Security Analysis of Broadcaster Group Key Exchange Protocols

  • Journal: Journal of Wuhan University (English edition)
  • File size: 476kb
  • Authors: LI Li, ZHANG Huanguo
  • Affiliation: School of Software, School of Computer
  • Updated: 2020-12-06
Paper summary

Wuhan University Journal of Natural Sciences (WUJNS), Vol.11 No.6 2006, 1577-1580
Article ID: 1007-1202(2006)06-1577-04

LI Li (1), ZHANG Huanguo (2)
1. School of Software, Wuhan University, Wuhan 430072, Hubei, China;
2. School of Computer, Wuhan University, Wuhan 430072, Hubei, China

Abstract: Group key exchange protocols are basic protocols to provide privacy and integrity in secure group communication. This paper discusses the security of one type of group key exchange protocols and defines the kind of protocols as broadcaster group protocols. It points out two attacks on this kind of protocols. The first attack can be avoided by using fresh values in each action during one session of the group protocol. The second attack should be related with concrete application. It also proposes a dynamic key agreement protocol as an example of solutions at the last part of the paper.

Key words: group key exchange protocol; broadcaster group protocols; dynamic security
CLC number: TP 918.2

0 Introduction

As a result of the increased development of network, group communication occurs in many different settings. A number of group key exchange protocols have been published during the last years. This paper discusses the first type; we called it broadcaster protocols.

Secure group communication is not a simple extension of secure two-party communication. They should provide dynamic security, which is the most complicated aspect. Group communication mutates (members leave and join) after its start and there might not be a well-defined end. In the dynamic session, a session key might be updated periodically due to member change or the time limit of the session key. The intended properties [2,4] of group key exchange protocols include implicit key authentication, secrecy, forward secrecy, freshness, etc.
One of the two attacks proposed in this paper wrecks the freshness of the session key; the other destroys the key authentication.

1 Broadcaster Group Protocol

The structures of group key exchange protocols in Refs. [1-3, 7-9] are all distributed. Every member contributes to the final key. No one can know the final key earlier than others except one member, which is called broadcaster of the protocol. The broadcaster collects all the contribution of the other members and generates his contribution, so he can calculate the […] than others. Then he broadcasts […] contribution to others so that other members can get the last session key. For example, A-GDH.2 protocol [1] allows a group M of n users $M_1, \ldots, M_n$ arranged in a ring to share a key. We assume p to be a prime integer and q a prime divisor of p-1. G is the unique cyclic subgroup of $\mathbb{Z}_p^*$ of order q, and $\alpha$ is a generator of G. G and $\alpha$ are public. Each group member $M_i$ is assumed to select a new secret random value $r_i \in \mathbb{Z}_q^*$ and each pair of users $(M_i, M_j)$ is assumed to share a long-term secret key $K_{ij}$. The messages are exchanged as follows:

Roundi :M;-→M;+( 1All M( l(i;

Received date: 2006-03-20
Foundation item: Supported by the National Natural Science Foundation of China (90104005, 60473023) and the National High Technology Research and Development Program of China (863 Program) (2002A41051)
Biography: LI Li (1976-), female, Lecturer, Ph.D., research direction: information security. E-mail: li@whu.edu.cn

2 Two Attacks on BGP

Ref. [4] has discovered the attacks on the original A-GDH.2 protocol suite [6] and the SA-GDH.2 protocol [2]. Different attacker models lead to different security analyses. In Ref. [11], the attacker can't be a legal principal, while in Ref. [4], the attacker can be a legal principal but is not a member of the current group when he laun-

Simply using some methods to avoid message replay can't resist this kind of attack.
The AKE1 protocol in Ref. [11] uses signature on message, but it still can't resist this kind of attack, because in this attack, the attacker is a legal member. He has his own private key and can generate legal signature.

[…] can force M; to leave the group by broadcasting a new […] communication of the group. This attack takes advantage of the lack of mechanism to provide the authentication about the will of member action. The broadcaster can utilize the

3 Modified Protocol

Ref. [4] proposes an AT-GDH2 protocol. But it is only the first step. Here we propose a complete group key agreement protocol based on the initial static protocol, including the dynamic protocols. We use strand space theory model […] to describe our protocol as follows,

[…] group, and the parameters denote the information it sends and receives. Each member of the group has a key pair: public key and private key. [m]. denotes a signature

● Member join protocol AT-GDH2-MA (Supposed that the join member is $M_{n+1}$)

SMAn[N,N" ,M,Ln ,rn+1 ,H',K'] = <+N' ,-([N" McnLn H']), +[N' M
SMA[N ,N" ,M ,L'n+1 ,K,K'](1≤i ;

where H denotes some hash function.

● Member leave protocol AT-GDP-MS: If the leaving member is M( 1≤j;

SMA[N ,M ,L" ,K'](1≤i j≤nandi≠j) =<-[N+1 MenN I" (HK"))]>;

If the leave member is the current broadcaster $M_n$, then the new broadcaster is $M_{n-1}$, it executes as follows:

SMS, _[N ,M ,an ,r'_ ,K"] = <+[N+1 Ma-1){an-2- H(K")]1〉;
SMS[N,M,L" ,K"](1≤i ;
Irke[1门Ak*1}

wherer .. rn r' r°_n∈Z;° ,a; ={a' l∈[1 i] 1≤l≤i)( a[i]); is the jth element of a; [i[1≤j
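The A-GDH.2 run that Section 1 describes, as an added Python example that is not code from the paper: the message formats follow the published A-GDH.2 protocol (an upflow of partial products, then a broadcast blinded with each $K_{in}$), because this copy drops them. The toy group (p = 2039, q = 1019, α = 4), the sample keys and all function names are constructed for illustration.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# p = 2q + 1 with p, q prime; ALPHA = 4 generates the subgroup G of order q.
P, Q, ALPHA = 2039, 1019, 4

def fresh_exponent():
    """New random element of Z_q^* (an r_i, drawn again for every session)."""
    return secrets.randbelow(Q - 1) + 1

def upflow(r):
    """Rounds 1..n-1 (M_i -> M_{i+1}). Returns what reaches the broadcaster M_n:
    partials[j] = ALPHA^(r_1..r_{n-1} / r_{j+1}) and cardinal = ALPHA^(r_1..r_{n-1})."""
    partials, cardinal = [], ALPHA
    for r_i in r[:-1]:
        # M_i adds r_i to every value received and appends the one lacking r_i.
        partials = [pow(v, r_i, P) for v in partials] + [cardinal]
        cardinal = pow(cardinal, r_i, P)
    return partials, cardinal

def broadcast(r_n, k, partials, cardinal):
    """Round n: M_n derives the key before anyone else, then sends each M_i its
    partial value raised to r_n * K_in (k[i] is shared by M_{i+1} and M_n)."""
    key_n = pow(cardinal, r_n, P)
    msgs = [pow(v, r_n * k_in % Q, P) for v, k_in in zip(partials, k)]
    return key_n, msgs

def member_key(msg, r_i, k_in):
    """M_i removes K_in and adds its own r_i: msg^(K_in^-1 * r_i) mod p."""
    return pow(msg, pow(k_in, -1, Q) * r_i % Q, P)

def run_session(r, k):
    """Keys derived by M_1..M_n for secrets r (length n) and long-term keys k (length n-1)."""
    partials, cardinal = upflow(r)
    key_n, msgs = broadcast(r[-1], k, partials, cardinal)
    return [member_key(m, r_i, k_in) for m, r_i, k_in in zip(msgs, r, k)] + [key_n]

if __name__ == "__main__":
    n = 4
    k = [fresh_exponent() for _ in range(n - 1)]      # constructed long-term keys
    for session in (1, 2):                            # same members, fresh r_i each time
        keys = run_session([fresh_exponent() for _ in range(n)], k)
        print(session, keys, "agree" if len(set(keys)) == 1 else "MISMATCH")
```

Every member ends with $\alpha^{r_1 \cdots r_n}$, so the session key changes whenever any member draws a new $r_i$, and a member whose $K_{in}$ does not match the broadcaster's derives a different value.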
