On the Security of an Efficient Group Key Agreement Scheme for MANETs

Similar documents
On the Security of Group-based Proxy Re-encryption Scheme

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings

An IBE Scheme to Exchange Authenticated Secret Keys

On the Security of a Certificateless Public-Key Encryption

Efficient Compilers for Authenticated Group Key Exchange

Security properties of two authenticated conference key agreement protocols

Session key establishment protocols

A robust smart card-based anonymous user authentication protocol for wireless communications

Session key establishment protocols

Insecurity of an Dynamic User Revocation and Key Refreshing for Attribute-Based Encryption Scheme

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.

Collusion-Resistant Identity-based Proxy Re-encryption

Secure Data Sharing in Cloud Computing: Challenges and Research Directions

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

Attribute-based encryption with encryption and decryption outsourcing

Security Analysis of Batch Verification on Identity-based Signature Schemes

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

Public Key Broadcast Encryption

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Queue and tree based Group Diffie Hellman Key Agreement Protocol for E-Commerce Security

Security Weaknesses of an Anonymous Attribute Based Encryption appeared in ASIACCS 13

Wireless Network Security Spring 2011

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Cryptanalysis of Two Password-Authenticated Key Exchange. Protocols between Clients with Different Passwords

Authenticated Key Agreement without Subgroup Element Verification

Extended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity

Insecure Provable Secure Network Coding

Cryptanalysis on Two Certificateless Signature Schemes

Inter-domain Identity-based Proxy Re-encryption

On the security of a certificateless signature scheme in the standard model

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Collusion-Resistant Group Key Management Using Attributebased

Multi-Channel Broadcast Encryption

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

Enhancing Reliability and Scalability in Dynamic Group System Using Three Level Security Mechanisms

An efficient and practical solution to secure password-authenticated scheme using smart card

Secure Group Key Management Scheme for Multicast Networks

Verifiably Encrypted Signature Scheme with Threshold Adjudication

A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE

Structure-Preserving Certificateless Encryption and Its Application

Key-Policy Attribute-Based Encryption

A weakness in Sun-Chen-Hwang s three-party key agreement protocols using passwords

A Mutual Authentication Protocol Which Uses Id for Security from Privileged Insider Attacks

Hierarchical Identity-Based Online/Offline Encryption

Implementation of IBE with Outsourced Revocation technique in Cloud Computing

ISSN: (Online) Volume 3, Issue 5, May 2015 International Journal of Advance Research in Computer Science and Management Studies

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings

Robust EC-PAKA Protocol for Wireless Mobile Networks

IND-CCA2 secure cryptosystems, Dan Bogdanov

Certificateless Public Key Cryptography

Key Establishment and Authentication Protocols EECE 412

A Hierarchical Key Management Scheme for Wireless Sensor Networks Based on Identity-based Encryption

DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems

A modified eck model with stronger security for tripartite authenticated key exchange

A PROPOSED AUTHENTICATION SCHEME USING THE CONCEPT OF MINDMETRICS

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

Key Escrow free Identity-based Cryptosystem

Delegation Scheme based on Proxy Re-encryption in Cloud Environment

Remove Key Escrow from The Identity-Based Encryption System

Kurose & Ross, Chapters (5 th ed.)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Encryption. INST 346, Section 0201 April 3, 2018

A Group-oriented Access Control Scheme for P2P Networks 1

Delegatability of an Identity Based Strong Designated Verifier Signature Scheme

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing

Chapter 9 Public Key Cryptography. WANG YANG

A Novel Identity-based Group Signature Scheme from Bilinear Maps

Cluster Based Group Key Management in Mobile Ad hoc Networks

Remote User Authentication Scheme in Multi-server Environment using Smart Card

Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017

Group-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack

A Hybrid Attribute-Based Encryption Technique Supporting Expressive Policies and Dynamic Attributes

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Real World Crypto January 11, Geo Key Manager. Nick Sullivan Brendan McMillion

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Secure Key-Evolving Protocols for Discrete Logarithm Schemes

