An effective key distribution for secure internet pay-tv using access key hierarchies


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2016; 9. Published online 27 October 2016 in Wiley Online Library (wileyonlinelibrary.com)

RESEARCH ARTICLE

Pandi Vijayakumar 1, Ramu Naresh 1, S K Hafizul Islam 2 * and Lazarus Jegatha Deborah 1

1 Department of Computer Science and Engineering, University College of Engineering, Tindivanam, Melpakkam, Tamilnadu, India
2 Department of Computer Science and Engineering, Indian Institute of Information Technology, Kalyani, West Bengal, India

ABSTRACT

Distribution of keys in a Conditional Access System takes a long computation time because a huge number of keys has to be updated whenever a user leaves or joins the system. Moreover, the keys must be delivered securely to the authorized members only. This article therefore designs an effective key distribution protocol for Internet Pay-TV systems that lowers the computation time taken to compute the re-keying information. In the proposed protocol, when the Service Provider needs to refresh the shared secret key and the link values, only a few key updating operations are needed, and they are achieved with four primary operations, namely, hash function, addition, subtraction, and multiplication. The experimental results show that the proposed approach incurs lower computation, communication and storage costs than the other competitive protocols available in the literature. Copyright 2016 John Wiley & Sons, Ltd.

KEYWORDS

key distribution; hash function; access key hierarchy; pay-tv broadcasting; forward secrecy

*Correspondence

S K Hafizul Islam, Department of Computer Science and Engineering, Indian Institute of Information Technology, Kalyani, West Bengal, India. hafi786@gmail.com

1. INTRODUCTION

An Internet-based Pay-TV broadcasting system is one of the most popular applications in which authorized subscribers are charged for the video service broadcast by the Service Provider (SP). The SP is responsible for providing video channels to the authorized subscribers only. The Conditional Access System (CAS) for Pay-TV is a security system in which only the authorized subscribers are allowed to access the broadcast video channels. In general, the existing CAS-based Pay-TV broadcasting systems are classified into two categories, namely, Pay-Per-Channel (PPC) and Pay-Per-View (PPV). In PPC, a subscriber subscribes to one or more group(s) of channels for a fixed period of time. A subscriber can subscribe to an arbitrary combination of channels according to his/her preference instead of a combination pre-arranged by the SP. In this system, authorized subscribers are also allowed to unsubscribe (leave) at any time. However, the SP does not allow a leaving subscriber to access future data; this property is called forward secrecy. On the other hand, new subscribers can also join the system, and the SP does not allow a new subscriber to access past communication; this property is called backward secrecy. The role of the SP is to distribute the updated group-key and link values to the authorized subscribers, so that only the authorized subscribers receive the keys required to decrypt the encrypted program provided by the SP. The key used for encryption (scrambling) and decryption (descrambling) is refreshed frequently, every 5 to 20 seconds. The goal of the proposed key distribution protocol is to ensure that the keys are distributed securely to the authorized subscribers only, so that they can decrypt the video data correctly and obtain the original content. In addition, the proposed key distribution protocol ensures the secure distribution, backward secrecy, and forward secrecy of the group-keys [1,2].

1.1. Our contributions

The first module of the proposed algorithm focuses on creating dynamic groups by allowing the subscriber to choose the available channels based on his/her preferences.

Note that a group member often changes the group, and hence dynamic key generation and update operations are performed frequently. In a real environment these operations need a huge computation time, and thus an effective key distribution protocol is required for the Pay-TV system. To reduce the computation complexity, the proposed access key hierarchy based key distribution protocol performs only simple addition, subtraction, multiplication, and hashing operations. Moreover, the computation complexity is reduced further, and the workload of the SP is shared among the subscribers, by allowing the subscribers to derive keys themselves when the group membership changes. Therefore, the proposed protocol lets the existing subscribers derive the sub level group-keys from the level at which they are registered. The second module of the proposed protocol aims to minimize the communication complexity by sending short messages from the SP to the subscribers. The objective of the third module of the proposed protocol is to reduce the amount of information to be stored by both the SP and the subscribers.

1.2. Roadmap of the article

The remainder of this paper is organized as follows. Section 2 provides a survey of related works. Section 3 explains the proposed system architecture. Section 4 discusses the proposed key distribution protocol. Section 5 discusses the security, performance, and comparative analysis of the proposed protocol. Finally, Section 6 gives the concluding remarks.

2. LITERATURE SURVEY

There are many key distribution protocols [3–16] in the literature. In these protocols, different types of group members obtain a new group-key for encrypting the multimedia data of every session. In 1992, ITU-R 810 [4] defined the requirements for CAS and proposed a three-level hierarchy. In the three-level hierarchy, three keys are used, namely, Control Word (CW), Authorization Key (AK) and Distribution Key (DK). In addition, two messages are used, called the Entitlement Checking Message (ECM) and the Entitlement Management Message (EMM). On the receiver side, both entitlement messages are processed in the security module of the CAS. In order to obtain AK and CW, each security module holds DK. The main drawback of [4] is that privacy cannot be preserved because DK is common to all receivers.

Later, Tu et al. [5] proposed a key distribution protocol for CAS based on a four-level key hierarchy. The protocol proposed in [5] uses CW, AK, Receiving Group-Key (RGK) and Master Private Key (MPK). In this protocol, the key of each level is used to encrypt/decrypt the keys of the previous level. The CW is used to scramble/descramble the programs on the channels, where each channel has a unique CW at any given time. The CWs are updated frequently, every 5 to 20 seconds, for security reasons. The RGK is used to encrypt/decrypt the AK of each group. The MPK is the secret key held by the subscriber in the smart card, and it is used to encrypt/decrypt the RGK. The main drawback of the protocol [5] is that, while it achieves high security using the four-level key hierarchy, its performance is not optimal because updating the Data Encryption Key (DEK) requires a large number of broadcast packets. Huang et al. [16] designed a protocol for period subscription services, which is also based on a four-level key hierarchy. In [16], two efficient key distribution protocols for key updates are introduced for subscription channel protection. The first protocol, called the group-oriented key distribution protocol, is used for subscription channels. In this protocol, channels are organized into disjoint groups, each of which has its corresponding keys, AK and DK. The second protocol, called the rating-oriented key distribution protocol, is used for subscription channels classified by video program ratings. By subscribing to the higher rating channels, the subscriber can also view the lower rating channels. However, this protocol is not secure because all AKs are closely correlated, and thus any subscriber can compute the AKs of other subscribers from his/her own AK.

In 2008, Wang et al. [6] proposed three different protocols to deliver the authorization keys to all legitimate users and to revoke keys without affecting the other users. In these protocols, the users can select any set of predefined packages and channels. Similar to the protocol in [16], these protocols also use a four-level key hierarchy. The range keys are sent to the users as a broadcast message according to their subscription period; this broadcast message is called the channel link. The drawback of these protocols is that the size of the broadcast message is larger than in the other approaches. Based on the properties and advantages of PPC and PPV, Sun et al. [17] put forward a new CAS for Flexible-Pay-Per-Channel (F-PPC). The CAS proposed in [17] is flexible, efficient, and scalable because a binary tree is used for storing and managing the keys. In this protocol, each channel and each group has a binary tree, where users are at the leaf nodes of the group tree and groups are placed at the leaf nodes of the channel tree. The limitation of this approach is that the group-key is updated in an insecure manner, and hence it violates backward secrecy. Kim et al. [18] proposed a system that overcomes this weakness of the CAS of Sun et al. [17]. In order to achieve both forward secrecy and backward secrecy, the following changes are made to the system of Sun et al.: (i) the group-key is updated both when a member joins a group and when a member leaves a group; and (ii) a hash operation is applied in the group-key updating process when a member leaves the group. However, maintaining trees on both the SP side and the subscriber side is difficult, and hence it increases the storage complexity.

To handle frequent updates and dynamic membership changes, Chen et al. [19] proposed a system in which a Linear Key Hierarchy (LKH) is used for group-key management. The way of maintaining the common decryption key of a TV program for a dynamic subscription group of members is called group-key management. The protocol proposed in [19] handles the key update for reconnected members who have missed the group-key updates during their off-line period. However, the computation time and storage required to find the updated key for the off-line users are high. If the number of multiplications or divisions used in the key distribution algorithm is reduced, then the computation complexity can be reduced substantially. Wong et al. [20] presented a key management protocol using key graphs. In this protocol, they explain the creation of a secure group and of key management graphs using star-based and tree-based methods. The main limitation of this approach is its high computational cost at the group center. To compute a tree of keys, Sherman and McGrew [21] proposed a new group-keying method based on one-way functions, called the One-way Function Tree (OFT) protocol. In this method, the keys are computed from the leaf nodes to the root node of the tree. This approach reduces the re-keying broadcast to only log n keys. The major limitation of this approach is its high storage complexity; however, time complexity is more important than space complexity. The storage complexity of the Group Center (GC) is 2nk and that of a group member is lk, where l is the number of levels and k is the key size in bits. Vijayakumar et al. [22] presented a new binary tree-based key distribution protocol that reduces the computation time taken to compute the re-keying information; the re-keying is performed with simple mathematical operations like XOR and multiplication whenever there is a change in the multicast group. The main limitations of this approach are its high storage and communication complexities.
In this article, we focus on reducing the computation, storage, and communication complexity. Therefore, we propose a new access key hierarchy based protocol that reduces the computational complexity by reducing the required number of multiplication operations. We also let the group members of the various groups derive the keys required for accessing the various channels located as a group or as an individual channel in the access key hierarchy. Moreover, in the proposed protocol, each user stores only the minimum amount of information needed for recovering the updated sub group-key and group-key when there is a change in the group membership.

3. SYSTEM ARCHITECTURE

The list of notations used in this article is given in Table I. The proposed system architecture, shown in Figure 1, explains the process of the secure Pay-TV system. In this architecture, users subscribe to the TV programs by registering with the SP. After successful registration, each user is identified by a unique identity and an MPK, both issued by the SP. This subscription information is used to classify the subscribers into N receiving groups. The subscribers in the same receiving group, who are subscribed to a particular list of channels, are assigned a sub group-key and a group-key. When any subscriber changes the subscribed channels or leaves the entire system, the corresponding sub group-key and group-key must be updated to achieve forward secrecy. Similarly, when a new user joins the system, the sub group-key and group-key are updated, which provides backward secrecy. In order to provide forward and backward secrecy, the key hierarchy proposed in our system makes use of the existing four-level key hierarchy, which contains four keys, namely, CW, sub group-key, group-key and MPK. The CW is used as a seed to generate a pseudo-random sequence, and the TV program stream is scrambled with the generated sequence. The group-key is used to encrypt the CW, and the sub group-key is used to spread the group-key securely: once the sub group-key is known to the subscribers, it is used to encrypt the group-key so that the group-key reaches them in a secure way. The CAS contains the following phases: (i) initial phase; (ii) user registration; (iii) subscription phase; and (iv) key updation and distribution phase. The CAS [23] is the major block, which delivers the video signal securely to a group of authorized subscribers. The main advantage of designing a four-level hierarchy in the CAS is to deliver the CW securely; in our CAS, the group-key and the sub group-key are used for this purpose. The main contribution of our proposed algorithm lies in the initial phase and in the key updation and distribution phase used on the subscriber's side.

Figure 1. The proposed system architecture.

3.1. Initial phase

The initial phase is used to construct a Directed Acyclic Graph (DAG). The nodes of the DAG hold the receiving group information, which contains a single channel or a group of channels. The SP assigns a group-key to each node and generates an Access Key Hierarchy (AKH) for each receiving group G_j. The leaf nodes of the DAG are filled with an individual channel and its group-key.
This DAG is stored in the database maintained by the SP.

3.2. User registration phase

This phase is invoked when a new subscriber u_k joins the Pay-TV system. When a new user joins, a secure unicast connection is established using Secure Socket Layer (SSL), over which the SP assigns a unique identity u_k and delivers the master private key MPK_k. The newly assigned MPK_k is used to update the sub group-key (SGK_j). When a subscriber u_k subscribes to some channels, the SP classifies u_k into the corresponding receiving group G_j. After that, the SP transmits to u_k all the necessary secret information and the public link values L_k, including SGK_i and K_i (the group-key) for all the channels available in the group. These public link values and key values are stored in the set-top box on the subscriber's side of the Pay-TV system.

3.3. Subscription phase

After successful registration, each u_k can select a set of channels according to his/her choice. After the channel selection, the SP generates a sub group-key and delivers it to each registered user in a secure way using MPK_k. Once the sub group-key is delivered, the group-key is generated, encrypted with the corresponding sub group-key, and sent as a multicast message. In this way, the sub group-key and the group-key are delivered to the registered users, and all these values are stored in the user's database. Based on the channels selected by the new user, he/she is placed in one of the nodes of the AKH. The group-key K_i of that node is sent to u_k encrypted with the sub group-key. The link values of that node are sent as a broadcast message to the subscribers who are registered to that node.

3.4. Key updation and distribution phase

When a user joins or leaves the system, all the old keys known to the leaving user need to be updated. In this phase two keys, namely the sub group-key and the group-key, are updated.

3.4.1. Sub group-key updating phase. When a user u_k leaves a group G_j, its SGK_j is updated. The SP then broadcasts the message {Leave, u_k} to notify all other subscribers of G_j. Now, all the subscribers of G_j other than u_k obtain the new sub group-key.

3.4.2. Group-key updating phase. The group-key updating phase is invoked in three situations. Firstly, when a user u_k of the group G_j is suspended from the system, the group-key of the corresponding node subscribed by u_k has to be updated. Secondly, when u_k of the group G_j unsubscribes from the system, the group-key needs to be updated. Finally, when a new user u_j wants to join the existing group G_j, the group-key needs to be updated. The updated group-key is used to encrypt the CW, which in turn scrambles/descrambles the multimedia data.

4. PROPOSED PROTOCOL

The proposed protocol consists of four phases, namely the initial phase, the registration phase, the subscription phase, and the key updation and distribution phase. The proposed protocol makes use of the AKH approach for efficient key distribution in the Pay-TV broadcasting system. The AKH is represented as a DAG in which each node contains a group-key, which is used by the users attached to that particular node. Note that each edge of the AKH carries a public link value L_i. In addition, each user can derive the lower level key values by using his/her own group-key value K_i and a set of link values L_i.

4.1. Initial phase

In the initial phase, the DAG is constructed at the SP side. In the DAG, each node represents one of the combinations of channels c_i and contains a group-key value K_i. Moreover, the SP also generates the group-key values and link values during this period, and stores the generated group-keys and link values in its database. If there are N channels in the system, then there are N levels and 2^N − 1 nodes in the AKH. In the AKH, the nodes are connected by L links. The key K_i is the group-key value shared by the users registered for a particular node, and the link values L_i are made public to all the users registered in the system. In the DAG, each leaf node contains a single channel along with its group-key, and the root node contains all the channels available in the Pay-TV system. Furthermore, a user can subscribe to the channels located in any node and at any level of the DAG. Based on the user's subscription to a particular node or set of channels in the DAG, the corresponding group-key value K_i and link values L_i are issued to the user/subscriber. This key is used by the subscriber to derive the lower level group-keys of the subscribed channels: a user at a higher level uses a one-way hash function to derive the lower level group-key values. The one-way hash function used in the proposed protocol is H : {0, 1}* → {0, 1}^p, where p is a large prime number [24–28]. The following equation is used to find the link values L_i:

L_i = H(K_ij) + K_i (1)

The lower level group-key values K_i are derived from the link values as follows:

K_i = L_i − H(K_ij) (2)

where K_i denotes the group-key value of the lower level node and K_ij denotes the group-key value of the higher level node. The DAG structure shown in Figure 2 illustrates this discussion.
If a user subscribes to channels at the (N − 1)th level of the DAG, the key value K_i of the corresponding node and the link values L_i of its child nodes are given to that subscriber by the SP. Figure 2 represents the overall tree structure containing the group-keys and link values for a Pay-TV broadcasting system with four channels. The root node contains all four channels c_1, c_2, c_3 and c_4; the users who subscribe to the root node can view all the channels contained in that node. When a user subscribes to one of the intermediate nodes, the subscriber can view all the leaf node channels connected to that particular node. For example, when a user subscribes to the set of channels c_1, c_2 and c_4, the SP provides the group-key value K_124 and the link values L_14, L_15, L_16, L_17, L_18, L_25, L_26, L_27 and L_28. From these link values and the group-key value K_124 provided by the SP, the user can derive the group-key values of the subscribed channels c_1, c_2 and c_4 using Equation (2). In order to derive the lower level group-key values, we use a pruning method in this paper. The pruning method avoids visiting redundant nodes in the AKH and improves the computation and storage complexities. For example, when a user registers for the root node c_1, c_2, c_3, c_4 shown in Figure 2, the user generates only the two sublevel group-keys of the nodes c_1, c_2, c_3 and c_2, c_3, c_4, which in turn generate the group-key values of c_1, c_2 and c_3, c_4 located at the next level. From these two nodes, the user generates the individual channel keys of c_1, c_2, c_3 and c_4 located at the leaf nodes.

Figure 2. Access key hierarchy for "four" channels.

4.1.1. Construction of sub level graph. Let us consider the situation at an intermediate level, where two different nodes located at the higher level are connected to the same leaf node with different link values. The construction of the sub level group-key value from the link values and the higher level group-key values is shown in Figure 3. For example, consider the Pay-TV system with "four" channels shown in Figure 2. It is represented by an AKH in which the (N − 1)th level has a maximum of "six" nodes with "two" channels in each node. The link values are computed by the SP. After the link values are computed, the SP issues the link values required by the users who have registered for level N − 1. From the issued group-key and link values, each subscriber derives the group-key values of the lower level nodes. Figure 3 shows the subgraph construction for deriving the group-key of the channel c_1 from c_1 c_2 and c_1 c_3, with the L_i values generated using Equation (1).

4.2. Registration phase

The second phase of the proposed protocol is the member registration phase, in which each member sends a registration request to the SP and obtains a unique secret key MPK_k and a unique identity u_k. The MPK_k is given securely, using SSL, to the subscribers registered in the Pay-TV system. The MPK_k is mainly used for updating the sub group-key of each node.

4.3. Subscription phase

After successful registration, the user u_k becomes an authenticated user, and hence he/she can select a set of channels according to his/her choice. After the channel selection, the SP sends SGK_i and the links L_i to all the newly joined users. All these values are stored in the user's storage space. According to the channels selected by the new user, he/she is placed in one of the nodes of the AKH. The group-key of that node is sent to u_k encrypted with the sub group-key. The link values of that node are sent as a broadcast message to the subscribers who are registered to that node.

Figure 3. Sub graph of access key hierarchy.

Table I. List of notations.

Symbol    Description
CAS       Conditional Access System
PPC       Pay-Per-Channel
PPV       Pay-Per-View
CW        Control Word
AK        Authorization Key
DK        Distribution Key
ECM       Entitlement Checking Message
EMM       Entitlement Management Message
DEK       Data Encryption Key
RGK       Receiving Group-Key
MPK       Master Private Key
F-PPC     Flexible-Pay-Per-Channel
LKH       Linear Key Hierarchy
OFT       One-way Function Tree
K_i       Group-Key
SGK_i     Sub Group-Key
L_i       Link value
GC        Group Center
AKH       Access Key Hierarchy
DAG       Directed Acyclic Graph
SP        Service Provider
p         A large prime number
Z_p^*     A multiplicative group
u_k       The k-th subscriber (user)
I_k       The identity of u_k chosen by SP
MPK_k     The master key of u_k chosen by SP
H()       One-way hash function, where H : {0, 1}* → {0, 1}^p

4.4. Key updation and distribution phase

In this phase, the sub group-key and the group-key are updated to provide forward secrecy and backward secrecy. The key updating phase does not take much computation time for a user join operation, because the old group-key, which is not known to the newly joined user, is used for communicating the new group-key. However, updating the group-key when a user leaves the system takes more computing power [9], and hence this paper focuses more on the user leave operation.

4.4.1. User leave. When a subscriber leaves the system, the sub group-key, the group-key, and the links (L_i) known to that subscriber need to be updated to provide forward secrecy. The sub group-key is updated using the method described in [8]. The SP selects a large prime p to define the multiplicative group Z_p^*. It also selects a small prime q for each node of the AKH, where p > q; q is used to fix a threshold value equal to a + q. (The Greek symbol the paper uses for this threshold value is not preserved in this transcription.)
Here, a is randomly selected from Z_p^*, and hence when a increases the threshold value also increases. Note that a different threshold value is assigned to each node of the AKH. Whenever a new user u_k is authorized to join a node of the AKH for the first time, the SP chooses a secret key MPK_k randomly from Z_p^* and sends it to u_k over a secure unicast channel. It is to be noted that all MPK_k of the users registered for a particular node of the AKH must be greater than the threshold value of that node; if this condition is not satisfied, then a must be adjusted so that every MPK_k exceeds the threshold. Using this MPK_k, the sub group-key and a group-key K_i are given to the user u_k and kept in the storage space of u_k. The following steps describe the key updating process performed at the SP for a member leave operation (the symbols of the sub group-key and of the intermediate value in Equations (3) and (5) to (7) are likewise not preserved in this transcription).

(1) The SP selects β randomly from Z_p^* for each user u_k.
(2) The SP computes the sub group-key as SGK = βa mod p. (3)
(3) The SP calculates g = ∏_i MPK_i, the product of the MPK_i of the users registered at the node. (4)
(4) The SP computes d from the threshold value and g, together with x and y, using the Extended Euclidean algorithm [29], so that the threshold value times x plus y times g equals d. (5)
(5) The SP multicasts (β, x, p, q, d) to the group members.

Upon receiving (β, x, p, q, d), each user u_k of the current group executes the following steps to obtain the new sub group-key:

Compute x_1 = x mod MPK_i.
Compute x_1^{-1} mod MPK_i. (6)
Find the sub group-key SGK from the value of Equation (6) together with β, d and q, reduced mod p. (7)

After updating the sub group-key, the group-key is randomly generated and the link values are generated from the new group-key using Equation (1). The new group-key is sent to the users subscribed to that node using the updated sub group-key: the new group-key of the node where the leave operation takes place is encrypted with the newly updated sub group-key and sent as a multicast message to the remaining group members. The updated group-key is also transmitted to the subscribers who have subscribed to the same channel but are located at an upper level, encrypted with the upper level group-key. For instance, consider a subscriber who has subscribed to the channels c_1 and c_3 and wishes to leave the system. Therefore, the group-key value K_13 and the link values L_19 and L_20 are modified by the SP. The updated group-key is delivered to the other users subscribed to c_1 c_3 by a multicast message. To inform the other users who are at a higher level, the updated group-key is sent as a multicast message encrypted with their corresponding node group-key value; for instance, the subscribers registered at c_1 c_2 c_3 and c_1 c_3 c_4 receive the updated key encrypted with their own group-keys K_123 and K_134. Therefore, the overall communication cost of the user leave operation in the proposed algorithm is two multicast messages, one for delivering the sub group-key and another for delivering the updated group-key, and one broadcast message for delivering the link values.

4.4.2. User join. When a new subscriber u_l joins the Pay-TV broadcasting system, the sub group-key, the group-key, and the link values need to be updated to achieve backward secrecy. Initially, the sub group-key and the group-key values are updated, encrypted with the old group-key, and multicast to the existing group members. For u_l, the updated sub group-key and group-key are encrypted with MPK_l (the secret key of u_l) and unicast to u_l. The updated group-key is also transmitted to the subscribers who have subscribed to the same channel and are located at the upper level, encrypted with the upper level group-key value. After these values are modified, the public link values are updated and broadcast to all the group members. Thus, the overall communication complexity of the user join operation of our proposed algorithm is one multicast, one unicast, and one broadcast operation.

5. SECURITY AND PERFORMANCE ANALYSIS OF THE PROPOSED PROTOCOL

In this section, we discuss the security analysis and the performance analysis of the proposed protocol. In addition, we compare the proposed protocol with the related protocols.

5.1. Security analysis

This subsection analyzes the proposed algorithm with respect to collusion attacks, forward secrecy, and backward secrecy. The assumption of the implemented protocol is that an adversary might have been a group member at some time and that the SP keeps all users' MPKs secret. In addition, we also assume that each user keeps his/her MPK value secret.

5.1.1. Collusion attack. A collusion attack is one in which two or more adversaries act as legitimate members while they are in the group and then cooperatively try to compute the updated group-key after leaving the group. In the proposed protocol, SGK_i and K_i are updated after a leave operation is performed in a multicast group. The SGK_i value is updated by first dividing the g value by MPK_i to obtain a new g'. Next, a new β is generated to find a new

x and d, and these are sent as a multicast message to the existing group members. From the newly multicast tuple (ˇ, x, p, q, d), user u_i cannot find the newly computed SGK_i because his/her MPK_i value is excluded from g′. The same holds if any number of previous users cooperatively try to compute the newly computed SGK_i.

The following scenario describes a collusion attack in which two adversaries act as legitimate members. Suppose that u_1 is an adversary A who knows the key values MPK_1, SGK_j, and K_j, and u_3 is an adversary B who knows the key values MPK_3, SGK_j, and K_j at time (t − 2). At time (t − 1), A leaves the group holding the keys MPK_1, SGK_j, and K_j. B receives the rekeying message SGK′_j from SP at time t and computes K′_j. At time (t + 1), B leaves the group holding the three keys MPK_3, SGK′_j, and K′_j. A and B then exchange their known key values MPK_1, MPK_3, SGK_j, SGK′_j, K_j, and K′_j. However, using these values, A and B cannot cooperatively find the updated group-key K″_j, which is broadcast at time (t + 2), in a feasible amount of time, since their MPK_i values are excluded from g′.

5.1.2. Forward secrecy.

Here we consider the complexity for an old subscriber of computing the newly updated sub group-key in the proposed protocol, i.e. of breaking forward secrecy. The time taken to find the newly updated sub group-key depends on the method used to calculate u_k's secret key MPK_k within a polynomial time bound. In this protocol, SP distributes (ˇ, x, p, q, d) to the group members through multicast communication, as explained for the collusion attack (Section 5.1.1). Hence, an attacker who is not a previous group member can try to capture all the distributed elements and, from them, try to find the sub group-key; this value is computed using the secret key MPK_k of u_k. If the attacker is not an active adversary (i.e., not a previous member of the multicast group) and captures (ˇ, x, p, q, d), he/she can attempt to recover MPK_k of u_k by brute force. If MPK_k is w bits long, the probability of guessing it is 1/2^w, which is negligible. For example, for a 64-bit MPK_k and one attempt per second, an exhaustive search needs 2^63 attempts on average, i.e. 2^63 s ≈ 2.92 × 10^11 years (about 292 billion years). Therefore, when a large MPK_k is used, it is computationally infeasible to find the sub group-key, and hence it cannot be computed by such an adversary. Note that this bound covers exhaustive search of MPK_k only; a sufficiently large MPK_k is a necessary condition for forward secrecy, and the argument does not by itself address other ways of extracting information from the multicast tuple.

5.1.3. Backward secrecy.

The SGK is updated each time a user joins the group, first by multiplying MPK_i with g to obtain a new g′; next, a new ˇ is generated to find new x and d, as explained for the collusion attack. From the newly multicast tuple (ˇ, x, p, q, d) and the new g′, a newly joined user cannot find the previously used SGK, because his/her MPK value was not included in the old g. Therefore, it is not possible for a newly joined user to compute the old SGK and GK values and view past communications.

5.2. Computation complexity of pruned Access Key Hierarchy

This subsection explains how the computation complexity of our proposed approach is measured. The computation time is defined as the time taken to find the new group-keys for all the nodes from the node in which the join/leave operation is performed down to the leaf nodes. If the Pay-TV system contains M channels, then the total number of nodes generated by the AKH is 2^M − 1. Some of these nodes are redundant nodes, which are detached from the AKH when the lower-level group-key values are computed. After removing the redundant nodes, the tree has (4M − 7) nodes whose keys are to be updated when a member leaves the Pay-TV system. If the root node of the AKH contains M channels, then the AKH has M levels.

Therefore, the number of nodes affected by a change in group membership is computed in three steps. First, the root node to which the user has registered is affected, so one key is to be updated. Second, all the last-level nodes located under the registered node are affected, which requires another M keys to be updated. Finally, the affected nodes located between the root and the leaf nodes are the intermediate nodes. The total number of intermediate nodes affected in any AKH is (M + 2i), where i = 0, 1, 2, ..., k; i = 0 when M = 4, i = 1 when M = 5, and i = K − 4 when M = K. Therefore, the total number of keys to be updated when a single rekeying or batch rekeying operation is performed in the AKH, counted from the node in which the membership change occurs down to the leaf nodes, is

    CT = M + 1 + (M + 2i)    (8)

where i = K − 4 and K = M is the number of channels available in the system (M ≥ 4). Substituting this value in (8),

    CT = M + 1 + (M + 2(M − 4))
       = M + 1 + (M + 2M − 8)
       = 2M + 1 + 2M − 8
       = 4M − 7    (9)

Thus, the overall computation time for updating all the group-keys of the AKH is proportional to (4M − 7).

5.3. Performance analysis

In this section, we compare the proposed protocol with the well-known key distribution protocols proposed in [17,19–22,30]; the comparative results are shown in Tables II, III, and IV, respectively. These key distribution protocols are classified into two categories, namely system-defined protocols and user-defined protocols. The protocols in [19–21,30] are system defined, where all the groups are pre-arranged by SP. The protocols proposed in

[17,22] and the proposed protocol are user-defined, where the subscribers can freely choose the channels without any constraints. Tables II, III, and IV compare the overall storage cost, communication cost, and computation cost of the proposed protocol with the existing key distribution protocols, namely the F-PPC protocol [17], the Group-Key Management (GKM) protocol [19], the LKH protocol [20], the OFT protocol [21], the Exclusive OR (XOR) protocol [22], and the Secure Key Distribution (SKD) protocol [30]. The notations used for the comparisons are defined as follows: N is the number of subscribers, G is the number of groups, J is the number of users who join the group, and L is the number of users who leave the group. The notations t_enc, t_dec, t_mod, t_m, t_app, t_inv, t_s, t_h, and t_x denote the computation time taken to perform encryption, decryption, modulo division, multiplication, appending, inverse, subtraction, hashing, and XOR operations, respectively. These operations are performed in the various approaches for computing the sub group-key and group-key values; n_j denotes the number of users who do not belong to a particular group G_i, and L_i denotes the number of links used in the proposed protocol.

Table II. The storage cost of various protocols.

Protocol | Group | SP side | User side: member secret key | User side: public values
F-PPC, Sun et al. [17] | User defined | M(2^(log2 G + 1) − 1) + G(2^(log2 N + 1) − 1) + N | M(log2 N + log2 G) + 1 | 2
GKM, Chou et al. [19] | System defined | 2N − 1 | ⌈log2 N + 1⌉ | 2N − 2
LKH, Wong et al. [20] | System defined | N + 1 | ⌈log2 N + 1⌉ | 2⌈log2 N⌉(J + L)
OFT, Sherman et al. [21] | System defined | 2N | ⌈log2 N + 1⌉ | ⌈log2 N⌉(J + L)
XOR, Vijayakumar et al. [22] | User defined | M(2^(log2 N + 1) − 1) | M⌈log2 N⌉ | -
SKD, Lin et al. [30] | System defined | 3N − 1 | 2⌈log2 N + 1⌉ | 2⌈log2 N⌉L
Proposed | User defined | 3(4M − 7) + N + L_i | 2 + (4M − 7) | L_i

GKM, Group-Key Management; LKH, Logical Key Hierarchy; OFT, One-way Function Tree; XOR, Exclusive OR; SKD, Secure Key Distribution; SP, Service Provider.

Table III. The communication cost of various protocols.

Protocol | User join | User leave
F-PPC, Sun et al. [17] | 2t_broad + (log2 N + log2 G)t_mul | 2t_mul + 2t_broad
GKM, Chou et al. [19] | 2t_uni | (2⌈log2 N⌉ − 3)t_mul
LKH, Wong et al. [20] | 2⌈log2 N⌉t_mul + t_uni | ⌈log2 N⌉t_mul
OFT, Sherman et al. [21] | ⌈log2 N⌉t_mul + (⌈log2 N⌉ + 1)t_uni | ⌈log2 N⌉t_mul
XOR, Vijayakumar et al. [22] | M[2t_uni + t_mul] | M⌈log2 N − 1⌉t_mul
SKD, Lin et al. [30] | ⌈log2 N⌉t_uni | ⌈log2 N⌉t_mul
Proposed | t_mul + t_uni + t_broad | 2t_mul + t_broad

GKM, Group-Key Management; LKH, Logical Key Hierarchy; OFT, One-way Function Tree; XOR, Exclusive OR; SKD, Secure Key Distribution.

Table IV. The computation cost of various protocols.

Protocol | User join | User leave
F-PPC, Sun et al. [17] | Backward secrecy is not provided | M t_x + [n_j t_h] + t_x
GKM, Chou et al. [19] | ⌈log2 N⌉t_h + t_h | (⌈log2 N⌉ − 2)t_dec + t_h + t_dec
LKH, Wong et al. [20] | ⌈log2 N⌉t_dec + ⌈log2 N⌉t_dec | ⌈log2 N⌉t_dec + ⌈log2 N⌉t_dec
OFT, Sherman et al. [21] | 2⌈log2 N⌉t_h + t_dec + 2⌈log2 N⌉t_h + t_dec | 2⌈log2 N⌉t_h + t_dec + 2⌈log2 N⌉t_h + t_dec
XOR, Vijayakumar et al. [22] | 2t_enc | M(log2 N · log2(N + 1) / 2)(t_x + t_app + t_mod)
SKD, Lin et al. [30] | ⌈log2 N⌉t_h + t_h | (⌈log2 N⌉ − 1)t_dec + t_h + (⌈log2 N⌉ − 1)t_dec + t_h
Proposed | t_dec + (4M − 7)(t_h + t_s) | t_m + t_mod + t_inv + (4M − 7)(t_h + t_s)

GKM, Group-Key Management; LKH, Logical Key Hierarchy; OFT, One-way Function Tree; XOR, Exclusive OR; SKD, Secure Key Distribution.
The notations t_mul, t_uni, and t_broad represent the time taken for the multicast, unicast, and broadcast messages, respectively. The computation cost is the actual time taken to compute the sub group-key and group-key on the SP side and on the subscriber (user) side.

The communication cost is defined as the number of messages sent by SP to the subscribers in order to perform the key updating operation. The storage cost is defined as the amount of information to be stored by SP and by the group members for recovering the necessary keys. In the proposed protocol, the overall computation complexity denotes the time taken to derive the lower-level group-key on the subscriber side when a subscriber leave operation is performed (refer to formula (10)). This is the worst-case complexity, computed when the subscribers register for all M channels available in the system. Suppose instead that the subscribers subscribe to an average number of channels M_avg; the same formula (10) then gives the average computation complexity of the proposed protocol. In addition, each subscriber has to perform one multiplication, one multiplicative inverse, and one modulo division operation for computing the sub group-key in Z_p*.

Figure 4. Latency time measurement for various key management protocols. LKH, Logical Key Hierarchy; SKD, Secure Key Distribution; GKM, Group-Key Management; OFT, One-way Function Tree; F-PPC, Flexible-Pay-Per-Channel; XOR, Exclusive Or.

Figure 5. Computation time for key updating at the Service Provider side. LKH, Logical Key Hierarchy; SKD, Secure Key Distribution; GKM, Group-Key Management; OFT, One-way Function Tree; F-PPC, Flexible-Pay-Per-Channel; XOR, Exclusive Or.

Figure 6. Computation time for the key recovery process at the subscriber's side. LKH, Logical Key Hierarchy; SKD, Secure Key Distribution; GKM, Group-Key Management; OFT, One-way Function Tree; F-PPC, Flexible-Pay-Per-Channel; XOR, Exclusive Or.

Thus, the average computation complexity of the

proposed protocol is

    t_m + t_mod + t_inv + (4M − 7)(t_s + t_h)    (10)

where M is the number of channels available in a particular node or in the entire Pay-TV system, t_s is the time to perform one subtraction operation used to derive the lower-node group-keys, and t_h is the time to perform one one-way hash operation used for the same derivation. In contrast, in [22] the computation complexity of a user leave operation is

    M · (log2 N · log2(N + 1) / 2) · (t_x + t_app + t_mod)    (11)

where log2 N · log2(N + 1) / 2 is the number of affected key nodes in the binary key tree used in the protocol [22]. For each node, the subscriber has to perform one XOR operation, one appending operation, and one modulo division operation, denoted t_x + t_app + t_mod. If all subscribers have registered for all M channels, this has to be repeated M times. Similarly, the computation complexity of a user join operation is t_dec + (4M − 7)(t_s + t_h), which is higher than that of the protocol in [22]. However, the XOR-based approach in [22] has higher communication and storage complexity. For the user leave operation, the proposed protocol has lower computation complexity than all the existing protocols other than the protocol in [17]; however, the protocol in [17] does not provide backward secrecy and has higher communication complexity. Therefore, the performance of the proposed system is better with respect to overall complexity when it is compared with the other existing protocols designed in [17,19–22,30].

The storage cost of a subscriber is determined by the number of channels registered by that particular subscriber. If a subscriber has registered for a large number of channels, then he/she has to store more keys than a user who has subscribed to fewer channels.
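The subscriber-side derivation counted in formula (10), one hash and one subtraction per lower node, and the forward-secrecy argument of Section 5.1 are easier to see in code. The following Python is an added illustration written for this edit, not the paper's implementation: the link formula L = (H(K_parent) − K_child) mod 2^n, the use of SHA-256 as the one-way hash, the 256-bit key size, and the full (unpruned) lattice of channel subsets are assumptions made here; the paper's Equation (1) and its pruning of redundant nodes are not reproduced.

```python
# Added illustration (not the paper's code): an access-key hierarchy (AKH)
# over channel subsets with public link values.
# ASSUMED construction: a node is a non-empty subset of the channels; for
# each edge parent -> child (child = parent minus one channel) the SP
# publishes  L(parent, child) = (H(K_parent) - K_child) mod 2^n,  so that a
# subscriber holding K_parent recovers  K_child = (H(K_parent) - L) mod 2^n
# with one hash and one subtraction per edge.  K, L, H, MPK follow the
# paper's names; the formula itself and SHA-256 are assumptions.
import hashlib
import secrets
from itertools import combinations

NBITS = 256
MOD = 1 << NBITS


def H(key):
    """One-way hash of a group-key, mapped back into Z_{2^NBITS}."""
    digest = hashlib.sha256(key.to_bytes(NBITS // 8, "big")).digest()
    return int.from_bytes(digest, "big")


class AKH:
    """Service-provider view: secret node keys plus the public link values."""

    def __init__(self, channels, rng=secrets.randbelow):
        self.rng = rng                      # rng(n) -> integer in [0, n)
        self.channels = tuple(channels)
        # every non-empty subset of the M channels is a node: 2^M - 1 nodes
        self.keys = {}
        for r in range(len(self.channels), 0, -1):
            for combo in combinations(self.channels, r):
                self.keys[frozenset(combo)] = rng(MOD)
        self.links = {}
        self._recompute_links(set(self.keys))

    @staticmethod
    def children(node):
        """Immediate lower-level nodes: drop one channel from the subset."""
        return [node - {c} for c in node] if len(node) > 1 else []

    def _recompute_links(self, touched):
        """Republish every link on an edge whose parent or child key changed."""
        for parent in self.keys:
            for child in self.children(parent):
                if parent in touched or child in touched:
                    self.links[(parent, child)] = (H(self.keys[parent]) - self.keys[child]) % MOD

    def leave(self, node):
        """A member of `node` leaves.  The leaver could already derive every
        key below `node`, so the node and all of its descendants get fresh
        keys (forward secrecy); links touching a changed node are republished.
        Returns the set of rekeyed nodes."""
        changed = {n for n in self.keys if n <= node}
        for n in changed:
            self.keys[n] = self.rng(MOD)
        self._recompute_links(changed)
        return changed

    def derive(self, start, start_key, target):
        """Subscriber side: from K_start derive K_target for target a subset of
        start, using only public links.  Going 'up' is impossible because it
        would require inverting H."""
        if not target or not target <= start:
            raise ValueError("target must be a non-empty subset of the held node")
        node, key = start, start_key
        for c in sorted(start - target):
            child = node - {c}
            key = (H(key) - self.links[(node, child)]) % MOD
            node = child
        return key


def demo():
    """The paper's example: a subscriber of {c1, c3} leaves the system."""
    akh = AKH(("c1", "c2", "c3"))
    node13 = frozenset({"c1", "c3"})
    k13_old = akh.keys[node13]          # delivered to the subscriber at join time
    c1 = frozenset({"c1"})
    assert akh.derive(node13, k13_old, c1) == akh.keys[c1]     # works before leaving
    changed = akh.leave(node13)
    stale = akh.derive(node13, k13_old, c1) == akh.keys[c1]    # must fail afterwards
    return changed, stale


if __name__ == "__main__":
    changed, stale = demo()
    print("rekeyed nodes:", sorted(sorted(n) for n in changed))
    print("old K_13 still derives the new K_1:", stale)
```

Running it rekeys {c1, c3}, {c1} and {c3} and reports False for the stale-key check. The point to carry over to any AKH design is that refreshing K_13 alone is not enough when a subscriber of c_1 c_3 leaves: that subscriber has already derived K_1 and K_3, so every node below the affected one needs a fresh key, which is exactly the set of nodes the (4M − 7) term in (10) counts, while a subscriber holding only K_1 can never reach K_13 because the links only lead downwards.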
In general, if a subscriber has registered for M channels, then (4M − 7) group-keys have to be stored in the subscriber's storage space. Moreover, the subscriber has to store the additional keys MPK and sub group-key, and the necessary public values L_i. Therefore, the overall storage cost SC (other than L_i) of a subscriber in our proposed approach is

    SC = SGK + MPK + (4M − 7)K    (12)

where SGK and K represent the storage cost of the sub group-key and of a group-key, respectively. Hence, the overall storage cost of a subscriber is 2 + (4M − 7) from Equation (12), where "2" represents the storage used for one sub group-key and one MPK. The storage cost of a subscriber is a less important issue than the SP-side storage cost. The storage cost of SP can be formulated as

    3(4M − 7) + N + L_i    (13)

where 3(4M − 7) represents the three permanent storage locations per node of the AKH for the three types of values, namely the sub group-key, the group-key, and g; N denotes the storage for the N subscribers' MPK values; and L_i denotes the public values used in the AKH. Hence, the storage cost of the proposed approach is lower than that of the other protocols in [17,19–22,30].

The communication cost of the proposed approach when a user joins or leaves a channel is summarized in Table III. When a user joins a suitable group, it requires (t_mul + t_uni + t_broad) messages transmitted from SP. When a new user joins an existing group, SP updates the sub group-key and group-key, encrypts them using the old group-key, and sends them as a multicast message to the existing group members, which cannot be decrypted by the newly joined user. Similarly, SP encrypts the updated sub group-key and group-key using the MPK of the newly joined user, which takes one unicast. After the sub group-key and group-key have been updated, the link values L_i are sent as a broadcast message.

In protocol [17], two broadcast messages are needed to inform RGK and the auxiliary information in a secure way. In addition, it takes (log2 N + log2 G) multicast messages so that the newly joined user can store log2 G additional secret numbers for each group and log2 N authorization keys. From this, it is clear that the proposed approach has lower communication complexity than all the other existing approaches in [17,20–22,30], except the protocol in [19], which takes only two unicast messages but is a system-defined approach. Similarly, in the user leave case, the proposed approach takes 2t_mul + t_broad messages transmitted from SP. The first multicast message informs (ˇ, x, p, q, d) to the existing group users. The second multicast message carries the new group-key of the node where the leave operation takes place, encrypted using the newly updated sub group-key, to the remaining group members. Therefore, the proposed system greatly reduces the communication cost of the user leave operation compared with the other approaches.

The proposed method has been implemented in Java for 1000 users, and we have compared its latency time and computation time with the existing approaches. For the implementation, we used an Intel Core i3 processor with 2 GB RAM and the Windows 7 operating system. We then compared the latency time and computation time of the proposed method with the existing approaches that perform the key updating operation, namely the F-PPC protocol [17], GKM protocol [19], LKH protocol [20], OFT protocol [21], XOR protocol [22], and SKD protocol [30]. To construct the AKH, we used 100 channels in the proposed protocol. The BigInteger Java class is used for handling the large key values in the proposed protocol. The results shown in Figure 4 compare the latency time during the distribution of keying material of the proposed protocol with the

related protocols. In order to obtain the latency time shown in Figure 4, we evaluated the algorithm for various key sizes and compared it with the other protocols. When the key size is 64 bits, the latency time for responding with a single key is 103 ms in our proposed approach, which is better than the other existing protocols. Figure 5 shows the computation time required to update all the keys in the various key distribution protocols. In our proposed approach, we use only simple addition, subtraction, multiplication, and hashing operations for the key updating and key recovery process. The overall computation time for updating all keys on the SP side is measured as 231 ms for 64-bit keys, 246 ms for 128-bit keys, and 275 ms for 256-bit keys, which is very small compared with the other approaches. Therefore, the proposed protocol lowers the computation time needed to update all the keys when the multicast group membership changes. Similarly, the computation time measured for the key recovery process on the subscriber side is shown in Figure 6. From this figure, it is clear that the key recovery time for a 64-bit key is 300 ms in the proposed approach, whereas in most of the existing approaches the key recovery process takes more than 400 ms, except for the protocol in [17]. For 128-bit keys, the key recovery process takes 324 ms, and for 256-bit keys it takes 373 ms in the proposed approach.

Figure 7 shows the computation time taken to update all the necessary keys when a batch of users leaves the Pay-TV system. For example, if 25 users leave the system, the computation time taken to update all the keys on the SP side is 552 ms in the proposed protocol.

Figure 7. Key computation time for batch leave operations. LKH, Logical Key Hierarchy; SKD, Secure Key Distribution; GKM, Group-Key Management; OFT, One-way Function Tree; F-PPC, Flexible-Pay-Per-Channel; XOR, Exclusive Or.

6. CONCLUSION

This article has put forward a key distribution protocol for creating and distributing keys to the group of authorized subscribers and for providing effective security in a Pay-TV system. The proposed approach mainly aims to secure the Pay-TV system and to lower the computation time on the SP side and on the subscriber side through the use of simple arithmetic operations such as addition, subtraction, and multiplication, together with hashing. Moreover, the computational load of SP is shared with the registered subscribers of the system. In terms of storage complexity, the number of keys stored by SP and by each subscriber (user) is reduced substantially by employing the AKH approach in the proposed work.

ACKNOWLEDGEMENT

This research work was supported by CTDT (Center for Technology Development and Transfer), Anna University, Chennai, India.

REFERENCES

1. Vijayakumar P, Azees M, Kannan A, Deborah LJ. Dual authentication and key management techniques for secure data transmission in vehicular ad-hoc networks. IEEE Transactions on Intelligent Transportation Systems 2015; 17(11).
2. Vijayakumar P, Bose S, Kannan A, Siva Subramanian S. An effective key distribution protocol for secure multicast communication. Proceedings of the Second International Conference on Advanced Computing (ICoAC 10), Chennai, Tamilnadu, India, 2010.
3. He D, Kumar N, Shen H, Lee J-H. One-to-many authentication for access control in mobile pay-TV systems. Science China Information Sciences, DOI /s
4. Conditional-Access Broadcasting Systems, ITU-R Rec.
5. Tu FK, Laih CS, Toung SH. On key distribution management for conditional access system on pay-TV system. IEEE Transactions on Consumer Electronics 1999; 45(1).

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment. CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How

More information

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography 15-251 Great Theoretical Ideas in Computer Science Lecture 27: Cryptography What is cryptography about? Adversary Eavesdropper I will cut his throat I will cut his throat What is cryptography about? loru23n8uladjkfb!#@

More information

Self-Healing Group Key Distribution

Self-Healing Group Key Distribution International Journal of Network Security, Vol.1, No.2, PP.110 117, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 110 Self-Healing Group Key Distribution Muhammad Junaid Bohio and Ali Miri (Corresponding author:

More information

Attacks and Comments on Several Recently Proposed Key Management Schemes

Attacks and Comments on Several Recently Proposed Key Management Schemes Attacks and Comments on Several Recently Proposed Key Management Schemes Niu Liu 1, Shaohua Tang 1, and Lingling Xu 1 School of Computer Science & Engineering, South China University of Technology, Guangzhou,

More information

Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues

Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues Contemporary Engineering Sciences, Vol. 7, 2014, no. 26, 1467-1473 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.49118 Security Flaws of Cheng et al. s Biometric-based Remote User Authentication

More information

Analysis of a Redactable Signature Scheme on Data with Dependencies

Analysis of a Redactable Signature Scheme on Data with Dependencies Analysis of a Redactable Signature Scheme on Data with Dependencies David Bauer School of ECE Georgia Institute of Technology Email: gte810u@mail.gatech.edu Douglas M. Blough School of ECE Georgia Institute

More information

Security Improvements of Dynamic ID-based Remote User Authentication Scheme with Session Key Agreement

Security Improvements of Dynamic ID-based Remote User Authentication Scheme with Session Key Agreement Security Improvements of Dynamic ID-based Remote User Authentication Scheme with Session Key Agreement Young-Hwa An* * Division of Computer and Media Information Engineering, Kangnam University 111, Gugal-dong,

More information

2386 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 6, JUNE 2006

2386 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 6, JUNE 2006 2386 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 6, JUNE 2006 The Encoding Complexity of Network Coding Michael Langberg, Member, IEEE, Alexander Sprintson, Member, IEEE, and Jehoshua Bruck,

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation

More information

Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode

Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode Int. J. Nonlinear Anal. Appl. 5 (2014) No. 2, 60-66 ISSN: 2008-6822 (electronic) http://www.ijnaa.semnan.ac.ir Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode

More information

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any

More information

Secret Image Sharing Scheme Based on a Boolean Operation

Secret Image Sharing Scheme Based on a Boolean Operation BULGARIAN ACADEMY OF SCIENCES CYBERNETICS AND INFORMATION TECHNOLOGIES Volume 14, No 2 Sofia 2014 Print ISSN: 1311-9702; Online ISSN: 1314-4081 DOI: 10.2478/cait-2014-0023 Secret Image Sharing Scheme Based

More information

NON-CENTRALIZED DISTINCT L-DIVERSITY

NON-CENTRALIZED DISTINCT L-DIVERSITY NON-CENTRALIZED DISTINCT L-DIVERSITY Chi Hong Cheong 1, Dan Wu 2, and Man Hon Wong 3 1,3 Department of Computer Science and Engineering, The Chinese University of Hong Kong, Hong Kong {chcheong, mhwong}@cse.cuhk.edu.hk

More information

On the Security of Group Communication Schemes

On the Security of Group Communication Schemes On the Security of Group Communication Schemes Shouhuai Xu Department of Computer Science, University of Texas at San Antonio shxu@cs.utsa.edu Abstract Many emerging applications in both wired and wireless

More information

Dynamic Group Key Distribution Using MDS Codes

Dynamic Group Key Distribution Using MDS Codes Dynamic Group Key Distribution Using MDS Codes Lihao Xu Department of Computer Science Washington University St. Louis, MO 63130 lihao@cs.wustl.edu Abstract Efficient key distribution is an important problem

More information

Robust EC-PAKA Protocol for Wireless Mobile Networks

Robust EC-PAKA Protocol for Wireless Mobile Networks International Journal of Mathematical Analysis Vol. 8, 2014, no. 51, 2531-2537 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.410298 Robust EC-PAKA Protocol for Wireless Mobile Networks

More information

Information Security CS526

Information Security CS526 Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for

More information

LOAD BALANCING AND DEDUPLICATION

LOAD BALANCING AND DEDUPLICATION LOAD BALANCING AND DEDUPLICATION Mr.Chinmay Chikode Mr.Mehadi Badri Mr.Mohit Sarai Ms.Kshitija Ubhe ABSTRACT Load Balancing is a method of distributing workload across multiple computing resources such

More information

A Secure Routing Protocol for Wireless Adhoc Network Creation

A Secure Routing Protocol for Wireless Adhoc Network Creation Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 6, June 2014, pg.88

More information

Number Theory and RSA Public-Key Encryption

Number Theory and RSA Public-Key Encryption Number Theory and RSA Public-Key Encryption Dr. Natarajan Meghanathan Associate Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu CIA Triad: Three Fundamental

More information

RSA. Public Key CryptoSystem

RSA. Public Key CryptoSystem RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting

More information

An Enhanced and Cost Effective Group Key Management Scheme for Multicast Network

An Enhanced and Cost Effective Group Key Management Scheme for Multicast Network Journal of Computer Science, 9 (4): 477-487, 2013 ISSN 1549-3636 2013 doi:10.3844/jcssp.2013.477.487 Published Online 9 (4) 2013 (http://www.thescipub.com/jcs.toc) An Enhanced and Cost Effective Group

More information

EAI Endorsed Transactions on Energy Web and Information Technologies

EAI Endorsed Transactions on Energy Web and Information Technologies EAI Endorsed Transactions on Research Article Multicast Hybrid Group Key Management in Wireless Networks Environment R. Mahaveerakannan 1, *, Dr. C. Suresh GnanaDhas 2 and R. Rama Devi 3 1 Research Scholar,

More information

Robust Two-factor Smart Card Authentication

Robust Two-factor Smart Card Authentication Robust Two-factor Smart Card Authentication Omer Mert Candan Sabanci University Istanbul, Turkey mcandan@sabanciuniv.edu Abstract Being very resilient devices, smart cards have been commonly used for two-factor

More information

VLSI ARCHITECTURE FOR NANO WIRE BASED ADVANCED ENCRYPTION STANDARD (AES) WITH THE EFFICIENT MULTIPLICATIVE INVERSE UNIT

VLSI ARCHITECTURE FOR NANO WIRE BASED ADVANCED ENCRYPTION STANDARD (AES) WITH THE EFFICIENT MULTIPLICATIVE INVERSE UNIT VLSI ARCHITECTURE FOR NANO WIRE BASED ADVANCED ENCRYPTION STANDARD (AES) WITH THE EFFICIENT MULTIPLICATIVE INVERSE UNIT K.Sandyarani 1 and P. Nirmal Kumar 2 1 Research Scholar, Department of ECE, Sathyabama

More information

ISA 562: Information Security, Theory and Practice. Lecture 1

ISA 562: Information Security, Theory and Practice. Lecture 1 ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key

More information

Digital Multi Signature Schemes Premalatha A Grandhi

Digital Multi Signature Schemes Premalatha A Grandhi Digital Multi Signature Schemes Premalatha A Grandhi (pgrandhi@cise.ufl.edu) Digital Signatures can be classified into o Single Signatures o Multiple Signatures (multi-signatures) Types of Multiple Signatures

More information

Efficient password authenticated key agreement using bilinear pairings

Efficient password authenticated key agreement using bilinear pairings Mathematical and Computer Modelling ( ) www.elsevier.com/locate/mcm Efficient password authenticated key agreement using bilinear pairings Wen-Shenq Juang, Wei-Ken Nien Department of Information Management,

More information

The Modified Scheme is still vulnerable to. the parallel Session Attack

The Modified Scheme is still vulnerable to. the parallel Session Attack 1 The Modified Scheme is still vulnerable to the parallel Session Attack Manoj Kumar Department of Mathematics, Rashtriya Kishan (P.G.) College Shamli- Muzaffarnagar-247776 yamu_balyan@yahoo.co.in Abstract

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA

More information

An Information-Theoretic Approach for Design and Analysis of Rooted-Tree-Based Multicast Key Management Schemes

An Information-Theoretic Approach for Design and Analysis of Rooted-Tree-Based Multicast Key Management Schemes 2824 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 47, NO. 7, NOVEMBER 2001 An Information-Theoretic Approach for Design and Analysis of Rooted-Tree-Based Multicast Key Management Schemes Radha Poovendran,

More information

Information Security CS526

Information Security CS526 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream CIphers 1 Announcements HW1 is out, due on Sept 11 Start early, late policy is 3 total late days

More information

Efficient Auditable Access Control Systems for Public Shared Cloud Storage

Efficient Auditable Access Control Systems for Public Shared Cloud Storage Efficient Auditable Access Control Systems for Public Shared Cloud Storage Vidya Patil 1, Prof. Varsha R. Dange 2 Student, Department of Computer Science Dhole Patil College of Engineering, Pune, Maharashtra,

More information

Error Detection and Correction for Distributed Group Key Agreement Protocol

Error Detection and Correction for Distributed Group Key Agreement Protocol Error Detection and Correction for Distributed Group Key Agreement Protocol P.Vijayakumar 1, S.Bose 1, A.Kannan 2 1 Department of Computer Science & Engineering, Anna University, Chennai, India -600025

More information

Applied Cryptography and Computer Security CSE 664 Spring 2018

Applied Cryptography and Computer Security CSE 664 Spring 2018 Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know

More information

Comparison of ZKP based Authentication Mechanisms for securing the web server

Comparison of ZKP based Authentication Mechanisms for securing the web server Comparison of ZKP based Authentication Mechanisms for securing the web server Kayathri Devi D #1, Akilan S S *2 # Department of Information technology, Kamaraj College of Engineering and technology Virudhunagar,

More information

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards Al-Sakib Khan Pathan and Choong Seon Hong Department of Computer Engineering, Kyung Hee University, Korea spathan@networking.khu.ac.kr

More information

Issues in Information Systems Volume 18, Issue 2, pp , 2017

Issues in Information Systems Volume 18, Issue 2, pp , 2017 IMPLEMENTING ELLIPTIC CURVE CRYPTOGRAPHY USING MICROSOFT EXCEL Abhijit Sen, Kwantlen Polytechnic University, abhijit.sen@kpu.ca ABSTRACT Microsoft Excel offers a number of data manipulation tools that

More information

Balanced Batch LKH: New Proposal, Implementation and Performance Evaluation.

Balanced Batch LKH: New Proposal, Implementation and Performance Evaluation. Balanced Batch LKH: New Proposal, Implementation and Performance Evaluation. Josep Pegueroles, Francisco Rico-Novella Departamento de Ingeniería Telemática. Universitat Politècnica de Catalunya. Jordi

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 8 September 28, 2015 CPSC 467, Lecture 8 1/44 Chaining Modes Block chaining modes Extending chaining modes to bytes Public-key Cryptography

More information

Hashing. Yufei Tao. Department of Computer Science and Engineering Chinese University of Hong Kong

Hashing. Yufei Tao. Department of Computer Science and Engineering Chinese University of Hong Kong Department of Computer Science and Engineering Chinese University of Hong Kong In this lecture, we will revisit the dictionary search problem, where we want to locate an integer v in a set of size n or

More information

1. Diffie-Hellman Key Exchange

1. Diffie-Hellman Key Exchange e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Diffie-Hellman Key Exchange Module No: CS/CNS/26 Quadrant 1 e-text Cryptography and Network Security Objectives

More information

A PROPOSED AUTHENTICATION SCHEME USING THE CONCEPT OF MINDMETRICS

A PROPOSED AUTHENTICATION SCHEME USING THE CONCEPT OF MINDMETRICS A PROPOSED AUTHENTICATION SCHEME USING THE CONCEPT OF MINDMETRICS Nitin Shinde 1, Lalit Shejwal 2, Uditkumar Gupta 3, Priyanka Pawar 4 1, 2, 3, 4 Department of Computer Engineering, Sinhgad Institute of

More information

Syrvey on block ciphers

Syrvey on block ciphers Syrvey on block ciphers Anna Rimoldi Department of Mathematics - University of Trento BunnyTn 2012 A. Rimoldi (Univ. Trento) Survey on block ciphers 12 March 2012 1 / 21 Symmetric Key Cryptosystem M-Source

More information

Key Management and Elliptic Curves

Key Management and Elliptic Curves Key Management and Elliptic Curves Key Management Distribution of ublic Keys ublic-key Distribution of Secret Keys Diffie-Hellman Key Echange Elliptic Curves Mathematical foundations Elliptic curves over

More information

CRAW: COMBINATION OF RE-KEYING AND AUTHENTICATION IN WIRELESS NETWORKS FOR SECURE MULTICAST INCREASING EFFICIENCY OF MEMBER JOIN/LEAVE AND MOVEMENT

CRAW: COMBINATION OF RE-KEYING AND AUTHENTICATION IN WIRELESS NETWORKS FOR SECURE MULTICAST INCREASING EFFICIENCY OF MEMBER JOIN/LEAVE AND MOVEMENT CRAW: COMBINATION OF RE-KEYIN AND AUTHENTICATION IN WIRELESS NETWORKS FOR SECURE MULTICAST INCREASIN EFFICIENCY OF MEMBER JOIN/LEAVE AND MOVEMENT Elina Eidkhani 1, Melisa Hajyvahabzadeh 1, S. Anahita Mortazavi

More information

CS 395T. Formal Model for Secure Key Exchange

CS 395T. Formal Model for Secure Key Exchange CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,

More information

Public-key encipherment concept

Public-key encipherment concept Date: onday, October 21, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on Public Key Cryptography Public-key encipherment concept Each user in a secure communication

More information

CS669 Network Security

CS669 Network Security UNIT II PUBLIC KEY ENCRYPTION Uniqueness Number Theory concepts Primality Modular Arithmetic Fermet & Euler Theorem Euclid Algorithm RSA Elliptic Curve Cryptography Diffie Hellman Key Exchange Uniqueness

More information

Reducing IPTV Channel Zapping Time for Scrambled Services

Reducing IPTV Channel Zapping Time for Scrambled Services Reducing IPTV Channel Zapping Time for Scrambled Services Y.S. Hong and T.G.Kim Dongguk University Department of Computer Engineering Seoul Korea {hongys, ashes}@dgu.edu Abstract In general, IPTV is defined

More information

A Combined Encryption Compression Scheme Using Chaotic Maps

A Combined Encryption Compression Scheme Using Chaotic Maps BULGARIAN ACADEMY OF SCIENCES CYBERNETICS AND INFORMATION TECHNOLOGIES Volume 13, No 2 Sofia 2013 Print ISSN: 1311-9702; Online ISSN: 1314-4081 DOI: 10.2478/cait-2013-0016 A Combined Encryption Compression

More information

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing Tsai, Hong-Bin Chiu, Yun-Peng Lei, Chin-Laung Dept. of Electrical Engineering National Taiwan University July 10,

More information

Efficient Secured Model For Communication In Dynamic Multicast Groups

Efficient Secured Model For Communication In Dynamic Multicast Groups IOSR Journal of Engineering (IOSRJEN) ISSN (e): 2250-3021, ISSN (p): 2278-8719 Vol. 05, Issue 06 (June. 2015), V1 PP 55-59 www.iosrjen.org Efficient Secured Model For Communication In Dynamic Multicast

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms CS 472 Spring 13 Lecture 6 Mohammad Almalag 2/19/2013 Public Key Algorithms - Introduction Public key algorithms are a motley crew, how? All hash algorithms do the same thing: Take

More information

Striped Grid Files: An Alternative for Highdimensional

Striped Grid Files: An Alternative for Highdimensional Striped Grid Files: An Alternative for Highdimensional Indexing Thanet Praneenararat 1, Vorapong Suppakitpaisarn 2, Sunchai Pitakchonlasap 1, and Jaruloj Chongstitvatana 1 Department of Mathematics 1,

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION 1 CHAPTER 1 INTRODUCTION 1.1 Advance Encryption Standard (AES) Rijndael algorithm is symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256

More information

Ensuring information security through 123-bit recursive substitution of bits through prime-nonprime detection of sub-stream (RSBP)

Ensuring information security through 123-bit recursive substitution of bits through prime-nonprime detection of sub-stream (RSBP) Journal of Scientific & Industrial Research 584 Vol. 68, July 2009, pp. 584-591 J SCI IND RES VOL 68 JULY 2009 Ensuring information security through 123-bit recursive substitution of bits through prime-nonprime

More information

Cryptompress: A Symmetric Cryptography algorithm to deny Bruteforce Attack

Cryptompress: A Symmetric Cryptography algorithm to deny Bruteforce Attack Cryptompress: A Symmetric Cryptography algorithm to deny Bruteforce Attack Vivek Kumar 1 and Sandeep Sharma 2 1,2 Department of Electronics and Communication Engineering, Dehradun Institute of Technology,

More information

Attribute Based Encryption with Privacy Protection in Clouds

Attribute Based Encryption with Privacy Protection in Clouds Attribute Based Encryption with Privacy Protection in Clouds Geetanjali. M 1, Saravanan. N 2 PG Student, Department of Information Technology, K.S.R College of Engineering, Tiruchengode, Tamilnadu, India

More information

Enhanced Delegation Based Authentication Protocol for Secure Roaming Service with Synchronization

Enhanced Delegation Based Authentication Protocol for Secure Roaming Service with Synchronization JOURNAL OF ELECTRONIC SCIENCE AND TECHNOLOGY, VOL. 9, NO. 4, DECEMBER 2011 345 Enhanced Delegation Based Authentication Protocol for Secure Roaming Service with Synchronization Hsing-Bai Chen, Yung-Hsiang

More information

Computer Security CS 526

Computer Security CS 526 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability

More information

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols

More information

Hierarchical Agent-Based Secure and Reliable Multicast in Wireless Mesh Networks

Hierarchical Agent-Based Secure and Reliable Multicast in Wireless Mesh Networks Hierarchical Agent-Based Secure and Reliable Multicast in Wireless Mesh Networks Yinan Li, Ing-Ray Chen Abstract We propose and analyze a hierarchical agent-based secure and reliable multicast (HASRM)

More information

CSC 5930/9010 Cloud S & P: Cloud Primitives

CSC 5930/9010 Cloud S & P: Cloud Primitives CSC 5930/9010 Cloud S & P: Cloud Primitives Professor Henry Carter Spring 2017 Methodology Section This is the most important technical portion of a research paper Methodology sections differ widely depending

More information

A New Secure Mutual Authentication Scheme with Smart Cards Using Bilinear Pairings

A New Secure Mutual Authentication Scheme with Smart Cards Using Bilinear Pairings International Journal of Mathematical Analysis Vol. 8, 2014, no. 43, 2101-2107 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.48269 A New Secure Mutual Authentication Scheme with Smart

More information