MULTI-PARTY AUTHENTICATION IN DYNAMIC SETTINGS Abstract Emerging technologies are introducing new ways of using applications performing transactions, and processing information in global and open networks. Modern computer networks are a complex assembly of databases, web and other application servers, web browsers, and various network devices. In such an environment transactions are usually not simple client-server arrangements, but complex actions involving multiple participants. In distributed, multi-party environments, there is usually no clear distinction as to who initiated a transaction, which parties should participate in a transaction, which components are used to perform the transaction, and finally which recipient(s) complete the transaction. Many components and aspects of a transaction are often determined dynamically on an ad hoc basis, even after the transaction has been initiated. In such circumstances the reliability of transactions, authentication of participating parties, creation and verification of roles and authorization schemes, non–repudiation, and other security issues are becoming increasingly difficult to establish and enforce. Simple extension of client-server security protocols to multi-party security protocols is not possible. Basic security services needed in a multi party setting are largely the same as in point-to-point communication: viz. data secrecy and integrity, and entity authentication. These services cannot be attained without secure, efficient, and robust group key management. This report gives a detailed survey and classification of group key management protocols. We propose to look at some open challenges in the area of admission control and access control in dynamic groups. 1. Introduction The increasing use of collaborative applications on the Internet and new Information technologies, is leading to a rapid change from simple client server model towards a multi-party model. Many modern computing environments involve dynamic peer groups. Distributed simulation, multi-user games, conferencing applications and replicated servers, broadcasting stock quotes are just a few examples. Security is crucial for such distributed and collaborative applications that operate in a dynamic network environment and communicate over insecure networks such as the Internet. Basic security services needed in such a group setting are largely the same as in point-to-point communication: viz. data secrecy and integrity, and entity authentication. These services cannot be attained without secure, efficient, and robust group key management. An application like stock broadcasting authentication may be a fundamental requirement and not confidentiality, while for video-conferencing applications both authentication and confidentiality are essential. Group key management (GKM} is the most important issue in secure group communication. The security challenge for multicast is in providing an effective method for controlling access to the group and its information. A primary method of limiting access to information is through encryption and selective distribution of the keys used to encrypt group information. The main difficulty for Group Key Management arises because of member dynamics. The issues that arise are the method of distribution of a shared key to all group members and computation of a new key when a new member joins or an old member leaves the group. Several group key agreement techniques have been proposed in the last decade, all assuming the existence of an underlying group communication infrastructure for reliable message delivery. The specific security requirements and needs of dynamic peer groups, in particular key management are still considered as open network challenges. 2. Desired Properties for a Group Key Agreement Protocol 2.1 Security Requirements: 1. Forward Secrecy: This requires that users who have left the group should not have access to any future key, so that they cannot decrypt any data after leaving the group. 2. Backward Secrecy: This states that a new user joining the session should not have access to any old key. 3. Collusion Freedom: Any set of fraudulent users should not be able to deduce current session key. 4. Key Independence: Disclosure of a key should not compromise other keys. 5. Minimal Trust: Key management scheme should not place trust in high number of entities. 2.2 Quality of Service Requirements 1. Low Bandwidth Overhead: Re-Key of a group should not induce a high number of messages. 2. 1-effects-n: A protocol suffers from 1-effects-n if a single membership change affects all group members. 3. Minimal Delay: Applications like multimedia are sensitive to jitters and delays. It is essential to minimize the impact of key management on packet delays. 4. Service Availability: The failure of a single entity should not prevent the operation of the entire group. 2.3 Other Requirements Key Management schemes must not induce high storage of keys or high computation overhead. Distributing the group key to valid members is a complex problem. Re-keying a group before the join of a new member is trivial as the new key can be sent to the old group members encrypted with the old group key, but re-keying after a member leaves is more complicated. The old key cannot be used to distribute a new one, because the leaving member knows the old key. There should be a scalable mechanism to re-hkey the group. 3. Key Agreement in Peer Groups Key management has a great impact not only on the security and fault tolerance of the overall system, but also on its performance. Many group key management protocols have been proposed in the past and broadly fall into three categories Centralized group key distribution (CGKD) Decentralized group key management (DGMM) Contributory/Distributed group key agreement (CGKA). 