Professional Documents
Culture Documents
11 NOVEMBER 2011
2069
SUMMARY Group key establishment is an important mechanism to more than two participants. Therefore, a group key estab-
construct a common session key for group communications. Conventional lishment protocol is needed for group communications. In
group key establishment protocols use an on-line trusted key generation
general, group key establishment protocols can be classified
center (KGC) to transfer the group key for each participant in each session.
However, this approach requires that a trusted server be set up, and it incurs into two major types. In the first type, a trusted third party,
communication overhead costs. In this article, we address some security such as a group key generation center (KGC), generates the
problems and drawbacks associated with existing group key establishment common session key and assigns the key to all group mem-
protocols. Besides, we use the concept of secret sharing scheme to propose bers. In the second type, the common session key is gen-
a secure key transfer protocol to exclude impersonators from accessing the
group communication. Our protocol can resist potential attacks and also
erated by group members directly without any third party
reduce the overhead of system implementation. In addition, comparisons joining. In addition, the protocols of the second type can
of the security analysis and functionality of our proposed protocol with be subdivided into group key transfer protocols and group
some recent protocols are included in this article. key agreement protocols. The group key transfer protocol is
key words: key transfer protocol, group key, Diffie-Hellman key agreement,
that an initiator (a chairperson) demands to organize a group
secret sharing
communication, and then he/she selects a group key and dis-
tributes the key to the other participants. On the other hand,
1. Introduction the group key agreement protocol is that all participants to-
gether compute a common session key for the group com-
With the development of computer and network technolo- munication. Even though group key agreement protocols
gies, network communications have become a part for many have more flexibility to generate the group key, these pro-
people’s daily lives. It is well known that data confiden- tocols usually have heavy communication cost to construct
tiality is one of the most important issues for secure com- the group key.
munications. To prevent an adversary from gaining access In 1995, Klein et al. [4] first proposed group key agree-
to the sensitive content of communications, a session key ment protocol with fault-tolerance. The goal of fault-
can be used for encryption/decryption. Therefore, before tolerance is to exclude malicious participants from the
exchanging communication messages, a key establishment group. In 2002, Tzeng [5] pointed out that Klein et al.’s
protocol must be used to construct the session keys for legit- protocol is quite inefficient and its security is not rigidly
imate participants in the communication. As we know, the proven. Thus, Tzeng proposed a secure fault-tolerant group
Diffie-Hellman (DH) key agreement protocol [1] is the most key agreement protocol to overcome those drawbacks. In
commonly used protocol for constructing a common session 2009, Huang et al. [6] proposed an enhanced group key
key between two parties. Since the public-key itself does agreement protocol based on Discrete Logarithm Problem
not provide the property of authentication, a digital signa- (DLP) and they claimed that their protocol is more efficient
ture [2] or certificate [3] can be attached to the public-key to in terms of computation and communication. In 2010, Zhao
ensure authentication. However, the DH key agreement pro- et al. [7] proposed a group key agreement protocol based on
tocol is not suitable for a group communication, such as an RSA cryptosystem [8] to improve the performance of Huang
e-conference, e-learning, and multi-user games, which has et al.’s protocol.
On the other hand, secret sharing has been used to
Manuscript received May 2, 2011. design group key distribution protocols in recent years.
†
The author is with the Department of Computer Science and There are two different methods to implement secret shar-
Information Engineering, National Chung Cheng University, Chi- ing scheme, i.e., the first method assumes that an off-line
ayi 62102, Taiwan.
