-computation message
 authentication techniques can be effective against replay and
 reflection attacks.  Cookies [RFC2522], when properly implemented,
 provide an efficient means to reduce the effects of denial of service
 attacks.
 This memo does not address attacks against key management or security
 protocol implementations such as so-called type attacks that aim to
 disrupt an implementation by such means as buffer overflow.  The
 focus of this memo is on securing the protocol, not on implementing
 the protocol.
 While classical techniques of authenticated key exchange can be
 applied to group key management, new problems arise with the sharing
 of secrets among a group of members:  group secrets may be disclosed
 by a member of the group, and group senders may be impersonated by
 other members of the group.  Key management messages from the GCKS
 should not be authenticated using shared symmetric secrets unless all
 members of the group can be trusted not to impersonate the GCKS or
 each other.  Similarly, members who disclose group secrets undermine
 the security of the entire group.  Group owners and GCKS
 administrators must be aware of these inherent limitations of group
 key management.
 Another limitation of group key management is policy complexity.
 While peer-to-peer security policy is an intersection of the policy
 of the individual peers, a group owner sets group security policy

Baugher, et al. Informational [Page 31] RFC 4046 MSEC Group Key Management Architecture April 2005

 externally in secure groups.  This document assumes there is no
 negotiation of cryptographic or other security parameters in group
 key management.  Group security policy, therefore, poses new risks to
 members who send and receive data from secure groups.  Security
 administrators, GCKS operators, and users need to determine minimal
 acceptable levels of security (e.g., authentication and admission
 policy of the group, key lengths, cryptographic algorithms and
 protocols used) when joining secure groups.
 Given the limitations and risks of group security, the security of
 the group key management registration protocol should be as good as
 the base protocols on which it is developed, such as IKE, IPsec, TLS,
 or SSL.  The particular instantiations of this group key management
 architecture must ensure that the high standards for authenticated
 key exchange are preserved in their protocol specifications, which
 will be Internet standards-track documents that are subject to
 review, analysis, and testing.
 The second protocol, the group key management rekey protocol, is new
 and has unknown risks.  The source-authentication risks described
 above are obviated by the use of public-key cryptography.  The use of
 multicast delivery may raise additional security issues such as
 reliability, implosion, and denial-of-service attacks based upon the
 use of multicast.  The rekey protocol specification needs to offer
 secure solutions to these problems.  Each instantiation of the rekey
 protocol, such as the GSAKMP Rekey or the GDOI Groupkey-push
 operations, need to validate the security of their rekey
 specifications.
 Novelty and complexity are the biggest risks to group key management
 protocols.  Much more analysis and experience are needed to ensure
 that the architecture described in this document can provide a well-
 articulated standard for security and risks of group key management.

9. Acknowledgments

 The GKM Building Block [GKMBB] I-D by SMuG was a precursor to this
 document; thanks to Thomas Hardjono and Hugh Harney for their
 efforts.  During the course of preparing this document, Andrea
 Colegrove, Brian Weis, George Gross, and several others in the MSEC
 WG and GSEC and SMuG research groups provided valuable comments that
 helped improve this document.  The authors appreciate their
 contributions to this document.

Baugher, et al. Informational [Page 32] RFC 4046 MSEC Group Key Management Architecture April 2005

10. Informative References

 [BatchRekey]    Yang, Y. R., et al., "Reliable Group Rekeying: Design
                 and Performance Analysis", Proc. ACM SIGCOMM, San
                 Diego, CA, August 2001.
 [CLIQUES]       Steiner, M., Tsudik, G., and M. Waidner, "CLIQUES: A
                 New Approach to Group Key Agreement", IEEE ICDCS 97,
                 May 1997
 [FN93]          Fiat, A. and M. Naor, "Broadcast Encryption, Advances
                 in Cryptology", CRYPTO 93 Proceedings, Lecture Notes
                 in Computer Science, Vol. 773, pp. 480-491, 1994.
 [GKMBB]         Harney, H., M. Baugher, and T. Hardjono, "GKM
                 Building Block: Group Security Association (GSA)
                 Definition," Work in Progress, September 2000.
 [GSAKMP]        Harney, H., Colegrove, A., Harder, E., Meth, U., and
                 R.  Fleischer, "Group Secure Association Key
                 Management Protocol", Work in Progress, February
                 2003.
 [GSPT]          Hardjono, T., Harney, H., McDaniel, P., Colegrove,
                 A., and P.  Dinsmore, "The MSEC Group Security Policy
                 Token", Work in Progress, August 2003.
 [H.235]         International Telecommunications Union, "Security and
                 Encryption for H-Series (H.323 and other H.245-based)
                 Multimedia Terminals", ITU-T Recommendation H.235
                 Version 3, Work in progress, 2001.
 [JKKV94]        Just, M., Kranakis, E., Krizanc, D., and P. van
                 Oorschot, "On Key Distribution via True
                 Broadcasting", Proc. 2nd ACM Conference on Computer
                 and Communications Security, pp. 81-88, November
                 1994.
 [MARKS]         Briscoe, B., "MARKS: Zero Side Effect Multicast Key
                 Management Using Arbitrarily Revealed Key Sequences",
                 Proc.  First International Workshop on Networked
                 Group Communication (NGC), Pisa, Italy, November
                 1999.
 [MIKEY]         Arkko, J., Carrara, E., Lindholm, F., Naslund, M.,
                 and K. Norrman, "MIKEY: Multimedia Internet KEYing",
                 RFC 3830, August 2004.

