WISA 2004 (23-25, Aug)
Efficient Group Authenticated Key
Agreement Protocol for Dynamic Groups
Kui Ren*, Hyunrok Lee*, Kwangjo Kim*, and Taewhan Yoo**
* IRIS, Information and Communications University, Daejeon, Korea
** Electronics and Telecommunications Research Institute, Daejeon, Korea
Contents
Introduction
 EGAKA Overview
 Notation and Primitives
 EGAKA

EGAKA-KE (Key Establishment)
 EGAKA-KU (Key Update)




Complexity & Security Analysis
Conclusion
Q&A
2
Introduction

Secure group communication

A (large) group of users communicate with one another in
a secure way


(1/3)
Ex) Teleconferencing, Collaborative work,
Multiple interactive game, VPN (Virtual Private Networks),
Wireless Ad-hoc Networks
Dynamic Peer Groups
Relatively small (~ 100 of members)
 No hierarchy
 Frequent membership changes
 Any member can be sender and receiver

3
Introduction

(2/3)
Group Key Management
 A group key
 Shared only by current group members
 Communication encrypted/decrypted by the group key
 Difficult aspect  Dynamics
 Join



Leave:



Backward secrecy
Allow the joining member(s) to decrypt future messages, but not
previous messages
Forward secrecy
Prevent the leaving member(s) from decrypting future messages
Burst behavior:

Multiple joins and/or multiple leaves simultaneously.
4
Introduction

Classification

Group Key Distribution



One party generates a secret key and distributes to others
Not suitable for dynamic groups
Group Key Agreement




(3/3)
Secret key is derived jointly by two or more parties
Key is a function of information contributed by each member
No party can pre-determine the key
Motivation

Need Group Key Agreement




Strong security
Dynamic membership management
Adapt to heterogeneous environments
Efficiency in communication and computation
5
EGAKA Overview

(1/2)
EGAKA
 Efficient Group Authenticated Key Agreement protocol
 Important Properties






Can be built on any two-party authenticated key exchange
protocols



Distributed
Fault-tolerant
Efficient dynamic group membership management
Mutual authentication among group members
Secure against both passive and active attacks
E.g. Diffie-Hellman protocol, password based protocol
Achieves scalability and robustness in heterogeneous
environments
provides efficient member join services

Low communication and computation costs, and they are constant
to the group size.
6
EGAKA Overview

Trust Model


(2/2)
Any single current member can authenticate the
new members and accept them.
Assumption




Do not consider insider attacks
 The secrecy of group keys and the integrity of group
membership
The size of dynamics group < 200
Group members in dynamic groups have different security
primitives
For generating the group key

Use Common two-party key exchange protocol
7
Notation and Primitives
(1/4)
8
Notation and Primitives
(2/4)
Root node
KG
N 6
d 3
N11
K135
N 21
K15 B15
N 22
 K123456
B135  h( K135 )
K3
l0
N12
K 246 B246
M1
K 5 N 32
M5
Key pair: Kij & Bij
l 1
B4
N 23
N 24
K 26 B26
K4 l  2
B3
M3
K1 N 31
Interior node
M4
K 6 N 33
K 2 N 34
M6
M2
Isolated Leaf node
l 3
Leaf node
9
Notation and Primitives
K G  K123456
N 6
d 3
(3/4)
N11
K135
B135  h( K135 )
N 21
N 22
K15 B15
K3
l0
N12
K 246 B246
CP5* = {N31, N22, N12}
l 1
B4
N 23
N 24
K 26 B26
K4 l  2
B3
M3
M4
K1 N 31
K 5 N 32
K 6 N 33
K 2 N 34
M1
M5
M6
M2
l 3
KP5* = {N32, N21, N11}
10
Notation and Primitives
KG
N 6
d 3
N11
K135
N 21
K15 B15
N 22
 K123456
B135  h( K135 )
K3
l0
N12
K 246 B246
M1
K 5 N 32
M5
l 1
B4
N 23
N
K 26 B26 24 K 4 l  2
B3
M3
K1 N 31
(4/4)
M4
K 6 N 33
K 2 N 34
M6
M2
l 3
M2’s view of the group which could be divided into l subgroups
11
EGAKA

Two basic sub-protocol

EGAKA-KE : Key Establishment Protocol

EGAKA-KU : Key Update Protocol

Both sub-protocols are subtle integrations of above
mentioned binary key tree structure, one way functions
and two-party key agreement protocol, as well as
symmetric encryption algorithm.
12
EGAKA-KE

EGAKA-KE includes two phases:

Phase I


To complete group entity authentication by applying any
chosen two-party authenticated key agreement protocol
Phase II

The group key generation process.
13
EGAKA-KE: Phase I

(1/6)
Tasks to accomplish

choose the two-party protocol in common

generate the key tree structure

perform mutual authentication according to generated tree
structure

establish peer-to-peer session keys among members.
14
EGAKA-KE: Phase I
M2
M3
Hello, here is the
key tree
structure
Hello, I want to use
DH protocol, and M4
can be the one to
generate the key
tree structure
M1
M7
(2/6)
M6
M4
M5
M4
M2
M1
M5
M3
M 2 M 3 M 5 M1 M1 M 7
M7
M2
M6
M 3 M1 M 4 M 6
M2
15
EGAKA-KE: Phase I
r
2
r
M2
r
3
(3/6)
M3
1
M1
M4
M7
M6
M5
16
EGAKA-KE: Phase I
(4/6)
M2
r S
M3
rS
2 12
3 13
M1
r S
4 24
rS
7 37
M7
M4
rS
6 26
M6
rS
5 15
M5
17
EGAKA-KE: Phase I
(5/6)
M4
K 24
M1
K12 , K13 , K15
M5 M 3
M7 M2
M6 K 26
Session Key
K ij  
ri r j
K15 K13 , K 37 K 37 K12 , K 24 , K 26
Execution Results of EGAKA-KE: Phase I
18
EGAKA-KE: Phase I
(6/6)