††
The author is with the School of Software, Dalian University trusted server is involved only at initialization [9], [10], and
of Technology, Dalian, Liaoning 116024, China. the second method assumes that an on-line trusted server,
††† such as KGC, is involved in all processes [11]. In 1991,
The author is with the Department of Computer Science
Electrical Engineering, University of Missouri-Kansas City, MO Berkovits [12] employed the same concept of [11] to pro-
64110, USA. pose scheme to distribute group messages. This scheme
††††
The author is with the Department of Information Engineer- can be adopted to transfer the session key for group mem-
ing and Computer Science, Feng Chia University, Taichung 40724,
Taiwan. bers. However, Harn and Lin [13] indicated that this kind
a) E-mail: ccc@cs.ccu.edu.tw of method might suffer from the insider attack. Thus, they
DOI: 10.1587/transinf.E94.D.2069 used modulus N, a composite integer, to prevent this kind
Copyright
c 2011 The Institute of Electronics, Information and Communication Engineers
IEICE TRANS. INF. & SYST., VOL.E94–D, NO.11 NOVEMBER 2011
2070
of attack. Unfortunately, the on-line KGC is required in dis- the number of participants. In fact, this is a serious prob-
tributing the group key; therefore it increases the overhead lem to system overhead. In 2007, Tseng [18] demonstrated
of the system. that Tzeng’s protocol does not provide forward secrecy and
In this article, we adopt the advantages of the DH key then proposed a secure group key agreement protocol based
agreement and the secret sharing to design an efficient key on the decisional Diffie-Hellman (DDH) problem. In 2009,
transfer protocol that is secure. The rest of this article is Huang et al. proposed a group key protocol based on DLP to
organized as follows. In Sect. 2, we review some group key enhance the performance of Tzeng’s scheme. In 2010, Zhao
establishment protocols and then discuss some drawbacks. et al. proposed a similar protocol based on RSA cryptosys-
In Sect. 3, we illustrate the design concept of the improved tem and also claim that their scheme can achieve the ability
scheme and a practical design example is proposed. Some of fault-tolerant. In this article, we demonstrate that Zhao
security issues and required functionalities regarding group et al.’s protocol cannot exclude adversaries from the group
key establishment protocols are discussed in Sect. 4. Finally, completely. Also, Zhao et al.’s protocol depends on unicas-
some conclusions are summarized in Sect. 5. ting to distribute the sub-key for each group member, this
means that heavy communication costs for messages trans-
2. Survey of Group Key Establishment Protocols mission.
Secret sharing schemes have been used to establish the
Since conventional group key establishment protocols use group key in recent years. Unfortunately, most group key
an on-line trusted third party, such as the KGC, to trans- establishment protocols based on secret sharing may suffer
fer the session key for each participant, it may increase the from the insider attack. In 2010, Harn and Lin proposed a
overhead of the system and lose the flexibility of the group secure group key transfer protocol based on Shamir’s (t, n)
key. Some group key establishment protocols without on- secret sharing [19], denoted as (t, n)-SS. They also modified
line KGC have been proposed to overcome those drawbacks Shamir’s (t, n)-SS as modulus N, a composite integer, to
in recent years. withstand the insider attack.
In 1996, Steiner et al. [14] proposed a key agreement In this section, we first summarize the characteristics of
protocol based on the natural extension of the DH key some existing group key establishment schemes in Table 1.
agreement protocol for the group communication. In 2001, Next, we review three recent schemes, i.e., Huang et al.’s
Steiner’s protocol has been enhanced with the property of scheme, Zhao et al.’s scheme, and Harn and Lin’s scheme,
authentication by Bresson et al. [15]. In 2006, Bohli [16] respectively, and then indicate some potential drawbacks.
proposed a framework for robust group key agreement that
provides security against malicious insiders and active ad- 2.1 Huang et al.’s Scheme
versaries in public point-to-point network. However, most
DH based group key agreement protocols do not scale well Huang et al.’s scheme is composed of five phases, i.e.,
and, in particular, require O(n) rounds. In 2007, Katz and parameter generation, secret distribution and commitment,
Yung [17] proposed the first constant-round and fully scal- sub-key computation and verification, fault detection, and
able group key exchange protocol to reduce the message session key computation. The detailed processes are illus-
transmission overhead. trated as follows.
