- Email: [email protected]
SGKMP: A scalable group key management protocol
Sustainable Cities and Society 39 (2018) 37–42
Contents lists available at ScienceDirect
Sustainable Cities and Society journal homepage: www.elsevier.com/locate/scs
SGKMP: A scalable group key management protocol a,⁎
a
b
b
T c
d
Shaukat Ali , Azhar Rauf , Naveed Islam , Haleem Farman , Bilal Jan , Murad Khan , Awais Ahmade a
Department of Computer Science, University of Peshawar, Pakistan Department of Computer Science, Islamia College University, Peshawar, Pakistan Department of Computer Science, FATA University, FR Kohat, Pakistan d Department of Computer Science & IT, Sarhad University of Science and Information Technology, Peshawar, Pakistan e Department of Information and Communication Engineering, Yeungnam University, Gyeongsan, Republic of Korea b c
A R T I C L E I N F O
A B S T R A C T
Keywords: Security Group key Group communication Elliptic curve cryptography
The Online Social Network (OSN) has changed the ways of communication among users from one-to-one toward the group communication. The users of a particular group are interested in communicating securely among the group members using secure group key. Although the data remains secure during the transmission when it is encrypted with the group key, however, the group key management and generation is a challenge while using the insecure channel and untrusted server. The contributory key management is a solution in such situations, but the creation process of the group key, among the group members itself, is a challenge. In the literature, the contributory key generation requires at least n rounds to accomplish the group key generation process. Modification in a group requires the re-keying process for backward and forward security, and it also needs the same number of rounds again. In this paper, a scalable group key management protocol (SGKMP) is proposed, which requires only two rounds to complete the group key generation process, irrespective of group size and it is secure from the eavesdropper in the middle. The backward and forward secrecy is maintained when any user joins or leaves the group while doing a single activity by the group leader. The proposed protocol is implemented using Java as a programming language in order to validate the applicability of the protocol.
1. Introduction With the emergence of network technologies, the communication among the online users increases day by day. However, in social networking through online services have created vulnerabilities regarding privacy and security. The unicast communication can easily be secured as compared to group communication by using the encryption techniques but in the shared environment, there are situations where the group communication is needed, for example, stock quote distribution, scientific discussions, project management, teleconferencing, etc. For group communication, a secure group key is required to protect the communication from unauthorized users, but group key management is an issue during the key setup phase and key update phase whenever a user leaves or joins the group. The group key management techniques that have been proposed in the literature can be mainly classified into three categories: centralized group key management, decentralized group key management, and contributory group key management schemes (Aparna & Amberker, 2009). In centralized group key management scheme, a single trusted key distribution center is used which
⁎
is responsible for the creation and secure distribution of the group key to all the group members (Canetti, Garay, et al., 1999; Canetti, Malkin, & Nissim, 1999; Harn, Hsu, & Li, 2016; Rafaeli & Hutchison, 2003; Raji, Miri, & Davarpanah Jazi, 2014; Sherman & McGrew, 2003). In decentralized key management scheme, the entire group is divided into more than one distinct subgroups, and each subgroup is managed by a manager (De Salve, Di Pietro, Mori, & Ricci, 2016; Dondeti, Mukherjee, & Samal, 1999; Molva & Pannetrat, 1999; Sepulveda, Flórez, Immler, Gogniat, & Sigl, 2017). In contributory key agreement schemes, there is no centralized authority, in this scheme all the group members contribute equally to generate the secure group key, but the problem with the contributory key management scheme is the use of multiple rounds carried out during the group key generation (Chen, Huang, & Jan, 2016; Kim, Perrig, & Tsudik, 2000; Steiner, Tsudik, & Waidner, 1996; Wu et al., 2016). In contributory key generation protocols, all the participating users are assured that his contribution is selected by him randomly; therefore, all other users will not be able to guess his secret key or calculate the final group key without contributing all the group users. Therefore,
Corresponding author. E-mail address: [email protected] (S. Ali).
https://doi.org/10.1016/j.scs.2018.01.003 Received 5 September 2017; Received in revised form 22 November 2017; Accepted 5 January 2018 2210-6707/ © 2018 Published by Elsevier Ltd.
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
4 discusses the proposed scalable group key management protocol, Section 5 analyze and discuss the proposed protocol, and Section 6 concludes the work.
contributory key generation protocols are fairer enough that all group users are equally participating in it and more secure than direct key transmission protocols. Thus, the contributory key generation protocol is often recommended to prevent some users from having any kind of superior position over the others (Ateniese, Steiner, & Tsudik, 2000). The performance of group key generation protocols is measured with respect to computational and communication complexities. The communication complexity is measured as both the number of rounds during the key generation process and communication among the group users, while the computational complexity is measured as the computational time of each operation in each round. For a group key generation protocol to be efficient enough that it executes the entire process in a fixed number of rounds. Similarly, when an existing member leaves the group or any new member joins the group, the forward and backward security is an issue in the group communication. To maintained the forward and backward security in such situations the rekeying process is initiated in the existing techniques. The re-keying process in the existing techniques means that a new group key will be generated because it is a new group now after the addition or removal of any group member. In the proposed key management protocol the rekeying process is reduced to one user with limited operations, while forward and backward security is maintained. The proposed protocol, SGKMP, has the following highlights:
2. Preliminaries The Elliptic Curve Cryptography(ECC) is used for the evaluation of the proposed group key management protocol that's why the ECC is explained a little bit in this section. The ECC is a public key cryptographic approach which gives strong security with smaller key size as compared to RSA based cryptography (Rebahi et al., 2008). The following subsections explain general domain and recommended domain parameters for ECC. 2.1. Domain parameters To use ECC, all group members must be agreed upon the public elements defining the elliptic curve over the finite field Fp, that is, the domain parameters of the scheme {a, b, p, G, m, h}. The constants a and b are used to define the curve y2 = (x3 + ax + b)modp, where p is order of the curve. G is the generator point (XG, YG), this is some random point on the curve for cryptographic operations and is used to multiply all the future points by it, and m is the order of the generator point G. All the scalar values used for multiplication with generating point to get public keys and is chosen as a number between 1 and m. h is a co-factor which needs to be smallest as possible, and it is the ratio between the number of points on the curve and prime order m. i.e. h = E(Fp)/m, where E(Fp) is the total number of points on the elliptic curve (Anoop, 2007).
• The number of rounds during the key generation process is limited
• • •
to two rounds, irrespective of group size. Similarly, every user in the group participates at most two times in the key generation process. Furthermore, the number of messages during the key generation process is reduced to two only for each user in the group irrespective of group size. The message transmission and the computational process of the key are distributed among all the group users. Due to the use of Diffie–Hellman key exchange method by the proposed protocol, which allows the key generation process is not limited to secure channel or trusted server and is secure from the eavesdropper (Diffie & Hellman, 1976). Each group member, has equal authority with respect to security and privacy in the group. No one can view or even guess the secure key of any other user in the group, similarly, no one can estimate or calculate the final group key before the completion of the group key setup phase. In the group environment some of the users may leave, or new members may join the group. In such situations, the forward and backward securities are maintained without involving all the user (group members) in the re-keying process.
