1. Introduction
The IP multicast is an efficient protocol to delivering group traffic in a group-based application by requiring a sender to transmit data only once to many receivers along a multicast distribution tree. IP multicast can use the network bandwidth efficiently that it is widely deployed in group-based applications such as televised company meetings, commercial stock exchanges, pay-per-view stream video [7], chat-room and so on. Some group-based applications require multicast to embed certain security mechanisms to protect the integrity of group traffic from modifications, guard for confidentiality of communication from electronic eavesdrop, and verify message originator. To provide the above security-enhanced services for IP multicast, it is necessary to have a robust group key generation and distribution scheme.
A simple method to generate a group key is to rely on a specific server called as group key distributor (GKD) [19]. Each group member shares a pre-shared key with the GKD. After the GKD generates a new group key, it encrypts the group key by each member’s pre-shared key and sends out the encrypted group key to each member separately. In this way, the rekeying message complexity is O(t) for member joining/leaving a group, where t is the group size.
Many schemes [1,3-9,11-13,16-18] address group key management to reduce the number of the rekeying messages. The schemes [1,5-9,11-12,16,18] establish a key tree for a group. The tree root stores the group key, the internal nodes of the tree store the auxiliary keys used to renew the group key, and each leaf of the tree stored the pre-shared key known by both of the GKD and a group member only. For t members in a group, the GKD must maintain a group key, O(t) auxiliary keys and O(t) pre-shared keys. The number of auxiliary keys maintained by a member is dependent on the level of this member (leaf node) on the tree. For a balanced tree, the GKD must send O(log t) rekeying messages during the rekeying process. If the key tree is a skewed one, the rekeying messages will be O(t). It is obvious that a balanced tree has better rekeying performance than a skewed one. However, in a highly dynamic group, the overhead to maintain a tree being balanced is heavy. Furthermore, such schemes require that each member must keep O(log t) auxiliary keys.
Harn and Lin [4] propose an authenticated group key transfer protocol (AGKTP) based on secret sharing scheme that the GKD broadcasts group key information to all group members and only the authorized group members can recover the group key. No auxiliary keys are needed and only two broadcast messages are sent out by the GKD, but the AGKTP protocol requires each member to send a random challenge to the GKD during the rekeying process. That makes the complexity of the rekeying messages to be O(t).
Naranjo et al. [20] extend the Extended Euclidean algorithm to develop a suite of algorithms for key distribution and authentication (SAKDA) in centralized secure multicast environments. The SAKDA allows the GKD to renew a group key by a single multicast message. However, the security is dependent on the practical difficulty of factoring a private secret value which is the product of t large and different primes. It is not affordable for large groups and it has heavy computation overhead.
In this paper, we propose a secure authenticated group key management based on (2, 2) secret sharing [10] to improve the drawbacks of the above schemes. By our protocol, no key tree is needed, and each member can generate a group key by itself after receiving the rekeying message multicast by the GKD. No message is required to be sent out by members in contrast with the work of Harn and Lin [4]. Only one multicast message is generated at our rekeying scheme. During the self-generation of group key process, each member and the GKD perform mutual authentication implicitly. Our GKD generates a unique polynomial of degree one for each member, and the group key is stored at the constant term of the polynomial. By the secret sharing scheme, the group key can be reconstructed when two shadows of the polynomial are combined together. That using Lagrange interpolation [10] to recover the group key makes our scheme have better computation performance in comparison with the works of AGKTP [4] and SAKDA [20].
The rest of the paper is organized as follows. Section 2 describes the concept of the proposed protocol. Section 3 illustrates our protocol in detail. Section 4 and Section 5 are security analysis and performance analysis respectively. Finally, the conclusion remark is given in Section 6.
2. Overview
Our system has a trusted GKD to setup all system parameters, generate a pre-shared key when a user registers at the system, and enforce mutual authentication between the GKD and each registered user while executing the rekeying process. Henceforth a registered user is called as a member whenever the user joins a group.