3.1 Centralized Group key Distribution (CGKD) This involves a single entity or a group of entities, which function as a centralized server to distribute keys to group members. The centralized key server must however be continuously available and present in every possible subset of a group in order to support continued operation. It works well in one-to-many multicast scenarios. Centralized protocols are further classified into three categories depending on the technique used to distribute the encryption key. 3.1.1 Pair-wise Secure Channel: The group controller shares a secret key with each group member thus establishing pair-wise secure channels. 3.1.1.1 Group Key Management Protocol (GKMP): Harney and Muckenhirn [15] proposed the Group Key Management Protocol (GKMP) that uses pair-wise secure channel approach. The key server generates a group key packet that contains two keys: a Group Traffic Encryption key (GTEK) and a group key encryption key (GKEK). When a new member joins the session the key server generates a new GKP and sends it securely to the new member encrypted with the new KEK established with this member and to the old members encrypted with the GTEK previously established. When an old member leaves the key server generates a new a GKP and sends it to remaining members encrypted with the old KEK that it shares with each member. To ensure forward secrecy this approach requires O(n) re-key messages for each leave from the group. 3.1.2 Broadcast Approach: The re-keying of a group is based on broadcast messages instead of peer-to-peer secret transmissions. 3.1.2.1 Secure Locks: Chiou and Chen [ ] proposed Secure Locks a key management protocol where the key server requires only a single broadcast to establish the group key or to re-key the entire group in case of a leave. 3.1.3 Hierarchy of Keys Approach In order to reduce the number of message updates required when a key server shares pair-wise keys with members of the group, in this approach the key server maintains a tree of keys and shares keys with subgroups of secure groups in addition to pair-wise channels. Sub-group secret keys allow to reduce the number of update messages. 3.1.3.1 Logical Key Hierarchy Wong et al. [2000] and Wallner et al. [1999] proposed the use of a Logical Key Hierarchy (LKH). In this approach, a KDC maintains a tree of keys. The nodes of the tree hold key encryption keys. The leaves of the tree correspond to group members and each leaf holds a KEK associated with that one member. Each member receives and maintains a copy of the KEK associated with its leaf and the KEKs corresponding to each node in the path from its parent leaf to the root. The key held by the root of the tree is the group key. For a balanced tree, each member stores at most (log2n) + 1 keys, where (log2n) is the height of the tree. Example: The figure below shows a multicast group with six members {u1, u2, u3, u4,u5, u6}. The key server builds a hierarchy of keys. Each member owns a secret key which is a leaf in the tree as well as all the keys on its path to the root. The root represents the encryption key TEK shared by the members. The other keys are used to reduce the required re-keying messages. According to the figure: u1 owns{ k1, k12, k1234, TEK}, u2 owns{ k2, k12, k1234,TEK}, u3 owns{ k3, k34, k1234, TEK}, u4 owns{ k4, k34,k1234, TEK}, u5 owns{ k5, k56, TEK} and u6 owns{ k6, k56, TEK}. TEK K1234 K12 K1 U1 K34 K2 U2 Figure K3 1. U3 K56 K4 U4 K5 U5 K6 U6 Member Join A joining member is associated with a leaf, all KEKs in the nodes from the new leaf’s parent in the path to the root are compromised and should be changed. A re-key message produced is at most 2.log2n keys long. Member Leave: Assume that u5 leaves the group, KS updates k56 int 56, 56 to u6 encrypted with k6. TEK is updated into TEK’ and sent to {u1,u2,u3,u4} encrypted with k1234 and to u6 56 and hence only three messages are required instead of five messages if GKMP were used. The key hierarchy allows to reduce the number of re-key messages to O(logn) instead of O(n). 3.1.3.2 3.1.3.3 One-way Function Trees (OFT): McGrew and Sherman [ ] proposed an improvement over LKH called One-way Function Trees (OFT). OFT allows to reduce the number of re-key messages from 2log2(n) to only log2(n).With OFT, a KEK is calculated by members rather than attributed by the key server. Each KEK ki is computed using its child KEKs using the formula: ki = f(g(kleft(i)), g(kright(i))) where left(i) and right(i) denote respectively the left and right children of node i, and g is a one-way function. The result of applying g to a key k: g(k), is called the blinded key version of k. In this protocol, each member maintains its leaf secret key and its blinded sibling key and the set of blinded sibling KEKs of its ancestors. Canetti et al. [10] proposed a similar approach One-way Function Chain Tree(OFCT) that has the same communication overhead. Their scheme uses a pseudo-random generator to generate new KEKs instead of a one-way function. Efficient Large-Group Key (ELK): Perrig et al. [2001] proposed the Efficient Large-group Key (ELK) protocol. The ELK protocol uses a hierarchical tree and is very similar to the OFT in the sense that a parent node key is generated from its children keys. ELK uses pseudo-random functions (PRFs) to build and manipulate the keys in the hierarchical tree. Attributes used to evaluate the efficiency of centralized key management protocols: 1-affects-n:. Forward and Backward