2.2. Recommended domain parameters There are some domain parameters which are recommended for required standard security levels using the ECC implementation. These standards parameters include SEC 1 (E.C.C. SECG, 2000), ANSI X9.62 (X. ANSI, 1999), ANSI X9.63 (X. ANSI, 1998), and IEEE P1363 (I.P.W. Group, others, 2004). It is recommended by Certicom Research to use selected standard parameters by the programmer for ECC-based cryptographic solutions. The 256-bit recommended elliptic curve domain parameters, which has key size of 256 bits and provides the security level equal to 3072 bits of RSA (Rivest, Shamir, and Adelman) based cryptosystems (S. SEC, 2000). Definition 1. The multiplication in elliptic curve is the process of repeated addition of the generating point G = (XG, YG) along the curve G + G +G +⋯+ G , where 1 < s ≤ m − 1 and and is denoted as sG =
In this paper, a novel scalable group key management protocol (SGKMP) is proposed which is secured from eavesdropper even using the public non-secure network channel and at the same time complexity of transmission is reduced to only two rounds during the setup phase of the key for any number of users in the group. It means that the complexity of key generation process is reduced to only two rounds for any group size. Similarly, the protocol is scalable enough that existing members can leave or new member can join it without changing the secure keys of the group users; for this purposes, the re-keying process when any member leaves or new user joins the group is made simple and restricted to the group leader only with single activity. If a user leaves the group or new member joins it, the private keys of the users remain the same in both cases. The public key of each user changes when a change occurs in the group. In case of update in the group, a new public key is issued to each member of the current group. These existing users can calculate the shared group key, using their secure key and private keys. Since the new shared key is the combination of private key and new public key, that's why it is different from the old shared key, which was based on the secure key and old public key. Rest of the paper is organized as follow: Section 2 explains the preliminaries for the proposed protocol, Section 3 gives motivation scenarios. Section
m is the prime order of the G.
s times
Definition 2. The group key is secured if it is computationally infeasible to be computed by any adversary. Definition 3. Backward security: The backward security means when any new user joins the group he/she should not view the old discussion before joining. Definition 4. Forward security: The forward security means when any member leaves the group he/she should not be able to view the communication after leaving the group.
3. Motivation With the advancement of internet technologies, the way of communication is changed from uni-cast communications toward group communication, and the social interaction is increased. The interest in secure communication and user uncertainty about the security and privacy increases with time when any conspiracy comes especially after 38
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
row vector. The user u3 uses his own secure key s3, where 1 < s3 ≤ m − 1 to multiply the second row vector of the matrix, changes three values of the vector by multiplying his secure key and stores it in the third row of the matrix. This process continues upto the user un−1, the user un−1 uses his secure key sn−1, where 1 < sn−1 ≤ m, to multiply the (n − 2)th row vector of the matrix upto (n − 1)th values and stores it in (n − 1)th row of the matrix. The user un of the group uses his secure key sn, where 1 < sn ≤ m − 1, to multiply the (n − 1)th row vector of the matrix starting from the second value of the row vector till the nth value and stores in the nth vector of the matrix. The first round process of the key setup phase is based on the following equation:
the Edward Snowden revealed about secret surveillance programs of the U.S. Government (Landau, 2013). The interest to secure the data not only from the adversary but also from the service provider has increased in the community (Ali, Rauf, Islam, Farman, & Khan, 2017). The unicast communication is easy to secure using encryption, but when there is a group communication as in stock quote distribution, scientific discussions, teleconferencing, social media group communication, etc. a secure group key is required to protect such communication. The social networking communication is a group communication because in OSN every user in the group shares data with the group which is a many-to-many communication (Ali, Rauf, Islam, & Farman, 2017). For many-to-many or multicast communication, a group key is needed to secure the data during transmission and from the service provider, but secure group key generation and management itself is a challenge. The user is secure if there is no single centralized authority and he can contribute to the creation of the group key, but the contribution of all the group user needs multiple rounds during the key setup phase. Similarly, when a group member leaves or a new member joins the group, the re-keying process is initiated to ensure the forward and backward securities. In the existing techniques, the re-keying process means to create a new key for the group after addition/removal of any member, which is time consuming and all the group members participate again in this process. In this paper, an efficient contributory key management protocol is proposed in which all group users have equal participation, and the numbers of rounds are reduced to only two rounds irrespective of group size. Similarly, the re-keying process after the addition/removal of any user to/from the group is also restricted to only one group member.
K i, j =
The second round starts again from user u1 and goes up to user un−2, the user u1 again uses his secure key s1 and multiplies it with nth row of the matrix. The multiplication starts from the third value of the nth row vector and ends on nth value of the row vector and replaces these values in these positions in the (n + 1)th row of the matrix. Similarly, the user u2 uses his secure key s2 and multiplies it with (n + 1)th row of the matrix. The multiplication starts from the fourth value of the row vector and continues till the last value of the row vector. Next multiplication starts from the 5th, 6th, …, nth value of the row vector to its last value. The multiplication process continuous till user un−2, the user un−2 uses his secure key sn−2 and multiplies the last value of the (2n − 3)th row of the matrix and stores it in the last position of the (2n − 2)th row vector. The following equation gives the second round process of the key setup phase:
In the proposed protocol, the user who initiates the initial group key generation would be considered as group leader. The group leader is just like other users and cannot view the secret keys of other group members. Let n be the number of users in the group, the group leader takes a matrix of size (2n − 2) × n as given below:
⋯ k1, n ⎞ ⋯ k2, n ⎟ ⋱ ⋮ ⎟ ⋯ k2n − 2, n ⎟⎠
Ki, j = si − n Ki − 1, j
for 1 ≤ i ≤ 2n − 2,
1≤j≤n
K i, j =
(2)
for 2 ≤ i ≤ n − 1,
⋯ ⋯ G ⎞ ⋯ ⋯ G ⎟ ⋯ ⋯ G ⎟ ⎟ ⋱ ⋯ G ⎟ ⋱ ⋱ ⋮ ⎟ ⋱ sn − 1 G G ⎟ ⋮ ⋱ sn G ⎟ ⋯ ⋯ s1 sn G ⎟ ⋯ ⋯ s1 s2 sn G ⎟ ⋱ ⋱ ⋮ ⎟ ⋱ ⋱ s1 s2⋯sn − 3 sn G ⎟ ⎟ ⋯ G s1 s2⋯sn − 2 sn G ⎠
(6)
1≤j≤i
i=n n < i ≤ 2n − 2
(5)
The diagonal elements denoted by K[n−1,1], K[n,2], K[n+1,3], …, K[2n−2,n] represent the public keys for all users in the group as shown in the matrix (6). The retrieval of public keys from this matrix is based on the following equation:
for i = j = 1
for 2 ≤ j ≤ i, ⎨ si Ki − 1, j ⎪ s K for 3 ≤ j ≤ n, i n i 1, j − − ⎩
n < i ≤ 2n − 2
s1 G G G G ⎛ s1 s2 G s2 G G G ⎜ ⋮ s 2 s3 G s3 G G ⎜ ⎜ ⋮ ⋮ s3 s 4 G s4 G ⎜ ⋮ ⋮ ⋮ ⋱ ⎜ sn − 1 sn − 2⋯s1 G ⋮ ⋮ ⋮ K i, j = ⎜ ⋮ ⋮ G sn sn − 1⋯s2 G ⎜ ⋮ G G s1 sn sn − 1⋯s3 G ⎜ G G G s1 s2 sn sn − 1⋯s4 G ⎜ G G G G ⎜ G G G G ⎜ ⎜ G G G G ⎝
(1)
For the proposed group key generation process, two rounds are required to complete it, irrespective of the group size. The group key setup phase in based on the following equation:
⎧ si Ki, j ⎪ si Ki − 1, j
for 3 ≤ j ≤ n,
The resultant matrix after the completion of both rounds for the key setup phase of the Scalable Group Key Management Protocol is given in the following matrix.
The entire matrix is initialized with generating point G = (XG, YG), the initialization process is mathematically modeled using the following equation.