In our protocol, the GKD maintains a pre-shared key Ki with each registered user i and requires each member by itself to generate a group key after receiving a rekeying message. It is assumed that a group is consisted of t members whenever a group key GK is required. The first step for the GKD is to generate t polynomials of degree 1 as the form fi(x)=aix+GK, where i=1, 2,…, t. Each fi(x) is designed as a line passing through the two points (0, GK) and (Ki, H(Ki||T)), where T is a timestamp. Note that the coefficient ai must be computed as After that, the GKD selects a random number R and multicasts T, R and fi(R) (for i=1 to t) to the group members.
Fig. 1 illustrated that each member regards the group key GK as a secret of a polynomial of degree one. By (2, 2) secret sharing scheme, the group key GK can be reconstructed by each member only when two shadows of the polynomial are combined together. In our protocol, the GKD generates a unique polynomial fi for each member i, and then reveal one shadow for each polynomial fi, that is, (R, fi(R)). Member i by itself can derive another shadow (Ki, H(Ki||T)) based on its pre-shared key Ki and the timestamp T from the multicast message sent by the GKD. After having the two shadows of its specific polynomial, each member derives the group key GK by applying Lagrange interpolating polynomial [10]. The detail of our protocol is described at the next section.
Fig. 1.Self-generation of group key GK by (2, 2) secret sharing scheme
3. Our Protocol
Our protocol consists of four processes: system initialization, group creation, member join and member leave. Table 1 illustrates the notations used in this paper.
Table 1.Notations
3.1 System Initialization
The GKD announces a prime number p, a one-way hash function H(): {0, 1}*➔Zp*, and a symmetric encryption algorithm E. Before joining any group, a user i, by presenting his/her real identity IDi, must register to GKD to get his/her pre-shared key Ki through a secure channel. Fig. 2 illustrates the message exchanged between the GKD and user i during the registration process. After that, GKD and user i must keep Ki secretly.
Fig. 2.User registration messages
3.2 Group Creation
A member who creates a new group is called as Group Initiator. For the sake of simplicity, we assume that Group Initiator is ID1. An Initiator sends a group creation request message, including a timestamp T, group identity gid, a list of group members {ID1, ID2,…, IDt} and an authentication code Auth1 = H T||gid||ID1||ID2||…||IDt||K1), to GKD. Fig. 3 shows the messages exchanged in the group creation process.
Fig. 3.Group creation messages
Upon receiving a group creation request message, GKD executes the following steps:
Each member i (i=1, 2,…, t) derives the shadow (Ki, H(Ki||T)) by itself and gets another shadow (R, yi) from the multicast message sent by the GKD. After that, each member i can reconstruct the group key GK by applying the equation: GK=fi(0)=((Ki·yi)-(R·H(Ki||T)))·(Ki-R)-1 mod p. The last step for member i is to check whether the AuthG is equal to H(GK||T||gid||R) to validate the integrity and authenticity of GK.
3.3 Member Join
Suppose that a member j wants to join a group gid which is composed of t group members (ID1, ID2,…, IDt). The member j sends a join request message containing its identity IDj, a timestamp T, the group identity gid, and an authentication code Authj = H(T||gid||Kj) to the GKD. Fig. 4 shows the messages exchanged in the member joining process.
Fig. 4.Member joining messages
Upon receiving a join-requesting message from member j, GKD executes Step 1 and Step 2 of the group creation process at first. The new group key is denoted as GK’. After that, the GKD only needs to generate one polynomial fj(x) of degree 1 passing through (0, GK’) and (Kj, H(Kj||T)) and compute a corresponding shadows (mod p) for the joining member j. GKD sends a multicast message {T, gid, R, yj, EGK[GK’], AuthG} to the joining member j and member i (i=1, 2, …, t), where AuthG=H(GK’||T||gid||R). Note that the new group key GK’ is encrypted by the old group key GK in the multicast message for existing group members. In this way, the multicast message size is smaller than that in the group creation process.
