Key Mechanisms


Key Management Mechanisms

Key-Encryption Key Management ("kekkey")

Distributes session keys (in this instance called traffic-encrypting keys) using a key-encryption key. Keys are distributed to joining members encrypted under the pair key negotiated by the authentication mechanism.

There are a variety of parameters that control when a rekey is performed. If unsure whether the desired policy is being implemented, turn on logging: an indication of each rekey and the events that caused it will be logged.

Config         Meaning/Value
rekeyperiod    periodicity of timed rekey (integer, > 0)
hash           hash function used to ensure key distribution message integrity (enum; values: "md5")
crypt          cryptographic algorithm used to secure the authentication protocol (enum; values: "des")


Authenticated Group Key Management ("agkmkey")

Low-cost distribution of authenticated session keys. Keys are distributed to joining members encrypted under the pair key negotiated by the authentication mechanism. Further session keys are calculated from seed values broadcast in clear text. Seed information is able to generate up to kychlen keys, after which new seed values are signed and distributed.

Config         Meaning/Value
kychlen        length of key chains (integer, > 0)
rekeyperiod    periodicity of timed rekey (integer, > 0)
hash           hash function used to ensure key distribution message integrity (enum; values: "md5")
crypt          cryptographic algorithm used to secure the authentication protocol (enum; values: "des")

Logical Key Hierarchy (lkh, "lkhkey")

This is an implementation of a commonly known and reasonably efficient key distribution system which uses a binary tree of keys to rekey groups. It supports backward and forward secrecy, either of which may be disabled to improve performance.

The performance savings are mostly in terms of minimizing network traffic. Turning off backward or forward secrecy means that when the related event occurs, a rekey will not be performed. For more finely tunable control, the leave events are categorized as member leave, eject, or fail. This may be acceptable when, for example, a member who leaves the group is trusted not to give away keys.

Config (type, units; default)
    Description

hashfunc (hash function; default: md5)
    Hashing function used for signing data packets.

crypt (encryption algorithm; default: blowfish)
    Algorithm to use when encrypting data and rekey packets. This has some implications for network traffic.

rekeyperiod (floating point >= 0, seconds; default: 5.0)
    Maximum number of seconds between rekeys. This is a way of making sure that the group key stays fresh, to help protect data from attacks which require a lot of time. Set this value to zero to disable periodic rekeys.

minrekeyperiod (floating point >= 0, seconds; default: 0.0)
    Require at a minimum this amount of time to elapse before performing a rekey. Setting this value has the effect of batching multiple rekeys into a single rekey. This may be useful in large, dynamic groups where frequent joins and leaves would otherwise swamp the network with rekey overhead. This setting overrides other settings that indicate a rekey should be done.

retryperiod (floating point >= 0, seconds; default: 5.0)
    Time to wait before retrying a failed communication. The rekey mechanism provides reliability for performing its own functions; this does not imply reliability for the handling of user data.

retryvariance (floating point >= 0, percent; default: 0.05)
    Maximum random percentage to be added to the retryperiod when retrying failed communications. This handles situations where multiple communication failures happen simultaneously, which could in turn overload the network; it allows the retries to be spread out. By way of example, a value of 0.05 and a retryperiod value of 6.0 means that a retry of communications will be attempted after waiting some random time from 6.0 to 6.3 seconds.

joins (integer >= 0; default: 1)
    If this number of joins occurs without a rekey, a rekey will be performed. This is similar to specifying rekeyperiod, but is membership based instead of time based. It may be overridden by minrekeyperiod. If zero, this value is ignored.

leaves (integer >= 0; default: 1)
    If this number of member leaves occurs without a rekey, a rekey will be performed. This is similar to specifying rekeyperiod, but is membership based instead of time based. It may be overridden by minrekeyperiod. If zero, this value is ignored.

fails (integer >= 0; default: 1)
    If this number of membership failures occurs without a rekey, a rekey will be performed. This is similar to specifying rekeyperiod, but is membership based instead of time based. It may be overridden by minrekeyperiod. If zero, this value is ignored.

ejects (integer >= 0; default: 1)
    If this number of ejects occurs without a rekey, a rekey will be performed. This is similar to specifying rekeyperiod, but is membership based instead of time based. It may be overridden by minrekeyperiod. If zero, this value is ignored.

forwardLeaveSecrecy (boolean; default: TRUE)
    If TRUE, then when a member leaves, a new group key will be established and that member will not be able to access subsequent data.

forwardEjectSecrecy (boolean; default: TRUE)
    If TRUE, then when a member is ejected, a new group key will be established and that member will not be able to access subsequent data.

forwardFailSecrecy (boolean; default: TRUE)
    If TRUE, then when a member fails, a new group key will be established and that member will not be able to access subsequent data.

backwardSecrecy (boolean; default: TRUE)
    If TRUE, then when a member joins, a new group key will be established and the new member will not have access to old data. To gain such access, the member would have to have recorded and stored the old data in its encrypted form for later decryption.
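As an added illustration, not Antigone's own code, the following Python models how the lkhkey settings above combine into a rekey decision: the per-event secrecy flags, the joins/leaves/fails/ejects thresholds (zero ignored), the timed rekeyperiod, the minrekeyperiod override that batches triggers, and the retryperiod/retryvariance spread. The class and function names are hypothetical and the exact way the evaluator orders these checks is an assumption; the field names and defaults are the table's.

```python
import random
from dataclasses import dataclass

@dataclass
class LkhConfig:
    # Names and defaults follow the lkhkey config table on this page.
    rekeyperiod: float = 5.0      # seconds between timed rekeys; 0 disables them
    minrekeyperiod: float = 0.0   # seconds; triggers closer together than this are batched
    retryperiod: float = 5.0
    retryvariance: float = 0.05   # fraction of retryperiod added at random
    joins: int = 1; leaves: int = 1; fails: int = 1; ejects: int = 1  # 0 => ignored
    backwardSecrecy: bool = True; forwardLeaveSecrecy: bool = True
    forwardFailSecrecy: bool = True; forwardEjectSecrecy: bool = True

# event -> (secrecy flag that must be TRUE for the event to count, its counter threshold)
RULES = {"join": ("backwardSecrecy", "joins"), "leave": ("forwardLeaveSecrecy", "leaves"),
         "fail": ("forwardFailSecrecy", "fails"), "eject": ("forwardEjectSecrecy", "ejects")}

class RekeyPolicy:
    """Hypothetical evaluator: answers 'is a rekey due?' for each event or clock tick."""
    def __init__(self, cfg, now=0.0):
        self.cfg, self.last_rekey = cfg, now
        self.counts = dict.fromkeys(RULES, 0)
    def _pending(self):  # some counter with a non-zero threshold has reached it
        return any(0 < getattr(self.cfg, t) <= self.counts[e] for e, (_, t) in RULES.items())
    def _rekey(self, reason, now):
        # minrekeyperiod overrides every other trigger; counts survive so the
        # suppressed events are batched into the next rekey that is allowed.
        if now - self.last_rekey < self.cfg.minrekeyperiod:
            return None
        self.last_rekey, self.counts = now, dict.fromkeys(RULES, 0)
        return reason
    def on_event(self, ev, now):
        """Membership event: returns the rekey reason, or None if no rekey is due."""
        flag, thr = RULES[ev]
        if not getattr(self.cfg, flag):
            return None               # secrecy disabled for this event: it never rekeys
        self.counts[ev] += 1
        n = getattr(self.cfg, thr)
        return self._rekey(f"{thr} threshold {n} reached", now) if 0 < n <= self.counts[ev] else None
    def on_tick(self, now):
        """Clock tick: timed rekey when rekeyperiod > 0, else release any batched events."""
        if self.cfg.rekeyperiod > 0 and now - self.last_rekey >= self.cfg.rekeyperiod:
            return self._rekey("rekeyperiod elapsed", now)
        return self._rekey("batched membership events", now) if self._pending() else None

def retry_delay(cfg, rng=random.random):
    """Retry wait: retryperiod plus up to retryvariance of it (6.0 / 0.05 -> 6.0..6.3 s)."""
    return cfg.retryperiod * (1.0 + cfg.retryvariance * rng())
```

Feeding a recorded sequence of join/leave events and clock ticks through on_event/on_tick shows which configuration actually yields the rekey cadence you intended, which is the same question the page suggests answering by turning on logging.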



Factotem Inc, Antigone Version 2.0.10, Nov 18, 2002
antigone@factotem.com