K i, j = G
(4)
4.2. Second round
4. Proposed group key management protocol
k1,2 k1,3 k1,4 ⎛ k1,1 k2,1 k2,2 k2,3 k1,4 ⎜ K i, j = ⎜ ⋮ ⋮ ⋮ ⋮ ⎜k ⎝ 2n − 2,1 k2n − 2,2 k2n − 2,3 k2n − 2,4
si Ki, j for i = j = 1 ⎧ ⎪ si Ki − 1, j for 2 ≤ i ≤ n − 1, 1 ≤ j ≤ i ⎨ ⎪ si Ki − 1, j for 2 ≤ j ≤ i, i = n ⎩
(3)
PKu = Ki, j
for 1 ≤ j ≤ n,
i = n + j − 2,
u = (imodn) + 1
(7)
The positions K[n,2], K[n+1,3], …, K[2n−2,n], K[n−1,1] in the matrix (6) contain the public keys for users {u1, u2, u3, …, un} respectively. Eq. (7) is used to retrieve the public keys for all the group users U from the matrix (6), created during the key generation process. Algorithm 1 shows the algorithmic steps for the key setup or key generation process by group users and diagrammatically represented in Fig. 1. In the contributory key management schemes, there is no central authority to control the user and key distribution among the group users. The Diffie–Hellman key exchange method for two users is extended to n users. In the Diffie–Hellman key exchange method, shared
4.1. First round Let U = {u1, u2, u3, …, un} be the set of n users in the group and S = {s1, s2, s3, …, sn} be the set of their secret keys respectively. In the first round, user u1 selects a secure key s1, where 1 < s1 ≤ m − 1 and performs modular multiplication with the first value of the first row vector of the matrix (1) and stores it within the same row vector. The user u2 of the group uses his secure key s2, where 1 < s2 ≤ m − 1 to multiply the first two values of the first row vector of the matrix already changed by user u1 and replaces second row of the matrix with this new 39
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19:
end for end for k[1,1] ⟵ s1k[1,1] for i ⟵ 2 to n − 1 do for j ⟵ 1 to i do k[i,j] ⟵ sik[i−1,j] end for end for for j ⟵ 2 to n do k[n,j] ⟵ snk[n−1,j] end for PK[un]⟵k[n − 1,1]
20: 21: 22: 23: 24:
k⟵2 for i ⟵ n + 1 to 2n − 2 do k⟵k+1 j⟵k PK[uj − 2]⟵k[i − 1, j − 1]
25: 26: 27: 28: 29:
for j to n do k[i,j] ⟵ si−nk[i−1,j] end for end for PK[un − 1]⟵k[2n − 2, n]
30:
End
4.3. Modifications in group The change in group occurs when someone leaves or any new member joins the group. In the group key management, the modification in the group is also a challenge because of the forward and backward secrecy/security of data. In the existing contributory key management techniques when any change occurs in the group, the entire process of the group key generation restarts for the remaining group members as new group (Chen et al., 2016). In the proposed protocol the addition/removal of a user from a group is restricted to one activity instead of the entire process of re-generating the group key.
Fig. 1. Flow of setup phase for SGKMP.
key can be exchanged by the users securely using the unsecured channel and non-trusted server. In the proposed protocol, the shared group key has two parts; one part is the secure key which is known the respective user only. Every user in the group has its secure key. The other part of the shared key is public which is created during the key setup phase. The shared group key will be created by each group member by multiplying his secure (SKu) and public keys (PKu) to get the shared group key (K) as given below:
PK1
×
SK1
=
K
PK2 PK3 ⋯ ⋯ PKn
× ×
SK2 SK3 ⋯ ⋯ SKn
= =
K K ⋯ ⋯ K
×
=
4.3.1. Removal of user In the groups, different users leave the group as in real life. For example, in the research group a member may leave the group by moving to some other department or research group; therefore, the rest of discussion in this group need to be secured from such ex-members. The privacy preservation from the ex-members of a group is called forward secrecy. In the proposed protocol the removal of a user from the group is single step activity within the proposed protocol. Any user from the group takes the public keys of all users from the matrix (6) using Eq. (7). The user also chooses a random number r where 1 < r ≤ m − 1 and uses elliptic curve multiplication to change all the public keys of group members except the one who will be removed from the group and sends new public keys to all the remaining group members. The secure keys of all user remain unchanged. The user removal process is based on the following equation:
PKu = r × (Ki, j − KRemoved User ) for 1 ≤ j ≤ n, Algorithm 1. Group key setup phase.
= (imodn) + 1
i = n + j − 2,
u (8)
The remaining group members use their secure keys and new public keys for rest of the communication within the group. The user who is dropped from the group will be unable to read the new communication, and thus the forward secrecy is maintained. The complexity for the removal of a user from the group is one-time multiplication and one multicast message by only one group member. In case of removal of a user, the public keys of all remaining users in the group changes and the public key of the removed user remains unchanged, and that's why he cannot calculate the new group key. In case of addition of a user in the group, the public keys need to be changed for two reasons, one for the
Require: Domain parameters of the ECC and total number of users (n) Ensure: The public keys (PK) for each group members ui 1: Procedure KeySetup(Domain Parameters, n) 2: Begin 3: U = {u1, u2, u3, …, un} 4: S = {s1, s2, s3, …, sn} 5: for i ⟵ 1 to 2n − 2 do 6: for j ⟵ 1 to n do 7: k[i,j] ⟵ G
40
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
Ensure: Returns new public key of all group members after the addition of new member 1: Procedure OperationByNewUser (PKu, PKNewuser) 2: Begin 3: PK ⟵ PKNewuser 4: sk⟵ Secure key of New User 5: for j ⟵ 1 to n do 6: PKu ⟵ sk × PKu 7: end for 8: return PKu 9: End
backward security of the group's old discussion and other for the adding the new user's contribution in the public keys of all existing group members. The algorithmic steps for the removal of any user from the group are given in algorithm 2. Algorithm 2. Modification in group: removal of user. Require: The user number ux and a random number r where 1
5. Analysis and discussion Contributory key generation is a technique used to create group key by the group members. The problem with the contributory key generation is the complexity of generation process and the addition and removal of group members. In the existing contributory key management protocols, the minimum participation/rounds of a user to create a key is n which is time consuming and complex with respect to computation and transmission. Similarly, the addition or removal of group member needs to create new group key for the remaining group members. The significance of the proposed protocol is that it reduced the number of rounds to two in the key generation process irrespective of the group size. Similarly, the process of addition and removal of a user is restricted to the single group member only and rest of the members need not to participate in the addition or removal of any user. The proposed protocol is implemented in Java as proof of concept in order to validate the practical applicability of the protocol. For the implementation purposes the Elliptic Curve Cryptography (ECC) is used, whose public parameters (discussed in Section 2.1) are supposed to be known to all the group members. The recommended elliptic curve domain parameters proposed in research (S. SEC, 2000) is used for implementation.
4.3.2. Adding new user In the proposed protocol, when any new user joins the group he is assigned a public key without disclosing the secret keys of other group members. To start the process of public key generation for the newly added user in the group, It is also a single user activity by any group member. The group member takes a random number r where 1 < r ≤ m − 1 and multiplies all the public keys of all the members of the group, which are stored in the last diagonal of the matrix (6) and sends it to the newly added user. The random number multiplication is needed for backward security of the group from the newly added group member. The new member selects its secure key snew where 1 < snew ≤ m − 1 and multiplies all the public keys sent by the group member with it as in Eq. (9) and sends back to the same group member.
PKu = snew × Ki, j
for 1 ≤ j ≤ n,
i = n + j − 2,
u = (imodn) + 1 (9)
The group member multiplies its secure key with its own old public key (the one before sending to the newly added user) and sends it to the newly added member. It is now the public key for the newly added member. After this process with the newly added user, the group member sends the new public keys to all the old group members. The algorithmic steps by the group leader/member for the addition of new user and operations needed by the newly added user are given in Algorithms 3 and 4 respectively.