Secrecy: Capability of a protocol to provide secrecy despite changes to group membership Storage at the key server: The number of keys that should be maintained by a key server. Storage at a member: The number of keys that should be maintained by a group member. Join re-key overhead: Number of re-key messages sent by the key server to redistribute the group TEK after a join. Leave re-key overhead: Number of re-key messages sent by the key server to redistribute the group TEK after a leave. Table 1. gives a comparison of the centralized GKM protocols based on above attributes. Protocol GKMP LKH OFT Secure Lock ELK Secrecy Bac k Y Y Y Y Forw 1effect s-n Re-Key Overhead Join Multicast Unicast N Y Y Y Yes Yes Yes No 2 Log2(n)-1 Log2(n)+1 0 2 2n n+2 Log2(n)+1 2n-1 Log2(n)+1 Log2(n)+1 2n-1 2 0 2n 3 Log2(n)+1 Log2(n)+1 2 Y Y Yes 0 Log2(n)+1 -- Log2(n)+1 Leave Storage Overhead Key Member Server 2n-1 n: number of group members Table 1. Comparison of Centralized Group Key Management Protocols The GKMP protocol achieves an excellent result for storage at the members However, the method for re-keying of the group is re-creating the entire group which induces a O(n) re-key messages overhead, n being the number of the remaining group members. Secure Lock also achieves excellent results for storage and communication overheads on both members and the key server. However, these results are achieved by increasing the computation overhead at the key server due to the Chinese Remainder calculations. So far, the best solutions for centralized group key management appear to be those using a hierarchical tree of KEKs. They achieve good overall results without compromising any aspects of security. Features that make centralized key distribution unsuitable for Dynamic Peer Groups: The Centralized key server acting as a trusted third party for generating and distributing for a multitude of groups is a single point of failure and a likely performance bottleneck. A TTP presents a very attractive attack target for adversaries. In highly dynamic groups, each group member cannot be assumed to be present all the time. However, most centralized key distribution protocols assume fixed centers. A single party generating a group key might be unacceptable in cases where each party needs assurance that the resulting group key is fresh and random Achieving perfect forward secrecy and resistance to known-key attacks in an efficient manner is very difficult in the centralized key distribution setting. 3.2 Decentralized group key management The management of a large group is divided among sub-group managers to avoid a single point of failure. A hierarchy of key managers, share the task of distributing the TEK to group members. In this class of protocols re-keying is of two kinds viz: i) Membership Driven: Key is changed whenever a join or leave occurs ii) Time Driven: Key is changed periodically. 3.2.1 Scalable Multicast Key Distribution (SMKD): Ballardie proposed in RFC1949 [3] the Scalable Multicast Key Distribution (SMKD); a protocol where the multicast tree is rooted at a main core. Secondary cores can exist eventually. The main core creates an access control list (ACL), a session key GTEK and key encryption key GKEK used to update the session key GTEK. The ACL, the GTEK and the GKEK join the multicast tree after their authentication. Any router in the path of a joining member from its location to the primary core can authenticate the member since the router is authenticated with the primary core.. With SMKD there is no solution for forward secrecy other than to recreate an entirely new group without the leaving members. 3.2.2 Iolus Mittra proposed Iolus [Mittra 1997], where a hierarchy of agents splits a large group into small subgroups. A Group Security Agent (GSA) manages each subgroup. The GSAs are also grouped in a top-level group that is managed by a Group Security Controller. Changes that affect a subgroup are not reflected in other subgroups. If a subgroup controller (namely GSA) fails, only its subgroup is affected. 3.2.3 Kronos Setia et al. [2000] proposed Kronos. This is based on a periodic re-key approach where a new group key is generated after a certain period of time, irrespective of whether any member has joined, left or been ejected from the group. The network is divided into domains and each domain is divided into areas managed by different Area Key Distributors (AKDs). The Domain Key Distributor DKD does not directly generate the group key. Instead, each Area Key Distributor AKD independently generates the same group key and transmits it to its members at the end of the predetermined period. Kronos does not provide key independence because it generates new keys based on old ones, and if any past key is compromised, all future keys are disclosed. 3.2.4 Hydra Rafaeli and Hutchison [2002] proposed Hydra. In Hydra, the large group is divided into smaller subgroups, and a server called the Hydra Server (HS) controls each subgroup. Hydra is a decentralized group key management scheme without a central subgroup controller. If a membership change takes place at HSi , and a new key must be generated, it can generate the new group key and send this key to the other HSj involved in that session. A special synchronized group key distribution protocol is used to distribute the group key to all HSs, to ensure that only a single valid HS is generating the new group key at a given time. Attributes used to evaluate the efficiency of decentralized key management protocols: Key independence: Disclosure of a key must not compromise past keys. 1-affects-n Decentralized Controller: Centralizing manager