CSC 774 Advanced Network Security

Efficient password authenticated key agreement using bilinear pairings

Notes for Lecture 14

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Efficiency Optimisation Of Tor Using Diffie-Hellman Chain

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Strongly Anonymous Communications in Mobile Ad Hoc Networks

Cryptographic Systems

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings

A Short Certificate-based Signature Scheme with Provable Security

Brief Introduction to Provable Security

EFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATION

BCA III Network security and Cryptography Examination-2016 Model Paper 1

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Efficient Auditable Access Control Systems for Public Shared Cloud Storage

The Modified Scheme is still vulnerable to. the parallel Session Attack

CS 161 Computer Security

Attribute-Based Authenticated Key Exchange

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

An Efficient ID-KEM Based On The Sakai Kasahara Key Construction

Transcription:

On the Security of an Efficient Group Key Agreement Scheme for MANETs Purushothama B R 1,, Nishat Koti Department of Computer Science and Engineering National Institute of Technology Goa Farmagudi, Ponda-403401, Goa, INDIA. Email: {puru}@nitw.ac.in Abstract Yang et al. have proposed an efficient group key agreement scheme for Mobile Adhoc Networks. The scheme is efficient as only one bilinear computation is required for group members to obtain the session key. The scheme is analyzed for security without random oracle model. However, we prove that their scheme is not secure. In particular, we show that any passive adversary (or non-group member) can compute the session key without having access to the individual secret keys of the group members. Hence, Yang et al. scheme cannot be used for secure group communication. We also show that, the scheme cannot be used for secure group communication unless there exists a central entity, and hence cannot be used for secure communication in mobile adhoc networks. Keywords: Key agreement, MANET, Cryptanalysis, Group Communication. 1. Introduction Secure group communication among the set of users can be achieved by encrypting the group message with a key known as group key. The members of the group who possess the group key can obtain the message. The primary challenge in secure group communication is key management; to distribute Corresponding Author: Email: puru@nitgoa.ac.in, Phone: +91 9404882132 March 1, 2015

the group key efficiently among the group users. Group communication is also used in Mobile Adhoc Networks (MANET). MANETs have diverse applications ranging from small, static networks that are constrained by power sources to large-scale, mobile, highly dynamic networks. Security is a major concern for MANETs. For group communication among the MANET users, it should be ensured that only the intended receivers get the message and no adversary has access to the group message. An energy efficient group key agreement scheme is a demand in MANET, as devices in MANETs are battery operated and become unusable after the battery dies out. Therefore, energy of the nodes need to be used optimally. Also, MANETs are decentralized (there is no central server managing the group communication). This property of MANETs poses a challenge on group key agreement research for wireless mobile ad-hoc networks. Group key management schemes may vary for different scenarios. There are centralized group key management schemes [1] which have the inherent problem of a single point of failure. Decentralized schemes [2] also exist with a few number of controllers for the users. However, these schemes would not prove efficient in MANETs. Diffie-Hellman protocol [3] can be used on a oneto-one basis for group key exchange. The two-party Diffie-Hellman protocol has been extended to multi-party protocols [4, 5, 6, 7]. In these protocols, one of the users has to carry out heavy computation, and hence it is not suitable for ad-hoc networks because of the extensive power requirements. Yang et al. [8] have proposed an efficient group key management for MANET. The scheme is efficient and any group user need to perform only one bilinear operation to obtain the session key for the group communication. Yang et al. have compared their scheme with some of the existing secure key agreement schemes in [9, 10, 11, 12, 13, 14] and shown that their scheme is efficient. Also, they have analyzed the scheme for security and provided the proof of security under q BDHI assumption. However, we show that the scheme by Yang et al. [8] is not secure. Precisely, we show that any non-group user can get the session key of the group. Rest of the paper is organized as follows. In Section 2 we briefly explain the Yang et al. [8] scheme. In Section 3, we comment on the security of their scheme and show that their scheme is insecure followed by conclusion. 2

