rfc2094.txt

Famous RFC documents, some of which have been translated into Chinese.
   validation send to them the current GKP.  (Access control is not
   defined in this document, but it is assumed that both hierarchical
   and discretionary (rule-based and identity-based) access control will
   be supported.)  These regional key distributors perform the same
   functions as the controller, except that they do not create the GKP.
   This concept can be expanded to the point where all current members
   are capable of downloading the GKP, and passing on that capability.

   Group Rekey -- When the group needs rekeying, the procedure is
   identical to the sender initiated case.  The controlling GKM
   application selects a member, creates a new GKP, creates a new GRP
   (which is encrypted in the previously distributed next GKEK) and
   broadcasts it to the group.

2.3 GKMP Features

   This section highlights areas in which we believe the GKMP approach
   has advantages over the "traditional" KDC based approaches.

2.3.1 Multicast

   Multicast protocols are a growing area of interest for the Internet.
   The largest benefit of a multicast protocol is the ability of several
   receivers to simultaneously get the same transmission.  If the
   transmission is of a sensitive nature, it should be encrypted.  This

Harney & Muckenhirn           Experimental                      [Page 6]

RFC 2094                   GKMP Architecture                   July 1997

   means that all members of the group must share the same encryption
   key to take benefit of the multicast transmission.

   To date the only way of setting up a group of symmetric keys is with
   the assistance of a centralized key management facility.  This
   facility would act as a key broker, creating and distributing keys to
   qualified group members.  There are several problems with this
   centralized concept.  These problems give rise to many of the
   following motivations for creating a distributed key management
   protocol.

2.3.2 Increase the autonomy of key groups

   The GKMP proposes to extend the pairwise key paradigm to grouped
   keys.  This protocol can be integrated into the communication
   protocols or applications and can become invisible to the host's
   operator.  We will use peer review to enforce our security policy.

   The GKMP allows any host on a network to create and manage a secure
   group.  Maintenance of these group keys can be performed by the hosts
   interested in the group.  The groups themselves will be relatively
   autonomous.  This simplifies the installation of this technology,
   allowing more hosts to use secure multicast communications.

2.3.3 Latency

   Latency refers to the time to set up, tear down, or rekey a group.
   In short, this corresponds to the length of time it would take to set
   up a multicast address.

   The GKMP can allow delegation of group creation authority to any host
   in the network.  In essence, when a host needs a group it will have
   the tools needed to create that group and manage it.  Additionally,
   since the host only needs to create a single group, it can
   concentrate on that particular group.

   In the current centralized key distribution approach, the group must
   be requested from the central site.  The central site would process
   that request in accordance with its priority and current workload.
   Latencies would develop if the workload of the central site gets
   unwieldy or if the communications to the site become overloaded.

2.3.4 Extendibility

   One of the problems with a centralized key distribution system is the
   concentration of key management workload at a single site.  The
   process of creating key groups -- key creation, access review,
   communication to group members -- takes time and effort.  As the
   number of groups on the network and the number of group members grow,
   the workload at that central site quickly reaches capacity.

   GKMP should allow a great number of groups to exist on the Internet
   without overloading any particular host.  Delegation of the netwide
   group creation and management workload places the burden of
   maintaining groups on the hosts interested in using those groups.
   Not only is this more efficient, but it places the burden in an
   appropriate location.

   The GKMP distributes the communication requirements to manage groups
   across the network.  Each group manages itself using the same
   communication resources needed to pass traffic.  It is likely that if
   a communication group can support the traffic of a group, it will be
   able to support the minimal traffic needed to manage the keys for
   that group.

   GKMP provides its own access control, based on signed netwide
   permission certificates.  This partially disseminates the burden of
   access control and permission management.  A system wide authority
   must assign the permission certificates, but day to day access
   control decisions are a GKMP responsibility.

2.3.5 Operating expense

   A centralized key distribution site contains, at one time or another,
   the keys for the net.  This is a valuable target for someone to
   compromise.  To protect this site, physical and procedural security
   mechanisms are employed (e.g., guards, fences, intrusion alarms, two
   person safes, no-alone zones).  These mechanisms do not come cheap.

   Allowing the hosts to create and manage their keys eliminates the
   need for an on-line centralized key distribution site.  The protocol
   approach restricts access to the keys to the hosts using them (the
   minimal set).  Since the encryption mechanisms will have already
   incurred the cost to be physically secured, there is no additional
   cost levied on the system by the key management system.

2.3.6 Communication Resources

   Because a centralized site is involved in creating, distributing,
   rekeying, and providing access control for every group, it is
   frequently accessed.  The communication resources available to this
   site often become a bottleneck for the groups.  Therefore a big pipe
   is usually installed to this facility.

   The GKMP proposes delegating most of the key creation, distribution,
   rekey and access control mission to the hosts that need the secure
   communication.  There is no longer a single third party that must be
   consulted prior to every group key management action.  Hence, the
   communications requirements to manage the keys have shifted to the
   groups themselves.  The need for special high capacity communications
   has been eliminated.

2.3.7 Reliability

   Delegating key management responsibility to the groups eliminates the
   centralized key management site as a single point of failure.  The
   groups that will use the key are responsible for it.  If the
   communications system fails for the key management, it is also down
   for the communications.

   The GKMP will attempt to delegate as many functions to the group as
   possible.  There will be some functions which still need to be
   performed outside of the group (granting of privileges).  These
   functions can still fail.  The GKMP will operate on the old set of
   permissions.  These functions need not be in-line.  They are
   performed separately from the key management actions and are not
   crucial to day-to-day operation.

2.3.8 Security

   People are the most risky element for security.  A distributed
   protocol eliminates many people from the key distribution chain.
   This limits "exposure" of the key.

3 GKMP Protocol Overview

3.1 Supporting functions

   A secure key management protocol needs a number of supporting
   functions, especially in a military environment.  The two major
   support functions are security management and network group
   management.  In the commercial world a company could provide these
   support functions.

   The issue of security management is permission management; in a
   military environment, separation of data occurs along classical
   classification lines (i.e., TOP SECRET to UNCLASSIFIED).  In the
   commercial world these levels are proprietary or need to know access.

   Network group management provides an interface to the communications
   system and control of network resources.  Some entity, either a
   commercial or military system (the host or network operations
   center), must provide the key management protocol with a list of the
   group members.  Also, if the network resources, bandwidth and
   processing, are considered scarce, a management structure must
   allocate them.

3.1.1 Security management

   Security management is a role performed for the entire network.  It
   involves netwide issues of permission management, initialization of
   software, and compromise recovery.  The GKMP relies on security
   management to operate.  Refer to figure 1: Security management view.

   The GKMP must assume trusted handling of the protocol software prior
   to and during installation.  If the GKMP is to use peer to peer
   access control, the system must control the assignment of
   permissions.  These permissions must be monitored and updated as
   needed.  Finally, oversight of these permissions must include the
   maintenance of a Certificate Revocation List.

   [Figure 1: Security Management View.  The figure shows the Security
   Manager feeding the Network with three items: Permissions, Secure
   Start-ups, and Compromise recovery.]

   Secure start-up  We need to control the process of loading GKMP
   software onto a host and initializing it.  The protocol needs keys,
   public and private, to operate.  It also must have identity
   information for the host on whose behalf it will act.

   There are some life cycle and security concerns with the software
   while in transit, stored, distributed, and installed.  A one time
   start-up procedure must verify the identity of the host.  Procedural
   and physical identification techniques will verify the identity of
   the host (i.e., the Armed Forces Courier Service (ARFCS) accounting,
   or registered mail).  Upon key delivery the security manager logs
   its receipt and assumes responsibility for the key.

   After proper installation of the software, a paper trail verifies the
   recipient.  The computer would initiate an association with the
   security management function to initialize the protocol software
   (create a unique public and private key pair for network operation
   and receive network permissions).  This activation process uses keys
   distributed with the software (good only for initialization) to
   secure an exchange with the security manager.  The host then creates
   a unique public and private pair and sends the public key to the
   security manager.  The security manager creates a credential that
   uniquely identifies the host and its permissions.  This credential is
   signed by the security management with its private key and can be
   verified by all net members with the public key.

   Permission management  Each host on the network is given a
   permissions certificate signed by the security management which
   uniquely identifies that host and identifies the access permissions
   it is allowed.  These permission certificates are used by the network
   hosts to assign permissions to other hosts.

   This process assigns permissions to equipment or human beings in
   accordance with their duties.  This process involves security
   clearances and human judgment; therefore it is outside the scope of
   this protocol.

   The security management function, especially in military operations,
   would be responsible for managing permissions and classifications at
   each host.  In the commercial world, permission management
   corresponds to projects or duties.

   Compromise recovery management  If a group member is found
   compromised, the protocol must facilitate the exclusion of the
   compromised member and return to secure operations.  The security
   management function will provide control of compromise recovery.
   Usually, physical inspections or accounting techniques find
   compromises.  These separate systems report the compromise to the key
   management system.  We must assume the loss of all keys resident at
   that host.  The security management function will rescind the
   permissions allocated to this compromised host.  We create a list of
   all known compromised hosts and distribute that list across the
   network.  Each host is then responsible for reviewing the propriety
   of each association and enforcing access control to data.

3.1.2 Group management

   The group manager interacts with other management functions in the
   network to provide the GKMP with group membership lists and group
   relevant commands.  The GKMP deals strictly with cryptographic keys.
   It relies on external communication and network management services
   to supply network related information.  Primarily, it relies on the
   network management service to provide it with the addresses of group
   members (if the group is sender initiated).
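The Group Rekey step from Section 2 above (a new GKP wrapped into a GRP under the previously distributed next GKEK, then broadcast) as an added worked example; this is not code from RFC 2094 or from any GKMP implementation. It assumes 256-bit keys, AES-GCM as the wrapping cipher and a nonce-prefixed wire layout, none of which the RFC specifies, and it shows why a host that never held the previous GKP cannot open the rekey packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// GKP is RFC 2094's Group Key Packet: the current traffic key plus the KEK for the next rekey.
type GKP struct{ GTEK, NextGKEK []byte }

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read is documented never to fail
	return b
}

// NewGKP is the controller's job: a fresh 256-bit GTEK and next GKEK.
func NewGKP() GKP { return GKP{GTEK: randBytes(32), NextGKEK: randBytes(32)} }

func gcm(gkek []byte) cipher.AEAD { // AES-256-GCM; neither call fails for a 32-byte key
	block, _ := aes.NewCipher(gkek)
	g, _ := cipher.NewGCM(block)
	return g
}

// BuildGRP seals the new GKP under the NextGKEK carried in the previous GKP, so only
// hosts holding that GKP can open it. Layout (12-byte nonce || ciphertext) is assumed here.
func BuildGRP(prev, next GKP) []byte {
	nonce := randBytes(12)
	plain := append(append([]byte{}, next.GTEK...), next.NextGKEK...)
	return gcm(prev.NextGKEK).Seal(nonce, nonce, plain, []byte("GRP"))
}

// Rekey is the member side: unwrap the new GKP with the NextGKEK the member already holds.
func Rekey(cur GKP, grp []byte) (GKP, error) {
	if len(grp) < 12+64+16 { // nonce + two 32-byte keys + GCM tag
		return GKP{}, fmt.Errorf("GRP too short: %d bytes", len(grp))
	}
	plain, err := gcm(cur.NextGKEK).Open(nil, grp[:12], grp[12:], []byte("GRP"))
	if err != nil {
		return GKP{}, fmt.Errorf("GRP rejected, not a current member: %w", err)
	}
	return GKP{GTEK: plain[:32], NextGKEK: plain[32:]}, nil
}

func main() {
	gkp0 := NewGKP()
	_, err := Rekey(NewGKP(), BuildGRP(gkp0, NewGKP())) // host holding a different GKP
	fmt.Println("outsider:", err)
}
```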