After receiving {T, gid, R, yj, EGK[GK’], AuthG} from GKD, the joining member j generates the new group key by GK’=fj(0)=((Kj·yj)-(R·H(Kj||T)))·(Kj-R)-1 mod p. As for each existing member i (=1, 2, …, t), it executes DGK[EGK[GK’]] to get the GK’. After that, each member checks whether the AuthG is equal to H(GK’||T||gid||R) to validate the integrity and authenticity of GK’.
3.4 Member Leave
The member leave process can be treated as the group creation process. It is assumed that the group consists of t members (ID1, ID2,…, IDt) after a member leaving the group. The first member ID1 is required to send a group creation request message to the GKD to renew the group key.
4. Security Analysis
In this section, we analyze the security of the proposed protocol. We first show that the protocol enforces mutual authentication between the GKD and each group member while executing the rekeying process, and assures forward secrecy and backward secrecy. Then we describe that the protocol is able to resist from replay attack, impersonating attack, group key disclosing attack and malicious insider attack.
4.1 Mutual Authentication between GKD and Group member i:
The proposed protocol requires that each member i must register to GKD to get a pre-shared key Ki, which is shared by the member i and GKD only. During group creation phase, the GKD authenticates a group initiator by validating the authentication code Auth1 containing the pre-shared key K1. For authenticating the other members i in the group, the GKD divides the group key GK into two shadows (Ki, H(Ki||T)) and (R, yi). Only the legal member i with Ki can recover the group key GK. It indicated that a member i is authenticated by the GKD implicitly, though members authenticate the GKD by AuthG.
At the member join phase, the GKD authenticates the joining member j by validating the authentication code Authj. For authenticating the other existing members, the GKD uses the old group key GK to encrypt the new group key GK’. Only the legal members with the old GK can decrypt EGK[GK’] to be authenticated by the GKD implicitly. After members get the group key GK, they authenticate the GKD by AuthG.
4.2 Forward Secrecy
When a member leaves a group, the group creation process is executed to renew the old group key. The ID of the leaving member is excluded from the group creation request message. Since no shadow of the new group key for the leaving member is generated by the GKD, the leaving member can not recover the new group key even he/she eavesdrops the multicast message.
4.3 Backward Secrecy
When a member joins a group, the GKD randomly generates a new group key. It is impossible that the new group key can be inferred from the old group key since they are totally irrelevant.
4.4 Replay Attack
In our protocol, the messages are designed to contain a timestamp T and an authentication code Auth to resist replay attacks.
4.5 Impersonating Attack
Neither member impersonating attack nor GKD impersonating attack could succeed in our protocol. An attacker can’t impersonate a group member i unless the attacker got the pre-shared key Ki to generate a valid authentication code Authi. The same reason is given for an attacker to impersonate the GKD successfully only if the attacker got all the pre-shared keys of a group.
4.6 Group Key Disclosing Attack
In our protocol, the group key is recovered by each member individually. An attacker without knowing any pre-shared key can not recover the group key even eavesdroping the rekeying message {R, y1, y2, …, yt }. It is shown by the property of the linear underdetermined system. A system of linear equations is called underdetermined if there are fewer equations than unknowns, and an underdetermined system has either no solution or infinitely many solutions. By eavesdroping the rekeying message, the attacker has a system of t equations of the form yi=ai·R+GK mod p. The attacker has t+1 unknows (a1,…, at and GK). In our protocol, when p is large enough or p is kept secret, it is infeasible for an attacker to know the GK without any pre-shared key Ki.
4.7 Malicious Insider Attack
In this attack, we consider that a member i attempts to find out the pre-shared key Kj of a member j. Since the member i by itself can recover the group key GK, and also knows the yj by the message multicast by the GKD. Recall that fj(x) is designed as a line pass through the two points (0, GK) and (Kj, H(Kj||T)). The member i can reconstruct the line fj(x) of member j by applying the two points (0, GK) and (R, yj), and then try all possible points under Zp* to figure out the point (Kj, H(Kj||T)). To resist such an attack, the size of p must be large enough to make it infeasible for a member to find out the pre-shared key of other member.