2. Yang et al. Scheme [8] In this section, we elaborate the group key agreement scheme proposed by Yang et al. [8] based on Identity Based Encryption System (IBES). 2.1. Bilinear maps Let G 1 and G 2 be two multiplicative cyclic groups of prime order p and g be a generator of G 1. The bilinear map, e : G 1 G 1 G 2 has the following properties: 1. Bilinearity: For all u, v G 1 and a, b Z p, e(u a, v b ) = e(u, v) ab is easily computable. 2. Non-degeneracy: e(g, g) 1, 3. Symmetric: e(g a, g b ) = e(g, g) ab = e(g b, g a ). 2.2. System Model Let U = {id 1, id 2,..., id N } be the group of all N possible ad-hoc members that can form MANETs. There is a Private Key Generator (PKG) whose job is to set up the system parameters, authenticate the identity of the users, generate the private key for each authorized user, and distribute securely the generated private keys to their respective users. The scheme consists of four phases: Setup, Extract, Encrypt and Decrypt. 1. Setup: The PKG will generate the Master Secret Key MK and the public parameter P K for the system. 2. Extract: The PKG will first verify the identity of the user id i and then will generate the corresponding private key s idi, if the verification of the user id i is successful. 3. Encrypt: Consider a situation in which a group of users S = {id 1,..., id n } have been selected to be the receivers using their wireless devices. There is a need to establish a session key (or group key) K for this group. The broadcaster will generate an encapsulation header Hdr for the group key K, after knowing the identities of the receivers. Then, the broadcaster will broadcast (S, Hdr). 4. Decrypt: After receiving (S, Hdr), the intended user with the identity id i S, i = 1,..., n, will be able to compute the group key K with his/her corresponding private key s idi. Any user with identity id i / S, will not be able to get any information about K. 3

After the group key K is set up for the dynamic ad-hoc group, the message M will be encrypted using K to obtain ciphertext C by using an efficient symmetric encryption algorithm like AES or DES. The ciphertext C can be decrypted by the users who has the key K. 2.3. Yang et al. Scheme 1. Setup: Security parameter k is chosen along with N, which is the maximum number of MANET members of the system. PKG chooses the group G 1 with order p. Also defines bilinear map as defined in section 2.1. Let the hash function be H 1 : {0, 1} Z p. Randomly chooses a generator g of G 1 and β, λ Z p. And, computes U = g β, V = g λ. PKG output the public parameter P K = (g, U, V ). PKG keeps secret the master secret key MK = (β, λ). 2. Extract: PKG authenticates a user with identity id i and computes the private key for the corresponding user. PKG chooses randomly r i Z p such that H 1 (id i ) + β + r i λ 0 mod p. PKG computes the private 1 H key s idi = (s i,0, s i,1 ) = (r i, g 1 (id i )+β+r iλ ), and securely gives to user with identity id i. 3. Encrypt: W.l.o.g, suppose the set of receivers is S = {id 1,..., id n }, n N. The broadcaster chooses randomly a session key K G 1 and randomly chooses τ Z p. Broadcaster computes Hdr = (C 0, C 1, C 2, C 3 ) where, C 0 = Ke(g, g) τ, C 1 = g τ n j=1 H 1(id j ), C 2 = U τ, C 3 = V τ and broadcasts (S, Hdr). 4. Decrypt: The user with the identity id i S receives (S, Hdr) and computes as below to get the group key K. K = C 0 1 nj=1,j i H 1 (id j ) e(c1.c 2.C s i,0 3, s i,1 ) 3. Comment on the security of Yang et al. Scheme In this section, we show that the scheme of Yang et al. [8] is not secure. Precisely, we show that the non-member of the group can get the session key of the group without possessing the private key of any of the group member. 4