Rounds = 2 (except for protocol negotiation step)

Two-party key exchange protocol executes
exactly n-1 times to finish the entity
authentication among group members
19
EGAKA-KE: Phase II
round  1
M1
B15
(1/5)
round  3
round  2
M5
M3
M7 M2
B15
B37
B37
B26
M 1 : {B15 }K13
M 3 : {B37 }K13
M 2 : {B26}K 24
M 4 : {B4 }K 24
M6
B26
M4
M4
M4
B4
B4
B26
B4
B26
B1357
M1
M5
M3
M7 M2
B15
B37
B246
B15
B37
B37
B15
B37
B15
M 1 : {B37 }K15 ,{B1357 }K12
M 2 : {B4 }K 26 ,{B246 }K12
B26
B4
B1357
M6
B26
B4
M 3 : {B15 }K 37
M1
M5
B15
B37
B246
B15
B37
B246
M3
B37
B15
B246
M 1 : {B246 }K1357
M7 M2
B37
B15
B246
B37
B4
B1357
M6
B26
B4
B1357
M 2 : {B1357 }K 246
K G  h( BK1357 || BK 246 )
20
EGAKA-KE: Phase II
(2/5)
KG
M1 needs to
compute
M1 yet to know
Round 1
B246
B1357
B15
M1 knows
M4
B37
M1
M5
M3
M7 M2
M6
M1’s view of the group
21
EGAKA-KE: Phase II
M1 needs to
compute
(3/5)
KG
Round 2
M1 yet to know
B246
B1357
M1 knows
B15
M1
M5
M4
B37
M3
M7 M2
M6
M1’s view of the group
22
EGAKA-KE: Phase II
(4/5)
KG
Round 3
M1 compute
B246
B1357
M1 knows
M1
M5
M4
B37
B15
M3
M7 M2
M6
M1’s view of the group
K G  h( BK 1357 || BK 246 )
23
EGAKA-KE: Phase II
(5/5)

Rounds = d, where d equals to
of the group.
, n is the size

No computational expensive operation is needed
in this phase.
24
EGAKA-KU: Member Join Protocol
round  2
round  1
M 6 broadcasts :
(1/5)
 r , join
6
subgroup
M4
M3
M1
M5
subgroup
M2
Sponsor
M5
M1
M6
M4
M2
M3 Sponsor
subgroup
M 3 computes :
 r S , K 36   r3r6 , B36  h( K 36 ),
3 36
B1356  h( h( B15 || B36 ))
M 3 broadcasts : {B1356 || M 3}K
G
,{B36 || M 3}K135 ,
{B15 || B24 || M 3}K 36 , r3S36
M 6 computes : K 36 , B36 , K G'  h( B1356 || B24 )
M i (i  [1,5]) computes : K G'  h( B1356 || B24 )
25
EGAKA-KU: Member Join Protocol
(2/5)
26
EGAKA-KU: Member Leave Protocol
(a)
(3/5)
(b)
Sponsor
Sponsor
M2
K12 , K 24 K12 , K13
M1
M5 M6
M3 M 7
M4
K12 , K13 , K15 K15 K 36 K13 , K 36 K 47 K 47 , K 24
M2
M1
M5
Leaving
M6
M3 M 7
subgroup
M4
subgroup
M7
M1
M5 M6
subgroup
M3
M4
subgroup
M2
Leaving
27
EGAKA-KU: Member Leave Protocol
(4/5)
28
EGAKA-KU
(5/5)

In Member Join Protocol: only fixed 6 exponential
operations are needed for any member to be
added to the group and update the group key.
Moreover, this cost is constant to group size. This
property is very useful in scenarios with frequent
member additions.

Member Leave protocol is not as efficient as
member join protocol, but it’s robust and faulttolerant.
29
Complexity and Security Analysis

Complexity Analysis


Comparison between EGAKA and other well known key
establishment protocols


Communication and computation costs
A-DH is used as the underlying two-party authenticated key
agreement protocol in order to provide a quantificational
comparison.
Security Analysis

Provide informal security analysis. (Formal analysis is undergoing)

Secure against both passive and active attacks
Do not consider insider attacks
Provide forward and backward secrecy


30
Comparison
31
Conclusion

In this paper, we propose EGAKA (Efficient Group
Authenticated Key Agreement) protocol
Distributed

Fault-tolerant

Efficient dynamic group membership management

Mutual authentication among group members

Secure against both passive and active attacks
Can be built on any two-party authenticated key exchange
protocols

E.g. Diffie-Hellman protocol, password based protocol
Achieves scalability and robustness in heterogeneous environments
provides efficient member join services

Low communication and computation costs, and they are constant to
the group size.
Support fault-tolerant property to achieve robustness in member
leave service





32
Thank you for your
attention
Q&A
33