5.1. Complexity The complexity of the proposed protocol is reduced to constant time complexity as compared to other contributory key management schemes, in the term of computation and transmission. The proposed key management protocol requires only two rounds for the key generation process irrespective of the group size; therefore, the communication process is reduced to two messages. Similarly, the computational complexity is also reduced as the rounds of the key generation process is restricted to two only. The number of rounds, messages need to be transmitted during the key setup phase, key update phase during the addition or removal of a user to/from the group and computation of complexity for multiplication on a local computer is given in Table 1:
Algorithm 3. Modification in group: addition of user. Require: A random number r, where 1 < r < m Ensure: Changes all the public keys of existing members to for backward security 1: Procedure Adding User (r) 2: Begin 3: for j ⟵ 1 to n do 4: i⟵n+j−2 5: u ⟵ (imodn) + 1 6: PKu ⟵ r × k[i,j] 7: end for 8: PKNewuser ⟵ s1 × PK1 9: OperationByNewUser(PKu, PKNewuser) 10: End
Table 1 User operations during the key generation process. Phases
Key setup Update: removal of user Update: addition of user
Algorithm 4. Operations by the newly added user in the group. Require: Public keys of all group users and public key of newly added user
41
Total users involved
Rounds for participation
Transmission by each user Unicast
Multicast
Number of multiplications by each user
n 1
2 0
2 0
0 1
2 1
1
0
1
1
1
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
5.2. Security evaluation
Ali, S., Rauf, A., Islam, N., Farman, H., & Khan, S. (2017). User profiling: A privacy issue in online public network. Sindh University Research Journal-SURJ (Science Series), 49(1), 125–128. Anoop, M. (2007). Elliptic curve cryptography, an implementation guide. X. ANSI (1998). 63: Public key cryptography for the financial services industry, key agreement and key transport using elliptic curve cryptography. American National Standards Institute. X. ANSI (1999). 62: Public key cryptography for the financial services industry: The elliptic curve digital signature algorithm (ECDSA). American National Standards Institute. Aparna, R., & Amberker, B. (2009). Key management scheme for multiple simultaneous secure group communication. IEEE international conference on Internet multimedia services architecture and applications (IMSAA), 1–6 IEEE. Ateniese, G., Steiner, M., & Tsudik, G. (2000). New multiparty authentication services and key agreement protocols. IEEE Journal on Selected Areas in Communications, 18(4), 628–639. Canetti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M., & Pinkas, B. (1999). Multicast security: A taxonomy and some efficient constructions. Eighteenth annual joint conference of the IEEE computer and communications societies, Vol. 2, 708–716 IEEE. Canetti, R., Malkin, T., & Nissim, K. (1999). Efficient communication-storage tradeoffs for multicast encryption. International conference on the theory and applications of cryptographic techniques, 459–474 Springer. Chen, Y.-Y., Huang, C.-C., & Jan, J.-K. (2016). The design of secure group communication with contributory group key agreement based on mobile ad hoc network. International symposium on computer, consumer and control (IS3C), 455–460 IEEE. De Salve, A., Di Pietro, R., Mori, P., & Ricci, L. (2016). Logical key hierarchy for groups management in distributed online social network. IEEE symposium on computers and communication, 710–717 IEEE. Diffie, W., & Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), 644–654. Dondeti, L. R., Mukherjee, S., & Samal, A. (1999). A dual encryption protocol for scalable secure multicasting. IEEE international symposium on computers and communications, 2–8 IEEE. Harn, L., Hsu, C.-F., & Li, B. (2016). Centralized group key establishment protocol without a mutually trusted third party. Mobile Networks and Applications, 1–9. I.P.W. Group, others (2004). Standard specifications for public-key cryptography. 254 Main web page at http://grouper.ieee.org/groups/1363. Kim, Y., Perrig, A., & Tsudik, G. (2000). Simple and fault-tolerant key agreement for dynamic collaborative groups. Proceedings of the 7th ACM conference on computer and communications security, 235–244 ACM. Landau, S. (2013). Making sense from Snowden: What's significant in the NSA surveillance revelations. IEEE Security Privacy, 11(4), 54–63 doi:10.1109/MSP.2013.90 Molva, R., & Pannetrat, A. (1999). Scalable multicast security in dynamic groups. Proceedings of the 6th ACM conference on computer and communications security, 101–112 ACM. Rafaeli, S., & Hutchison, D. (2003). A survey of key management for secure group communication. ACM Computing Surveys (CSUR), 35(3), 309–329. Raji, F., Miri, A., & Davarpanah Jazi, M. (2014). A centralized privacy-preserving framework for online social networks. The ISC International Journal of Information Security, 6(1), 35–52. Rebahi, Y., Pallares, J. J., Minh, N. T., Ehlert, S., Kovacs, G., & Sisalem, D. (2008). Performance analysis of identity management in the session initiation protocol (SIP). IEEE/ACS international conference on computer systems and applications, 711–717 IEEE. S. SEC (2000). Recommended elliptic curve domain parameters. Standards for Efficient Cryptography Group, Certicom Corp. E.C.C. SECG (2000). Standards for efficient cryptography group. Sepulveda, J., Flórez, D., Immler, V., Gogniat, G., & Sigl, G. (2017). Efficient security zones implementation through hierarchical group key management at NoC-based MPSoCs. Microprocessors and Microsystems, 50, 164–174. Sherman, A. T., & McGrew, D. A. (2003). Key establishment in large dynamic groups using one-way function trees. IEEE Transactions on Software Engineering, 29(5), 444–458. Smart, N. P. (1999). The discrete logarithm problem on elliptic curves of trace one. Journal of Cryptology, 12(3), 193–196. Steiner, M., Tsudik, G., & Waidner, M. (1996). Diffie–Hellman key distribution extended to group communication. Proceedings of the 3rd ACM conference on computer and communications security, 31–37 ACM. Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J., Farràs, O., & Manjon, J. A. (2016). Contributory broadcast encryption with efficient encryption and short ciphertexts. IEEE Transactions on Computers, 65(2), 466–479.
Theorem 1. Let S = {s1, s2, s3, …, sn} be the set of private keys for the set of users U = {u1, u2, u3, …, un}, then any secure key si of user ui is computationally infeasible to calculate it from the public parameters by the adversary. Proof of Theorem 1. Let A be the adversary who is interested to calculate the secure key si of user ui. The adversary A will try to calculate it from the public parameters which are the intermediate values during the group key generation process and traveling through insecure channels or from the final public keys of users. In both cases, the secure keys are computationally infeasible to calculate and protected due to the Discrete Logarithm Problem (Smart, 1999). □ Theorem 2. The group key can only be calculated by the group members and no person other than group members can obtain the group key. Proof of Theorem 2. To get the group key, the adversary A would need the secure key si of any user ui from the group, the public key for user ui can be obtained easily either from the insecure channel or any other place. If the adversary A gets the secure key si and public key of user ui, he can calculate the group key. As proofed in theorem 1, getting the secure key of any user in the group is computationally infeasible because of Discrete Logarithm Problem; therefore, the group key is protected from any user other than the group members. □ 6. Conclusion In this paper, a secure and scalable contributory group key management protocol is proposed. The protocol takes only two rounds for the group key generation process, which reduces both the transmission and computational complexities of the key generation process. The communication complexity is distributed among the group users, and each user needs only two transmissions for the entire process of the group key generation. Similarly, the re-keying process is limited to the single user with constant computational complexity, and rest of the members do not need to contribute again for the re-keying process. The protocol does not require any secure channel or trusted server for the key management. The applicability the protocol is tested by implementing it in Java programming language as proof of concept. In future, we will extend the use of this protocol to other different areas in which the group communication is involved. The proposed protocol can easily be extended to those types of networks in which the performance and resource utilization are also important along with the security. For example, the wireless sensor network which is resource restricted in terms of battery power, and transmission consumes more battery power as compared to processing, but in the proposed protocol the transmission is reduced to two only from n messages, where n is the number users in the group. References Ali, S., Rauf, A., Islam, N., & Farman, H. (2017). A framework for secure and privacy protected collaborative contents sharing using public OSN. Cluster Computing, 1–12.
