1. IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-14-0173-00-MuGM
Title: Reducing the size of Complete Subtree TLV in the Group manipulation messages
Date Submitted: Nov, 5, 2014
Presented at IEEE d Sponsor Ballot comment resolution
Authors or Source(s):
 Yoshikazu Hanatani, Yoshihiro Ohba (Toshiba)
Abstract: The Sponsor Ballot Comment Resolution i-12.
MuGM

2. IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE
The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws < and in Understanding Patent Issues During IEEE Standards Development
IEEE presentation release statements
This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE
The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual < and in Understanding Patent Issues During IEEE Standards Development
MuGM

3. MIH Header Fields (SID=1, Opcode=1, AID=12 )
Problem
The size of the group manipulation message may be huge.
MIH_Net_Group_Manipulation indication/request
MIH Header Fields (SID=1, Opcode=1, AID=12 )
Source Identifier = sending MIHF ID
(Source MIHF ID TLV)
Destination Identifier = receiving MIHF ID
(Destination MIHF ID TLV)
GroupKeyUpdateFlag
(Group Key Update Flag TLV)
TargetIdentifier
(Group Identifier TLV)
SequenceNumber (Optional)a
(Sequence Number TLV)
TransportAddress (Optional)
(Transport Address TLV)
SubgroupRange (Optional)
(Subgroup Range TLV)
UserSpecificData (Optional)
(Aux Data TLV)
CompleteSubtree
(Complete Subtree TLV)
ComplementSubtreeFlag (Optional)b
(Complement Subtree Flag TLV)
GroupKeyData (Optional)
(Group Key Data TLV)
SecurityAssociationID (Optional)
(SAID Notification TLV)
The data sizes of CompleteSubtree and GroupKeyData depend on a selection of group members.
The data size of CompleteSubtree depends on the number of elements in GroupKeyData.
A list of Node Indices
A list of encrypted group keys
MuGM

4. Current method The CompleteSubtree TLV is a list of Node Indices.
GroupKeyData
LIST(Node_Index) = LIST(SEQUENCE(
NODE_DEPTH
NODE_INDEX_VALUE ))
LIST(ENCRYPTED_KEY_ECB) Not recommend
or LIST(ENCRYPTED_KEY_KEY_WRAP)
I1 || I2 || I3
C1 || C2 || C3
The list of Node Indiceis detects
- a device key which decrypt an element of GroupKeyData
- The element of GroupKeyData
MuGM

5. Suggested remedies Remedy 1: Use Bloom Filter as CompleteSubtree
Remedy 2: Omit CompeteSubtree
CompleteSubtree
GroupKeyData
BLOOM_FILTER = SEQUENCE(OCTET_STRING, UNSIGNED_INT(1))
LIST(ENCRYPTED_KEY_ECB) Need VerifyGroupCode
or LIST(ENCRYPTED_KEY_KEY_WRAP)
CompleteSubtree
GroupKeyData
LIST(ENCRYPTED_KEY_ECB) Need VerifyGroupCode
or LIST(ENCRYPTED_KEY_KEY_WRAP)
Strong point : Reduce the data size of CompleteSubtree.
Weak point: The MIHF have to unwrap GroupKeyData by try and error (It will be explained later.)
MuGM

6. Benefits (1/2) A1 v.s. B1: 7.0% ~ 16.6% A2 v.s. B2: 10.1% ~ 22.9%
Data size of CompleteSubtree + GroupKeyData (Byte)
A1: Current method (AES-key wrap)
B1: Remedy 1 (AES-key wrap)
C1: Remedy 2 (AES-key wrap)
A2: Current method (AES-ECB) B2: Remedy 1 (AES-ECB)
C2: Remedy 2 (AES-ECB)
Parameter of Bloom Filter k = 8, m = 1.44*kN
The number of elements in GroupKeyData
A1 v.s. B1: 7.0% ~ 16.6%
A2 v.s. B2: 10.1% ~ 22.9%
A1 v.s. B2: 37.5% ~ 43.9%
A1 v.s. C1: 7.7% ~ 17.2%
A2 v.s. C2: 11.1% ~ 23.7%
A1 v.s. C2: 38.2% ~ 44.6%
MuGM

