Abstract

Mobile networks are composed of heterogeneous mobile devices with peer-to-peer wireless communication. Their dynamic and self-organizing natures pose security challenge. We consider secure group key management for peer dynamic groups in mobile wireless networks. Many group based applications have achieved remarkable growth along with increasing use of multicast based services. The key sharing among the group members is an important issue for secure group communication because the communication for many participants implies that the likelihood of illegal overhearing increases. We propose a group key sharing scheme and efficient rekeying methods for frequent membership changes from network dynamics. The proposed method enables the group members to simply establish a group key and provide high flexibility for dynamic group changes such as member join or leave and group merging or partition. We conduct mathematical evaluation with other group key management protocols and finally prove its security by demonstrating group key secrecy, backward and forward secrecy, key independence, and implicit key authentication under the decisional Diffie-Hellman (DDH) assumption.

1. Introduction

Advances in wireless communications and mobile devices have made various types of mobile networks such as mobile ad hoc networks (MANETs), wireless mobile sensor networks (WMSNs), and Internet of things (IoT). In mobile networks, heterogeneous devices such as smartphones, laptops, and smart sensors perform peer-to-peer (machine-to-machine) communications without depending on any fixed infrastructure. Mobile networks have features distinct from conventional networks. First, network topology changes dynamically due to the mobility of nodes, which causes frequent switching of network connection state. Additionally, many applications in mobile networks support one-to-many (multicast) communication, where common data are transferred to multiple destinations from a source, for instance, military communication (battlefield), health care system, industrial monitoring, on-line conferencing, collaborative workspace, and disaster management. They build a collaborative group of entities, called group members, which participate in multicast group communications as a group member and manage group membership changed by node mobility.

Group communication over wireless networks is susceptible to illegal overhearing such as packet sniffing. When a group deals with sensitive information, secure group communication must be achieved by sharing a common secret key—group key for confidentiality of group messages with data encryption. In other words, it is essential to decide how to share a key among group members and how to update the group key for group membership change [13]. A typical approach is based on centralized key distribution with a trusted third party (TTP) [48]. It provides scalable group key management for large groups using symmetric encryption such as advanced encryption standard (AES) and hierarchical logical key tree. However, it fairly depends on a constantly accessible TTP. This requirement is not suitable for mobile networks with peer-to-peer communication. To apply a symmetric key based approach without a TTP, a node should establish secure connection for sharing a pairwise key with all other mobile nodes in a group. It requires much communication and depends on another key sharing scheme [9]. Diffie-Hellman (DH) key exchange [10] is a protocol to establish a common key based on asymmetric keys without any TTP. It allows two parties to share a key using their secrets over an insecure channel. To extend DH into group setting, group key agreement (GKA) protocols have been developed [1116]. In the protocols, also known as contributory key agreement, all group members contribute to generation of a common key. While providing dynamic group key management, they require considerable messages or operations to establish and update group keys. An approach for reducing computation cost deploys tree structure to handle key management. Tree-based group key protocols [1518] need to support management of tree structure and require ordered message delivery for calculation from leaves to the root of the tree.

In this paper, we investigate secure group key distribution and management for collaborative groups with high group flexibility. We propose a DH-based group key management protocol and show security proof of the proposed scheme and mathematical evaluation with other GKA protocols.

The remainder of the paper is organized as follows. In Section 2, we address related works. Section 3 explains our group key management scheme with group membership events and security requirements. Section 4 describes performance analysis and Section 5 shows security proof for the proposed key management. We conclude the paper in Section 6.

Over the past few decades, a considerable number of studies have been conducted on group key establishment and management. A typical approach is centralized key distribution based on constantly accessible TTP and pairwise keys [48]. These studies showed apparent efficiency for large groups such as wireless sensor network (WSN). Since, however, a mobile network is comprised of peer-to-peer communications with dynamic mobility and without a TTP, it is difficult to provide scalable group key management on arbitrary group setting [15].