42
Contents lists available at ScienceDirect
Sustainable Cities and Society journal homepage: www.elsevier.com/locate/scs
SGKMP: A scalable group key management protocol a,⁎
a
b
b
T c
d
Shaukat Ali , Azhar Rauf , Naveed Islam , Haleem Farman , Bilal Jan , Murad Khan , Awais Ahmade a
Department of Computer Science, University of Peshawar, Pakistan Department of Computer Science, Islamia College University, Peshawar, Pakistan Department of Computer Science, FATA University, FR Kohat, Pakistan d Department of Computer Science & IT, Sarhad University of Science and Information Technology, Peshawar, Pakistan e Department of Information and Communication Engineering, Yeungnam University, Gyeongsan, Republic of Korea b c
A R T I C L E I N F O
A B S T R A C T
Keywords: Security Group key Group communication Elliptic curve cryptography
The Online Social Network (OSN) has changed the ways of communication among users from one-to-one toward the group communication. The users of a particular group are interested in communicating securely among the group members using secure group key. Although the data remains secure during the transmission when it is encrypted with the group key, however, the group key management and generation is a challenge while using the insecure channel and untrusted server. The contributory key management is a solution in such situations, but the creation process of the group key, among the group members itself, is a challenge. In the literature, the contributory key generation requires at least n rounds to accomplish the group key generation process. Modification in a group requires the re-keying process for backward and forward security, and it also needs the same number of rounds again. In this paper, a scalable group key management protocol (SGKMP) is proposed, which requires only two rounds to complete the group key generation process, irrespective of group size and it is secure from the eavesdropper in the middle. The backward and forward secrecy is maintained when any user joins or leaves the group while doing a single activity by the group leader. The proposed protocol is implemented using Java as a programming language in order to validate the applicability of the protocol.
1. Introduction With the emergence of network technologies, the communication among the online users increases day by day. However, in social networking through online services have created vulnerabilities regarding privacy and security. The unicast communication can easily be secured as compared to group communication by using the encryption techniques but in the shared environment, there are situations where the group communication is needed, for example, stock quote distribution, scientific discussions, project management, teleconferencing, etc. For group communication, a secure group key is required to protect the communication from unauthorized users, but group key management is an issue during the key setup phase and key update phase whenever a user leaves or joins the group. The group key management techniques that have been proposed in the literature can be mainly classified into three categories: centralized group key management, decentralized group key management, and contributory group key management schemes (Aparna & Amberker, 2009). In centralized group key management scheme, a single trusted key distribution center is used which
⁎
is responsible for the creation and secure distribution of the group key to all the group members (Canetti, Garay, et al., 1999; Canetti, Malkin, & Nissim, 1999; Harn, Hsu, & Li, 2016; Rafaeli & Hutchison, 2003; Raji, Miri, & Davarpanah Jazi, 2014; Sherman & McGrew, 2003). In decentralized key management scheme, the entire group is divided into more than one distinct subgroups, and each subgroup is managed by a manager (De Salve, Di Pietro, Mori, & Ricci, 2016; Dondeti, Mukherjee, & Samal, 1999; Molva & Pannetrat, 1999; Sepulveda, Flórez, Immler, Gogniat, & Sigl, 2017). In contributory key agreement schemes, there is no centralized authority, in this scheme all the group members contribute equally to generate the secure group key, but the problem with the contributory key management scheme is the use of multiple rounds carried out during the group key generation (Chen, Huang, & Jan, 2016; Kim, Perrig, & Tsudik, 2000; Steiner, Tsudik, & Waidner, 1996; Wu et al., 2016). In contributory key generation protocols, all the participating users are assured that his contribution is selected by him randomly; therefore, all other users will not be able to guess his secret key or calculate the final group key without contributing all the group users. Therefore,
Corresponding author. E-mail address: [email protected] (S. Ali).
https://doi.org/10.1016/j.scs.2018.01.003 Received 5 September 2017; Received in revised form 22 November 2017; Accepted 5 January 2018 2210-6707/ © 2018 Published by Elsevier Ltd.
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
4 discusses the proposed scalable group key management protocol, Section 5 analyze and discuss the proposed protocol, and Section 6 concludes the work.
contributory key generation protocols are fairer enough that all group users are equally participating in it and more secure than direct key transmission protocols. Thus, the contributory key generation protocol is often recommended to prevent some users from having any kind of superior position over the others (Ateniese, Steiner, & Tsudik, 2000). The performance of group key generation protocols is measured with respect to computational and communication complexities. The communication complexity is measured as both the number of rounds during the key generation process and communication among the group users, while the computational complexity is measured as the computational time of each operation in each round. For a group key generation protocol to be efficient enough that it executes the entire process in a fixed number of rounds. Similarly, when an existing member leaves the group or any new member joins the group, the forward and backward security is an issue in the group communication. To maintained the forward and backward security in such situations the rekeying process is initiated in the existing techniques. The re-keying process in the existing techniques means that a new group key will be generated because it is a new group now after the addition or removal of any group member. In the proposed key management protocol the rekeying process is reduced to one user with limited operations, while forward and backward security is maintained. The proposed protocol, SGKMP, has the following highlights:
2. Preliminaries The Elliptic Curve Cryptography(ECC) is used for the evaluation of the proposed group key management protocol that's why the ECC is explained a little bit in this section. The ECC is a public key cryptographic approach which gives strong security with smaller key size as compared to RSA based cryptography (Rebahi et al., 2008). The following subsections explain general domain and recommended domain parameters for ECC. 2.1. Domain parameters To use ECC, all group members must be agreed upon the public elements defining the elliptic curve over the finite field Fp, that is, the domain parameters of the scheme {a, b, p, G, m, h}. The constants a and b are used to define the curve y2 = (x3 + ax + b)modp, where p is order of the curve. G is the generator point (XG, YG), this is some random point on the curve for cryptographic operations and is used to multiply all the future points by it, and m is the order of the generator point G. All the scalar values used for multiplication with generating point to get public keys and is chosen as a number between 1 and m. h is a co-factor which needs to be smallest as possible, and it is the ratio between the number of points on the curve and prime order m. i.e. h = E(Fp)/m, where E(Fp) is the total number of points on the elliptic curve (Anoop, 2007).
• The number of rounds during the key generation process is limited
• • •
to two rounds, irrespective of group size. Similarly, every user in the group participates at most two times in the key generation process. Furthermore, the number of messages during the key generation process is reduced to two only for each user in the group irrespective of group size. The message transmission and the computational process of the key are distributed among all the group users. Due to the use of Diffie–Hellman key exchange method by the proposed protocol, which allows the key generation process is not limited to secure channel or trusted server and is secure from the eavesdropper (Diffie & Hellman, 1976). Each group member, has equal authority with respect to security and privacy in the group. No one can view or even guess the secure key of any other user in the group, similarly, no one can estimate or calculate the final group key before the completion of the group key setup phase. In the group environment some of the users may leave, or new members may join the group. In such situations, the forward and backward securities are maintained without involving all the user (group members) in the re-keying process.