should not manage the sub-group managers. Local re-keying: Membership changes in a sub-group should be treated locally. Keys vs. data. The data path should be independent of the key management path, which means that re-keying the subgroup should not impose any interference or delays to the data communication; Re-key per membership. Related to backward and forward secrecy; Type of communication. Groups with a single data source are said to use 1-to-n communication, and groups with several or all members being able to transmit are characterized by using n-to-n communication. Protocol Key Indep SMKD Kronos Hydra Iolus Yes No Yes Yes 1efectsn Yes Yes No Local Key re-key Data No No No Yes Yes Yes Yes No vs Rekey No No Yes No Fault Tolerant Comm Type No Yes Yes No Both Both Both 1-to-n Table II: Comparison of some Decentralized Group Key management Protocols 3.3 Distributed Key-Agreement Protocols With distributed key-agreement protocols, the group members cooperate to establish a group key. Contributory group key agreement protocols compute a group key as a (usually, one-way) function of individual contributions from all members and can provide both key independence and PFS properties. This is appropriate for dynamic peer groups. This approach avoids problems with single point of trust and failure, and also does not always require the establishment of pair-wise secure channels between group members. At the same time, contributory group key agreement presents a tough practical challenge: Its multi- round nature must be reconciled with the possibility of crashes, partitions, and other events affecting group membership that can occur during the execution of the group key agreement.. The protocols of this category are further classified into three sub-categories depending on the virtual topology created by the members for cooperation. 3.3.1 Ring-Based Cooperation In this sub-category, the cooperation of group members forms a virtual ring. 3.3.1.1 Ingemarson et al. protocol (ING): The protocol proposed by Ingemarson et al. in [ ] for teleconferencing is one of the earliest propositions to extend DiffieHellman key agreement protocol. In this protocol, members are organized into a virtual ring; in a way that member Mi communicates with member Mi+1 and member Mn with member M1. The group members compute the group key within (n−1) rounds. Initially, each member Mi generates a random value Ni, computes gNi and sends it to the next member Mi+1. Then, in each round, each member Mi raises to the power Ni the intermediate value received from member Mi−1, and sends the result to the member Mi+1. Each member performs n exponentiations and gets the group key Kn = gN1N2...Nn after (n−1) rounds. The ING protocol is inefficient: 1. Every member has to start synchronously 2. n-1 rounds are required to compute a group key 3. This protocol is not suitable for dynamic groups because it requires the execution of the entire algorithm after each membership change. 3.3.1.2 Group Diffie-Hellman (GDH): GDH is a protocol based on group extensions of the two-party Diffie–Hellman key exchange [Steiner et al. 2000] and provides fully contributory key agreement. GDH is fairly computationintensive, requiring O(n) cryptographic operations for each key change. It is, however, bandwidth efficient. The shared key is never transmitted over the network (in the clear or otherwise). Instead, a list of partial keys, one for each member, is generated and sent. Upon receipt, each member uses its partial key to compute the group secret. One particular member of the group (controller) is charged with the task of building and distributing this list. The controller is not fixed and has no special security privileges. The protocol runs as follows: The group agrees on a pair of primes (q and α) and starts calculating in a distributed way the intermediate values. Member 1 calculates generates a random number x1 and computes gx1 and sends it to the next member. Each subsequent member receiving the set of intermediary values, raises them using its own secret number generating a new set: A set generated by the ith member will have i intermediate values with i−1 exponents and a cardinal value containing all exponents. So fourth member for e.g receives the set: { α x2x3, α x1x3, α x1x2, α x1x2x3} and generates the set { α x2x3x4, α x1x3x4, α x1x2x4, α x1x2x3, α x1x2x3x4}. The cardinal value in this example is α x1x2x3x4 . The last member can easily calculate the group key k from the cardinal value: k = α x1x2x3….xn mod q. The last member raises all intermediate values to its secret value and multicasts the whole set to all group members. Upon receiving this message, each member j extracts its respective intermediate value and calculates k by exponentiation of the jth value to xj The setup time and the length of messages are linear in terms of the number of group members n since all members must contribute to generating the group key. Merge Protocol (K members are added to a group of size n) When a merge event occurs the current controller Mn generates new exponent r'n є Zq and computes new key token α r1….rn-1rn' mod p and unicasts the message to one of the new members Mn+1. When the new member Mn+1 receives the token, it generates its own contribution rn+j є Zq and computes α r1….rn'…rn+j mod p and forwards the result to Mn+j+1 the next new member. Eventually, the token reaches the last new member Mn+k. This new member, who is slated to become the new controller, broadcasts the token to the group without adding its contribution. Upon receiving the broadcast token, each group member Mi for all i є [1, n+k-1] factors out its contribution