We focus on DH based group key management, known as group key agreement (GKA), in which a common key is generated by all group members’ equal contributions. DH protocol allows two parties to share a key using their secrets over an insecure channel [10]. The key computation of DH uses the multiplicative group of integer modulo , where is a large prime number. Each party chooses a random number in and computes , where is a primitive root (generator) . They exchange the computed values, and , and agree on the common key:

For extending it to group setting, Burmester and Desmedt (BD) proposed a conference key exchange system [11] depending on a broadcast manner. When the number of group members is n, the group key (GK) of BD becomes As BD system requires large communication messages, Steiner et al. proposed group key agreement protocols called group Diffie-Hellman (GDH) [12, 13]. In GDH, They showed not only that DH can be extended efficiently to group setting, but also that their protocol can deal efficiently with group membership change. They presented three distinct group key agreements GDH.1, GDH.2, and GDH.3, which later was advanced as a protocol suite known as CLIQUES [13]. In GDH.x, group members can individually or massively join and leave; CLIQUES also considers group integration and group division. A variant of GDH protocol is a centralized key distribution (CKD) scheme. In CKD, a controller distributes the group key to every member using pairwise temporal keys between the controller and each of the members, which is computed using DH fashion.

As group dynamics have become an important issue, some studies have adopted tree-based approach [1518]. Skinny tree (STR) protocol [16] has good performance for member addition. In STR, While STR uses unbalanced key tree for group key computation, tree-based group Diffie-Hellman (TGDH) leverages balanced tree structure. Given eight group members in TGDH, the group key is computed as follows: STR and TGDH require a sponsor node which distributes intermediate computing keys in the tree during membership event changes. As tree-based protocols apparently help to reduce communication cost and operation cost, there have been several variants of TGDH [17, 18]. However, they need to support management for tree balance and require message delivery order due to hierarchical tree structure. In mobile networks, much communication would be required to make sure that the group members can keep the synchronized tree structure.

In summary, DH-based group key protocol is generally known as GKA protocol. Although our protocol is based on DH, we do not classify it as a GKA protocol because of key distribution feature from a controller. Our proposed scheme provides the advantage of dynamics and collaborative contribution in computing group keys with a modified key agreement method.

3. Secure Group Key Management for Mobile Networks

3.1. Membership and Security Requirements

Group membership events occur with either insertion of a new node or deletion of an existing member. We define the insertion event as member join and the deletion event as member leave. When there is only one event node specifically, we call each single join and single leave, and when there are two or more event nodes we call each mass join and mass leave. Furthermore, we consider a group insertion into a group and a group partition into two distinct groups. We define them as group merging and group partition, respectively. Figure 1 shows summary of defined membership events.

Group membership change is closely related to security of group communication. Outgoing members should have no access to group communication after it leaves the group, and ingoing nodes should be prevented from accessing previous group communication before it joins the group. We define cryptographic properties in which a secure group, depending on a group key, should meet group key secrecy that guarantees an adversary who knows that messages sent to group members cannot discover any group key in polynomial time, backward secrecy that guarantees a new member or an adversary who knows that the current group key cannot discover any previous group key in polynomial time, forward secrecy that guarantees a former group member or an adversary who knows that previous group keys cannot discover any subsequent group key in polynomial time, key independence that guarantees an adversary who knows that a proper subset of group keys cannot discover any other group keys in polynomial time, and (implicit) key authentication that guarantees that no one apart from a group member recovers the group key.

3.2. Group Key Establishment

We present a new group key protocol, collaborative Diffie-Hellman (CODH). CODH has centralized topology and key distribution property from a leader node. But, unlike conventional centralized scheme with TTP, in CODH, a group leader computes and distributes a group key by using public keys of group members. We formalize the group key protocol and prove its security.

CODH has one leader called master. The leader is also one of group members. It consumes more energy than normal nodes for communication and operation in managing group keys. There will be a policy for choosing a leader. In mobile networks, signal strength, degree to neighbors, identity, and resources (CPU, memory, battery, and bandwidth) would be criteria for leader election [1921]. When a group is created, the first master is elected among group members and performs group key initialization. Afterwards, group members select a new master when receiving master notification for leader change. Once a new group master is selected for group management, the previous master forwards information about group members to the new master; that is, a delegation process is run (refer to Sections 3.3 and 3.4). On the other hand, connection failure may occur by network isolation or denial of service attacks. (We assume that group participants are honest and not compromised. However, they can be threatened by network adversaries who can perform all of network-based attacks.) We consider the connection failure as a kind of member leave whether the left node is a member or the master.