2.2. Recommended domain parameters There are some domain parameters which are recommended for required standard security levels using the ECC implementation. These standards parameters include SEC 1 (E.C.C. SECG, 2000), ANSI X9.62 (X. ANSI, 1999), ANSI X9.63 (X. ANSI, 1998), and IEEE P1363 (I.P.W. Group, others, 2004). It is recommended by Certicom Research to use selected standard parameters by the programmer for ECC-based cryptographic solutions. The 256-bit recommended elliptic curve domain parameters, which has key size of 256 bits and provides the security level equal to 3072 bits of RSA (Rivest, Shamir, and Adelman) based cryptosystems (S. SEC, 2000). Definition 1. The multiplication in elliptic curve is the process of repeated addition of the generating point G = (XG, YG) along the curve G + G +G +⋯+ G , where 1 < s ≤ m − 1 and and is denoted as sG =
In this paper, a novel scalable group key management protocol (SGKMP) is proposed which is secured from eavesdropper even using the public non-secure network channel and at the same time complexity of transmission is reduced to only two rounds during the setup phase of the key for any number of users in the group. It means that the complexity of key generation process is reduced to only two rounds for any group size. Similarly, the protocol is scalable enough that existing members can leave or new member can join it without changing the secure keys of the group users; for this purposes, the re-keying process when any member leaves or new user joins the group is made simple and restricted to the group leader only with single activity. If a user leaves the group or new member joins it, the private keys of the users remain the same in both cases. The public key of each user changes when a change occurs in the group. In case of update in the group, a new public key is issued to each member of the current group. These existing users can calculate the shared group key, using their secure key and private keys. Since the new shared key is the combination of private key and new public key, that's why it is different from the old shared key, which was based on the secure key and old public key. Rest of the paper is organized as follow: Section 2 explains the preliminaries for the proposed protocol, Section 3 gives motivation scenarios. Section
m is the prime order of the G.
s times
Definition 2. The group key is secured if it is computationally infeasible to be computed by any adversary. Definition 3. Backward security: The backward security means when any new user joins the group he/she should not view the old discussion before joining. Definition 4. Forward security: The forward security means when any member leaves the group he/she should not be able to view the communication after leaving the group.
3. Motivation With the advancement of internet technologies, the way of communication is changed from uni-cast communications toward group communication, and the social interaction is increased. The interest in secure communication and user uncertainty about the security and privacy increases with time when any conspiracy comes especially after 38
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
row vector. The user u3 uses his own secure key s3, where 1 < s3 ≤ m − 1 to multiply the second row vector of the matrix, changes three values of the vector by multiplying his secure key and stores it in the third row of the matrix. This process continues upto the user un−1, the user un−1 uses his secure key sn−1, where 1 < sn−1 ≤ m, to multiply the (n − 2)th row vector of the matrix upto (n − 1)th values and stores it in (n − 1)th row of the matrix. The user un of the group uses his secure key sn, where 1 < sn ≤ m − 1, to multiply the (n − 1)th row vector of the matrix starting from the second value of the row vector till the nth value and stores in the nth vector of the matrix. The first round process of the key setup phase is based on the following equation:
the Edward Snowden revealed about secret surveillance programs of the U.S. Government (Landau, 2013). The interest to secure the data not only from the adversary but also from the service provider has increased in the community (Ali, Rauf, Islam, Farman, & Khan, 2017). The unicast communication is easy to secure using encryption, but when there is a group communication as in stock quote distribution, scientific discussions, teleconferencing, social media group communication, etc. a secure group key is required to protect such communication. The social networking communication is a group communication because in OSN every user in the group shares data with the group which is a many-to-many communication (Ali, Rauf, Islam, & Farman, 2017). For many-to-many or multicast communication, a group key is needed to secure the data during transmission and from the service provider, but secure group key generation and management itself is a challenge. The user is secure if there is no single centralized authority and he can contribute to the creation of the group key, but the contribution of all the group user needs multiple rounds during the key setup phase. Similarly, when a group member leaves or a new member joins the group, the re-keying process is initiated to ensure the forward and backward securities. In the existing techniques, the re-keying process means to create a new key for the group after addition/removal of any member, which is time consuming and all the group members participate again in this process. In this paper, an efficient contributory key management protocol is proposed in which all group users have equal participation, and the numbers of rounds are reduced to only two rounds irrespective of group size. Similarly, the re-keying process after the addition/removal of any user to/from the group is also restricted to only one group member.
K i, j =
The second round starts again from user u1 and goes up to user un−2, the user u1 again uses his secure key s1 and multiplies it with nth row of the matrix. The multiplication starts from the third value of the nth row vector and ends on nth value of the row vector and replaces these values in these positions in the (n + 1)th row of the matrix. Similarly, the user u2 uses his secure key s2 and multiplies it with (n + 1)th row of the matrix. The multiplication starts from the fourth value of the row vector and continues till the last value of the row vector. Next multiplication starts from the 5th, 6th, …, nth value of the row vector to its last value. The multiplication process continuous till user un−2, the user un−2 uses his secure key sn−2 and multiplies the last value of the (2n − 3)th row of the matrix and stores it in the last position of the (2n − 2)th row vector. The following equation gives the second round process of the key setup phase:
In the proposed protocol, the user who initiates the initial group key generation would be considered as group leader. The group leader is just like other users and cannot view the secret keys of other group members. Let n be the number of users in the group, the group leader takes a matrix of size (2n − 2) × n as given below:
⋯ k1, n ⎞ ⋯ k2, n ⎟ ⋱ ⋮ ⎟ ⋯ k2n − 2, n ⎟⎠
Ki, j = si − n Ki − 1, j
for 1 ≤ i ≤ 2n − 2,
1≤j≤n
K i, j =
(2)
for 2 ≤ i ≤ n − 1,
⋯ ⋯ G ⎞ ⋯ ⋯ G ⎟ ⋯ ⋯ G ⎟ ⎟ ⋱ ⋯ G ⎟ ⋱ ⋱ ⋮ ⎟ ⋱ sn − 1 G G ⎟ ⋮ ⋱ sn G ⎟ ⋯ ⋯ s1 sn G ⎟ ⋯ ⋯ s1 s2 sn G ⎟ ⋱ ⋱ ⋮ ⎟ ⋱ ⋱ s1 s2⋯sn − 3 sn G ⎟ ⎟ ⋯ G s1 s2⋯sn − 2 sn G ⎠
(6)
1≤j≤i
i=n n < i ≤ 2n − 2
(5)
The diagonal elements denoted by K[n−1,1], K[n,2], K[n+1,3], …, K[2n−2,n] represent the public keys for all users in the group as shown in the matrix (6). The retrieval of public keys from this matrix is based on the following equation:
for i = j = 1
for 2 ≤ j ≤ i, ⎨ si Ki − 1, j ⎪ s K for 3 ≤ j ≤ n, i n i 1, j − − ⎩
n < i ≤ 2n − 2
s1 G G G G ⎛ s1 s2 G s2 G G G ⎜ ⋮ s 2 s3 G s3 G G ⎜ ⎜ ⋮ ⋮ s3 s 4 G s4 G ⎜ ⋮ ⋮ ⋮ ⋱ ⎜ sn − 1 sn − 2⋯s1 G ⋮ ⋮ ⋮ K i, j = ⎜ ⋮ ⋮ G sn sn − 1⋯s2 G ⎜ ⋮ G G s1 sn sn − 1⋯s3 G ⎜ G G G s1 s2 sn sn − 1⋯s4 G ⎜ G G G G ⎜ G G G G ⎜ ⎜ G G G G ⎝
(1)
For the proposed group key generation process, two rounds are required to complete it, irrespective of the group size. The group key setup phase in based on the following equation:
⎧ si Ki, j ⎪ si Ki − 1, j
for 3 ≤ j ≤ n,
The resultant matrix after the completion of both rounds for the key setup phase of the Scalable Group Key Management Protocol is given in the following matrix.
The entire matrix is initialized with generating point G = (XG, YG), the initialization process is mathematically modeled using the following equation.