There are other group key establishment protocols • Parameter generation
based on non-DH key agreement approach. In 2002, Tzeng All the group members must register with the trusted
proposed a secure group key agreement protocol with fault- server to obtain their public-key and private-key. For each
tolerant. With this ability, the protocol can detect malicious registered member Ui , for i = 1 to n, where n is the total
participants and prevent them from joining the group com- numbers of the group members, the server performs the fol-
munications. However, each participant needs to maintain lowing processes:
n n-degree polynomials, where the parameter n depends on 1) Selects a large prime p comprised of 2q + 1, where q is
2) Assigns an integer si ∈ [2, Ni ] as the private-key for each (b) When receiving parameters Ri and Ki from Ui , each
Ui , and computes fi such that fi ·si ≡ 1 mod φ(Ni ), where participant Um (m i) executes the following pro-
φ(Ni ) = (pi −1)(qi −1). Note that the server should ensure cesses to detect fault:
that si is unique for each registered member. (i) Check (Ri IDi ) fm mod Nm = Iim mod Nm . If
?
3) Delivers si to Ui via a secure channel and publishes the the result is wrong, Ui must be the malicious
values ( fi , Ni ). member.
?
(ii) Compute hi = h(Ki T i ) and then check hi =
• Sub-key Distribution and Commitment hi .
In order to distribute his/her temporary sub-key Ki to If both results provided by (i) and (ii) are cor-
the other participants securely, each Ui executes the follow- rect, U j is identified as a malicious member.
ing processes: Otherwise, it means that Ui is the malicious
member.
1) Computes Ri = (Ki ) si mod Ni .
2) Remove all the malicious members from the group and
2) Computes Ii j = (Ri IDi ) f j mod N j for each participant restart the protocol.
U j ( j i), where IDi is the public identity of Ui . Then,
computes hi = h(Ki T i ), where T i is the current times- • Session Key Computation
tamp. When malicious members are excluded from the group,
each honest member of the set U = {U1 , U2 , · · · , Un } can
3) Publishes Mi = (T i , hi , Ii1 , Ii2 , · · · , Ii(i−1) , Ii(i+1) , · · · , Iin ). compute the group key as k = K1 + K2 + · · · + Kn . After
establishing the group key k, each member will destroy the
• Sub-key Recovery and Verification temporary sub-key.
After receiving Mi from Ui , each participant U j ( j i) Although Zhao et al. claimed that their scheme can de-
performs the following procedures: tect and exclude the malicious participant in the group com-
1) Checks whether the timestamp T i is valid. If the result munication, we demonstrate below a possible case in which
is valid, U j continues the next process. Otherwise, U j Zhao et al.’s scheme cannot detect the malicious participant.
claims that Ui is fraudulent. Assuming that an adversary wants to masquerade as an hon-
est member Ui to join the group communication, he or she
2) Recovers Ri and IDi by computing (Ri IDi ) = might perform the following processes:
(Ii j ) s j mod N j , and then uses the corresponding fi to ob-
tain Ki by computing Ki = (Ri ) fi mod Ni . 1) Randomly select Ri ∈ Z∗Ni and then compute the tempo-
rary sub-key as Ki = (Ri ) fi mod Ni .
?
3) Computes hi = h(Ki T i ) and then checks hi = hi . If 2) Compute Ii j = (Ri IDi ) fi mod N j for each participant U j
the result is equivalent, broadcasts v ji = success or else, for j = 1 to (n − 1), j i.
broadcasts v ji = f ailure.
3) Compute hi = h(Ki T i ), where T i is the current times-
After the above processes are completed, there are tamp, and then publish
three possible cases:
Mi = (T i , hi , Ii1 , Ii2 , · · · , Ii(i−1) , Ii(i+1) , · · · , Iin ).
Case 1: v ji = success, this means that each member is le-
gitimate, and, later, all the group members directly In the sub-key recovery and verification phase, we can
execute the session key computation phase. ?
prove that the equivalence of hi = hi is true according to the
Case 2: v ji = f ailure and Ui is the malicious member. following derivation:
We have Ki = (Ri ) fi mod Ni = (Ri ) fi mod Ni = Ki ,
Case 3: v ji = f ailure and U j is the malicious member. In hence hi = h(Ki T i ) = h(Ki T i ) = hi .
this case, U j might cheat others who are honest Thus, each U j will broadcast v ji = success, meaning
members and exclude the honest member Ui . that the adversary can pass through the detection mechanism
successfully, and the malicious participant is not excluded
• Fault Detection
from the group communication.
