A Secure Multicast Key Agreement Scheme
Wu et al. proposed a key agreement scheme to securely deliver a group key to group members. Their scheme conceals the group key in a polynomial. When the membership changes dynamically, the system refreshes the group key by sending a new polynomial. We observe that, in this situation, the Wu et al. scheme is vulnerable to a differential attack, because successive polynomials are linearly related. We use a hash function and a random number to remove this relationship. The secure multicast key agreement (SMKA) scheme proposed in this paper prevents not only the differential attack but also the subgroup key attack, and so reinforces the robustness of the original scheme.
Keywords: Cryptography, Security, Secure multicast, Conference key, Key distribution
1 Introduction
Many security protection schemes [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14] have been developed for an individual multicast group. Some of them address secure group communication by using a secure filter [1, 2, 3, 4] to improve the performance of key management. Wu et al. proposed a key agreement scheme that securely and efficiently delivers a group key to specific members. The system conceals the group key within a polynomial built from the common keys shared with the members; in the Wu et al. scheme this polynomial is called a secure filter. With their scheme, only legitimate group members can derive the group key generated by a central authority over a public channel. Nevertheless, under dynamic membership the scheme suffers from the differential attack described later. Dynamic membership means the addition and removal of group members; membership naturally changes because of network failures or explicit, application-driven membership changes [5, 6]. If an adversary collects the secure filters broadcast to the group as the membership changes, the group keys sent with those secure filters can be recovered through the differential attack.
The secure multicast key agreement (SMKA) scheme proposed in this paper is a variant of the secure filter that resists the differential attack. The proposed secure filter is based on the properties of a cryptographically secure one-way hash function. Moreover, the complexity of the modified secure filter is almost the same as that of the original one.
The rest of this paper is organized as follows. Sect. 2 gives an overview of the secure filter and of the differential attack against it under dynamic membership. Sect. 3 introduces our scheme. Sect. 4 gives the security proof of our scheme. Sect. 5 concludes the paper.
2 The Secure Filter and the Differential Attack
2.1 Wu et al.’s Scheme
The central authority then broadcasts the coefficients of the polynomial. Upon receiving the coefficients, member $M_i$ can derive $s$ by computing $f(h(k_i))$. An adversary cannot derive $s$ because he does not know any $k_i$, $i = 1, 2, \cdots, n$.
2.2 A Differential Attack on Wu et al.’s Scheme
From the coefficient $a_{n'-1}$ of the new secure filter, the adversary can compute $a_{n-1} - a_{n'-1}$ to derive $h(x_3)$. With $h(x_3)$, the adversary can derive the previous group keys from the preceding secure filters. Moreover, when $M_3$ rejoins the group, the central authority refreshes the group key through another secure filter that again contains the secure factor $h(x_3)$. The adversary who has already derived $h(x_3)$ through the differential attack can therefore derive every group key as long as $M_3$ is in the group.
3 Our Scheme
| Notation | Description |
|---|---|
| | number of group members at session $t$ |
| $h(\cdot)$ | cryptographically secure one-way function |
| $c_t$ | random number used at session $t$ |
| $s_t$ | group key for session $t$ |
| $M_i$ | $i$-th group member |
| $k_i$ | common key shared only between the CA and the $i$-th user |
| $x_i$ | secure factor of the modified secure filter |
| $f_t(x)$ | modified secure filter for session $t$ |
3.1 SMKA Scheme
The CA broadcasts the set of coefficients $A = [a_n, a_{n-1}, \cdots, a_0]$ together with $c_t$. After receiving $A$ and $c_t$, group member $M_i$ computes the secure factor $x_i$ by procedure (1) from the common key $k_i$ and $c_t$. Next, $M_i$ derives $s_t$ by calculating $f_t(x_i) = f_t(h(k_i \| c_t))$. In the next session $t+1$, the CA generates a new random number $c_{t+1}$ and repeats procedures (1) to (3) to send the secret $s_{t+1}$ to $G_{t+1}$, where $G_{t+1}$ may differ from $G_t$.
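The behaviour described in Sect. 2.2 and the remedy of Sect. 3.1, as an added worked example that is not part of the paper. It assumes the secure filter has the product form $f_t(x) = \prod_i (x - x_i) + s_t \bmod p$ (the paper's equations (1) to (3) are not reproduced on this page), builds it once with Wu et al.'s fixed secure factors $x_i = h(k_i)$ and once with the SMKA factors $x_i = h(k_i \| c_t)$, and compares the coefficient of the second-highest term across a session in which $M_3$ leaves. SHA-256 as $h(\cdot)$, the toy prime modulus, the member keys, the group keys and the session randoms are all constructed for the example.

```python
import hashlib

# Toy prime modulus for the field arithmetic (constructed; 2^61 - 1 is prime).
P = (1 << 61) - 1


def h(data: bytes) -> int:
    """The one-way function h(.) of the paper, instantiated here with SHA-256 reduced into Z_P."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def poly_from_roots(roots):
    """Coefficients [a_n, a_{n-1}, ..., a_0] of prod_i (x - r_i) over Z_P, highest degree first."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] + c) % P              # c * x^k times x
            nxt[i + 1] = (nxt[i + 1] - c * r) % P  # c * x^k times (-r)
        coeffs = nxt
    return coeffs


def poly_eval(coeffs, x):
    """Horner evaluation of a highest-degree-first coefficient list over Z_P."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % P
    return acc


def secure_filter(secure_factors, s):
    """f(x) = prod_i (x - x_i) + s mod P, so every legitimate member gets f(x_i) = s.
    (Assumed product form of the secure filter; the paper's equations are not on the page.)"""
    coeffs = poly_from_roots(secure_factors)
    coeffs[-1] = (coeffs[-1] + s) % P  # the group key only enters the constant term a_0
    return coeffs


def wu_filter(common_keys, s):
    """Wu et al.: secure factor x_i = h(k_i), identical in every session."""
    return secure_filter([h(k) for k in common_keys], s)


def smka_filter(common_keys, s, c_t):
    """SMKA: secure factor x_i = h(k_i || c_t), re-derived with a fresh c_t per session."""
    return secure_filter([h(k + c_t) for k in common_keys], s)


def second_coefficient_difference(filter_before, filter_after):
    """a'_{n'-1} - a_{n-1}, computable by anyone who saw both broadcasts.
    Because a_{n-1} = -sum_i x_i, this equals the departed member's secure factor
    whenever the secure factors are the same in both sessions."""
    return (filter_after[1] - filter_before[1]) % P


def differential_check():
    """Member M_3 leaves between session 1 and session 2 under both schemes.
    Returns (wu_old_key_recovered, smka_old_key_recovered)."""
    keys = [b"key-of-M1", b"key-of-M2", b"key-of-M3", b"key-of-M4"]  # constructed common keys
    s_1, s_2 = 123456789, 987654321                                   # constructed group keys
    remaining = keys[:2] + keys[3:]

    # Wu et al.: the difference is exactly h(k_3), which is still a root of f_1.
    f_1, f_2 = wu_filter(keys, s_1), wu_filter(remaining, s_2)
    leaked = second_coefficient_difference(f_1, f_2)
    wu_recovered = leaked == h(keys[2]) and poly_eval(f_1, leaked) == s_1

    # SMKA: every secure factor changes with c_t, so the difference is not a root of f_1.
    c_1, c_2 = bytes(8) + b"\x01", bytes(8) + b"\x02"  # constructed session randoms
    g_1, g_2 = smka_filter(keys, s_1, c_1), smka_filter(remaining, s_2, c_2)
    candidate = second_coefficient_difference(g_1, g_2)
    smka_recovered = poly_eval(g_1, candidate) == s_1

    return wu_recovered, smka_recovered


if __name__ == "__main__":
    print(differential_check())  # (True, False)
```

The linear relationship the paper exploits sits entirely in $a_{n-1} = -\sum_i x_i$: with fixed factors the two broadcasts differ by one term, while under SMKA the fresh $c_t$ changes all $n$ factors at once, so the difference carries no information about any single member.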
4 Security and Complexity Analyses
In this section we show that the modified secure filter resists the differential attack. Moreover, we prove that the modified secure filter also prevents the subgroup key attack [13, 14], in which a member could compromise other common keys by factorizing the filter.
Proposition 1. A cryptographically secure hash function $h(\cdot)$ has the following properties: intractability, randomness, collision freedom and unpredictability.
Proposition 1 is a standard assumption in cryptography. Intractability means that, given only a hash value $y = h(x)$, recovering $x$ is infeasible. Randomness means that, for a variable $x$, the elements of the set $Y$ of results $y = h(x)$ are uniformly distributed. Collision freedom means that, given $y = h(x)$, the probability of discovering $x' \neq x$ with $h(x') = h(x)$ is negligible. Unpredictability means that the hash function exhibits no predictable relationship or correlation between inputs and outputs.
An adversary cannot discover the group keys through the differential attack.
By Proposition 1, the coefficients in (5) and (7) are unpredictable to an adversary. Consequently, the adversary cannot predict the linear relationship between these coefficients, and so cannot carry out the differential attack to compromise the group key distributed within a secure filter. □
A legitimate group member cannot discover other common keys shared between the CA and other group members.
By Proposition 1, even if a legitimate group member is able to factorize $f_t(0)$ and discover the other secure factors of $f_t(x)$, he only obtains hash values that cannot be inverted to the common keys. Therefore the common keys cannot be discovered. This proves that the modified secure filter resists the subgroup key attack.
5 Conclusion
In this paper, a novel key agreement scheme based on a new secure filter improves the robustness of Wu et al.'s secure filter so that it remains secure under dynamically changing membership. The proposed secure filter is based on the properties of a cryptographically secure hash function. Through the security analysis, we proved that the modified secure filter resists the differential attack and also prevents the subgroup key attack. The modified secure filter has almost the same complexity as the original secure filter. For group communication, dynamic membership is an unavoidable issue. Although the original secure filter gave a simple and robust distribution scheme for the group secret, it suffers from the problems of dynamic membership. The modified secure filter strengthens the secure filter for dynamic membership while keeping its efficiency.
References
- 4. Wu, K.P., Ruan, S.J., Lai, F., Tseng, C.K.: On key distribution in secure multicasting. In: Proceedings of the 25th Annual IEEE International Conference on Local Computer Networks, p. 208 (2000)
- 8. Chen, X., Lenzini, G., Mauw, S., Pang, J.: Design and formal analysis of a group signature based electronic toll pricing system. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) 4(1), 55–75 (2013)
- 9. Craß, S., Dönz, T., Joskowicz, G., Kühn, E., Marek, A.: Securing a space-based service architecture with coordination-driven access control. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) 4(1), 76–97 (2013)
- 10. Malik, S., Lee, J.-H.: Privacy enhancing factors in people-nearby applications. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) 6(2), 113–121 (2015)
- 11. Kent, A.D., Liebrock, L.M., Wernicke, J.: Differentiating user authentication graphs. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) 5(2), 24–38 (2014)
- 12. Moser, L.E., Amir, Y., Melliar-Smith, P.M., Agarwal, D.A.: Extended virtual synchrony. In: Proceedings of the IEEE 14th International Conference on Distributed Computing Systems, pp. 55–65 (1994)
- 14. Wu, K.P., Ruan, S.J., Tseng, C.K., Lai, F.: Hierarchical access control using the secure filter. IEICE Trans. Inf. Syst. E84-D(6), 700–708 (2001)