5. Performance Analysis
In this section, we compare the performance of the proposed protocol with the GKMP [19], the AGKTP [4] and the SAKDA [20], in terms of the number and the size of the rekeying messages, the number of stored keys and the computation overhead during rekeying process.
5.1 Rekeying Messages
Table 2 gives the comparison results of the number of the messages and the size of a broadcast/multicast of the works of GKMP [19], AGKTP [4], SAKDA [20] and ours.
Table 2.t: the number of group members l: bit length of each parameter in a multicast/broadcast message
5.2 The Number of Stored Keys
In AGKTP [4], the GKD shares a pair of secrets (xi, yi) with each member i. It means that each group member needs to store 2 keys, and the GKD needs to store 2t keys for a group with t members. Each member in GKMP [19], SAKDA [20] and our scheme is required to store only one key and the GKD needs to store t keys for a group with t members. Thus, the GKMP, the SAKDA, and our scheme require less number of keys than the work of the AGKTP. The comparison result is shown in Table 3.
Table 3.t: the number of group members
5.3 Computation Overhead during Rekeying Process
Table 4 depicts the computation overhead of the GKD and each group member during rekeying process. For simplicity, we only consider the computation overhead for generating a polynomial, restoring the constant term of a polynomial by using Lagrange interpolation, and computing the modular multiplicative inverse of L.
Table 4.t: the number of group members Gen_fd(x): generate a polynomial of degree d [4] Gen_fd(0): restore the constant term of fd(x) [4] inv: modular multiplicative inverse exp: modular exponentiation enc/dec: symmetric encryption/decryption
6. Conclusion
In this paper, we design a secure authenticated group key management scheme based on (2, 2) secret sharing technology without maintaining a key tree as the works of Wuu and Chen [12] and Yu et al. [15] to reduce the number of rekeying messages to be one. Each member in our protocol only needs to maintain a pre-shared key safely, and then apply the pre-shared key to recover a group key by itself at the rekeying process. The proposed scheme enforces mutual authentication, forward secrecy and backward secrecy properties, and resists replay attack, impersonating attack, group key disclosing attack and malicious insider attack. In comparison with the works of Harn and Lin, [4] and Naranjo et al. [20], our protocol has smaller multicast message size, and less key storage requirement as well as the computation overhead.
The proposed member joining protocol uses the current group key to encrypt the new one. An attacker could have all future group keys for this session if the attacker had gotten the currect group key. To overcome the problem, a simple way is to apply the group creation process whenever a member joins. However, the enhanced security of the group key is at the expsense of the efficncy of the member joining process. It would be our future work to improve our protocol to have both efficiency and security.
참고문헌
- Adusumilli P, Zou X, and Ramamurthy B., "DGKD: distributed group key distribution with authentication capability," in Proc. of the IEEE Workshop on Information Assurance and Security, pp. 286-293, June 15-17, 2005.
- Ateniese G, Steiner M, Tsudik G. "New multiparty authentication services and key agreement protocols, " IEEE Journal on Selected Areas in Communications , Vol. 18, No.4, pp.628-639, April, 2000. https://doi.org/10.1109/49.839937
- Daza V, Herranz J, Saez G. "On the computational security of a distributed key distribution scheme," IEEE Transactions on Computers, Vol.57, No.8, pp.1087-1097, August, 2008. https://doi.org/10.1109/TC.2008.50
- Harn L, Lin C. "Authenticated group key transfer protocol based on secret sharing," IEEE Transactions on Computers, Vol.59, No.6, pp.842-846, June, 2010. https://doi.org/10.1109/TC.2010.40
- Kwak DW, Kim J. "A decentralized group key management scheme for the decentralized P2P environment," IEEE Communications Letters, Vol.11, No.6, pp.555-557, June, 2007. https://doi.org/10.1109/LCOMM.2007.070037
- Ng WHD, Cruickshank H, Sun Z. "Scalable balanced batch rekeying for secure group communication," Computers and Security, Vol.25, No.4, pp.265-273, June, 2006. https://doi.org/10.1016/j.cose.2006.02.006
- Ng WHD, Howarth M, Sun Z, Cruickshank H. "Dynamic balanced key tree management for secure multicast communications," IEEE Transactions on Computers, Vol.56, No.5, pp.590-605, May, 2007. https://doi.org/10.1109/TC.2007.1022
- Parvatha Varthini B, Valli S. "Generation of group key using enhanced one way function tree group rekey protocol," in Proc. of Int. Conf. on Computing: Theory and Applications, pp.176-181, March 5-7, 2007.