This phase is executed when v ji = f ailure. It can detect
From the above analysis, we show that Zhao et al.’s
the real adversary by using the following processes:
scheme cannot achieve the property of fault-tolerance,
1) After receiving v ji = f ailure, each member waits for the i.e., completely detect and exclude the adversary. On
fault detection message {Ri , Ki } from Ui . Actually, there the other hand, each participant Ui must publish Mi =
are two probable situations: (T i , hi , Ii1 , Ii2 , · · · , Ii(i−1) , Ii(i+1) , · · · , Iin ) in the sub-key distri-
bution and commitment phase. As the previous analysis of
(a) If no one receives the message from Ui in a valid Huang et al.’s scheme, unicasting must be used for publish-
period, mark Ui as the malicious member. ing the term Ii j ( j i), therefore, the communication cost
LEE et al.: SECURE KEY TRANSFER PROTOCOL BASED ON SECRET SHARING FOR GROUP COMMUNICATIONS
2073
would be increased. To overcome these drawbacks, we pro- f (x) with degree t to pass through (t + 1)
posed a secure group key transfer protocol based on secret points, (0, k) and xi , yi ⊕ Ri , for i = 1, 2, · · · , t.
sharing. We illustrate the detailed processes of our scheme The KGC also computes t additional points,
in the next session. Pt , for i = 1, 2, · · · , t, on f (x) and Auth =
h(kU1 U2 · · · Ut R1 R2 · · · Rt P1 P2 · · · Pt ),
2.3 Harn and Lin’s Scheme where h(·) is a collision-free, one-way hash func-
tion and is the concatenation operator that com-
In 2010, Harn and Lin proposed an efficient, authenticated bines the two values into one. The KGC broadcasts
group key transfer protocol based on Shamir’s (t, n)-SS. {Auth, Pi } for i = 1, 2, · · · , t to all group members.
As we know, Shamir’s (t, n)-SS scheme satisfies two ba- All computations are performed in Z∗N .
sic security requirements, as follows: 1) with knowledge
of any t or more than t shares, it can reconstruct the secret Step 5. Each group member, Ui , who knows the shared se-
s easily and 2) with knowledge of fewer than t shares, it cret, (xi , yi ⊕ Ri ), and t additional public points,
cannot recover the secret s. In other words, the security Pi , for i = 1, 2, · · · , t, on f (x), can reconstruct the
of Shamir’s (t, n)-SS scheme is information-theoretically polynomial f (x) and recover the group key k =
secure since the scheme satisfies the above two require- f (0). Afterwards, each group member Ui computes
ments without making any computational assumptions. In h(kU1 U2 · · · Ut R1 R2 · · · Rt P1 P2 · · · Pt ),
Shamir’s (t, n)-SS scheme, the secret of each shareholder is and then determines whether this hash value is iden-
simply the y-coordinate of f (x). However, Harn and Lin’s tical to Auth. If the result is correct, the authenti-
scheme requires both the x-coordinate and the y-coordinate cated key k is established among all group mem-
for each shareholder’s secret. Moreover, in Shamir’s (t, n)- bers.
SS scheme, the modulus p used for all computations is a
Although Harn and Lin’s scheme can provide high se-
large prime number. To prevent the insider attack, Harn and
curity and distribute the group key efficiently, it requires an
Lin used modulus N, a composite integer, to replace modu-
on-line KGC to construct and transfer the group key, which
lus p. In addition, Harn and Lin’s scheme consists of three
increases the overhead required to implement the system
processes, i.e., 1) initialization of KGC, 2) user registration,
and reduces its flexibility. In addition, Harn and Lin did
and 3) group key generation and distribution. Each of these
not propose a practical method to share the secrets (xi , yi )
processes is described below.
between the KGC and users Ui for real-life applications.