and unicasts the factor out token α r1….rn'…rn+k-1/ ri mod p back to Mn+k, the new controller. The new controller collects all the factor-out tokens, generates new exponent rn+k and produces α r1….rn'…rn+k/ ri mod p | for all i є [1, n+k-1] and broadcasts it to the group. Every member obtains the group key by factoring in its contribution into the corresponding partial key in the broadcasted list. Each Mi for all i є [1, n+k-1] computes the key K=( α r1….rn'…rn+k/ ri)ri mod p = α r1….rn'…rn+k mod p. Partition Protocol When some of the members leave the group the controller (who, at all times, is the most recent remaining group member) removes their corresponding partial keys from the list of partial keys, refreshes each partial key in the list and broadcasts the list to the group. Each remaining member can then compute the shared key. If the current controller leaves, the last remaining member becomes the controller of the group. Assume that L members is leaving a group of size n Step 1: The controller Md generates a new exponent r'd є Zq and computes α r1….rd'/ ri mod p and broadcasts it to the remaining group Step 2: Upon receipt of the broadcast, every member Mi, computes the key K = (α r1….rd'/ ri)ri = gr1….rd’ mod p. 3.3.2 Hierarchy-Based Cooperation 3.3.2.1 Octopus: Becket and Wille [ ] proposed the Octopus protocol which is also based on Diffie-Hellman key exchange protocol []. A large group (composed of n members) is split into four sub-groups (n/4 members each). Each sub-group agrees internally on an intermediate DH value: Isubgroup = αu1u2...un/ 4, where ui is the contribution from user i, and then the subgroups exchange their intermediary values. All group members can then calculate the group key. The leader member in each sub-group is responsible for collecting contributions from its sub-group members and calculating the intermediary DH value (Isubgroup). Example: Assume four subgroup leaders A, B, C and D. 1. A and B, using DH, exchange their intermediary values Ia and Ib 2. A and B create αIa.Ib. 3. C and D do the same and create αIc.Ib . 4. A and C exchange αIa.Ib and αIc.Id. 5. Leaders, B and D do the same. 6. All calculate αIa.Ib.Ic.Id . 7. A, B, C and D send to their respective subgroups α Ia.Ib.Ic.Id /ui , where i = 1. . . (n−4)/4, and all members of the group are capable of calculating the group key. STR Protocol The STR protocol [Steer et al. 1990; Kim et al. 2004a] is a contributory protocol with an unbalanced tree structure whose height is always (n−1). The key tree is organized as follows: each node is associated with a key and a corresponding blinded key. The root is associated with the group and each leaf with a distinct member. The root key represents the group key shared by all members, and a leaf key represents the random contribution of a group member. Every member knows all keys on the path from its leaf node to the root as well as all blinded keys of the entire key tree. The protocol relies on the fact that every member can compute a group key if it knows all blinded keys in the key tree. The leaves are associated to group members. Each leaf is identified by its position LNi in the tree and holds a secret random ri (generated by the corresponding member Mi) and its public blinded version bri = gri mod p, where g and p are DH parameters. Each internal node is identified by its position INi in the tree and holds a secret random ki and its blinded public version bki = gki mod p. The secret key is the result of a Diffie–Hellman key agreement between the node’s two children. Each secret ki is recursively calculated as follows: ki = (bki−1)ri mod p= (bri)ki−1 mod p. The group key is the key associated to the root: kn = grngrn−1...gr2r1 . Due to the linear structure of the tree, this solution induces a O(n) key calculations in order to establish the group key associated to the root of the tree. Besides, each member should store and maintain all the public keys associated to all the nodes of the tree. Figure 4 illustrates an STR tree with four members. IN4 LN4 IN3 LN3 M4 IN2 LN2 M3 LN1 M1 M2 Figure: 4 STR Tree In case of a membership change (join / leave) the tree is re-built consequently and hence all the members update the group key which is the new key kn associated to the root of the tree. After a partition, the sponsor is defined as the member corresponding to the leaf node just below the lowest leaving member. After deleting all leaving nodes the sponsor refreshes its key share, computes all (key, blinded key) pairs up to the level just below the root node. Finally, the sponsor broadcasts the updated key tree thus allowing each member to compute the new group key. STR merge runs in two rounds. In the first round, each sponsor (topmost leaf node in each of the two merging tree) first refreshes its key share and computes the new root key and root blinded key. Then, the sponsors exchange their respective key tree views containing all blinded keys. The topmost leaf of the larger tree becomes the sole sponsor in the second round in the protocol (see Figure 8). Using the blinded keys from the key tree it received in the first round, the sponsor computes every (key, blinded key) pair up to the level just below the root node. It then broadcasts the new key tree to the entire group. All members now have the complete set of blinded keys which allows them to compute the new group key. Diffie Hellman - Logical Key Hierarchy (DH-LKH): Perrig et al. [ ] proposed a variant of STR using a binary tree (less deeper) in order to reduce the number of key calculations from the order of O(n) to O(log (n)). The proposed protocol is a distributed version of