
Dynamic security analysis of group key agreement protocol

H. Sun and D.D. Lin

Abstract: Group key agreement is a fundamental building block for increasingly collaborative applications. The protocol is more complicated than peer-to-peer communication owing to its dynamic characteristics, but the research to date on group key agreement protocols (GKAP) mainly focuses on static security, and the most distinctive dynamic characteristic of GKAP is difficult to analyse by existing methods. The paper attempts to extend strand space theory to analyse the dynamic security of GKAP. With the aid of the theory, the AT-GDH protocol is taken as an example to discuss the general conditions for the retention of security in dynamic cases. A new scheme is proposed for updating the session key when some member leaves the group, based on the SA-GDH.2 protocol, to avoid the single-point weakness.

1 Introduction

With the development of networks, group key agreement protocols [1–3] (GKAP) have become one of the hotspots in the research of security protocols. Attempts were first made to extend the simple key agreement protocols directly to GKAP, such as the A-GDH.2 [4, 5] protocol. But it was proved to be insecure because the entity authentication cannot be retained. Also, GKAP needs security retention in the case of dynamic member actions. In other words, whenever a new member joins the group or some group member exits, the protocol should remain secure. This makes it particularly difficult to extend the methods of protocol analysis and relate the simple protocols to group ones. We focus on applying strand space to describe and analyse the dynamic security of GKAP. We take AT-GDH as an example to prove the security under dynamic status. Then the general conditions for security retention in the case of dynamic member actions are derived. We also propose a new scheme for updating the session key when some member leaves the group, based on the SA-GDH.2 protocol, to avoid single-point failure.

2 Basic definitions of strand space theory and GKAP

In strand space theory [6, 7] an execution of a protocol includes a set of actions. We use send and receive actions to represent sending a message and receiving a message, respectively. For simplicity we denote $\langle \mathrm{send}\ a\rangle$ and $\langle \mathrm{receive}\ a\rangle$ as the signed terms $\langle +a\rangle$ and $\langle -a\rangle$, respectively. Then the set of finite sequences of signed terms, $(\pm A)^{*}$, describes the event sequences in the execution of the protocol. There may be different roles in an instance of the execution of a protocol. A strand represents a sequence of actions of an instance of a role.

Definition 1: A strand space is a set $S$ with a trace mapping $\mathrm{tr}: S \to (\pm A)^{*}$.

(i) A node is a pair $\langle s, i\rangle$ with $s \in S$ and $i$ an integer satisfying $1 \le i \le \mathrm{length}(\mathrm{tr}(s))$. We say $n = \langle s, i\rangle$ belongs to a strand $s$, denoted as $n \in s$. The set of nodes is denoted as $N$.

(ii) If $n = \langle s, i\rangle \in N$ then $\mathrm{index}(n) = i$ and $\mathrm{strand}(n) = s$. Define $\mathrm{term}(n)$ to be $(\mathrm{tr}(s))_i$, i.e. the $i$th signed term in the trace of $s$. Similarly, $\mathrm{uns\_term}(n)$ is $((\mathrm{tr}(s))_i)_2$, i.e. the unsigned part of the $i$th signed term in the trace of $s$.

(iii) If $n_1, n_2 \in N$, then $n_1 \to n_2$ means that $\mathrm{term}(n_1) = +a$ and $\mathrm{term}(n_2) = -a$. This represents that $n_1$ sends a message $a$ and $n_2$ receives the message.

(iv) If $n_1, n_2 \in N$, then $n_1 \Rightarrow n_2$ means that $n_1, n_2$ occur in the same strand with $\mathrm{index}(n_2) = \mathrm{index}(n_1) + 1$. This represents an event $n_1$ followed immediately by $n_2$ in the same strand.

(v) A term $t$ originates from a node $n \in N$ iff $\mathrm{sign}(n) = +$; $t \sqsubset \mathrm{term}(n)$; and whenever $n'$ precedes $n$ on the same strand, $t \not\sqsubset \mathrm{term}(n')$.

(vi) A term $t$ uniquely originates from node $n$ iff $t$ originates on a unique $n \in N$. Nonces and other freshly generated terms are usually uniquely originated.

Definition 2: A bundle represents the protocol execution. A bundle $C = (N_C, E)$ is a subgraph of $N$, where $E \subseteq (\to \cup \Rightarrow)$ is the set of edges and $N_C \subseteq N$ is the set of nodes incident with the edges in $E$. A bundle holds the following properties:

(i) C is non-empty and finite.

(ii) If $n_1 \in C$ and $\mathrm{sign}(n_1) = -$, then there is a unique $n_2$ such that $n_2 \to n_1 \in C$.

(iii) If $n_1 \in C$ and $n_2 \Rightarrow n_1$, then $n_2 \in C$.

(iv) C is acyclic.

In a bundle $C$, the $C$-height of a strand $s$ is the largest $i$ such that $\langle s, i\rangle \in C$. $C\text{-trace}(s) = ((\mathrm{tr}(s))_1, \ldots, (\mathrm{tr}(s))_m)$, where $m = C\text{-height}(s)$. For other definitions and detailed discussions of strand space theory refer to [6, 7]. As what we discuss is based on the DH problem, we define the subterm relation as $a \sqsubset g^x$ iff $a \sqsubset x$ or $a = g^x$ (here $a$ and $g^x$ are both terms). We denote the set of terms of the form $g^x$ as $G$, and we have $K \cap T \cap E \cap C \cap G = \emptyset$ [6, 7], where $K$ represents cryptographic keys, $T$ atomic messages, $E$ the space of encrypted text and $C$ concatenated messages. The number of group members changes frequently in a dynamic group protocol, but only one member joins or leaves the group in one step, so the bundle can still be deemed finite and satisfies the finiteness property of a bundle defined in strand space theory.

The authors are with the State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080, People's Republic of China

E-mail: [email protected]

© IEE, 2005

IEE Proceedings online no. 20045193

doi:10.1049/ip-com:20045193

Paper first received 5th September and in revised form 14th November 2004

134 IEE Proc.-Commun., Vol. 152, No. 2, April 2005

The AT-GDH protocol is an authenticated group key agreement protocol based on A-GDH.2 [4, 5]. To avoid the flaw existing in A-GDH.2 [4], all information is signed before transmission in the AT-GDH protocol. The AT-GDH protocol is as follows:

Step $i$ ($0 < i < n$): $M_i \to M_{i+1}$: $\{N, M_1 \cdots M_i, \{\alpha^{r_1 \cdots r_i/r_j} \mid j \in [1, i]\}, \alpha^{r_1 \cdots r_i}\}_{S_i}$

Step $n$: $M_n \to M_i$: $\{M_1 \cdots M_{n-1}, \{\alpha^{r_1 \cdots r_n/r_j} \mid j \in [1, n]\}, H(\alpha^{r_1 r_2 \cdots r_n})\}_{S_n}$

$K = \alpha^{r_1 r_2 \cdots r_n}$

Here, $N$ is the nonce challenge of $M_n$, $M_1, \ldots, M_i$ are the members of the group, $H(\ )$ is a hash function, $S_i$ is the signature key of $M_i$ and $K$ is the session key of the group.
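As an added illustration (not from the paper), the following Python checks the origination conditions of Definition 1 and the four bundle properties of Definition 2 on a constructed two-member AT-GDH run whose traces have the shape used later in Theorem 2 ($M_n$ begins with $+N$). The subterm relation is plain structural containment, so the DH-specific rule above is not modelled; strand names, message layout and the node numbering are assumptions of the example.

```python
"""Added example (not from the paper): origination (Definition 1(v)/(vi)) and
the bundle properties of Definition 2 checked on a constructed two-member
AT-GDH run. A trace is a list of (sign, term), sign +1 = send, -1 = receive;
terms are nested tuples. Node (s, i) is the i-th node (0-based) of strand s."""
from collections import defaultdict

def subterm(t, term):
    """t is a subterm of term if equal to it or to a nested component."""
    if t == term:
        return True
    return isinstance(term, tuple) and any(subterm(t, c) for c in term)

def origination_nodes(strands, t):
    """Nodes on which t originates: a positive node containing t whose
    predecessors on the same strand do not contain t (Definition 1(v))."""
    found = []
    for s, trace in strands.items():
        for i, (sign, term) in enumerate(trace):
            if sign == +1 and subterm(t, term) and \
               not any(subterm(t, prev) for _, prev in trace[:i]):
                found.append((s, i))
    return found

def _has_cycle(adj, nodes):
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in nodes}
    def visit(n):
        colour[n] = GREY
        for m in adj[n]:
            if colour[m] == GREY or (colour[m] == WHITE and visit(m)):
                return True
        colour[n] = BLACK
        return False
    return any(colour[n] == WHITE and visit(n) for n in nodes)

def bundle_violations(strands, heights, send_edges):
    """Return the violated properties of Definition 2 (empty list = bundle).
    heights[s] is the C-height of strand s: nodes 0..h-1 are in C, so the
    => closure of property (iii) holds by construction. send_edges is a
    set of ((s1, i1), (s2, i2)) pairs meaning n1 -> n2."""
    nodes = {(s, i) for s, h in heights.items() for i in range(h)}
    problems = []
    if not nodes:
        problems.append("(i) bundle is empty")
    incoming = defaultdict(list)
    for n1, n2 in send_edges:
        if n1 in nodes and n2 in nodes:
            incoming[n2].append(n1)
    for s, i in sorted(nodes):                 # property (ii)
        sign, term = strands[s][i]
        if sign == -1:
            senders = incoming[(s, i)]
            if len(senders) != 1:
                problems.append(f"(ii) {(s, i)} has {len(senders)} senders")
            elif strands[senders[0][0]][senders[0][1]] != (+1, term):
                problems.append(f"(ii) sender of {(s, i)} sent another term")
    adj = defaultdict(list)
    for s, i in nodes:
        if (s, i + 1) in nodes:
            adj[(s, i)].append((s, i + 1))     # => edges
    for n2, senders in incoming.items():
        for n1 in senders:
            adj[n1].append(n2)                 # -> edges
    if _has_cycle(adj, nodes):                 # property (iv)
        problems.append("(iv) bundle has a cycle")
    return problems

# Constructed AT-GDH run with n = 2, signatures written symbolically: M2 sends
# its nonce N, M1 answers {N, M1, alpha^r1}_S1, M2 broadcasts
# {M1, alpha^(r1 r2 / r1), H(alpha^(r1 r2))}_S2, so S2 has height 3.
N = "N"
MSG1 = ("sig", "S1", (N, "M1", "alpha^r1"))
MSG2 = ("sig", "S2", ("M1", "alpha^r1r2/r1", "H(alpha^r1r2)"))
STRANDS = {"M1": [(-1, N), (+1, MSG1), (-1, MSG2)],
           "M2": [(+1, N), (-1, MSG1), (+1, MSG2)]}
HEIGHTS = {"M1": 3, "M2": 3}
EDGES = {(("M2", 0), ("M1", 0)), (("M1", 1), ("M2", 1)), (("M2", 2), ("M1", 2))}

def demo():
    """The full run is a bundle; dropping M1's send edge violates (ii)."""
    ok = bundle_violations(STRANDS, HEIGHTS, EDGES)
    broken = bundle_violations(STRANDS, HEIGHTS, EDGES - {(("M1", 1), ("M2", 1))})
    return ok, broken, origination_nodes(STRANDS, N)
```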

3 Security analysis of AT-GDH protocol

In strand space theory the analysis of authentication depends on the unique origination of terms. In general, the realisation of authentication in a protocol requires an authenticator to originate a unique special term so that the verifier can confirm that the creator of the term is indeed the authenticator. Here we denote this term as auth_term; examples are $\{N_a N_b B\}_{K_b}$ and $\{N_b\}_{K_a}$ in the NSL protocol [6].

Definition 3: For any two strands $s_1, s_2$, if there exists a negative node $n_2$ on $s_2$, and we can make sure there exists a positive node $n_1$ that originates uniquely on $s_1$ ($n_1$ is the $l_1$-th node on $s_1$), we say $s_2$ authenticates $\langle s_1, l_1\rangle$.

Definition 4: We call the node $n_2$ in Definition 3 an incoming-auth_node of $s_2$.

Proposition 1: For any two adjacent strands $s_1$ and $s_2$, $s_2$ authenticates $s_1$ iff there exists an incoming-auth_node $n$ on $s_2$ and $\mathrm{term}(n)$ uniquely originates on $s_1$.

Definition 5: For two nodes $n_1$ and $n_2$, if there exists a path composed of $\to$ and $\Rightarrow$ alternately from $n_1$ to $n_2$, we say $n_1 \preceq n_2$.

Theorem 1: Let $C$ be a bundle, $S_1, \ldots, S_m$ strands in $C$, $n_1, \ldots, n_m$ the incoming-auth_nodes on $S_1, \ldots, S_m$, respectively, and $n_1 \preceq \cdots \preceq n_m$. If $S_j$ can authenticate $S_i$ ($0 \le i < j \le m$, and $j = i + 1$), then $S_m$ can authenticate $S_1$.

Proof: $S_m$ can authenticate $S_{m-1}$. By Proposition 1, the term of the incoming-auth_node $n_m$ of $S_m$ uniquely originates on $S_{m-1}$. Suppose $n_m$ can confirm the $l_{m-1}$-th node $n'$ on $S_{m-1}$; then $S_m$ can authenticate $\langle S_{m-1}, l_{m-1}\rangle$. Obviously $n'$ is a positive node. The incoming-auth_node $n_{m-1}$ of $S_{m-1}$ has $n_{m-1} \preceq n_m$, so $n_{m-1} \preceq n' \preceq n_m$. $S_{m-1}$ can authenticate $S_{m-2}$, and $\mathrm{term}(n_{m-1})$ uniquely originates on $S_{m-2}$. Suppose it originates on the $l_{m-2}$-th node of $S_{m-2}$; then $S_m$ can authenticate $\langle S_{m-2}, l_{m-2}\rangle$. Similarly, by $n_1 \preceq \cdots \preceq n_{m-2}$ we can prove inductively that $S_m$ authenticates $S_1$. ∎

This theorem describes the authentication pipeline composed of auth_terms. We call this path the history from $\mathrm{term}(n)$ to $\mathrm{term}(n')$ ($n \preceq n'$). The theorem describes how authentication transfers among group members in GKAP. Now we analyse the static security of the AT-GDH protocol. For succinctness we only analyse the authentication of the AT-GDH protocol; the analysis of the other security properties is easy, refer to [4, 6, 8, 9].

Theorem 2: In the AT-GDH protocol, if every session secret $r_i$ is uniquely originated and no signature key has been leaked, then for any two group members $M_i$ and $M_j$, $M_i$ can authenticate $M_j$. When $j \ne n$ the height of strand $j$ is at least 2; when $j = n$ the height of strand $j$ is at least 3.

Proof: By the traces of the participants we know that for any two adjacent users $M_i$ and $M_{i+1}$ there must exist a pair of nodes $n, n'$ satisfying $n \to n'$ and $\mathrm{uns\_term}(n) = \mathrm{uns\_term}(n') = \{N, M_1 \cdots M_i, (\alpha^{r_1 \cdots r_i/r_j}) \mid j \in [1, i], \alpha^{r_1 \cdots r_i}\}_{S_i}$. For the node $n'$ on strand $S_{i+1}$, $\mathrm{term}(n') = -\{N, M_1 \cdots M_i, (\alpha^{r_1 \cdots r_i/r_j}) \mid j \in [1, i], \alpha^{r_1 \cdots r_i}\}_{S_i}$; let $S = \{t \mid \mathrm{uns\_term}(t) = \{N, M_1 \cdots M_i, (\alpha^{r_1 \cdots r_i/r_j}) \mid j \in [1, i], \alpha^{r_1 \cdots r_i}\}_{S_i}\}$. Obviously this set is not empty, and because the bundle is finite there exists a minimal member $n$ of the set with $\mathrm{term}(n) = +\{N, M_1 \cdots M_i, (\alpha^{r_1 \cdots r_i/r_j}) \mid j \in [1, i], \alpha^{r_1 \cdots r_i}\}_{S_i}$. As $r_i$ is uniquely originated and the signature key has not been leaked, by the traces $n$ is the second node on $S_i$. Therefore user $M_{i+1}$ can authenticate the entity of user $M_i$, and the height of $S_i$ is at least 2. The height of $S_n$ is at least 3 when users $M_1, \ldots, M_{n-1}$ authenticate $M_n$, because $S_n$ has an originating node $+N$. Hence for any two adjacent users there exists a pair of nodes $n$ and $n'$ such that $\mathrm{term}(n)$ and $\mathrm{term}(n')$ are auth_terms and $n'$ is a negative node. By Definition 4, $n'$ is an incoming-auth_node before a positive node. So there exists a list of incoming-auth_nodes $n_1 \preceq \cdots \preceq n_n$. By Theorem 1 the authentication is satisfied. ∎

4 Dynamic security analysis of the AT-GDH-MA protocol

We now consider the dynamic case of the AT-GDH protocol. For convenience, we consider just the case when a new member joins the group (AT-GDH-MA protocol); the dynamic analysis when a member leaves is similar. The AT-GDH-MA protocol [4] is as follows:

$M_n \to M_{n+1}$: $\{N, M_1 \cdots M_n, (\alpha^{r_1 \cdots r_n r'/r_j}) \mid j \in [1, n], \alpha^{r_1 \cdots r_n r'}\}_{S_n}$

$M_{n+1} \to M_i$: $\{N, M_1 \cdots M_n, (\alpha^{r_1 \cdots r_{n+1} r'/r_i}) \mid i \in [1, n+1], H(\alpha^{r_1 r_2 \cdots r_{n+1} r'})\}_{S_{n+1}}$

$K' = \alpha^{r_1 r_2 \cdots r_{n+1} r'}$

Here $M_{n+1}$ is the new member, and $r'$ and $r_{n+1}$ are new random numbers originated by $M_n$ and $M_{n+1}$, respectively. The analysis of this protocol is similar to that for the AT-GDH protocol. From the foregoing, the authentication among $M_1, \ldots, M_n$ has been proved; here we just need to discuss the authentication between $M_1, \ldots, M_n$ and $M_{n+1}$. Because the signature key has not been leaked, by verifying the broadcast information $M_1, \ldots, M_n$ can authenticate $M_{n+1}$. By the same method used in the previous Section, $M_{n+1}$ can authenticate $M_n$. So now any two adjacent users can authenticate each other and there exists a list of incoming-auth_nodes $n_1 \preceq \cdots \preceq n_{n+1}$. The conditions of Theorem 1 have been satisfied, so the authentication of the AT-GDH-MA protocol can be guaranteed. The analysis of the secrecy of the protocol is the same as for the AT-GDH protocol [4, 8, 9]. Here we need to show the independence of the new session key $K'$ from the previous session key $K$. If $K$ has been leaked, because $r'$ and $r_{n+1}$ are uniquely originated the attacker cannot obtain $r'$ and $r_{n+1}$ effectively, so $K'$ will not be leaked. If $K'$ has been leaked, the attacker needs to obtain $K$ from $K'$, which requires solving the discrete logarithm problem and is computationally infeasible. So the independence of the session key can be guaranteed.
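As an added example (not the paper's code), the following Python carries the exponent bookkeeping of AT-GDH (Section 2) through the AT-GDH-MA join above in a constructed toy group: it checks that all $n+1$ members derive the same $K'$ and that $K' = K^{r' r_{n+1}}$, the relation on which the independence argument rests. Signatures and the nonce $N$ are omitted, and the modulus, generator and secrets are toy values chosen for the example.

```python
"""Added example (not the paper's code): AT-GDH key agreement followed by an
AT-GDH-MA join in a constructed toy group. Only the DH values alpha^{...}
carried inside the signed messages are computed; signatures and N are
omitted. Members are numbered 1..n and secrets[i-1] is r_i."""
import hashlib

P = 2**127 - 1          # toy modulus (a Mersenne prime), not a real DH group
ALPHA = 3               # toy generator

def H(x):
    """Key-confirmation hash H( ) of a group element."""
    return hashlib.sha256(str(x).encode()).hexdigest()

def upflow_step(i, received, r_i):
    """Step i of AT-GDH for M_i. received holds the partials
    alpha^{r_1..r_{i-1}/r_j} (j < i) and the cardinal alpha^{r_1..r_{i-1}}.
    M_i raises each partial by r_i, keeps the old cardinal as its own
    partial (it equals alpha^{r_1..r_i/r_i}) and raises the cardinal."""
    partials = {j: pow(v, r_i, P) for j, v in received["partials"].items()}
    partials[i] = received["cardinal"]
    return {"partials": partials, "cardinal": pow(received["cardinal"], r_i, P)}

def at_gdh(secrets):
    """Steps 1..n. Returns M_n's broadcast (partials plus H(K)) and K."""
    state = {"partials": {}, "cardinal": ALPHA}
    for i, r_i in enumerate(secrets, start=1):
        state = upflow_step(i, state, r_i)
    K = state["cardinal"]
    return {"partials": state["partials"], "hash": H(K)}, K

def derive_key(broadcast, i, r_i):
    """M_i computes K = (alpha^{r_1..r_n/r_i})^{r_i} and checks H(K)."""
    K = pow(broadcast["partials"][i], r_i, P)
    if H(K) != broadcast["hash"]:
        raise ValueError(f"M_{i}: key confirmation failed")
    return K

def join_offer(broadcast, K, r_prime):
    """M_n -> M_{n+1} in AT-GDH-MA: partials and K raised by the fresh r',
    giving alpha^{r_1..r_n r'/r_j} for j <= n and alpha^{r_1..r_n r'}."""
    return {"partials": {j: pow(v, r_prime, P)
                         for j, v in broadcast["partials"].items()},
            "cardinal": pow(K, r_prime, P)}

def join(secrets, r_prime, r_new):
    """Agreement among n members, then M_{n+1} joins with secret r_new.
    Returns (old key K, new key K', keys derived by the n+1 members)."""
    n = len(secrets)
    bcast, K = at_gdh(secrets)
    old_keys = [derive_key(bcast, i, secrets[i - 1]) for i in range(1, n + 1)]
    if any(k != K for k in old_keys):
        raise ValueError("members disagree on K")
    # M_{n+1} acts as member n+1 of the upflow on M_n's offer, then broadcasts.
    state = upflow_step(n + 1, join_offer(bcast, K, r_prime), r_new)
    K_new = state["cardinal"]
    bcast2 = {"partials": state["partials"], "hash": H(K_new)}
    all_secrets = secrets + [r_new]
    new_keys = [derive_key(bcast2, i, all_secrets[i - 1]) for i in range(1, n + 2)]
    return K, K_new, new_keys

def demo():
    """K' = K^{r' r_{n+1}}: the new key is tied to K only through the two
    freshly originated secrets, which is the independence argument above."""
    K, K_new, keys = join([11, 23, 37, 41], r_prime=53, r_new=67)
    return K_new == pow(K, 53 * 67, P) and all(k == K_new for k in keys)
```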

From the A-GDH.2, AT-GDH and AT-GDH-MA protocols, we find that they have a common pattern: the calculation of the session key is based on an exponential operation; the objects of a user's operation are the elements of $G$; the last user broadcasts information to finish the agreement of the session key; and the manner of originating the session key and the manner of adding a member are similar. So now we can derive from this pattern the general conditions under which the protocol can remain secure when the group membership undergoes dynamic transformation.

For convenience we define some notation. The original bundle is denoted $C$, the set of new nodes and edges when a new member joins the group is denoted $C^{\ast}$, and the new bundle is denoted $C'(C, r', r'')$, where $r'$ and $r''$ are the new random numbers. Obviously $C'(C, r', r'') = C \cup C^{\ast}$. We call the node that sends information to a new member the open node; we require that in our pattern the open node is unique. $I_C(P)$ [10] denotes the ideal that the attacker constructs from knowledge obtained from $C$ and from what was already held.

Theorem 3: Suppose the security of $C$ has been proved, and the open node in $C$ is the last node of the broadcaster $M_n$. The new member can authenticate the entity of $M_n$; $r', r''$ are uniquely originated by $M_n$ and the new member ($M_{n+1}$), respectively. Other users can use the information broadcast by $M_{n+1}$ as incoming-auth_nodes. For any node $n \in C^{\ast}$, $\mathrm{term}(n) \notin I_C(P)$. If the new session key is $K' = K^{r' r''}$ and $(K', K, r', r'') \notin I_{C^{\ast}}(P)$, then $C'(C, r', r'')$ can retain the security of $C$.

Proof: The authentication of $C$ has been proved and, because for any node $n \in C^{\ast}$ $\mathrm{term}(n) \notin I_C(P)$, the attacker cannot fabricate the auth_terms. Other users can use the information broadcast by $M_{n+1}$ as incoming-auth_node, so $M_1, \ldots, M_n$ can authenticate $M_{n+1}$. The authentication of $M_{n+1}$ to $M_1, \ldots, M_n$ is the same as in the AT-GDH-MA protocol: $M_{n+1}$ can authenticate $M_n$, and the fact that the open node in $C$ is the last node of the broadcaster $M_n$ guarantees the existence of the authentication path from $M_{n+1}$ to $M_i$. By Theorem 1, the authentication can be retained. Because $r', r''$ are uniquely originated by $M_n$ and $M_{n+1}$, respectively, and for any node $n \in C^{\ast}$, $\mathrm{term}(n) \notin I_C(P)$, the terms in the broadcast information depend on $r'$ and $r''$. By $K' = K^{r' r''}$ and $(K', K, r', r'') \notin I_{C^{\ast}}(P)$, we have $K' \notin I_{C^{\ast}}(P)$. So the attacker cannot obtain the new session key. By $(K, r', r'') \notin I_{C^{\ast}}(P)$ and the deducible relation between $K' = K^{r' r''}$ and $K$, the attacker cannot obtain $K'$ from $K$. Getting $K$ from $K'$ requires solving the discrete logarithm problem, so the independence of the session key can be retained. ∎

When a member leaves the group the analysis of this case is relatively simple, because no new nodes or edges originate.

Theorem 4: Suppose the security of $C$ has been proved. After the member has left the group, the new random secret $r'_i$ is uniquely originated by the new broadcaster, and for every $\mathrm{term}(n)$ in the information that must be transmitted to update the session key, $\mathrm{term}(n) \notin I_C(P)$. If the new session key is $K' = K^{r'_i}$ and $(K', K, r'_i) \notin I_{C^{\ast}}(P)$, then $C'(C, r'_i)$ can retain the security of $C$.

Proof: Because there are no new members, the authentication of the remaining members has already been proved, so $C'$ retains the authentication. The analysis of the other security properties is similar to Theorem 3. ∎

5 New session key updating scheme based on the SA-GDH.2 protocol

The SA-GDH.2 protocol [11] is also a variant of the A-GDH.2 protocol. In SA-GDH.2 every two members, such as $M_i$ and $M_j$, share a secret key $K_{ij}$ and its inverse. These secret keys are used for authentication. For simplicity we omit these keys from the exponents of the messages; the simplified SA-GDH.2 protocol is as follows:

(i) $M_i$ chooses $r_i$ randomly.

(ii) $M_i$ receives a set $\{V_k \mid 1 \le k \le n\}$ (for $M_1$ the set is $\emptyset$), where

$$V_k = \begin{cases} \alpha^{r_1 \cdots r_{i-1}/r_k} & \text{if } k \le (i-1) \\ \alpha^{r_1 \cdots r_{i-1}} & \text{if } k > (i-1) \end{cases}$$

(iii) $M_i$ updates $V_k$:

$$V_k = \begin{cases} (V_k)^{r_i} = \alpha^{r_1 \cdots r_i/r_k} & \text{if } k < i \\ (V_k)^{r_i} = \alpha^{r_1 \cdots r_i} & \text{if } k > i \\ V_k & \text{if } k = i \end{cases}$$

(iv) $M_i$ sends $V_k$ to $M_{i+1}$; if $i = n$, broadcasts $(V_1, \ldots, V_{n-1})$.

In this protocol the number of terms processed by every member is the same. Now we suppose this protocol applies the same signature scheme and hash function as the AT-GDH protocol; for convenience we ignore these as previously. Now this protocol is deemed to be secure; the security analysis of this protocol is similar to that of the AT-GDH protocol. But obviously, when a member (denoted by $M_j$, $j \ne n$) leaves the group, $M_n$ originates a new nonce $r'$ and recomputes the broadcast information $\{N, M_1 \cdots M_n \setminus M_j, (\alpha^{r_1 \cdots r_n r'/r_i}) \mid i \in [1, n] \setminus j, H(\alpha^{r_1 \cdots r_n r'})\}_{S_n}$, then broadcasts the new information to make every member compute the new session key. Now the security of the new session key depends only on the new nonce $r'$, which is originated by $M_n$. So if some member $M_k$ obtains the private key of $M_n$, that member can leave the group at once and, when the session key is updated, can substitute for $M_n$ in originating the new nonce, so that $M_k$ can get the new session key $K'$ ($K' = K^{r'}$) while no longer being a member of the group. This weakness arises because the new session key depends only on $M_n$ and the new announcer is fixed. Strictly speaking, if the new announcer is fixed this weakness cannot be avoided, because $M_j$ can always attack the new announcer and, as long as $M_j$ obtains the announcer's private key, it can complete the attack and no other member of the group can validate the new session key. To avoid this weakness we propose a new scheme for updating the session key when a group member leaves, which makes the new announcer unfixed.

First we describe the improved SA-GDH.2 protocol. For convenience we do not consider the key shared by group members. As in the AT-GDH protocol, we suppose each member has a private key and a public key for signature, and that mutual authentication has been realised. The SA-GDH.2 protocol when some member leaves is as follows. When $M_i$ ($i \ne n$) leaves, $M_n$ will not be the new announcer but chooses the new announcer randomly as follows (here $r_i$ denotes the random nonce held by $M_i$ in the previous session):

(i) $M_n$ chooses two nonces $r', r''$ randomly and uses $r''$ to update the $V_k$ ($1 \le k \le n$ and $k \ne i$) received, sets $r_n = r_n r''$ and at the same time chooses one member from $M_1, \ldots, M_{i-1}, M_{i+1}, \ldots, M_{n-1}$ randomly as the new announcer, say $M_j$, then constructs $(\alpha^{r_1 \cdots r_n r'/r_j}, H(\alpha^{r_1 \cdots r_n r'}))$ and sends the pair of values and $V_k$ to $M_1$;

(ii) When member $M_m$ ($1 \le m \le j$ and $m \ne i$) receives $(\alpha^{r_1 \cdots r_n r'/r_j}, H(\alpha^{r_1 \cdots r_n r'}))$ and the updated $V_k$, he uses his $r_m$ and $\alpha^{r_1 \cdots r_n r'/r_j}$ to compute $H(\alpha^{r_1 \cdots r_n r_m r'/r_j})$.

(a) If the result equals the hash value received, $M_m$ becomes the new announcer, namely $m = j$. $M_j$ originates a new nonce $r'_j$, updates $V_k$, broadcasts $(V_1, \ldots, V_n) \setminus V_i$ and computes the new session key;

(b) If not, $M_m$ chooses $r'_m$ randomly and updates $V_k$, then sends $(\alpha^{r_1 \cdots r_n r' r'_m/r_j}, H(\alpha^{r_1 \cdots r_n r' r'_m}))$ and $V_k$ to the next member and updates $r_m = r_m r'_m$; go to step (ii).

If $M_n$ leaves, $M_{n-1}$ will finish as described. If $M_1$ leaves, $M_2$ will be the next member after $M_n$. Now the new session key becomes $K' = \alpha^{r_1 \cdots r_n r'}$, where $r_n$ and $r_m$ ($1 \le m \le j$, $m \ne i$) are the current nonces of the members.
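As an added example (not the paper's code), the following Python models steps (i) and (ii)(a) of the scheme above in a constructed toy group: $M_n$ re-randomises the $V_k$ with $r''$ and builds the pair $(\alpha^{r_1 \cdots r_n r'/r_j}, H(\alpha^{r_1 \cdots r_n r'}))$, the remaining members test it in turn, and only $M_j$ reproduces the hash. Assumed simplifications: signatures are omitted, the $r'_m$ re-randomisation of step (ii)(b) is left out (non-matching members forward the pair unchanged), and the announcer's broadcast is the $V_k$ raised by its fresh $r'_j$, so every remaining member derives the same $K'$ while the departed member cannot; modulus, generator and all nonces are toy values.

```python
"""Added example (not the paper's code): announcer selection in the improved
SA-GDH.2 leave procedure, steps (i) and (ii)(a), in a constructed toy group.
Simplifications: no signatures; the r'_m re-randomisation of step (ii)(b) is
left out, so non-matching members forward the pair as is; the announcer M_j
broadcasts the V_k raised by its fresh r'_j and every remaining member
derives K' = V_k^{r_k}. Members are numbered 1..n and secrets[i-1] is r_i."""
import hashlib

P = 2**127 - 1          # toy modulus, not a real DH group
ALPHA = 3               # toy generator

def H(x):
    return hashlib.sha256(str(x).encode()).hexdigest()

def held_values(secrets):
    """V_k = alpha^{r_1..r_n/r_k} for every k, as held after a complete
    SA-GDH.2 run (computed directly; the run itself is not modelled)."""
    n = len(secrets)
    V = {}
    for k in range(1, n + 1):
        e = 1
        for j, r in enumerate(secrets, start=1):
            if j != k:
                e *= r
        V[k] = pow(ALPHA, e, P)
    return V

def step_i(secrets, leaving, j, r_prime, r_dprime):
    """M_n drops V_leaving, raises the other members' V_k by r'' (its own
    V_n stays, since V_n lacks r_n) so that r_n := r_n r'', and builds the
    pair (alpha^{r_1..r_n r'/r_j}, H(alpha^{r_1..r_n r'})) for its choice M_j."""
    n = len(secrets)
    V = {k: (v if k == n else pow(v, r_dprime, P))
         for k, v in held_values(secrets).items() if k != leaving}
    r_n = secrets[n - 1] * r_dprime
    base = pow(V[n], r_n, P)                     # alpha^{r_1..r_n} with new r_n
    pair = (pow(V[j], r_prime, P), H(pow(base, r_prime, P)))
    return V, pair, r_n

def step_ii_check(pair, r_m):
    """M_m's test of step (ii): H((alpha^{r_1..r_n r'/r_j})^{r_m}) == hash?"""
    return H(pow(pair[0], r_m, P)) == pair[1]

def leave(secrets, leaving, j, r_prime, r_dprime, r_j_new):
    """Run the procedure. Returns (announcer found by the hash check,
    {member: K' it derives}, whether the departed member can obtain K')."""
    n = len(secrets)
    V, pair, r_n = step_i(secrets, leaving, j, r_prime, r_dprime)
    current = {k: secrets[k - 1] for k in range(1, n + 1) if k != leaving}
    current[n] = r_n
    announcer = None
    for m in range(1, n):                        # M_1, M_2, ... in turn
        if m != leaving and step_ii_check(pair, current[m]):
            announcer = m
            break
    if announcer is None:
        raise RuntimeError("no member recognised itself as announcer")
    # step (ii)(a): M_j re-randomises with r'_j (own V_j unchanged) and
    # broadcasts; each remaining M_k derives K' = V_k^{r_k}.
    current[announcer] *= r_j_new
    bcast = {k: (v if k == announcer else pow(v, r_j_new, P)) for k, v in V.items()}
    keys = {k: pow(bcast[k], current[k], P) for k in bcast}
    K_new = keys[announcer]
    # The departed member still knows r_leaving, but its V was dropped from
    # the broadcast, so raising any broadcast value by r_leaving misses K'.
    departed_gets_key = any(pow(v, secrets[leaving - 1], P) == K_new
                            for v in bcast.values())
    return announcer, keys, departed_gets_key

def demo():
    announcer, keys, leaked = leave([11, 23, 37, 41, 53], leaving=2, j=3,
                                    r_prime=59, r_dprime=61, r_j_new=67)
    return announcer, len(set(keys.values())), leaked
```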

The security of the new session key does not depend only on the nonce originated by $M_n$ but on the $j+1$ nonces originated by the members from the previous announcer $M_n$ (if $M_n$ leaves, it is $M_{n-1}$) to the new announcer $M_j$ (if $1 \le i < j$, it is $j$ nonces). Obviously the new announcer is not fixed but chosen randomly. When some attacker gets the private key of $M_n$, the attacker can only choose the new announcer $M_j$ and a new nonce; to complete the attack, the private key of $M_j$ must also be acquired, so the difficulty for the attacker has been doubled. Certainly, when $M_j$ affirms itself as the new announcer, another new announcer can be chosen by $M_j$ as was done by $M_n$; this will further boost the security. So the degree of choice depends on the security requirement. The security analysis of this scheme is similar to that of the AT-GDH and SA-GDH.2 protocols [4, 8, 9].

The new scheme effectively avoids single-point failure and enhances the overall security, at the cost of some efficiency. Compared with the original scheme for updating the session key, our scheme adds a process of selecting a new broadcaster, and in this process some efficiency is traded for security. The original scheme takes $n-1$ modular exponentiations to build a new broadcast message when a member leaves the group. When the remaining members receive the broadcast message they each take one modular exponentiation to update the session key. This makes a total of $(2n-3)$ modular exponentiations. The additional process in our scheme takes $(j+1)$ more modular exponentiations in the selection process, where $0 \le j \le n$. Of course, if $j$ is too large, such as $n$, the overall efficiency will decrease but the security will increase greatly. So one should choose an appropriate $j$ to balance the requirements of efficiency against security for a particular application. For $n - j = 2$, for example, our scheme has the same order of computation as the original one but achieves higher security.

6 Conclusions

We have described and analysed the security of GKAP based on strand space theory. By analysing the AT-GDH and AT-GDH-MA protocols, we gave the general conditions under which a kind of GKAP with the same pattern as the AT-GDH protocol can remain secure when the members of the group are in dynamic transformation. At the same time, we proposed a new scheme based on the SA-GDH.2 protocol to avoid the weakness existing in the primary version. This scheme can improve the security of the protocol. Of course, the improvement may cause a decrease in system efficiency. One should choose the optimisation according to the requirement.

7 Acknowledgment

This work was supported by the National Natural Science Foundation of China (NSFC90204016, NSFC60373048) and the National High Technology Development Program of China under grant 2003AA144030.

8 References

1 Steiner, M., Tsudik, G., and Waidner, M.: 'Diffie–Hellman key distribution extended to group communication'. Proc. 3rd ACM Conf. on Computer and Communications Security, New Delhi, India, 1996, pp. 31–37

2 Steiner, M., Tsudik, G., and Waidner, M.: 'CLIQUES: A new approach to group key agreement'. Proc. IEEE Int. Conf. ICDCS'97, Baltimore, USA (IEEE Computer Society Press, 1997), pp. 380–387

3 Just, M., and Vaudenay, S.: 'Authenticated multi-party key agreement'. Proc. AsiaCrypt'96 Conf., Kyongju, South Korea, 1996 (Lect. Notes Comput. Sci., 1163, pp. 36–49)

4 Pereira, O.: 'Modelling and security analysis of authenticated group key agreement protocols'. PhD thesis, Louvain-la-Neuve, Belgium, 2003

5 Pereira, O., and Quisquater, J.-J.: 'A security analysis of the cliques protocols suites'. Proc. 14th IEEE Workshop on Computer Security Foundations, Cape Breton, Canada, 2001, pp. 73–81

6 Thayer, F.J., Herzog, J.C., and Guttman, J.D.: 'Strand spaces: Proving security protocols correct', J. Comput. Security, 1999, 7, (2/3), pp. 191–230

7 Guttman, J.D., and Thayer, F.J.: 'Authentication tests'. Proc. IEEE Symp. on Security and Privacy, May 2000

8 Bresson, E., Chevassut, O., and Pointcheval, D.: 'Provably authenticated group Diffie–Hellman key exchange: the dynamic case'. Proc. AsiaCrypt, Gold Coast, Australia, 2001 (Lect. Notes Comput. Sci., 2248, pp. 290–309)

9 Bresson, E., Chevassut, O., and Pointcheval, D.: 'Dynamic group Diffie–Hellman key exchange under standard assumptions'. Proc. Eurocrypt, Amsterdam, The Netherlands, 2002 (Lect. Notes Comput. Sci., 2332, pp. 321–336)

10 Fabrega, F.J.T., Herzog, J.C., and Guttman, J.D.: 'Honest ideals on strand spaces'. Proc. 11th IEEE Workshop on Computer Security Foundations, June 1998

11 Ateniese, G., Steiner, M., and Tsudik, G.: 'New multiparty authentication services and key agreement protocols', IEEE J. Sel. Areas Commun., 2000, 18, (4), pp. 628–639
