IEEE 802.21 Contribution Title Page

2014-1-17 21-14-0004-00-MuGM

Project IEEE 802.21d

Title Group key wrapping and unwrapping

DCN TBD

Date 17th Jan, 2014 Submitted

Source(s) Yoshikazu Hanatani (Toshiba)

Re: IEEE 802.21 Session #60 in Los Angels

Abstract This is a text and a figure to explain the procedures of a group key wrapping and a group key unwrapping.

Purpose This contribution provides texts and flow diagrams to resolve the comments #50 and #107 in LB7a. This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for Notice discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this Release contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that IEEE 802.21 may make this contribution public. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board Patent bylaws and in Understanding Patent Issues During Policy IEEE Standards Development http://standards.ieee.org/board/pat/faq.pdf

1 2014-1-17 21-14-0004-00-MuGM

Remedy for Cmt#50 and #107 in LB7a. Change the original text to following new text.

New text:

9.4.2.1 Master group key wrapping

To encapsulate an MGK as a GroupKeyData, an MIHF of a PoS first computes a CompleteSubtree for a specific group using the algorithm described in section 9.4.1.2. Let N be the number of node keys contained in the CompleteSubtree. The MIHF encrypts the MGK using each of the N node keys and obtains an ordered list of N encrypted versions of the MGK such that i-th element of the ordered list corresponds to i-th node key in the CompleteSubtree for all i in [1,N]. The obtained ordered list becomes the GroupKeyData. Figure X is a flow diagram of the master group key wrapping.

For example, let CS a CompleteSubtree given as ((0x01,0b00000000), (0x03, 0b10100000), (0x03,11100000)). Let X be an MGK. Then, the GroupKeyData for CS and X is (Enc(k<0>, X), Enc(k<101>, X), Enc(k<111>, X)) where Enc is an encapsulation algorithm.

If a master group key is not used, the master group key wrapping step should be omitted. Error: Reference source not found provides an example of creation of GKBs at a GKB Generator.

2 2014-1-17 21-14-0004-00-MuGM

Start master group key wrapping

Input a master group key MGK and a complete subtree S

Set GroupKeyData = null.

Read a node n which is a first element of the complete subtree S

Read K which is a node key of the node n.

Compute C = Enc(K, MGK)

Add C to GroupKeyData

Remove n from the complete subtree S

The complete subtree S is null?

Yes

Return GroupKeyData

Figure X: Flow diagram of the group key wrapping.

Figure Y is a flow diagram of the master group key unwrapping.

9.4.2.2 Master group key unwrapping

The master group key unwrapping procedure for a complete subtree S and a GroupKeyData is described as follows:

3 2014-1-17 21-14-0004-00-MuGM a) An MIHF finds i-th node index n in the complete subtree S and a device key k in the device keys that the MIHF itself owns where the node index n and the node index of the device key k are identical. If the MIHF fails to find such node index, the procedure shall terminate. b) Using the node key k, the MIHF decrypts the i-th encrypted group key in the GroupKeyData. The

result of the decryption is a master group key MGK.

Start master group key unwrapping

Input a complete subtree S and a GroupKeyData.

Find n in REPIENT_MIHF_BASE such that n is i-th element of the complete subtree S. Then extract and a device key k that corresponds to ing with n. is recorded in own RECIPIENT_MIHF_BASE .

Succeed to find ni and k?

Yes

Read C from which is i-th element of the GroupKeyData.

Compute MGK = Denc(k, CMGK)

Return error Return MGK

Figure Y: Flow diagram of the group key unwrapping.

Remove the original text (shown below) : Section 9.4.2.1 and 9.4.2.2 in P802 21d_D03-LLC-0114-2014.doc.

9.4.2.1 Master group key wrapping

[This should use the content in 9.4.2.5.1 encapsulation. But new text is needed. The current text is just an example. It needs to be more general.] Error: Reference source not found provides an example of creation of GKBs at a GKB Generator. In the last example, two GKBs are given: GKB2-1 = {[8, 15], {11, 100}, {[Kb], [Kb]}} and GKB2-2 = {[0, 7], {0011, 0100}, {[Kb], [Kb]}}. The Subgroup Ranges [8, 15], [0, 7] are expressed by sequences of two octets: (0x08, 0x0f) and (0x00, 0x07). They make SubgroupRange TLVs. The Node Indices for the nodes labeled ‘11’ and ‘100’ are (0x02, 0b1100) and (0x03, 0b1000) respectively though the size 4 of the Node Indices is not compliant to this specification. Those Node Indices make a Complete Subtree TLV. Likewise, the Node Indices for

4 2014-1-17 21-14-0004-00-MuGM the node labeled ‘0011’ and ‘0100’ are (0x04, 0b0011) and (0x04, 0b0100). Those Node Indices also make a Complete Subtree TLV. The Key Data TLVs for GKB 2-1 and GKB2-2 are made of {[Kb]} and {[Kb], [Kb]}.

9.4.2.2 Master group key unwrapping

[This should use the content in 9.4.2.5.2 decapsulation.] At first, the decapsulation procedure for a GKB with a group key data part is described as follows: c) An MIHF finds a Node Index in the complete subtree part of the GKB and a Device Key in the device keys that the MIHF itself owns such that the Node Index and the Node Index of the Device Key are identical. Suppose that the Node Index thus found is the n-th Node Index in the complete subtree part. If the MIHF fails to find such Node Indices, the procedure shall terminate.  If the procedure terminates here, it means that the MN does not belong to the group designated by the TargetIdentifier defined in Error: Reference source not found. The MN shall leave the group if it currently belongs to the group. d) Using the Node Key in the Device Key found in a), the MIHF decrypts the n-th encrypted group key in the group key data part. The result of the decryption is a group key KG.

 The group key KG is the group key for the group designated by the TargetIdentifier. The MN shall belong to the group. e) Check the MAC in the VerifyGroupCode field using the group key KG. If it fails, the decapsulation procedure shall abort. If a GroupKeyData TLV is absent in an MIH_Net_Group_Manipulate indication message, the following procedure applies: f) An MIHF tries to find a Node Index in the complete subtree part of the GKB and a Node Index in the device keys, which the MIHF itself owns such that the two Node Indices are identical.  If the MIHF fails to find a matching pair, it means that the MN does not belong to the group designated by the TargetIdentifier defined in Error: Reference source not found. The MN leaves the group if it currently belongs to the group.  If the procedure succeeds to find a matching pair, it means that the MN belongs to the group designated by the TargetIdentifier defined in Error: Reference source not found. The MN joins in the group if it does not currently belong to the group. Note that an MN need not necessarily have device keys when GKBs without keys are used. Then, an MN is only required to have a sequence of Node Indices.