Notation section represents notations used to illustrate our group key protocol. The index “s” stands for the master node in a group that is distinct from or which indicates a general member node. Therefore, or means an identity for general member, while denotes the master. Lock-secret is defined as a secret value of a member. It locks the group key so that can securely transfer the group key to the members. General members use their unlock-secret to extract the group key from ’s broadcast message of a locked group key.

We adopt inverse exponentiation for obtaining the group key. Let be a group of size ; that is, and . To share the initial group key, the group runs steps in Box 1 for the initial phase.

The initial phase consists of two rounds. In the first round, all members except the group master send their locker to the master via unicast and the master produces the locker list, , from receiving messages. In the second round, the master selects a random secret and computes and broadcasts the locked group key using . Then, each member can compute the group key using their own unlock-secret, , as follows:

The group key is equal to the locker of the group master when is the master’s secret. Therefore, operations for computing and group messages never include .

3.3. Group Rekeying for Member Join and Leave

The master-secret should be renewed when membership changes, since it is used for the new group key . In Box 2 (member join process), means a new master-secret that selects. Let be the first new member and let be the last new member, when new members join the group (if a single member joins, the new member is only one node, ). A new member sends its locker to the master, and then broadcasts locked new group key to all the group members in the same manner as second round of initial phase, as in Box 2. All members, including new members, can extract the new group key in the same way as (6).

Unlike the join event, member leave process does not require the first round for sending lockers to the master. Let a subset of for leaving members be (). Group members conduct rekeying operations for the new group key as in Box 3.

The leaving nodes cannot learn the new group key because the broadcast message from does not contain any locker for leaving members. Note that the set for the leaving node does not include the master. Leaving of the master requires ‘delegation’ during which the master forwards locker list for group to new group master as follows: The delegation can be used for another case where the master wishes to finish its master’s role for a reason such as network topology change or resource exhaustion; that is, the master turns to a group member not leaving the group. In this case, the delegation message includes the former master’s locker generated with new selected secret as follows:

When group members detect unexpected disconnection from the master, they restart group key initialization with new master selection. At the worst case, members can suffer from frequent connection failure with the master. In this case, the first protocol should be slightly modified to make all of group members have the locker list and any member be the group master to proceed Box 3. For instance, a general member at the first step of Box 1 broadcasts its locker to the group as follows: The group members continue secure communication with a fresh group key obtained through group rekeying. We provide formal security proofs in Section 5.

3.4. Group Rekeying for Group Merging and Partition

There are two ways to integrate two groups into one group completely: individual join and group join. The former is that members of a group join another group individually. It is similar to the mass joining process, saving that the joining master should generate his lock-secret, , and locker, . The latter way is that a group is absorbed into the other group via delegation process between both group masters.

Let two groups be merged and (). The master of survives after group merging, while the master of becomes a member of the merged group. Smaller group members () become a member of ; that is, and after group merging. Group merging process runs with delegation (in the first round) as in Box 4. Figure 2 represents an instance for a merging process for a current group and a merged group . In Figure 2, the number in a circle indicates members’ index (such as by a joined order). Before they are merged, the number of the current group is four including the group master (i.e., , ) and the number of members of joining group is three (i.e., , ). To be merged, the master of sends the master of the locker list for and . Note that the master of must forward its locker after changing its own secret because it was used as the former group key. The master of becomes the master for the merged group. It updates and generates key-locks with a new selected random .

As shown in Figure 3, the current group will be divided into two groups. When the number of left members is , the current group will have () members after the partition process. Group partition requires one more master for a separated subgroup (). Group partition process can be easily conducted through delegation, from the master of group to the fresh master of subgroup . The divided groups perform a group key initial phase after the delegation process, as in Box 5.