LKH. The tree is built recursively from bottom to up. Initially, each member Mi generates a random ri as a secret key associated to its leaf. To build upper level of the tree, two members: one as a leader of a left subtree and another one as a leader of a right subtree, broadcast their respective DH computations and hence allow all the members to calculate the group key corresponding to the root of the tree. Using the tree in figure 5, intermediate keys are k12 = αk1k2 mod p, k34 = αk3k4 mod p and the group key is k14 = αk12k34 mod p. K14 K12 K34 K4 K1 U1 K2 U2 K3 U3 U4 Figure: DH-LKH Tree Broadcast-Based Approach In this approach, the key agreement relies on broadcasting secret messages and distributed computations that culminate into the group key. Burmester and Desmedt protocol(BD): Burmester and Desmedt [ ] proposed a very efficient protocol that executes in only three rounds and is stateless. Therefore, the same key management protocol is performed regardless of the type of group membership change. BD is completely decentralized and has no sponsors, controllers, or any other members charged with any special duties. The main idea in BD is to distribute the computation among members, such that each member performs only three exponentiations. This is performed in two communication rounds, each consisting of n broadcasts. Round 1. Member Mi generates its random exponent ri and broadcasts Zi = αri ; Round 2. Mi computes and broadcasts Xi = (Zi+1/Zi−1)ri ; Round 3. Mi computes the key Kn = Zi−1nri.Xn−ii ….Xn−2 mod p. The group key calculated by each member is then Kn = αN1N2+N2N3+…NnN1 . This protocol requires n+1 exponentiations per member. The drawback is the requirement of 2n broadcast messages. Attributes used to evaluate the efficiency of distributed key management protocols: Number of rounds: The number of iterations required before the members commit to a group key should be minimized to reduce processing and communication requirements; Number of messages. The number of messages exchanged between members in order to compute the group key should be minimized to reduce unbearable delays. Processing during setup. Setting up the group requires most of the computation involved in maintaining the group, because all members need to be contacted; DH exchange: Identify whether the protocol uses Diffie–Hellman (DH) [Diffie and Hellman 1976] to generate the keys. The use of DH to generate the group key implies that the group key is generated in a contributory fashion. Leader required: Identify whether the protocol requires the existence of a leader or leaders for the operation of the key agreement protocol Protocol ING GDH STR DH-LKH D-OFT OCTOPUS BD No. of No of messages rounds Multicast Unicast DH key 0 n n log2n 0 0 n(n-1) n-1 0 0 2log2n 3n-4 Yes Yes Yes Yes No Yes Setup Leader Reqd No No No No No Yes n-1 n n log2n log2n 2(n-4)/4 +2 3 2n 0 No No Others Table III: Comparison Table of Distributed Key Management Protocols Centralized and distributed key management rely on symmetric encryption to distribute group keys, while contributory protocols rely on modular exponentiations. Therefore, the former do not provide Perfect Forward Secrecy. However, such protocols scale to large groups and have a lighter overhead than contributory ones. Group Key Management Centralized Pair wise Key GKMP Broadcast secret Distributed Key Agreement Decentralized Key hierarchy Secure lock LKH OFT ELK Membership Driven re-keying SMKD Hydra Iolus Time driven re-keying Kronos Ring based cooperation ING GDH Hierarchical cooperation Octopus STR DH-LKH D-LKH D-OFT Broadcast cooperation BD Figure: Taxonomy of Group Key management Protocols Authenticated n-party Key Agreement Protocols The initial contributory group key agreement protocols were obtained by extending Diffie-Hellman exchange method to groups of n-parties[1, 1996]. Drawback was that it did not provide authentication of the parties involved and hence was prone to man-in-the middle attacks Giuseppe Ateniese, Michael Steiner, and Gene Tsudik[2,2000], studied the security services in the context of dynamic peer groups (DPG's). They leveraged the results of [1] to develop practical and secure authenticated key agreement protocols for DPG's viz Authenticated Diffie Hellman Key Exchange protocol for groups A-GDH. Other relevant security features such as key confirmation, key integrity and entity authentication were also considered here. AKE protocols perform an initial key agreement IKA within a group. Once a group is formed and initial key agreed upon, members may leave or new members may join. Any membership change causes a corresponding group key change. Re-running the full IKA for each membership change is expensive. Auxillary key agreement (AKA) protocols handle issues like member addition, member deletion etc. A-GDH.2 Contributory Key Agreement Protocol Michael Steiner and Gene Tsudik [] developed an extension to the Diffie Hellman key agreement method for n-parties which provides key authentication. Their protocol is a contributory protocol that provides PFS, implicit key authentication, and is resistant to known key attacks . Protocol A- GDH.2: Round i (1 ≤ i < n): Mi → Mi+1 : {α(r1...ri)/rj |j € [1, i]}, αr1...ri Round n: Mn →All Mi: {α(r1...rn)/ri. Kin |i € [1, n[} Upon receipt of the above, every Mi computes the group key as: Sn(Mi) = α(r1...rn)/ri ·ri·K−1in = αr1...rn The above protocol (A-GDH.2) achieves implicit key authentication in a relatively weak form since the key is not directly authenticated between an arbitrary Mi and Mj (i ≠ j). Instead, all key authentication is performed through Mn. This may suffice in some