Group Key Management Protocol (GKMP) Specification




RFC 2093                   GKMP Specification                  July 1997


   The GKMP is an application layer protocol.  It is independent of the
   underlying communication protocol.  However, if multicast service is
   available it will speed the rekey of the cryptographic groups.
   Hence, the GKMP does use multicast services if they are available.

2 Overview:  GKMP Roles

   Creation and distribution of grouped key requires assignment of
   roles.  These identify what functions the individual hosts perform in
   the protocol.  The two primary roles are those of key distributor
   (the controller) and member.  The controller initiates the creation
   of the key, forms the key distribution messages, and collects
   acknowledgment of key receipt from the receivers.  The members wait
   for a distribution message, then decrypt, validate, and acknowledge
   the receipt of the new key.

2.1 Group controller

   The group controller (GC) is a group member with authority to
   perform critical protocol actions (i.e., create key, distribute key,
   create group rekey messages, and report on the progress of these
   actions).  All group members have the capability to be a GC and could
   assume this duty upon assignment.

   The GC helps the cryptographic group reach and maintain key
   synchronization.  A group must operate on the same symmetric
   cryptographic key.  If part of the group loses or inappropriately
   changes its key, it will not be able to send data to or receive data
   from another host operating on the correct key.  Therefore, it is
   important that those operations that create or change key are
   unambiguous and controlled (i.e., it would not be appropriate for
   multiple hosts to try to rekey a net simultaneously).  Hence, someone
   has to be in charge -- that is the controller.

2.2 Group member

   Simply stated, a group member is any group host who is not acting as
   the controller.  The group members will:  assist the controller in
   creating key, validate the controller's authorization to perform
   actions, accept key from the controller, request key from the
   controller, maintain local CRLs, perform peer review of key
   management actions, and manage local key.

Harney & Muckenhirn           Experimental