Suppose, w.l.o.g let S = {id 1, id 2,..., id n }, n N want to form a group. The broadcaster chooses a session key K G 1 and randomly chooses τ Z p. Broadcaster computes Hdr = (C 0, C 1, C 2, C 3 ) where, C 0 = Ke(g, g) τ, C 1 = g τ n j=1 H 1(id j ), C 2 = U τ, C 3 = V τ and broadcasts (S, Hdr). By following the Decrypt method given in the previous section, the user with identity in S can get the session key K. Now consider any non-member (any user of U such that the identity of the user is not part of S) of the group or any outsider (passive adversary A). The adversary A has access to (S, Hdr). A does not have private keys of any of the user in S. However, A can obtain the session key K as below. K = = K = = C 0 e(c ( n i=1 H 1(id i )) 1, g) K.e(g, g) τ τ n H j=1 1 (id j ) ni=1 H e(g 1 (id i), g) K.e(g, g)τ e(g τ, g) K.e(g, g)τ e(g, g) τ So, adversary A can obtain the session key K without possessing any of the private key of the users with the identity in S. This scheme cannot be used for the group communication. The problem is in the design of the scheme. Any broadcaster (obviously who is a part of the MANET), will not have a public component which is the function of private keys of the users in S. Unless, there is a PKG involvement in broadcasting the session key, the scheme cannot be secure. If PKG is brought into the system, then it violates the basic idea of MANET. Also, PKG has to communicate with each user after every join and leave activity in the group which makes the scheme inefficient. Also, this scheme for obvious reasons does not support forward and backward secrecy requirement of the group communication scheme. 5

4. Conclusion In this paper, we have commented on the security of the group key agreement scheme proposed by Yang et al. We have shown that any non-member or passive adversary may have access to the session key of the group, making the scheme insecure. References [1] V. Ayyadurai, R. Ramasamy, Internet connectivity for mobile ad hoc networks using hybrid adaptive mobile agent protocol, Int. Arab J. Inf. Technol. 5 (2008) 25 33. [2] J. Hur, Y. joo Shin, H. Yoon, Decentralized group key management for dynamic networks using proxy cryptography, in: H.-H. Chen, L. Bononi (Eds.), Q2SWinet, ACM, 2007, pp. 123 129. [3] W. Diffie, M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (1976) 644 654. [4] I. Ingemarsson, D. T. Tang, C. K. Wong, A conference key distribution system, IEEE Transactions on Information Theory 28 (1982) 714 719. [5] M. Steiner, G. Tsudik, M. Waidner, Diffie-hellman key distribution extended to group communication, in: L. Gong, J. Stearn (Eds.), ACM Conference on Computer and Communications Security, ACM, 1996, pp. 31 37. [6] M. Steiner, G. Tsudik, M. Waidner, Cliques: A new approach to group key agreement, in: ICDCS, IEEE Computer Society, 1998, pp. 380 387. [7] M. Steiner, G. Tsudik, M. Waidner, Key agreement in dynamic peer groups, IEEE Trans. Parallel Distrib. Syst. 11 (2000) 769 780. [8] Y. Yang, Y. Hu, C. hui Sun, C. Lv, L. Zhang, An efficient group key agreement scheme for mobile ad-hoc networks, Int. Arab J. Inf. Technol. 10 (2013) 10 17. [9] D. Boneh, C. Gentry, B. Waters, Collusion resistant broadcast encryption with short ciphertexts and private keys, in: CRYPTO, 2005, pp. 258 275. 6

[10] D. Boneh, B. Waters, A fully collusion resistant broadcast, trace, and revoke system, in: ACM Conference on Computer and Communications Security, 2006, pp. 211 220. [11] C. Delerablée, Identity-based broadcast encryption with constant size ciphertexts and private keys, in: ASIACRYPT, 2007, pp. 200 215. [12] X. Du, Y. Wang, J. Ge, Y. Wang, An id-based broadcast encryption scheme for key distribution, Broadcasting, IEEE Transactions on 51 (2005) 264 266. [13] C. Gentry, B. Waters, Adaptive security in broadcast encryption systems (with short ciphertexts), in: EUROCRYPT, 2009, pp. 171 188. [14] J. H. Park, H. J. Kim, H.-M. Sung, D. H. Lee, Public key broadcast encryption schemes with shorter transmissions, TBC 54 (2008) 401 411. 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback