CHAPTER 4 AN EBS-BASED BATCH REKEYING SCHEME FOR SECURE
j ;
Step 7:
/* KS resumes the suspended members, assigns them to the positions where the departed members stayed before, and gives them administration keys. Finally, these resumed members have a new session key and some administration keys.*/
Call Join(n,k,m,{p1,p2,...,p|RL|});
Since none of the departed members has any knowledge about i, they cannot derive ai. Consequently, no adversary can attack the proposed system even if he/she has obtained all administration keys from the departed members; thus, forward secrecy is guaranteed.
4.4 Security and Performance Analyses
In this section, both the security and performance of the proposed scheme are analyzed.
4.4.1 Security Analysis
In the following paragraphs, we analyze the security of the proposed scheme with respect to data confidentiality, authenticity, backward secrecy and forward secrecy, and collusion attack.
4.4.1.1 Data Confidentiality
To provide the data confidentiality service, an encryption scheme must be applied. In this dissertation, transmitted messages are encrypted with SK, i.e. {Messages}SK, to keep unauthorized users from eavesdropping and tapping. The encryption algorithm can be any symmetric encryption standard, such as AES (Advanced Encryption Standard). An attacker who is not a group member cannot obtain the session key SK and therefore cannot decrypt the encrypted messages, short of a brute-force attack.
No one can decrypt the encrypted messages without SK; therefore, data confidentiality of transmitted messages is guaranteed by the proposed scheme.
4.4.1.2 Authenticity
Authentication protocols include entity authentication and message authentication, which are used to verify the identity of a user and the origin of a message, respectively. Entity authentication is provided by the first step of operation join. In operation join, a new member xix who wants to join the group has to issue its own identity to announce that he/she is the right one. Therefore, entity authentication is provided before operation join. If a group member pi wants to communicate with KS, a mutual authentication algorithm is proposed as follows:
Step 1: pi → KS: IDpi, IDKS, {IDpi || IDKS || Npi || CK'pi,KS}Ki
Step 2: KS → pi: IDpi, IDKS, {IDpi || IDKS || Npi − 1 || NKS || CK''KS,pi}Ki
Step 3: pi → KS: IDpi, IDKS, {IDpi || IDKS || NKS − 1}CKpi,KS
IDpi and IDKS are the identities of pi and KS, respectively. The random nonces Npi and NKS are used to prevent replay attacks. CK'pi,KS and CK''KS,pi are partial common session keys between pi and KS. The common session key CKpi,KS can be computed by both parties themselves with an XOR operation, i.e. CKpi,KS = CK'pi,KS ⊕ CK''KS,pi. Finally, pi and KS can communicate with each other by sending encrypted messages, e.g. {Messages}CKpi,KS.
Message authentication is not considered in this dissertation. However, a message authentication protocol can be implemented with a keyed one-way hash function, such as HMAC as described in RFC 2104 [17].
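As an added illustration (not the dissertation's code), the three-step exchange above is simulated with both parties' checks: KS verifies the identities inside Step 1, pi verifies Npi − 1 in Step 2, and KS verifies NKS − 1 under the XOR-derived CK in Step 3. The cipher {m}K is a constructed SHA-256 counter-mode stand-in with an HMAC tag, since the page leaves the symmetric algorithm open; the identity strings, decimal nonce encoding and "||" framing are assumptions.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # SHA-256 in counter mode, enough 32-byte blocks to cover n bytes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))

def enc(key, msg):
    # {msg}key stand-in (constructed, not the page's cipher): fresh nonce, XOR, HMAC tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: not encrypted under this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mutual_auth(Ki, id_p=b"p1", id_ks=b"KS"):
    """Steps 1-3 between member pi and KS, both holding Ki. Fields are joined
    with '||'; nonces are decimal so N - 1 is literal arithmetic.
    Returns (CK as pi computed it, CK as KS computed it)."""
    # Step 1, pi -> KS: IDpi, IDKS, {IDpi || IDKS || Npi || CK'}Ki
    N_pi, CK1 = secrets.randbits(64), secrets.token_bytes(16)
    c1 = enc(Ki, b"||".join([id_p, id_ks, str(N_pi).encode(), CK1.hex().encode()]))
    # KS: identities inside the ciphertext must match the cleartext header
    p, k, n1, ck1 = dec(Ki, c1).split(b"||")
    if (p, k) != (id_p, id_ks):
        raise ValueError("identity mismatch in Step 1")
    # Step 2, KS -> pi: IDpi, IDKS, {IDpi || IDKS || Npi - 1 || NKS || CK''}Ki
    N_ks, CK2 = secrets.randbits(64), secrets.token_bytes(16)
    c2 = enc(Ki, b"||".join([id_p, id_ks, str(int(n1) - 1).encode(),
                             str(N_ks).encode(), CK2.hex().encode()]))
    ck_ks = xor16(bytes.fromhex(ck1.decode()), CK2)   # CK = CK' xor CK''
    # pi: Npi - 1 proves KS decrypted this run's Step 1 (no replay of an old Step 2)
    _, _, n1m1, n2, ck2 = dec(Ki, c2).split(b"||")
    if int(n1m1) != N_pi - 1:
        raise ValueError("stale or replayed Step 2")
    ck_p = xor16(CK1, bytes.fromhex(ck2.decode()))
    # Step 3, pi -> KS: IDpi, IDKS, {IDpi || IDKS || NKS - 1}CK
    c3 = enc(ck_p, b"||".join([id_p, id_ks, str(int(n2) - 1).encode()]))
    # KS: Step 3 decrypts only under its CK and must echo NKS - 1
    _, _, n2m1 = dec(ck_ks, c3).split(b"||")
    if int(n2m1) != N_ks - 1:
        raise ValueError("pi failed to prove possession of CK")
    return ck_p, ck_ks
```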
4.4.1.3 Backward Secrecy
A security scheme supports backward secrecy only if new members cannot collaborate to learn the previous traffic patterns. Hence, it is often required that a member who joins be denied access to messages that were sent to the group prior to its membership.
In operation join, since a joining requester has no knowledge of either SK or the administration keys, {SK'}SK is not compromised. Given a key space
Hence, backward secrecy is guaranteed in operation join, and no collusion attack can occur.
4.4.1.4 Forward Secrecy
A security scheme supports forward secrecy only if the departed members cannot collaborate to learn the future traffic patterns. Hence, a rekeying operation is needed to ensure that messages sent to the group cannot be accessed by a former member whose membership has been revoked.
In operation L/CR, we assume that departed members would not cooperate to
) SK
Pr( l . Therefore, forward secrecy is clear.
In operation L/CF, even if all departed members conspire, they still cannot compromise SK', although they may have held all administration keys before they left. Therefore, forward secrecy holds.
From Sections 4.4.1.3 and 4.4.1.4, this dissertation demonstrates that the proposed scheme provides both backward secrecy and forward secrecy. In addition, session keys are generated independently and are protected by the old session key in operation join and by administration keys in operations L/CR and L/CF. Each member's administration keys are updated by the members themselves whenever a rekeying operation happens. This means that the proposed batch rekeying scheme supports both perfect forward secrecy and perfect backward secrecy. The disadvantages of the proposed batch rekeying scheme are that, because join and leave requests are batched, a joining member's access to multicast data is postponed and a departing member continues to receive communication data until the batch rekeying is completed.
4.4.1.5 Administration Keys Secrecy
The administration keys are kept by the legitimate group members. Each of them holds a subset of the set A and updates its own administration keys by itself. The administration key updating operation, based on a one-way hash function, i.e.
A'i = h(SK', Ai),
is executed after a rekeying operation has been completed. Since an attacker has no knowledge of the administration keys or the group session key, he/she can only launch a birthday attack on the underlying hash function. To defeat this attack, the output length of the hash function has to be long enough to make the birthday attack computationally infeasible.
4.4.1.6 Collusion Attack
A collusion attack is an attack in which a number of nodes collaborate to reveal all administration keys, and even the session key, and consequently capture the network. EBS solutions as well as tree-based solutions, however, may suffer from collusion attacks. Two or more departed members collude when they share their keys with each other; in other words, colluding nodes grow their knowledge of the network's security measures. In the EBS scheme, administration keys are reused across multiple members and only key combinations are unique. Therefore, it is conceivable that a few departed nodes can collude and reveal all the administration keys.
Take the example in Table 2: if members p1 and p5 leave the group at the same time and collaborate, they reveal the administration keys A1, A2, A3, and A4. Therefore, KS cannot distribute SK' to its group members by any combination of administration keys. In this dissertation, operation L/CR has the same problem as the EBS scheme, but operation L/CF, described in Section 4.3.2.2.3, solves this problem.
In addition, the discussions in Sections 4.4.1.3 and 4.4.1.4 indicate that the proposed operation L/CF supports both backward secrecy and forward secrecy. Thus, key independence is guaranteed. Consequently, the proposed scheme can resist collusion attacks from adversaries.
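As an added example (not the dissertation's code) covering Sections 4.4.1.5 and 4.4.1.6: a constructed EBS(6, 2, 2) table standing in for the page's Table 2, in which p1 and p5 together hold A1..A4; a check of whether KS can still deliver SK' around a set of departed members; and the A'i = h(SK', Ai) update with SHA-256 assumed as h.

```python
import hashlib

# Constructed EBS(n=6, k=2, m=2) table standing in for the page's Table 2:
# four administration keys A1..A4, each member holds a distinct 2-subset, and
# p1 together with p5 covers every key, as in the collusion example.
TABLE = {"p1": {"A1", "A2"}, "p2": {"A1", "A3"}, "p3": {"A1", "A4"},
         "p4": {"A2", "A3"}, "p5": {"A3", "A4"}, "p6": {"A2", "A4"}}

def colluding_knowledge(table, departed):
    """Keys the departed members learn when they pool (share) their keys."""
    return set().union(*(table[p] for p in departed))

def rekey_keys(table, departed):
    """Administration keys KS can still use to send {SK'} to every remaining
    member while excluding all departed ones. Returns the usable keys, or an
    empty set when collusion leaves some remaining member unreachable: the
    situation in which L/CR fails and L/CF must suspend and re-join members."""
    known = colluding_knowledge(table, departed)
    usable = set().union(*table.values()) - known
    remaining = [p for p in table if p not in departed]
    return usable if all(table[p] & usable for p in remaining) else set()

def refresh_admin_keys(held, sk_new):
    """A'_i = h(SK', A_i): each member re-derives its own keys locally after a
    rekeying. Without SK' a departed member cannot follow the update, so keys
    it once knew stop being useful. SHA-256's 256-bit output keeps a birthday
    attack at about 2^128 work (assumption: h instantiated as SHA-256)."""
    return {name: hashlib.sha256(sk_new + key).digest() for name, key in held.items()}

def demo():
    single = rekey_keys(TABLE, {"p1"})          # {"A3", "A4"}: one leaver is fine
    collude = rekey_keys(TABLE, {"p1", "p5"})   # set(): A1..A4 all exposed
    held = {"A3": b"\x33" * 16, "A4": b"\x44" * 16}   # constructed key values
    new = refresh_admin_keys(held, b"SK-prime-constructed")
    return single, collude, new
```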