3.5. Implicit Key Authentication

For the secure key authentication, the messages sent from all members should be signed with a signature key. Hash-based signature such as message authentication code (MAC) is fairly efficient in terms of computation cost. However, it is too costly to share one-to-one pairwise keys between all of group members in advance.

We assume that a member holds long-term private and public keys certified by a trusted certificate authority (CA). (Each member can use a different signature algorithm such as RSA-based signature algorithm, digital signature algorithm (DSA), and elliptic curve digital signature algorithm (ECDSA). Note that some of them do not provide message encryption; that is, it is used for message signing and verifying. We consider that DSA is better for our scheme since its public key includes mod .) The group members send to the master the signed messages with their own private key; for example, in the first step of Box 1, a member, , sends to the master which signs for with its private key. Note that this process runs one-time at initial phase or it can be precomputed with .

Members can obtain the group key securely by verifying the messages of the master with signature signed with the master’s private key. All of messages from the master come with a master-signed signature for the origin and integrity of a group key. For example, in the second step of Box 1, the master broadcasts . The master produces a locked set for the group key using verified members’ locker. It implies that outsiders cannot recover the group key from the master’s messages.

4. Evaluation

We measure performance of the proposed scheme through communication and computation cost spent for all group members to complete group rekeying by membership change. Table 1 shows summary of comparison with other DH-based key management protocols: CKD, GDH, BD, STR, and TGDH. In Table 1, , , and denote the number of current group members, joining or merged-group members, and leaving or partitioned-group members, respectively. Therefore, or indicates the single-member event. For TGDH, the height of the key tree is denoted as , and, for STR, is denoted as the index of the sponsor, which helps other members to calculate group keys. Group merging is a case where a group of members is merged into a group of members (), and group partition is a case where a group of members is divided into separate subgroups: a group of members and a group of () members, where (). The costs for the group partition event include the costs for updating two subgroup keys. In computation costs, we consider concurrent execution in distributed nodes if it is possible. In CODH, we assume the master is selected by group-join order; the first master is , and when leaves the group, becomes the next master.

CKD distributes the group key in a similar way with our protocol. Its communication and computation costs are also similar to our protocol. However, the worst case of CKD is when the master leaves. It requires large costs for rekeying. On the other hand, in CODH, the rekeying cost for a leaving master is analogous to that for a leaving member due to efficient delegation or sharing of public locker list. GDH is operated through communication chain from the first node to the last node, and the last node becomes the master of the group. Steiner et al. presented three GDH protocols: GDH.1, 2, and 3. GDH.2 is the most efficient in communication whereas GDH.3 is the most efficient in computation cost among GDH.x. We select GDH.3 for comparison. As shown in Table 1, GDH has weaknesses in group merging and mass joining. BD employs a completely distributed way using broadcast messages. Without sponsors or controllers, all of members broadcast messages for updating the group key. Although it seems to be fairly efficient in computation cost, there are hidden costs for multiplications. In addition, it requires a large communication cost compared to other protocols. STR and TGDH are tree-based key agreement protocols. They use different tree structures for key management. STR, especially, uses the extremely unbalanced tree structure. Accordingly, the performance of STR depends on the location of the sponsors. In TGDH, the costs depend on the height of the resulting key tree and locations of joining or leaving members in the tree. We provide the worst case cost for TGDH.

Most of the cost in CODH comes from the master node. A general node consumes only one communication, modular exponentiation, signature, and verification in all of group rekeying process. We summarize the costs for a general member and the group master in Table 2. Although the exponentiation cost looks heavy in the master, its cost is insignificant. We conducted an experiment to measure computation delays for modular exponentiations. Table 3 shows the average delay of 10 experimental results for each. The first device has less CPU power than the second device. When modular prime is 1024 bits long and , the computation delay is less than 1 s. The average delay of one exponentiation is less than 8 ms in the second device. Moreover, reducing communication cost is important for mobile devices because data communication consumes more energy than any other process. Therefore, our group key protocols can be efficiently applied in dynamic mobile networks.

