Security Issues in a Group Key Establishment Protocol

The Computer Journal, Volume Advance Article – Jun 5, 2018

4 pages

- Publisher: Oxford University Press
- Copyright: © The British Computer Society 2018. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com
- ISSN: 0010-4620
- eISSN: 1460-2067
- DOI: 10.1093/comjnl/bxy058

Abstract

Major shortcomings in a recently published group key establishment protocol are described; this protocol enables any participant to choose and broadcast a secret key to a group of other participants. We show that any valid recipient of a broadcast can successfully impersonate the originator of that broadcast to send a new key to the original set of recipients. Also, if a broadcast key is ever compromised, then any party (insider or outsider) who learns this key can force its reuse indefinitely. These shortcomings are sufficiently serious that the protocol should not be used.

1. INTRODUCTION

Harn and Hsu [1] recently published a protocol designed to provide authenticated group key establishment. In this brief note, we describe a number of serious security issues with this scheme; in particular, it does not provide the properties claimed.

The remainder of the paper is structured as follows. Section 2 defines the protocol, including the intended context of use. Section 3 then describes a number of serious issues with the protocol. The paper concludes in Section 4.

2. THE HARN–HSU KEY ESTABLISHMENT PROTOCOL

2.1. Context and goals

The protocol is intended for use by a pre-established community of users, and enables any subset (group) of this community to agree on a shared secret key, where this secret key can be chosen and distributed by any member of the community. Group key establishment protocols have been widely discussed in the literature for many years—see, for example, chapter 6 of Boyd and Mathuria [2]. Indeed, the area is so well-established that an ISO/IEC standard for group key establishment [3] was published back in 2011. The threat model for such protocols varies, but typically the goal is that, after completion of the protocol, all participants agree on the same key, they know it is ‘fresh’, and that no parties other than those intended learn anything about the key.

As far as the protocol described by Harn and Hsu [1] is concerned, the following statements are made regarding its intended use and properties:

- ‘In our protocol, each member needs a pair of long-term DH [Diffie–Hellman] private and public keys and the long-term DH public key has been digitally signed by a trusted Certificate Authority (CA)’.
- ‘The group key is determined by an initiator of the group communication and broadcasts the group key to all group members. The initiator can be any member in a group communication. Each group key is used for only one communication session. When a new group communication session is established, a new group key will be generated by an initiator’. From this statement (and the use of ‘long-term’), it is clear that the DH private and public keys are intended for use to establish many group keys.
- ‘The digital certificate of public keys of group members will be used by an initiator to assure that the group key can only be decrypted by legitimate group members but not by any non-members’. This establishes a key goal of the protocol, i.e. to ensure that the established key is only available to the parties intended by the initiator.

Section 2.2 of Harn and Hsu [1] (entitled ‘Types of attackers’) describes the two classes of attackers against which the protocol is intended to be robust, namely insider attackers and outside attackers. The paper states ‘The insider attacker is a legitimate member who knows the group key … [and] is able to impersonate other members in a secure group communication’. As we show in Section 3.4 below, precisely such an insider attack is possible. This contradicts the claim made ([1], Section 2.2.2) that ‘none of these attacks can work properly against our protocol’.

2.2. Related work

The Harn–Hsu protocol uses a combination of secret sharing and DH key agreement. The use of secret sharing as part of a group key establishment protocol is long-established (see, for example, section 6.7.2 of Boyd and Mathuria [2]). However, this approach is known to have shortcomings; in particular the following issue is described in [2].

‘However, when we look at the question of sending different session keys over time, there are some problems. A malicious principal who obtains one key gains information regarding the shares of other principals …’

As we describe below, a related problem arises with the Harn–Hsu scheme. Indeed, the fact that the Harn–Hsu protocol has serious flaws is hardly surprising given the unfortunate history of the area. Back in 2010, Harn and Lin [4] described a group key transfer protocol based on secret sharing which is not only mathematically flawed, but also possesses very serious security issues; this gave rise not only to a number of papers pointing out the flaws (see, for example, [5, 6]), but also to further flawed protocols attempting to ‘fix’ these flaws. Some of the history of this domain can be found in the recent paper of Liu et al. [7].

2.3. The protocol

The following requirements apply for use of the protocol:

- The protocol is designed to work within a set $U = \{U_1, U_2, \ldots, U_n\}$ of $n$ users.
- Integers $p$, $q$ and $g$ must be agreed by all members of $U$, where $p$ is a large prime (a length of 1024 bits is suggested), $q$ is a prime factor of $p-1$ (a length of 160 bits is suggested) and $g$ ($1 < g < p$) is a generator of $\mathbb{Z}_q$.
- All participants must also agree on a one-way hash-function $h$.
- Every user $U_i$ must: have a unique identifier $ID_i$ (an integer satisfying $0 \le ID_i \le q-1$), choose a DH private key $x_i \in \mathbb{Z}_q$, and obtain a CA-signed certificate for the associated public key $y_i = g^{x_i} \bmod q$.

Now suppose user $U_w$ wishes to act as an initiator, and establish a new secret key $K$ between the members of a group of users $U'$ ($U' \subseteq U$). It is not stated explicitly, but the initiator can choose the key $K$ freely (and, presumably, at random). Suppose $U' = \{U_{z_1}, U_{z_2}, \ldots, U_{z_\ell}\}$ for some $\ell$ ($1 \le \ell \le n$), where $1 \le z_i \le n$ for every $i$ ($1 \le i \le \ell$).

Observe that we have made two minor changes to the notation of [1] to avoid possible confusion. Harn and Hsu refer to the initiator as $U_s$, but they also use $s$ to denote an ephemeral secret known only to the initiator. They refer to the members of the group $U'$ as $\{U_{r_1}, U_{r_2}, \ldots, U_{r_\ell}\}$, but they then use $r$ to denote a function of the ephemeral secret $s$.

The initiator proceeds as follows:

1. The initiator selects a one-time (ephemeral) secret $s \in \mathbb{Z}_q$, and computes $r = g^s \bmod q$.
2. The initiator obtains trusted copies of the public keys $y_{z_i}$ of every member of $U'$, e.g. by obtaining and verifying the relevant public key certificates, and for every $i$ ($1 \le i \le \ell$) uses its own private key $x_w$ and the ephemeral secret $s$ to compute a one-time shared secret key $k_{z_i} = (y_{z_i}^{\,x_w + s} \bmod p) \bmod q$.
3. The initiator uses Lagrange interpolation to determine a polynomial $f(x)$ of degree $\ell$ which passes through the following set of $\ell + 1$ points: $\{(0, K), (ID_{z_1}, k_{z_1}), (ID_{z_2}, k_{z_2}), \ldots, (ID_{z_\ell}, k_{z_\ell})\}$, observing that the key $K$ is treated here as an integer in $\mathbb{Z}_q$, i.e. the choice of $q$ constrains the length of the established key $K$.
4. The initiator chooses an arbitrary set $S = \{a_1, a_2, \ldots, a_\ell\}$ of size $\ell$, where $a_i \in \mathbb{Z}_q$ for every $i$ and $S \cap U' = \emptyset$, and computes the $\ell + 1$ public values $(a_1, f(a_1)), (a_2, f(a_2)), \ldots, (a_\ell, f(a_\ell))$ and $h(t \,\|\, K)$, where $t$ is a timestamp.
5. The initiator now broadcasts $r$, $t$ and the $\ell + 1$ public values $(a_1, f(a_1)), (a_2, f(a_2)), \ldots, (a_\ell, f(a_\ell)), h(t \,\|\, K)$ to all members of $U'$.

On receipt of the broadcast, each user $U_{z_i} \in U'$ ($1 \le i \le \ell$) proceeds as follows:

1. $U_{z_i}$ recomputes the one-time secret key (shared with the initiator) as $k_{z_i} = ((r y_w)^{x_{z_i}} \bmod p) \bmod q$.
2. $U_{z_i}$ uses Lagrange interpolation to recompute the polynomial $f(x)$ of degree $\ell$, using the following set of $\ell + 1$ points: $\{(ID_{z_i}, k_{z_i}), (a_1, f(a_1)), (a_2, f(a_2)), \ldots, (a_\ell, f(a_\ell))\}$.
3. $U_{z_i}$ can now recover $K' = f(0)$.
4. $U_{z_i}$ verifies that the received timestamp $t$ is sufficiently recent, computes $h(t \,\|\, K')$, and checks that this equals the received hash value. If so, the recomputed key $K'$ is correct, i.e. $K' = K$, and can be used for group communication.

2.4. Security claims

Amongst others, Harn and Hsu [1] make the following claims regarding the security properties of the protocol:

1. The protocol provides key authentication. The meaning of this is not made completely clear, but it would appear that (and following common use of the term) this means that the group member can verify that the key originates from the claimed initiator and that it is a ‘fresh’ key, i.e. it was sent by the initiator at the time indicated in the timestamp $t$.
2. The security of the secret sharing encryption is unconditionally secure.

3. ANALYSIS

We now describe a number of serious issues with the protocol, including cases where the protocol does not satisfy the security properties claimed of it.

3.1. Missing information

We first observe that, apart from the abuses of notation observed above, the specification is missing certain key elements, including the following:

- It is not explicitly stated that $ID_i$ must be an element of $\mathbb{Z}_q$.
- The message broadcast by the initiator must contain both the identifier of the initiator and the identifiers of the members of the group $U'$. If the latter was not the case, then every user in $U$ would be obliged to attempt to obtain the key $K$, and will only discover they are not a member of the group $U'$ when the hash comparison fails. This would impose a very significant unnecessary computational load on the global user set. Moreover, the intended recipients would not know which other users know the key, making its use problematic.

3.2. Unconditional security

It is claimed that ‘the security of the secret sharing encryption is unconditionally secure’ (see claim 2 of Section 2.4). However, it is easy to see that the only part of the scheme which can be considered as in any sense unconditionally secure is the reconstruction of $f$.
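The following is an added example, not part of the paper, that instantiates the protocol of Section 2.3 with constructed toy parameters (p = 10007, q = 5003, far below the suggested sizes) and checks the observation at the heart of Section 3.4: once a recipient has interpolated f, evaluating it at the other members' identifiers yields every one-time key k_zj. It resolves the notational abuse noted above by exponentiating mod p and reducing mod q, instantiates h as SHA-256 over the concatenation, and uses constructed private keys and identifiers; all of these are assumptions.

```python
import hashlib
import random

# Constructed toy parameters (far below the suggested 1024/160-bit sizes): q | p-1 and
# G generates the order-q subgroup of Z_p^*; exponentiate mod p, then reduce mod q.
P, Q = 10007, 5003                 # p - 1 = 10006 = 2 * 5003
G = pow(2, (P - 1) // Q, P)

def lagrange_at(points, x):
    """Evaluate at x the polynomial over Z_q of degree len(points)-1 through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q   # needs Python 3.8+
    return total

def h(t, k):
    """One-way hash h(t || K), instantiated here as SHA-256 (an assumption)."""
    return hashlib.sha256(f"{t}||{k}".encode()).hexdigest()

def initiator_broadcast(x_w, members, K, t, rng):
    """members: {ID_zi: y_zi}. Returns (broadcast, the k_zi the initiator keeps private)."""
    s = rng.randrange(1, Q)                                       # ephemeral secret
    r = pow(G, s, P)
    k = {i: pow(y, x_w + s, P) % Q for i, y in members.items()}   # one-time keys k_zi
    f_pts = [(0, K)] + list(k.items())                            # f(0) = K, f(ID_zi) = k_zi
    pub = []                                                      # (a_i, f(a_i)), a_i not an ID
    while len(pub) < len(members):
        a = rng.randrange(1, Q)
        if a not in members and a not in dict(pub):
            pub.append((a, lagrange_at(f_pts, a)))
    return (r, t, pub, h(t, K)), k

def recipient_recover(x_i, id_i, y_w, bcast):
    """Recipient side: returns (K', hash check result, the l+1 points of f it now holds)."""
    r, t, pub, tag = bcast
    k_i = pow(r * y_w % P, x_i, P) % Q                            # same k_zi as the initiator
    f_pts = [(id_i, k_i)] + pub                                   # l+1 points: f is fully determined
    K = lagrange_at(f_pts, 0)
    return K, h(t, K) == tag, f_pts

def demo(seed=1):
    rng = random.Random(seed)
    x_w, K = 1234, 4242                                           # initiator's long-term key, group key (constructed)
    priv = {101: 111, 202: 222, 303: 333}                         # ID_zi -> x_zi for U' (constructed)
    members = {i: pow(G, x, P) for i, x in priv.items()}
    bcast, k_secret = initiator_broadcast(x_w, members, K, 20180605, rng)
    K1, ok, f_pts = recipient_recover(priv[101], 101, pow(G, x_w, P), bcast)
    # Section 3.4: U_101 evaluates the recovered f at the other IDs and obtains their k_zj.
    leaked = {j: lagrange_at(f_pts, j) for j in priv if j != 101}
    return K1, ok, leaked == {j: k_secret[j] for j in leaked}
```

The third value returned by `demo()` is the defender-relevant fact: because every k_zj lies on the same public polynomial, the one-time keys are not private to the initiator and each recipient, which is why the freshness of a later broadcast cannot rest on them.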
However, if the discrete logarithm problem can be solved with respect to $g$ in $\mathbb{Z}_p$, then clearly all user private keys can be obtained from their public keys, meaning that anyone with access to the relevant public keys can obtain $K$ from a broadcast. That is, in no sense is the encryption of $K$ unconditionally secure.

3.3. Effects of compromise of a group key

Suppose a group key $K$ is compromised, i.e. it becomes available to a malicious party $M$ (insider or outsider), who also has access to the corresponding broadcast message, i.e. $r, t, h(t \,\|\, K), (a_1, f(a_1)), (a_2, f(a_2)), \ldots, (a_\ell, f(a_\ell))$. $M$ can now, at any time, choose a current timestamp, $t'$ say, and compute $h(t' \,\|\, K)$. $M$ can now impersonate the initiator and send the slightly modified broadcast message $r, t', h(t' \,\|\, K), (a_1, f(a_1)), (a_2, f(a_2)), \ldots, (a_\ell, f(a_\ell))$. This will be accepted as valid by all the recipients of the original (valid) broadcast, i.e. they will accept $K$ as a newly generated, authentic key. This attack can be repeated as many times as $M$ wishes, i.e. $M$ can force continued use of a compromised key indefinitely, breaking key authentication (i.e. claim 1 of Section 2.4).

3.4. Impersonation of an initiator

Suppose user $U_{z_i}$ is a valid recipient of a broadcast, i.e. $U_{z_i} \in U'$; then, since $U_{z_i}$ can compute the polynomial $f(x)$ used in this broadcast, $U_{z_i}$ can also compute all the one-time secret keys $k_{z_1}, k_{z_2}, \ldots, k_{z_\ell}$ for members of the group $U'$, simply by computing $f(z_j)$ for every $j$ ($1 \le j \le \ell$, $j \ne i$). This information enables $U_{z_i}$ to impersonate the valid initiator in a broadcast of a key chosen by $U_{z_i}$ to the original set of recipients (or any subset of the original set of recipients) at any time. The attack works in the following way:

1. $U_{z_i}$ chooses a new key $K^*$ and a current timestamp $t^*$.
2. $U_{z_i}$ uses Lagrange interpolation to determine a polynomial $f^*(x)$ of degree $\ell$ which passes through the following set of $\ell + 1$ points: $\{(0, K^*), (ID_{z_1}, k_{z_1}), (ID_{z_2}, k_{z_2}), \ldots, (ID_{z_\ell}, k_{z_\ell})\}$.
3. $U_{z_i}$ now chooses a set $S^* = \{a_1^*, a_2^*, \ldots, a_\ell^*\}$ of size $\ell$, where $a_i^* \in \mathbb{Z}_q$ for every $i$ and $S^* \cap U' = \emptyset$, and computes the $\ell + 1$ values $(a_1^*, f^*(a_1^*)), (a_2^*, f^*(a_2^*)), \ldots, (a_\ell^*, f^*(a_\ell^*))$ and $h(t^* \,\|\, K^*)$.
4. Finally $U_{z_i}$ impersonates the original initiator to broadcast $r$ (taken from the original valid broadcast), $t^*$ and the $\ell + 1$ values computed in the previous step to all members of $U'$.

It is straightforward to verify that the broadcast will be accepted by all members of the group $U'$. That is, at any time after the original broadcast, any of the recipients of the broadcast can send a new broadcast message containing a new key and timestamp to all the members of the original group, impersonating the original initiator. This insider attack clearly breaks the key authentication property (i.e. claim 1 of Section 2.4), and is also clearly something that the designers of the protocol did not intend to be possible since, as discussed in Section 2.1, insider attackers are part of the Harn–Hsu threat model. Note that this attack relates to the observation made by Boyd and Mathuria [2] regarding the security properties of key establishment protocols based on secret sharing—see Section 2.2.

4. CONCLUSIONS

As demonstrated above, the protocol proposed by Harn and Hsu [1] fails to possess the properties claimed of it. In particular, any valid recipient of a broadcast can successfully impersonate the originator of that broadcast to send a new key to the original set of recipients. Also, if a broadcast key is ever compromised, then any party (insider or outsider) who learns this key can force its reuse indefinitely. This means that the protocol should not be used.

It is important to observe that the Harn–Hsu paper does not include a rigorous security proof using the state of the art ‘provable security’ techniques, nor is there a formal model of security for the protocol. This helps to explain why fundamental flaws exist. Indeed, the following observation, made by Liu et al. [7] with respect to a number of previously proposed but flawed group key establishment protocols, is hugely pertinent.

‘The security proof for each vulnerable GKD protocol only relies on incomplete or informal arguments. It can be expected that they would suffer from attacks.’

It would, of course, be tempting to try to repair the protocol to address the issues identified, but, unless a version can be devised with an accompanying security proof, there is a strong chance that subtle flaws will remain. Certainly the analysis necessary to find the flaws listed above was completed in a couple of hours, and no attempt was made to discover all the possible attacks.

REFERENCES

1. Harn, L. and Hsu, C.-F. (2017) A practical hybrid group key establishment for secure group communications. Comput. J., 60, 1582–1589.
2. Boyd, C. A. and Mathuria, A. (2003) Protocols for Key Establishment and Authentication. Springer-Verlag.
3. International Organization for Standardization, Genève, Switzerland (2011) ISO/IEC 11770-5:2011, Information Technology—Security Techniques—Key Management—Part 5: Group Key Management.
4. Harn, L. and Lin, C. (2010) Authenticated group key transfer protocol based on secret sharing. IEEE Trans. Comput., 59, 842–846.
5. Nam, J., Kim, M., Paik, J., Jeon, W., Lee, B. and Won, D. (2011) Cryptanalysis of a Group Key Transfer Protocol based on Secret Sharing. In Kim, T.-H., Adeli, H., Slezak, D., Sandnes, F. E., Song, X., Chung, K.-I. and Arnett, K. P. (eds.), Future Generation Information Technology – Third International Conference, FGIT 2011 in Conjunction with GDC 2011, Jeju Island, Korea, December 8–10, 2011. Proceedings, Lecture Notes in Computer Science, Vol. 7105, pp. 309–315. Springer-Verlag, Berlin.
6. Nam, J., Kim, M., Paik, J. and Won, D. (2012) Security weaknesses in Harn–Lin and Dutta–Barua protocols for group key establishment. KSII Trans. Internet Inf. Syst., 6, 751–765.
7. Liu, J., Wu, Y., Liu, X., Zhang, Y., Xue, G., Zhou, W. and Yao, S. (2017) On the (in)security of recent group key establishment protocols. Comput. J., 60, 507–526.

Author notes: Handling editor: Fionn Murtagh

This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices)