environments, e.g., when the exact membership of the group is not divulged to the individual Mi's. Another reason may be that Mn is an entity trusted by all other members, e.g., Mn is an authentication server. A-GDH.2 will result in all participants agreeing on the same key if Mn behaves correctly. However, no one, including Mn, can be sure of other members' participation. In fact, one or more of the intended group members may be “skipped" without detection. Also, a dishonest Mn could partition the group into two without detection by group members. On the one hand, we assume a certain degree of trust in all group members (including Mn), e.g., not to reveal the group key to outsiders. On the other hand, when it comes to group membership, Mn might not be universally trusted to faithfully include all (and only) group members. Distributed Group Key Distribution (DGKD): P Adusumill et all [2005] proposed a new class of protocols called Distributed Group Key Distribution with Authentication capability. This protocol does not assume any trusted third party but allows equality of capability, responsibility and trustiness among all group members. The protocol organizes the members in a tree structure and performs any rekeying operation in just two rounds which do not need to be strictly synchronized. Advantages: Provides strong authentication One key per node Independence of node keys Robust against transmission delay, network failure or compromise of node keys. No dependence on single entity, if a sponsor node fails a new sponsor for the joining/leaving member is chosen by the other members. Other Related Work: Multi-party key agreement protocols based on multi-linear forms: Boneh and Silverberg [6,2002] studied the problem of finding efficiently computable non-degenerate multi-linear maps and presented several applications to cryptography using multi-linear forms. The efficiently computable multi-linear forms would enable one round multi-party key exchange, a unique signature scheme and secure broadcast encryption with very short broadcasts. They proposed a one round multi-party key agreement protocol from multi-linear forms, where security was based on the hardness of multi-linear Diffie Hellman problems and the n-parties shared a session key after one round of broadcast. The disadvantage of their protocol is that this key is not authenticated and hence is subject to the classic man-in-the-middle attacks. Lee et.al.[7,2002] presented multi-party authenticated key agreement protocols. Their protocols are also based on multilinear forms. They presented a single protocol with (n+1) different methods for deriving a session key (MAK protocols). Their protocols overcome the disadvantage of lack of authentication in Boneh and Silverberg’s protocol by incorporating authentication into the protocol using certificates. A certification authority (CA) is used in the initial set-up stage to provide the certificates which bind user’s identities to long-term keys. Each entity verifies the authenticity of the certificates he receives. If any check fails, then the protocol is aborted. When no check fails, one of the possible session keys are computed. Consequently, this system requires a large amount of computing time and storage. Multi-linear forms: Definition A map e : G 1n → G2 is an n-multilinear map if it satisfies the following properties: (1) G1 and G2 are groups of the same prime order; (2) if a1, . . . , an є Z and x1, . . . , xn є G1 then e(x1a1 , . . . , xnan ) = e(x1, . . . , xn)a1···an; (3) The map e is non-degenerate in the following sense: if g є G1 is a generator of G1 then e(g, ..., g) is a generator of G2. The efficiently computable multilinear forms would enable secure broadcast encryption with very short broadcasts and private keys, a unique signature scheme, and one round multi-party key exchange. The multi-linear Diffie-Hellman assumption. This assumption says that giveng, ga1 , . . . , g an + 1 in G1, it is hard to compute e(g, . . . , g)a a1···aan + 1 in G2. A one round multi-party key agreement using multilinear forms: Boneh and Silverberg [ ] proposed a simple one-round multi-party Diffie Hellman key exchange protocol using multi-linear forms in which the secret session key for n-parties could be created using just one broadcast per entity. Protocol Assume A1…… An are n participants who want to share a key. Each Ai selects a uniformly random integer ai є [1, p-1] and computes gai and broadcasts it.. Each Ai computes conference key KAi as : KAi = en-1(g a1 ….. gai-1, gai+1,……. gan ) ai = en-1(g….. ....ga) a1…an є G2 Where en-1 : G1n-1 → G2 is an (n-1) multilinear map and G1 and G2 are two finite cyclic groups of the same prime order p and g is a generator of G1. The security of this protocol is based on the hardness of the multilinear Diffie- Hellman problem. This protocol however lacked authentication and was hence prone to man-in-the –middle attack. Multi-Party Authenticated Protocols: Lee et al(2004) presented authenticated multi-party key agreement protocols with n+1 methods for deriving a session key. Their protocols were also based on multi-linear forms A certification authority (CA) is used in the initial set-up stage to provide certificates which bind user’s identities to long-term keys. The certificate for entity Ai will be of the form : CetAi = (IAi║ µAi║g║SCA(IAi║µAi ║g)): IAi denotes the identity string of Ai, ║ denotes the concatenation of data items, and SCA denotes the CA’s signature. Entity Ai’s long-term public key is µAi = gxi , where xi € Zp is the long-term secret key of Ai. Element g is the public value and is induced in order to specify which element is used to construct µAi and the short term public values. Each Ai broadcasts to all other entities the short-term public value gai along with a certificate Cert Ai containing his long-term public key. Each Ai verifies the certificate he receives. If any check fails, the protocol should be aborted. When no check fails, one of the following possible session keys is computed 1. KAi = en-1(ga1 ….. gai-1, gai+1,……. gan ) gxi+1,…gxn ) xi = en-1(g ….. g ) a1…… an+ x1…. xn ai . en-1(gx1 ….. gxi-1, 2. ID-based authentication: Another direction of research on key agreement protocols is identity based protocols. In traditional PKI settings, key agreement protocols relies on the parties obtaining each other’s certificates, extracting each other’s public keys, checking certificate chains (which may involve many signature verifications) and finally generating a shared secret. The technique of identity-based encryption (IBE) greatly simplifies this process. Shamir in 1984 [ ] first formulated the concept of Identity-Based Cryptography (IBC) in which a public and private key pair is set up in a special way, i.e., the public key is the identifier (an arbitrary string) of an entity, and the corresponding private key is created by using an identity-based key extraction algorithm, which binds the identifier with a master secret of a trusted authority. The advantage of ID-based cryptosystems is that it simplifies the key management process which is a heavy burden in PKI based cryptosystems. Lee et all [2005] proposed ID-based multi party authenticated key agreement protocols based on multi linear forms. Their protocols provided perfect forward secrecy, implicit and explicit key authentication and key confirmation. Security features Key confirmation Implicit Key Authentication Perfect Forward secrecy Known key secure Key independence Table IV: Comparison of security attributes for multi party key agreement protocols Summary: Group key management protocols were placed into three main classes. Every class has its own features, requirements and goals. There is no unique solution that can achieve all requirements. While centralized schemes are easy to implement they impose an overhead on a single entity Protocols based on hierarchial sub-grouping are relatively harder to implement and raise other issues such as interfering with data or imposing security hazards on a group Distributed key management is not scalable The best solution for a particular application may not be good for another. Motivation for future work : 1. In distributed multi party environments there is no clear distinction as to who initiated a transaction, which parties should participate and finally who completes the transaction. 2. Existing contributory protocols do not clearly tackle issues like dynamic group membership control e.g who allows a member to join or leave. 3. Prioritized leave and join of members has not been considered. Currently all members are assumed to have equal rights and equal trustiness. However at times it may be desirable to have unequal rights for individuals. For e.g in a gaming application, while a certain level of players have formed a group, if a member playing at a lower level requests to join the group he should not be allowed. 4. Issues like reformation of a group based on pending requests have not been taken into consideration in all the protocols so far. 5. Membership revocation issues…….if a member is to be expelled from a group who should decide. 6. References 1. "Diffie Hellman key distribution extended to groups," Michael Steiner, Gene Tsudik, and Michael Waidner, In Third ACM Conference on Computer and Communications Security. Mar. 1996, pp. 31{37, ACM Press. 2. "New Multiparty Authentication Services and Key Agreement Protocols" Giuseppe Ateniese, Michael Steiner, and Gene Tsudik, Member, IEEE, In IEEE Journal of Selected Areas in Communications, VOL 18, NO. 4, April 2000 3. “Key Agreement in Dynamic Peer Groups”, Michael Steiner, Gene Tsudik and Michael Waidner, In IEEE Transactions on Parallel and Distributed Systems, 2000. 4. "Some Attacks upon Authenticated Group Key Agreement Protocols" Oliver Periera, Jean-Jacques UCL Crypto Group, Belium, October 2002. 5. "On the Performance of Group Key Agreement Protocols" Yair Amir Johns Hopkins University Yongdae Kim, University of Minnesota, Twin 6. 7. 8. 9. Cities Cristina Nita-Rotaru, Purdue University and Gene Tsudik, University of California, Irvine In "ACM Transactions on Information and System Security", Vol. 7, No. 3, August 2004, Pages 457–488. "Applications of Multilinear forms to Cryptography", D. Boneh and A. Silverberg, Report 2002/080, http://eprint.iacr.org, 2002. "Multi-party Authenticated Key Agreement Protocols from multilinear forms" Ho-Kyu-Lee, Hyan-Sook Lee, Youn-Ran Lee, "App. Math. and Comp. Vol. 159 , 2004, pp. 317-331, Seoul, Korea, 2002. "An attack on some multi-party key agreement protocols" Kenneth G. Paterson, Information Security Group, Royal Holloway, University of London, 2004. "ID-based Multi-party Authenticated Key Agreement Protocols from Multilinear Forms” Hyung Mok Lee, Kyung Ju HaP, and Kyo Min Ku1 J, Zhou et al. (Eds.): ISC 2005, LNCS 3650, pp. 104-117, 2005, Springer-Verlag Berlin Heidelberg 2005. 10. “Identity based cryptosystems and signature schemes”, Shamir. In Advances in Cryptology – Crypto’84, volume 0196 of Lecture Notes in Computer Science, pages 47–53. Springer-Verlag, 1984. 11. “Tree-based group key agreement” Kim, Y.,Perrig, A., And Tsudik, G. 2004.. ACM Trans. Inf. Syst.Secur. 7, 1 12. “Group Key Management Protocol”, H. Harney and C. Muckenhirn. (GKMP) Architecture, July 1997. RFC 2093. 13.