7. Benefits (2/2)
Data size of CompleteSubtree + GroupKeyData (Byte)
A1: Current method (AES-key wrap)
B1: Remedy 1 (AES-key wrap)
C1: Remedy 2 (AES-key wrap)
A2: Current method (AES-ECB) B2: Remedy 1 (AES-ECB)
C2: Remedy 2 (AES-ECB)
Parameter of Bloom Filter k = 8, m = 1.44*kN
The number of elements in GroupKeyData
If the number of elements in GroupKeyData is small, AES-key wrap is good.
MuGM

8. Suggested Remedy 1 CompleteSubtree is a Bloom Filter for Node Indices.
Group Key Unwrapping Algorithm
We can reduce the data size of Complete Subtree. The group key unwrapping needs try and error.
Find a device key which can be unwrap GroupKeyData. An invalid device key may be find
with 1/256.
Find a ciphertext in GroupKeyData
by decrypting ciphertexts using the device key (try and error).
The MIHF may decrypt N * H/256 times N: the number of elements of GroupKeyData H: the number of device keys
MuGM

9. Suggested Remedy 2 The CompleteSubtree is optional.
Group Key Unwrapping Algorithm
We can reduce the data size than Remedy 1. The group key unwrapping needs try and error more than Remedy 2.
Choose a device key.
Find a ciphertext in GroupKeyData
by decrypting ciphertexts using the device key (try and error).
The MIHF may decrypt N * H times N: the number of elements of GroupKeyData H: the number of device keys
MuGM

10. VerifyGroupCode Definition and related texts are in D/03
VERIFY_GROUP_KEY
SEQUENCE (
OCTETS(16),
OCTETS(16) )
The first OCTET(16) is arbitrary data, which is an input message to AES-CMAC (defined in RFC-4493). The second OCTET(16) is the MAC value for the first OCTET(16) to be verified.
Definition and related texts are in D/03
MuGM

11. Outline of suggested remedy
For Remedy 1 (CompleteSubtree is Bloom Filter), we shall revise following subclause.
Master group key unwrapping
Table F.24- Data type for security
For Remedy 2 (CompleteSubtree is optional), we shall revise following subclause.
MIH_MN_Group_Manipulate.response
MIH_Net_Group_Manipulate.request
MIH_Net_Group_Manipulate request
MIH_Net_Group_Manipulate indication
To use AES-ECB as the key wrapping algorithm in Remedy 1 and 2, we shall restore VerifyGroupCode for AES-ECB.
MIH_MN_Group_Manipulate response
Master Group Key Wrapping
9.6.1 Group session key derivation
9.6.5 Group key distribution Ciphersuites
Table L.2- Type values for TLV encoding
Details is shown in Another contribution.
MuGM

12. Appendix 1: Sizes of Current GKB
LIST(Node Indices)
Complete Subtree
Node Index = SEQUENCE(
NODE_DEPTH
NODE_INDEX_VALUE )
NODE_DEPTH : 1 Byte
NODE_INDEX_VALUE : 1, 2, 3, 4 Byte
LIST(ENCRYPTED_KEY_ECB) Not recommend
or LIST(ENCRYPTED_KEY_KEY_WRAP)
Group Key Data
ENCRYPTED_KEY_ECB : 16 Byte
ENCRYPTED_KEY_KEY_WRA : 24 Byte
Minimum size of the pair: 18 Byte
Maximal size of the pair: 29 Byte
MuGM

13. Appendix 2: The size of Bloom Filter
N: the number of elements
1/(2^k) : error rate
The Bloom Filter may pass an invalid element with 1/(2^k)
The size of Boom Filter representing N elements
1.44 k N bits = 0.18 k N Byte
MuGM