K i, j = G
(4)
4.2. Second round
4. Proposed group key management protocol
k1,2 k1,3 k1,4 ⎛ k1,1 k2,1 k2,2 k2,3 k1,4 ⎜ K i, j = ⎜ ⋮ ⋮ ⋮ ⋮ ⎜k ⎝ 2n − 2,1 k2n − 2,2 k2n − 2,3 k2n − 2,4
si Ki, j for i = j = 1 ⎧ ⎪ si Ki − 1, j for 2 ≤ i ≤ n − 1, 1 ≤ j ≤ i ⎨ ⎪ si Ki − 1, j for 2 ≤ j ≤ i, i = n ⎩
(3)
PKu = Ki, j
for 1 ≤ j ≤ n,
i = n + j − 2,
u = (imodn) + 1
(7)
The positions K[n,2], K[n+1,3], …, K[2n−2,n], K[n−1,1] in the matrix (6) contain the public keys for users {u1, u2, u3, …, un} respectively. Eq. (7) is used to retrieve the public keys for all the group users U from the matrix (6), created during the key generation process. Algorithm 1 shows the algorithmic steps for the key setup or key generation process by group users and diagrammatically represented in Fig. 1. In the contributory key management schemes, there is no central authority to control the user and key distribution among the group users. The Diffie–Hellman key exchange method for two users is extended to n users. In the Diffie–Hellman key exchange method, shared
4.1. First round Let U = {u1, u2, u3, …, un} be the set of n users in the group and S = {s1, s2, s3, …, sn} be the set of their secret keys respectively. In the first round, user u1 selects a secure key s1, where 1 < s1 ≤ m − 1 and performs modular multiplication with the first value of the first row vector of the matrix (1) and stores it within the same row vector. The user u2 of the group uses his secure key s2, where 1 < s2 ≤ m − 1 to multiply the first two values of the first row vector of the matrix already changed by user u1 and replaces second row of the matrix with this new 39
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19:
end for end for k[1,1] ⟵ s1k[1,1] for i ⟵ 2 to n − 1 do for j ⟵ 1 to i do k[i,j] ⟵ sik[i−1,j] end for end for for j ⟵ 2 to n do k[n,j] ⟵ snk[n−1,j] end for PK[un]⟵k[n − 1,1]
20: 21: 22: 23: 24:
k⟵2 for i ⟵ n + 1 to 2n − 2 do k⟵k+1 j⟵k PK[uj − 2]⟵k[i − 1, j − 1]
25: 26: 27: 28: 29:
for j to n do k[i,j] ⟵ si−nk[i−1,j] end for end for PK[un − 1]⟵k[2n − 2, n]
30:
End
4.3. Modifications in group The change in group occurs when someone leaves or any new member joins the group. In the group key management, the modification in the group is also a challenge because of the forward and backward secrecy/security of data. In the existing contributory key management techniques when any change occurs in the group, the entire process of the group key generation restarts for the remaining group members as new group (Chen et al., 2016). In the proposed protocol the addition/removal of a user from a group is restricted to one activity instead of the entire process of re-generating the group key.
Fig. 1. Flow of setup phase for SGKMP.
key can be exchanged by the users securely using the unsecured channel and non-trusted server. In the proposed protocol, the shared group key has two parts; one part is the secure key which is known the respective user only. Every user in the group has its secure key. The other part of the shared key is public which is created during the key setup phase. The shared group key will be created by each group member by multiplying his secure (SKu) and public keys (PKu) to get the shared group key (K) as given below:
PK1
×
SK1
=
K
PK2 PK3 ⋯ ⋯ PKn
× ×
SK2 SK3 ⋯ ⋯ SKn
= =
K K ⋯ ⋯ K
×
=
4.3.1. Removal of user In the groups, different users leave the group as in real life. For example, in the research group a member may leave the group by moving to some other department or research group; therefore, the rest of discussion in this group need to be secured from such ex-members. The privacy preservation from the ex-members of a group is called forward secrecy. In the proposed protocol the removal of a user from the group is single step activity within the proposed protocol. Any user from the group takes the public keys of all users from the matrix (6) using Eq. (7). The user also chooses a random number r where 1 < r ≤ m − 1 and uses elliptic curve multiplication to change all the public keys of group members except the one who will be removed from the group and sends new public keys to all the remaining group members. The secure keys of all user remain unchanged. The user removal process is based on the following equation:
PKu = r × (Ki, j − KRemoved User ) for 1 ≤ j ≤ n, Algorithm 1. Group key setup phase.
= (imodn) + 1
i = n + j − 2,
u (8)
The remaining group members use their secure keys and new public keys for rest of the communication within the group. The user who is dropped from the group will be unable to read the new communication, and thus the forward secrecy is maintained. The complexity for the removal of a user from the group is one-time multiplication and one multicast message by only one group member. In case of removal of a user, the public keys of all remaining users in the group changes and the public key of the removed user remains unchanged, and that's why he cannot calculate the new group key. In case of addition of a user in the group, the public keys need to be changed for two reasons, one for the
Require: Domain parameters of the ECC and total number of users (n) Ensure: The public keys (PK) for each group members ui 1: Procedure KeySetup(Domain Parameters, n) 2: Begin 3: U = {u1, u2, u3, …, un} 4: S = {s1, s2, s3, …, sn} 5: for i ⟵ 1 to 2n − 2 do 6: for j ⟵ 1 to n do 7: k[i,j] ⟵ G
40
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
Ensure: Returns new public key of all group members after the addition of new member 1: Procedure OperationByNewUser (PKu, PKNewuser) 2: Begin 3: PK ⟵ PKNewuser 4: sk⟵ Secure key of New User 5: for j ⟵ 1 to n do 6: PKu ⟵ sk × PKu 7: end for 8: return PKu 9: End
backward security of the group's old discussion and other for the adding the new user's contribution in the public keys of all existing group members. The algorithmic steps for the removal of any user from the group are given in algorithm 2. Algorithm 2. Modification in group: removal of user. Require: The user number ux and a random number r where 1
5. Analysis and discussion Contributory key generation is a technique used to create group key by the group members. The problem with the contributory key generation is the complexity of generation process and the addition and removal of group members. In the existing contributory key management protocols, the minimum participation/rounds of a user to create a key is n which is time consuming and complex with respect to computation and transmission. Similarly, the addition or removal of group member needs to create new group key for the remaining group members. The significance of the proposed protocol is that it reduced the number of rounds to two in the key generation process irrespective of the group size. Similarly, the process of addition and removal of a user is restricted to the single group member only and rest of the members need not to participate in the addition or removal of any user. The proposed protocol is implemented in Java as proof of concept in order to validate the practical applicability of the protocol. For the implementation purposes the Elliptic Curve Cryptography (ECC) is used, whose public parameters (discussed in Section 2.1) are supposed to be known to all the group members. The recommended elliptic curve domain parameters proposed in research (S. SEC, 2000) is used for implementation.
4.3.2. Adding new user In the proposed protocol, when any new user joins the group he is assigned a public key without disclosing the secret keys of other group members. To start the process of public key generation for the newly added user in the group, It is also a single user activity by any group member. The group member takes a random number r where 1 < r ≤ m − 1 and multiplies all the public keys of all the members of the group, which are stored in the last diagonal of the matrix (6) and sends it to the newly added user. The random number multiplication is needed for backward security of the group from the newly added group member. The new member selects its secure key snew where 1 < snew ≤ m − 1 and multiplies all the public keys sent by the group member with it as in Eq. (9) and sends back to the same group member.
PKu = snew × Ki, j
for 1 ≤ j ≤ n,
i = n + j − 2,
u = (imodn) + 1 (9)
The group member multiplies its secure key with its own old public key (the one before sending to the newly added user) and sends it to the newly added member. It is now the public key for the newly added member. After this process with the newly added user, the group member sends the new public keys to all the old group members. The algorithmic steps by the group leader/member for the addition of new user and operations needed by the newly added user are given in Algorithms 3 and 4 respectively.