Baugher, et al. Informational [Page 33] RFC 4046 MSEC Group Key Management Architecture April 2005

 [MSEC-Arch]     Hardjono, T. and B. Weis, "The Multicast Group
                 Security Architecture", RFC 3740, March 2004.
 [MVV]           Menzes, A.J., van Oorschot, P.C., and S.A. Vanstone,
                 "Handbook of Applied Cryptography", CRC Press, 1996.
 [NORM]          Adamon, B., Bormann, C., Handley, M., and J. Macker,
                 "Negative-acknowledgment (NACK)-Oriented Reliable
                 Multicast (NORM) Protocol", RFC 3940, November 2004.
 [OFT]           Balenson, D., McGrew, P.C., and A. Sherman, "Key
                 Management for Large Dynamic Groups: One-Way Function
                 Trees and Amortized Initialization", IRTF Work in
                 Progress, August 2000.
 [RFC2093]       Harney, H. and C. Muckenhirn, "Group Key Management
                 Protocol (GKMP) Specification", RFC 2093, July 1997.
 [RFC2094]       Harney, H., and C. Muckenhirn, "Group Key Management
                 Protocol (GKMP) Architecture" RFC 2094, July 1997.
 [RFC2326]       Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time
                 Streaming Protocol (RTSP)", RFC 2326, April 1998.
 [RFC2327]       Handley, M. and V. Jacobson, "SDP: Session
                 Description Protocol", RFC 2327, April 1998.
 [RFC2367]       McDonald, D., Metz, C., and B. Phan, "PF_KEY Key
                 Management API, Version 2", RFC 2367, July 1998.
 [RFC2401]       Kent, S. and R. Atkinson, "Security Architecture for
                 the Internet Protocol", RFC 2401, November 1998.
 [RFC2408]       Maughan, D., Schertler, M., Schneider, M., and J.
                 Turner, "Internet Security Association and Key
                 Management Protocol (ISAKMP)", RFC 2408, November
                 1998.
 [RFC2409]       Harkins, D. and D. Carrel, "The Internet Key Exchange
                 (IKE)", RFC 2409, November 1998.
 [RFC2412]       Orman, H., "The OAKLEY Key Determination Protocol",
                 RFC 2412, November 1998.
 [RFC2522]       Karn, P. and W. Simpson, "Photuris: Session-Key
                 Management Protocol", RFC 2522, March 1999.

Baugher, et al. Informational [Page 34] RFC 4046 MSEC Group Key Management Architecture April 2005

 [RFC2693]       Ellison, C., Frantz, B., Lampson, B., Rivest, R.,
                 Thomas, B., and T. Ylonen, "SPKI Certificate Theory",
                 RFC 2693, September 1999.
 [RFC3261]       Rosenberg, J., Schulzrinne, H., Camarillo, G.,
                 Johnston, A., Peterson, J., Sparks, R., Handley, M.,
                 and E. Schooler, "SIP: Session Initiation Protocol",
                 RFC 3261, June 2002.
 [RFC3280]       Housley, R., Polk, W., Ford, W., and D. Solo,
                 "Internet X.509 Public Key Infrastructure Certificate
                 and Certificate Revocation List (CRL) Profile", RFC
                 3280, April 2002.
 [RFC2627]       Wallner, D., Harder, E., and R. Agee, "Key Management
                 for Multicast: Issues and Architectures", RFC 2627,
                 June 1999.
 [RFC3450]       Luby, M., Gemmell, J., Vicisano, L., Rizzo, L., and
                 J.  Crowcroft, "Asynchronous Layered Coding (ALC)
                 Protocol Instantiation", RFC 3450, December 2002.
 [RFC3547]       Baugher, M., Weis, B., Hardjono, T., and H. Harney,
                 "The Group Domain of Interpretation", RFC 3547, July
                 2003.
 [RFC3550]       Schulzrinne, H., Casner, S., Frederick, R., and V.
                 Jacobson, "RTP: A Transport Protocol for Real-Time
                 Applications", STD 64, RFC 3550, July 2003.
 [RFC3711]       Baugher, M., McGrew, D., Naslund, M., Carrara, E.,
                 and K.  Norrman, "The Secure Real-time Transport
                 Protocol (SRTP)", RFC 3711, March 2004.
 [SD1]           Naor, D., Naor, M., and J. Lotspiech, "Revocation and
                 Tracing Schemes for Stateless Receiver", Advances in
                 Cryptology - CRYPTO, Santa Barbara, CA: Springer-
                 Verlag Inc., LNCS 2139, August 2001.
 [SD2]           Naor, M. and B. Pinkas, "Efficient Trace and Revoke
                 Schemes", Proceedings of Financial Cryptography 2000,
                 Anguilla, British West Indies, February 2000.
 [Self-Healing]  Staddon, J., et. al., "Self-healing Key Distribution
                 with Revocation", Proc. 2002 IEEE Symposium on
                 Security and Privacy, Oakland, CA, May 2002.