• Initialization of KGC
The KGC randomly generates two large, safe prime
numbers p and q (i.e., prime numbers such that p = p−1 3. Improvement of Group Key Establishment Protocol
2 and
q = q−1 2 are also prime numbers) and computes N = p · q,
where N is publicly known. We propose a secure group key transfer protocol which over-
• User Registration comes the drawbacks in the previous schemes. In addition,
Each user is required to register with the KGC for sub- the proposed scheme is more efficient in term of communi-
scribing to the group key distribution service. The KGC cation overhead. We first describe the concept of our design
shares a secret, (xi , yi ), with each user Ui , where xi , yi ∈ Z∗N . in Sect. 3.1. Next, a practical design example is presented in
• Group Key Generation and Distribution Sect. 3.2.
Upon receiving a group key generation request from
any user, the KGC selects a group key randomly and dis- 3.1 The Concept of Our Design
tributes this group key to all group members in a secure
manner. Assume that a group consists of t members, When the confidentiality of group communications must
{U1 , U2 , · · · , Ut } and the shared secrets are (xi , yi ) for i = be assured, a one-time session key (group key) should be
1, 2, · · · , t. The key generation and distribution process con- shared among communication members. The well-known
tains the following five steps: Shamir’s (t, n)-SS scheme can be employed to establish the
common session key for all the group members. However,
Step 1. The initiator sends a key generation request to the conventional group key transfer schemes based on secret
the KGC with a list of group members, i.e., sharing (SS) require an on-line, trusted KGC as the dealer to
{U1 , U2 , · · · , Ut }. issue the shares (shadows) for each member. In addition, the
KGC must generate a secret key as the group key and then
Step 2. The KGC broadcasts the list of all participating use the SS scheme to transmit the group key to all members.
member, {U1 , U2 , · · · , Ut }, as the response. Actually, this approach can result in loss of flexibility and
Step 3. Each participating member selects a random num- cause an increase in the overhead associated with the imple-
ber Ri ∈ Z∗N and then sends Ri to the KGC. mentation of the system. To overcome these drawbacks, an
initiator, one of the group members, is endowed with the
Step 4. The KGC randomly generates a group key k authority to select a secret key as the group key and to orig-
and then generates an interpolated polynomial inate the group communication. In addition, the initiator
IEICE TRANS. INF. & SYST., VOL.E94–D, NO.11 NOVEMBER 2011
2074
must share secrets with the other members by using an effi- In the session key transfer phase, the initiator and the
cient method. other participating members U j execute the following pro-
It is well know that the interactive key agreement pro- cesses:
tocol can construct a one-time secret between two parities
in public environments. In our design, the concept of DH 1) The initiator separates each shared secret s j into two
key agreement protocol is used to share secrets between the parts to derive the point (x j , y j ), where (x j y j ) = s j ,
initiator and the others members of the group. Further, the and randomly generates a session key k. Then, the
initiator can construct an interpolated polynomial f (x) pass- initiator constructs an interpolated polynomial f (x) of
ing through these shares and the selected session key by us- degree (t − 1) to pass through t points, (0, k) and (x j , y j ),
ing Lagrangian interpolation, where the degree of f (x) is for j = 1 to (t − 1), by using Lagrangian interpola-
equal to the number of group members minus one, and the tion. Afterwards, the initiator also computes (t − 1)
session key is the term f (0). Afterwards, the initiator pub- additional points Pi on f (x), where Pi = (xi , yi ), for
lishes some additional points on f (x), where the number of i = 1 to (t − 1). Finally, the initiator computes Auth =
those public points is equal to the number of group mem- h(kri U1 U2 · · · Ut P1 P2 · · · Pt−1 ) and broadcasts
bers minus one. On the other hand, each group member the message {Auth, Pi }, for i = 1 to (t − 1), to U j .
except the initiator is able to use his/her secret with those 2) For each participating member U j , knowing s j and
public points to reconstruct the polynomial f (x) and derive (t − 1) additional points Pi , for i = 1 to (t − 1),
the session key as f (0) by using the Lagrangian interpola- is able to reconstruct the polynomial f (x) and de-
tion. Finally, all group members share a common session rive the group key k = f (0) by using Lagrangian
key for group communications. A practical design example interpolation. Afterward, U j computes Auth∗ =
is illustrated in the next section. h(kri U1 U2 · · · Ut P1 P2 · · · Pt−1 ) and then checks
?
the hash value Auth∗ = Auth. If the result is correct, the
3.2 The Design Example
group key k is authenticated.