- Pham T, Watters PA. "The efficiency of periodic rekeying in dynamic group key management," in Proc. of 4th European Conf. on Universal Multiservice Networks, pp.425-432, February, 2007.
- Shamir A. "How to share a secret," Communications of the ACM, Vol.22, No.11, pp. 612-613, November, 1979. https://doi.org/10.1145/359168.359176
- Sun Y, Liu KJR. "Hierarchical group access control for secure multicast communications," IEEE/ACM Transactions on Networking, Vol.15, No.6, pp.1514-1526, December, 2007. https://doi.org/10.1109/TNET.2007.897955
- Wuu LC, Chen HC. "A scalable framework for secure group communication," in Proc. of First International Conference on Networking-Part 2, pp.225-238, 2001.
- Xu L, Huang C. "Computation-efficient multicast key distribution," IEEE Transactions on Parallel and Distributed Systems, Vol.19, No.5, pp.577-587, May, 2008. https://doi.org/10.1109/TPDS.2007.70759
- Yi X. "Authenticated key agreement in dynamic peer groups," Journal of Theoretical Computer Science, Vol.326, No.1-3, pp.363-382, October, 2004. https://doi.org/10.1016/j.tcs.2004.08.001
- Yu W, Sun Y, Liu KJR. "Optimizing rekeying cost for contributory group key agreement schemes," IEEE Transactions on Dependable and Secure Computing, Vol.4, No.3, pp.228-242, 2007. https://doi.org/10.1109/TDSC.2007.1006
- Je DH, Lee JS, Park Y, Seo SW. "Computation-and-storage-efficient key tree management protocol for secure multicast communications," Computer Communications, Vol.33, No.2, pp.136-148, 2010. https://doi.org/10.1016/j.comcom.2009.08.007
- Kulkarni SS, Bruhadeshwar B. "Key-update distribution in secure group communication," Computer Communications, Vol.33, No.6, pp.689-705, April, 2010. https://doi.org/10.1016/j.comcom.2009.11.014
- Wu W, Li M, Chen E. "Optimal tree structures for group key tree management considering insertion and deletion cost," Theoretical Computer Science, Vol.410, No.27-29, pp.2619-2631, June, 2009. https://doi.org/10.1016/j.tcs.2009.02.039
- Harney H, Muckenhirn C, Rivers T. "Group key management protocol (GKMP) architecture," RFC 2094, IETF 1997.
- Naranjo JAM, Antequera N, Casado LG, López-Ramos JA. "A suite of algorithms for key distribution and authentication in centralized secure multicast environments," Journal of Computational and Applied Mathematics, Vol.236, No.12, pp.3042-3051, June, 2012. https://doi.org/10.1016/j.cam.2011.02.015
피인용 문헌
- Secret Key Generation from Common Randomness over Ultra-wideband Wireless Channels vol.8, pp.10, 2014, https://doi.org/10.3837/tiis.2014.10.016
- Improvements of a Group key Management based on (2,2) Secret Sharing vol.21, pp.9, 2016, https://doi.org/10.9708/jksci.2016.21.9.073
- A Computation-Efficient Group Key Distribution Protocol Based on a New Secret Sharing Scheme vol.10, pp.5, 2014, https://doi.org/10.3390/info10050175