Baugher, et al. Informational [Page 35] RFC 4046 MSEC Group Key Management Architecture April 2005

 [SKEME]         H. Krawczyk, "SKEME: A Versatile Secure Key Exchange
                 Mechanism for Internet", ISOC Secure Networks and
                 Distributed Systems Symposium, San Diego, 1996.
 [STS]           Diffie, P. van Oorschot, M., and J. Wiener,
                 "Authentication and Authenticated Key Exchanges",
                 Designs, Codes and Cryptography, 2, 107-125 (1992),
                 Kluwer Academic Publishers.
 [TAXONOMY]      Canetti, R., et. al., "Multicast Security: A Taxonomy
                 and some Efficient Constructions", IEEE INFOCOM,
                 1999.
 [TESLA-INFO]    Perrig, A., Canetti, R., Song, D., Tygar, D., and B.
                 Briscoe, "TESLA: Multicast Source Authentication
                 Transform Introduction", Work in Progress, December
                 2004.
 [TESLA-SPEC]    Perrig, A., R. Canetti, and Whillock, "TESLA:
                 Multicast Source Authentication Transform
                 Specification", Work in Progress, April 2002.
 [tGSAKMP]       Harney, H., et. al., "Tunneled Group Secure
                 Association Key Management Protocol", Work in
                 Progress, May 2003.
 [TLS]           Dierks, T. and C. Allen, "The TLS Protocol Version
                 1.0," RFC 2246, January 1999.
 [TPM]           Marks, D. and B. Turnbull, "Technical protection
                 measures:  The Intersection of Technology, Law, and
                 Commercial Licenses", Workshop on Implementation
                 Issues of the WIPO Copyright Treaty (WCT) and the
                 WIPO Performances and Phonograms Treaty (WPPT), World
                 Intellectual Property Organization, Geneva, December
                 6 and 7, 1999.
 [Wool]          Wool, A., "Key Management for Encrypted broadcast",
                 5th ACM Conference on Computer and Communications
                 Security, San Francisco, CA, Nov. 1998.

Baugher, et al. Informational [Page 36] RFC 4046 MSEC Group Key Management Architecture April 2005

Authors' Addresses

 Mark Baugher
 Cisco Systems
 5510 SW Orchid St.
 Portland, OR  97219, USA
 Phone: +1 408-853-4418
 EMail: mbaugher@cisco.com
 Ran Canetti
 IBM Research
 30 Saw Mill River Road
 Hawthorne, NY 10532, USA
 Phone: +1 914-784-7076
 EMail: canetti@watson.ibm.com
 Lakshminath R. Dondeti
 Qualcomm
 5775 Morehouse Drive
 San Diego, CA 92121
 Phone: +1 858 845 1267
 EMail: ldondeti@qualcomm.com
 Fredrik Lindholm
 Ericsson Research
 SE-16480 Stockholm, Sweden
 Phone: +46 8 58531705
 EMail: fredrik.lindholm@ericsson.com

Baugher, et al. Informational [Page 37] RFC 4046 MSEC Group Key Management Architecture April 2005

Full Copyright Statement

 Copyright (C) The Internet Society (2005).
 This document is subject to the rights, licenses and restrictions
 contained in BCP 78, and except as set forth therein, the authors
 retain all their rights.
 This document and the information contained herein are provided on an
 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

 The IETF takes no position regarding the validity or scope of any
 Intellectual Property Rights or other rights that might be claimed to
 pertain to the implementation or use of the technology described in
 this document or the extent to which any license under such rights
 might or might not be available; nor does it represent that it has
 made any independent effort to identify any such rights.  Information
 on the procedures with respect to rights in RFC documents can be
 found in BCP 78 and BCP 79.
 Copies of IPR disclosures made to the IETF Secretariat and any
 assurances of licenses to be made available, or the result of an
 attempt made to obtain a general license or permission for the use of
 such proprietary rights by implementers or users of this
 specification can be obtained from the IETF on-line IPR repository at
 http://www.ietf.org/ipr.
 The IETF invites any interested party to bring to its attention any
 copyrights, patents or patent applications, or other proprietary
 rights that may cover technology that may be required to implement
 this standard.  Please address the information to the IETF at ietf-
 ipr@ietf.org.

Acknowledgement

 Funding for the RFC Editor function is currently provided by the
 Internet Society.

Baugher, et al. Informational [Page 38]

/data/webs/external/dokuwiki/data/pages/rfc/rfc4046.txt · Last modified: 2005/04/29 22:47 (external edit)