The proposed protocol consists of two phases, i.e., 1) the After the above processes have been executed success-
secret establishment phase and 2) the session key trans- fully, the session key k is established among all group mem-
fer phase. Suppose that a set of t participants, U = bers. Later, the key k can be used for secure group commu-
{U1 , U2 , · · · , Ut }, wants to set up a secure communication. nications.
Each participant must maintain a public/private key pair
(puk, prk), such that puk = g prk mod p, where g ∈ Z∗p , p 4. Discussion
is a large, safe prime number. Note that the long-term pair
(puk, prk) is authenticated by a trusted authority with the In this section, we focus on two kinds of possible attacks,
corresponding certificate. An initiator, one of the group i.e., the insider attack and the outsider attack, for analyz-
members, is endowed with the authority to select a secret ing the security of our protocol. In addition, we also discuss
key as the group key and to originate the group communica- some security requirements, such as group key security and
tion. The secret establishment phase contains the following forward secrecy. Finally, we compare the required function-
processes. alities of our scheme with three other related works.
1) The initiator broadcasts a request containing a random 4.1 Withstand Possible Attacks
number ri ∈ Z∗p , his/her long-term public-key puki , and
a list of members, U = U1 , U2 , · · · , Ut , to announce the We discuss some possible attacks and perform the heuristic
group communication. security analyses for these attacks. First, the basic assump-
2) Upon receiving the announcement from the initiator, tion is given as follows:
each participating group member U j ( j initiator), for Assumption 1 (The Computational Diffie-Hellman
j = 1, 2, · · · , (t − 1), selects a random number r j ∈ Z∗p (CDH) Assumption). Let G =
g be a multiplicative cyclic
and uses his/her private-key prk j to compute the se- group of order q, and two random integers a, b are chosen
prk ·r ·r in Z∗q . Given g, ga , and gb , the adversary has a negligible
cret as s j = puki j i j mod p. Afterwards, U j com-
success probability ε for obtaining an element z ∈ G, such
putes Auth j = h(s j ri ), and sends {r j , puk j , Auth j } to the
that z = gab within polynomial time.
initiator as a response.
Based on the CDH assumption, we consider two sce-
3) After receiving the message from each U j , the initia- narios of attacks, i.e., the adversaries are outsiders and the
prk ·r ·r adversaries are insiders of the group. In the first type, the
tor computes s∗j = puk j i i j mod p and then checks
?
outside adversary might try to masquerade as a group mem-
Auth j = h(s∗j ri ). If the result is valid, the initiator be- ber and to obtain the secret group key. We will show that
lieves that the secret s j = g prki ·prk j ·ri ·r j mod p is shared the outside attacker cannot recover the group key since the
with corresponding U j . Otherwise, the initiator claims attacker cannot obtain the one-time shared secret. In the
that U j is fraudulent and then restarts the protocol. second type, the attackers are insiders of a group who are
LEE et al.: SECURE KEY TRANSFER PROTOCOL BASED ON SECRET SHARING FOR GROUP COMMUNICATIONS
2075
5. Conclusions
4.2 Security of Group Key
In this article, we discussed some potential drawbacks of
In our protocol, we focus on protecting group key informa- existing group key establishment protocols and proposed a
tion transferred from the initiator. Since the group key k is practical key transfer protocol based on secret sharing for
the constant term f (0) of the polynomial f (x) by employing group communications. The group members can construct
Shamir (t, n)-SS, a participant who has t shares or more than and share the common session key efficiently without an on-
t shares can reconstruct the polynomial and recover the se- line KGC. Besides, malicious participants can be excluded
cret key k = f (0). In other words, Shamir (t, n)-SS scheme completely from the group. Moreover, our scheme uses ran-
IEICE TRANS. INF. & SYST., VOL.E94–D, NO.11 NOVEMBER 2011
2076
dom nonces to withstand replay attacks; therefore, it does work time protocol,” IEEE/ACM Trans. Networking, vol.6, no.5,
not require additional time-synchronized mechanisms [20], pp.505–514, Oct. 1998.
[21] in implementation.
References