5.1. Complexity The complexity of the proposed protocol is reduced to constant time complexity as compared to other contributory key management schemes, in the term of computation and transmission. The proposed key management protocol requires only two rounds for the key generation process irrespective of the group size; therefore, the communication process is reduced to two messages. Similarly, the computational complexity is also reduced as the rounds of the key generation process is restricted to two only. The number of rounds, messages need to be transmitted during the key setup phase, key update phase during the addition or removal of a user to/from the group and computation of complexity for multiplication on a local computer is given in Table 1:
Algorithm 3. Modification in group: addition of user. Require: A random number r, where 1 < r < m Ensure: Changes all the public keys of existing members to for backward security 1: Procedure Adding User (r) 2: Begin 3: for j ⟵ 1 to n do 4: i⟵n+j−2 5: u ⟵ (imodn) + 1 6: PKu ⟵ r × k[i,j] 7: end for 8: PKNewuser ⟵ s1 × PK1 9: OperationByNewUser(PKu, PKNewuser) 10: End
Table 1 User operations during the key generation process. Phases
Key setup Update: removal of user Update: addition of user
Algorithm 4. Operations by the newly added user in the group. Require: Public keys of all group users and public key of newly added user
41
Total users involved
Rounds for participation
Transmission by each user Unicast
Multicast
Number of multiplications by each user
n 1
2 0
2 0
0 1
2 1
1
0
1
1
1
Sustainable Cities and Society 39 (2018) 37–42
S. Ali et al.
5.2. Security evaluation
Ali, S., Rauf, A., Islam, N., Farman, H., & Khan, S. (2017). User profiling: A privacy issue in online public network. Sindh University Research Journal-SURJ (Science Series), 49(1), 125–128. Anoop, M. (2007). Elliptic curve cryptography, an implementation guide. X. ANSI (1998). 63: Public key cryptography for the financial services industry, key agreement and key transport using elliptic curve cryptography. American National Standards Institute. X. ANSI (1999). 62: Public key cryptography for the financial services industry: The elliptic curve digital signature algorithm (ECDSA). American National Standards Institute. Aparna, R., & Amberker, B. (2009). Key management scheme for multiple simultaneous secure group communication. IEEE international conference on Internet multimedia services architecture and applications (IMSAA), 1–6 IEEE. Ateniese, G., Steiner, M., & Tsudik, G. (2000). New multiparty authentication services and key agreement protocols. IEEE Journal on Selected Areas in Communications, 18(4), 628–639. Canetti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M., & Pinkas, B. (1999). Multicast security: A taxonomy and some efficient constructions. Eighteenth annual joint conference of the IEEE computer and communications societies, Vol. 2, 708–716 IEEE. Canetti, R., Malkin, T., & Nissim, K. (1999). Efficient communication-storage tradeoffs for multicast encryption. International conference on the theory and applications of cryptographic techniques, 459–474 Springer. Chen, Y.-Y., Huang, C.-C., & Jan, J.-K. (2016). The design of secure group communication with contributory group key agreement based on mobile ad hoc network. International symposium on computer, consumer and control (IS3C), 455–460 IEEE. De Salve, A., Di Pietro, R., Mori, P., & Ricci, L. (2016). Logical key hierarchy for groups management in distributed online social network. IEEE symposium on computers and communication, 710–717 IEEE. Diffie, W., & Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), 644–654. Dondeti, L. R., Mukherjee, S., & Samal, A. (1999). A dual encryption protocol for scalable secure multicasting. IEEE international symposium on computers and communications, 2–8 IEEE. Harn, L., Hsu, C.-F., & Li, B. (2016). Centralized group key establishment protocol without a mutually trusted third party. Mobile Networks and Applications, 1–9. I.P.W. Group, others (2004). Standard specifications for public-key cryptography. 254 Main web page at http://grouper.ieee.org/groups/1363. Kim, Y., Perrig, A., & Tsudik, G. (2000). Simple and fault-tolerant key agreement for dynamic collaborative groups. Proceedings of the 7th ACM conference on computer and communications security, 235–244 ACM. Landau, S. (2013). Making sense from Snowden: What's significant in the NSA surveillance revelations. IEEE Security Privacy, 11(4), 54–63 doi:10.1109/MSP.2013.90 Molva, R., & Pannetrat, A. (1999). Scalable multicast security in dynamic groups. Proceedings of the 6th ACM conference on computer and communications security, 101–112 ACM. Rafaeli, S., & Hutchison, D. (2003). A survey of key management for secure group communication. ACM Computing Surveys (CSUR), 35(3), 309–329. Raji, F., Miri, A., & Davarpanah Jazi, M. (2014). A centralized privacy-preserving framework for online social networks. The ISC International Journal of Information Security, 6(1), 35–52. Rebahi, Y., Pallares, J. J., Minh, N. T., Ehlert, S., Kovacs, G., & Sisalem, D. (2008). Performance analysis of identity management in the session initiation protocol (SIP). IEEE/ACS international conference on computer systems and applications, 711–717 IEEE. S. SEC (2000). Recommended elliptic curve domain parameters. Standards for Efficient Cryptography Group, Certicom Corp. E.C.C. SECG (2000). Standards for efficient cryptography group. Sepulveda, J., Flórez, D., Immler, V., Gogniat, G., & Sigl, G. (2017). Efficient security zones implementation through hierarchical group key management at NoC-based MPSoCs. Microprocessors and Microsystems, 50, 164–174. Sherman, A. T., & McGrew, D. A. (2003). Key establishment in large dynamic groups using one-way function trees. IEEE Transactions on Software Engineering, 29(5), 444–458. Smart, N. P. (1999). The discrete logarithm problem on elliptic curves of trace one. Journal of Cryptology, 12(3), 193–196. Steiner, M., Tsudik, G., & Waidner, M. (1996). Diffie–Hellman key distribution extended to group communication. Proceedings of the 3rd ACM conference on computer and communications security, 31–37 ACM. Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J., Farràs, O., & Manjon, J. A. (2016). Contributory broadcast encryption with efficient encryption and short ciphertexts. IEEE Transactions on Computers, 65(2), 466–479.
Theorem 1. Let S = {s1, s2, s3, …, sn} be the set of private keys for the set of users U = {u1, u2, u3, …, un}, then any secure key si of user ui is computationally infeasible to calculate it from the public parameters by the adversary. Proof of Theorem 1. Let A be the adversary who is interested to calculate the secure key si of user ui. The adversary A will try to calculate it from the public parameters which are the intermediate values during the group key generation process and traveling through insecure channels or from the final public keys of users. In both cases, the secure keys are computationally infeasible to calculate and protected due to the Discrete Logarithm Problem (Smart, 1999). □ Theorem 2. The group key can only be calculated by the group members and no person other than group members can obtain the group key. Proof of Theorem 2. To get the group key, the adversary A would need the secure key si of any user ui from the group, the public key for user ui can be obtained easily either from the insecure channel or any other place. If the adversary A gets the secure key si and public key of user ui, he can calculate the group key. As proofed in theorem 1, getting the secure key of any user in the group is computationally infeasible because of Discrete Logarithm Problem; therefore, the group key is protected from any user other than the group members. □ 6. Conclusion In this paper, a secure and scalable contributory group key management protocol is proposed. The protocol takes only two rounds for the group key generation process, which reduces both the transmission and computational complexities of the key generation process. The communication complexity is distributed among the group users, and each user needs only two transmissions for the entire process of the group key generation. Similarly, the re-keying process is limited to the single user with constant computational complexity, and rest of the members do not need to contribute again for the re-keying process. The protocol does not require any secure channel or trusted server for the key management. The applicability the protocol is tested by implementing it in Java programming language as proof of concept. In future, we will extend the use of this protocol to other different areas in which the group communication is involved. The proposed protocol can easily be extended to those types of networks in which the performance and resource utilization are also important along with the security. For example, the wireless sensor network which is resource restricted in terms of battery power, and transmission consumes more battery power as compared to processing, but in the proposed protocol the transmission is reduced to two only from n messages, where n is the number users in the group. References Ali, S., Rauf, A., Islam, N., & Farman, H. (2017). A framework for secure and privacy protected collaborative contents sharing using public OSN. Cluster Computing, 1–12.
42