Research note
A note on breaking and repairing a secure broadcasting in large networks
Hung-Min Sun a,*, Shiuh-Pyng Shieh b, Hsin-Min Sun c
a Department of Information Management, Chaoyang University of Technology, Wufeng, Taichung County, Taiwan 413
b Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan 30050
c Chianan College of Science and Pharmacy, Tainan, Taiwan
Received 1 May 1998; received in revised form 24 September 1998; accepted 24 September 1998
Abstract
In this note, we show that a proposed secure broadcasting scheme is insecure. We also present a modified scheme to overcome this weakness. The modified scheme has the extra advantage that each participant can derive his group keys from group identities without the need of knowing other information. © 1999 Elsevier Science BV. All rights reserved.
Keywords: Secure system; Broadcasting; Network security; Cryptography; Computer network
1. Introduction
Recently, Sun and Shieh [1] proposed a secure broadcasting scheme (SS scheme in short) based on the assumption that users or hosts in a large network are partitioned and organized as a hierarchical tree where children of the common parent form a group. In this note, we show that the SS scheme is insecure because those groups with the common parent have the same group key. We also present a modified scheme to overcome this weakness. The modified scheme has the extra advantage that each principal can derive his group keys from group identities without the need of knowing other information.
Basically, the SS scheme contains two parts: a key management mechanism in a hierarchical tree of principals, which is responsible for key generation and group key derivation, and a secure broadcasting protocol, which is responsible for encryption by the sending principal and decryption by the legal receiving principals. In the SS scheme, users or hosts in a large network are partitioned and organized as a hierarchical tree where children of the same parent form a group. A group may contain one or many principals. Every principal in a network system is regarded as a group and is represented by a leaf in a tree. Groups (children) sharing some characteristics form a super-group (parent group), represented by a subtree. That is, the union of groups in a subtree forms their parent group. The root of the tree represents the universal group, which is the group of all principals in the network system. Owing to the characteristics of the tree structure, the SS scheme uses a key management mechanism to generate the corresponding group key for each group. Every principal in a group can recover the group key by using his secret key, but principals outside this group cannot. The SS scheme also uses a secure broadcasting protocol for encryption and decryption. The sending principal encrypts a message into a ciphertext by using the public keys of the receiving groups and then broadcasts this ciphertext to the principals in these groups. Each principal in a legal group can derive his group key and then decrypt the ciphertext into the message, while illegal principals cannot. As the insecurity of the SS scheme comes from the weakness of the key management mechanism, for simplicity, we describe only the key management mechanism here.
1.1. Key generation algorithm:
A center authority (CA) first selects two large prime numbers, $p$ and $q$, satisfying the RSA assumption and then computes $N = p \cdot q$. CA traverses the nodes in the tree of hierarchical principal groups from the root to the leaves, and from left to right.
1. If the node is $G_u$, which is the root of the tree, then CA assigns a random number $k_u$ (mod $N$) as the group key of $G_u$ and selects a pair $(T_u, S_u)$ such that $T_u \cdot S_u \equiv 1 \pmod{\phi(N)}$, where $T_u$ is public and $S_u$ is secret.
2. If the node $G_i$ is not the root or a leaf, we assume that $G_j$ is the parent of node $G_i$ and the group key of $G_j$ is $k_j$. CA computes $k_i = k_j^{S_j} \bmod N$ as the group key of $G_i$ and selects a pair $(T_i, S_i)$ such that $T_i \cdot S_i \equiv 1 \pmod{\phi(N)}$, where $T_i$ is public and $S_i$ is secret.
3. If the node $G_i$ is a leaf (the group contains only one principal) of the tree, we assume that node $G_j$ is the parent of node $G_i$ and the group key of $G_j$ is $k_j$. CA computes $k_i = k_j^{S_j} \bmod N$ as the group key of $G_i$ (the secret key of the principal).
Computer Communications 22 (1999) 193–194
0140-3664/99/$ - see front matter © 1999 Elsevier Science BV. All rights reserved. PII: S0140-3664(98)00253-9
* Corresponding author. Tel.: 0886 4 3323000 7122; fax: 08864 3742337.
1.2. Key derivation algorithm:
Assume $u_s$ is a principal in the group $G_i$, who wants to get the group key $k_i$ of $G_i$. We assume that the principal corresponds to the group $G_s$, i.e., $G_s = \{u_s\}$, and $G_f$ is the parent of $G_s$.
1. If $G_s = G_i$, then the group key $k_i$ of $G_i$ is equal to $k_s$ (the secret key of the principal).
2. If $G_s \neq G_i$, then $G_s \subset G_f \subseteq G_i$. $u_s$, who owns the group key $k_s$, can compute the group key $k_f$ of $G_f$ by $k_f = k_s^{T_f} \bmod N$. Once the group key $k_f$ of $G_f$ is determined, the group key $k_r$ of $G_r$ can be computed by $k_r = k_f^{T_r} \bmod N$, where node $G_r$ is the parent of node $G_f$. The same process is repeated until the group key $k_i$ is derived.
2. Weakness of SS scheme
In [1], the authors considered only the security problem of whether a principal outside the group $G_i$ can derive the group key $k_i$ of $G_i$. They ignored the possibility that a principal inside a group $G_i$ but outside a group $G_j$, where $G_j \subset G_i$, can derive the group key $k_j$ of $G_j$. We point out the details in the following.
In the key management mechanism of the SS scheme, if node $G_i$ is a child of $G_j$ and the group key of $G_j$ is $k_j$, CA will assign $k_i = k_j^{S_j} \bmod N$ as the group key of $G_i$. If node $G_h$ is another child of $G_j$, CA will assign $k_h = k_j^{S_j} \bmod N$ as the group key of $G_h$. It is unfortunate that $k_i = k_h = k_j^{S_j} \bmod N$. Therefore, all groups with the common parent own the same group key. This makes the SS scheme insecure, because any principal in an illegal group can correctly decrypt the ciphertext into the message provided that the illegal group has the common parent with any legal group.
3. A modified key management mechanism
We revise the key management mechanism of SS scheme as follows:
3.1. Key generation algorithm:
(1′) If the node is $G_u$, which is the root of the tree, then CA assigns a random number $k_u$ (mod $N$) as the group key of node $G_u$.
(2′) If the node $G_i$ is not the root, we assume that node $G_j$ is the parent of node $G_i$ and the group key of node $G_j$ is $k_j$. CA computes a value $S_i$ satisfying $F(ID_i) \cdot S_i \equiv 1 \pmod{\phi(N)}$, where $ID_i$ is the group identity of $G_i$ and $F(k)$ is the function of the maximum prime number which is less than or equal to $k$. CA computes $k_i = k_j^{S_i} \bmod N$ as the group key of node $G_i$. After $k_i$ is computed, $S_i$ shall be discarded. If a node $G_i$ is a single principal, the group key $k_i$ is the secret key of the principal.
3.2. Key derivation algorithm:
Step 2 in the previous key derivation algorithm is modified as follows:
(2′) If $G_s \neq G_i$, $G_s \subset G_f \subseteq G_i$, principal $u_s$ computes the group key $k_f$ of node $G_f$ by $k_f = k_s^{F(ID_s)} \bmod N$. Once the group key $k_f$ of node $G_f$ is determined, the group key $k_r$ of node $G_r$ can also be computed by $k_r = k_f^{F(ID_f)} \bmod N$, where node $G_r$ is the parent of node $G_f$. The same process is repeated until the group key $k_i$ is derived.
The modified scheme can overcome the weakness of the previous key management mechanism. In addition, the modified scheme has the extra advantage that each principal can derive his group keys from group identities without the need of knowing other information.
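The sibling-key collision of Section 2 and the repair of Section 3, as an added Python sketch that is not code from the paper. The primes, the root key, $T_u = 5$ and the group identities 101, 150 and 200 are constructed toy values, and the function names are assumptions.

```python
# Toy model of both key-management mechanisms (constructed parameters, NOT secure sizes).
P, Q = 1009, 1013                      # constructed small primes standing in for p, q
N, PHI = P * Q, (P - 1) * (Q - 1)      # N = p*q and phi(N); phi(N) is known only to the CA

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def F(k):
    """F(k): the largest prime <= k, as defined in the modified scheme."""
    while not is_prime(k):
        k -= 1
    return k

def ss_child_keys(k_parent, S_parent, child_ids):
    """Original SS scheme: every child gets k_j^{S_j} mod N, whatever its identity."""
    return {cid: pow(k_parent, S_parent, N) for cid in child_ids}

def modified_child_keys(k_parent, child_ids):
    """Modified scheme: k_i = k_j^{S_i} mod N with F(ID_i)*S_i = 1 (mod phi(N))."""
    keys = {}
    for cid in child_ids:
        S_i = pow(F(cid), -1, PHI)     # computed by the CA, discarded afterwards
        keys[cid] = pow(k_parent, S_i, N)
    return keys

def climb(k_child, child_id):
    """Derivation step: k_f = k_s^{F(ID_s)} mod N, using only a public identity."""
    return pow(k_child, F(child_id), N)

K_ROOT = 123456                        # constructed root key k_u
SIBLINGS = [150, 200]                  # constructed group identities under the root
S_ROOT = pow(5, -1, PHI)               # SS scheme: T_u = 5 (public), S_u (secret)

if __name__ == "__main__":
    ss = ss_child_keys(K_ROOT, S_ROOT, SIBLINGS)
    mod = modified_child_keys(K_ROOT, SIBLINGS)
    print("SS scheme sibling keys      :", ss)    # identical values: the weakness
    print("modified scheme sibling keys:", mod)   # distinct values
    leaf = modified_child_keys(mod[200], [101])[101]   # a principal inside group 200
    print("leaf climbs to group 200    :", climb(leaf, 101) == mod[200])
    print("group 200 climbs to root    :", climb(mod[200], 200) == K_ROOT)
```

A member of group 150 can still climb to the root key, which it is entitled to, but it cannot step down to group 200 without the discarded exponent $S_i$.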
Acknowledgements
This work was supported in part by the National Science Council, Taiwan, under contract NSC-87-2213-E324-003. The authors would like to thank anonymous reviewers for their useful comments.
References
[1] H.M. Sun, S.P. Shieh, Secure broadcasting in large networks, Computer Communications 21 (3) (1998) 279–283.