5. Security

Let be a large prime number of the form for a prime in . Let be a cyclic group of prime order and let be a generator of ; that is, . The decisional Diffie-Hellman problem (DDH) is as follows: given (, , , ), where , decide whether or a randomly chosen number. In particular, the security of our protocol is based on the divisible decisional Diffie-Hellman problem (DDDH), which is stronger assumption than the divisible computational Diffie-Hellman problem (DCDH).

Definition 1. The DCDH problem is as follows: given (), where , compute .

Definition 2. The DDDH problem is as follows: given (), where , decide whether or a randomly chosen number.

The DDDH problem is weaker than DCDH, since if an adversary could solve the DCDH problem, he could solve the DDDH problem by computing to decide ; thus the DDDH assumption is stronger than the DCDH assumption. Similarly, the DDH problem is weaker than the computational Diffie-Hellman problem (CDH), which is weaker than discrete logarithm problem (DL) [22]. We want to prove the security of our protocol under the DDH and DDDH assumptions.

Theorem 3. The DDDH problem is equivalent to the DDH problem.

Proof. Given the DDDH input (), where , one submits () to DDH to decide whether or a randomly chosen number. Similarly, given the DDH input (), where , one submits () to DDDH to decide if or a randomly chosen number.

Therefore, we know that if there is no polynomial time algorithm to solve the DDH problem, it is hard to solve the DDDH problem.

Theorem 4. If the DDH problem is hard, it is hard to find a polynomial time algorithm to recover the group key from the proposed protocol; in other words, it provides group key secrecy against passive adversaries under the DDH assumption.

Proof. Let view() be public information for a group of members to establish a group key ; thus it is a view of passive attackers,
Suppose we had an algorithm that with significant probability succeeds to distinguish between (view(), ), where is a random number , and (view(), ) where is the group key; that is, , where , otherwise, returns 0. Then we can query to with input view for members’ information and additional input for a random number , where , that is, . It follows that , where for . Then can solve the DDDH problem since it can decide whether or a random number, given . It means that can also solve the DDH problem by Theorem 3.

Theorem 5. The proposed scheme provides backward secrecy, forward secrecy, and key independence provided the DDH problem is intractable.

Proof. Whenever membership is changed or the group key is updated, the group controller alters its own secret to , where is an independently random number to ; it implies that it is impossible to find an algorithm such that without knowledge of and . We assume that the secret values are uniformly distributed by a pseudorandom generator. Therefore, when the group key has been changed, an adversary must use new public information, , to recover the group key updated into and it depends on a solution to solve the DDH problem by Theorem 4. It follows that past members, future members, or adversaries who know a subset of previous group keys cannot learn the current group key, since the broadcast message from the master does not contain their locker in view().

Theorem 6. The proposed scheme provides implicit key authentication under the security of certified public key.

Proof. A locker which the master obtains from group members is what a group member signs with its public key certified by a CA. Concretely, a locker is hashed by a one-way function such as SHA-2, and hash () is signed with ’s private key using a digital signature algorithm such as RSA, DSA, and ECDSA. Then, the locker is verified with the public key bound to and certified by CA. If there is a locker of nonmember in the locker list of a group, it must be along with a forged signature. It means that the problem occurs in a hash collision attack or a rogue CA certificate [23]. Once all verified lockers are transferred to the master, any other nodes which are not a group member cannot recover the group key under the DDH assumption (Theorems 4 and 5).

6. Conclusion

In this paper, we propose a secure group key management protocol based on DH key agreement. The proposed key management requires only one data communication and one modular exponentiation at each member for any membership event. It shows prominent efficiency in renewing the group keys against dynamic group membership change, member join/leave and group merging/partition. We proved group key secrecy, backward/forward secrecy, key independence, and key authentication. No outsiders can learn the group key under the DDH assumption. We conclude that CODH can be adapted efficiently for multicast security in mobile networks.

Notations

n:Number of protocol participants
:
:Master node (controller),
:Prime of the form for a prime
:Generator in
:Lock-secret; random number picked by such that and
:Unlock-secret for such that
:Master-secret randomly selected in , by
:Locker;
:Current group of members; #
:Locker list of group
:Key-locks for group
:Unicast message from to
:Broadcast message from to members of .

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors appreciate anonymous reviewers for their helpful comments. This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2011-0011289).