
A Note on an Improved Self-Healing Group Key Distribution Scheme.

Hua Guo, Yandong Zheng, Biao Wang, Zhoujun Li.

Abstract

In 2014, Chen et al. proposed a one-way hash self-healing group key distribution scheme for resource-constrained wireless networks in the journal Sensors (14(14):24358-24380, doi: 10.3390/s141224358). They asserted that their Scheme 2 achieves mt-revocation capability, mt-wise forward secrecy, any-wise backward secrecy and mt-wise collusion attack resistance capability. Unfortunately, this paper points out that their scheme does not satisfy forward security, mt-revocation capability or mt-wise collusion attack resistance capability.

Keywords:  backward secrecy; collusion attack; forward security; self-healing group key distribution

Year:  2015        PMID: 26426018      PMCID: PMC4634393          DOI: 10.3390/s151025033

Source DB:  PubMed          Journal:  Sensors (Basel)        ISSN: 1424-8220            Impact factor:   3.576


1. Introduction

Group communication includes a group manager (GM) and some group members, in which all of the group members share a common session key distributed by the GM. In order to achieve secure group communication in unreliable wireless networks, Staddon et al. [1] introduced a group key distribution scheme with a self-healing mechanism, which allows a group member to recover session keys even if he does not receive the corresponding broadcast messages because of packet loss, without requesting anything from the group manager. Recently, Chen et al. [2] developed two schemes to realize self-healing group key distribution based on a one-way hash chain. The proposed Scheme 2 has constant storage overhead and low communication overhead, and is thus very suitable for resource-constrained wireless networks. They assert that their scheme is secure, i.e., satisfies -revocation capability, -wise forward secrecy, -wise backward secrecy and resistance to -wise collusion attack. Unfortunately, we found that a revoked user can recover other legitimate users’ personal secrets, which can be used to recover the current session’s session key; this directly breaks the forward security, -revocation capability and -wise collusion attack resistance capability. Thus, Chen et al.’s Scheme 2 is insecure.

2. Overview of Chen et al.’s Scheme

Chen et al.’s self-healing group key distribution Scheme 2 includes five parts: Set up, Broadcast in session j, Group session key recovery and self-healing, Group member addition and Group member revocation. Here we only describe the first three parts, which are helpful for understanding the attack.

Set up

The GM selects a random 2t-degree polynomial and a random t-degree polynomial from . Then, the GM chooses a random value from . The GM sends the user’s personal secret to a user via a secure channel.

Broadcast in session j (for )

Let be the set of revoked users before and in session j, where is the set of users who join the group in session and are revoked before and in session j. and . are the IDs of users in . if no users joined the group in session .

The GM chooses a random value and a one-way hash function . Note that denotes applying i times hash operation. Then GM constructs the j-th key chain for session j: , where For security, is different from each other.

The GM splits the into two t-degree polynomials, and , where

To construct the revocation polynomials for session j, the GM firstly chooses number sets , where are random numbers which are not used as a user ID and different from each other. Then, the GM computes

The GM chooses a random session key from . Then, the GM computes and

After that, the GM broadcasts the message where and is a symmetric encryption function.

Group session key recovery and self-healing

Any legitimate user can recover the j-th session key when he receives the broadcast message as follows.

uses his personal secret and to compute and Then, computes .

uses the hash function to compute all for in the j-th key chain.

recovers the session keys by decrypting with corresponding keys .

3. Cryptanalysis of Chen et al.’s Scheme 2

In this section we exhibit the attack on Chen et al.’s Scheme 2 step by step, and explain why this attack exists.

3.1. Attack on Chen et al.’s Scheme 2

Let denote the users who join the group in session and are still legitimate in session where . Suppose that and is revoked in session . Now we are ready to show how , who is revoked in session , recovers the personal secret of another user who is legitimate in session , furthermore uses this personal secret to compute the session key which should be kept secret from .

computes and with his personal key and the broadcast messages , and , .

In session , receives the broadcast messages , where and Note that , Equation (2) can be converted to . Let Equation (1) + , can obtain With the values of which is computed from step (1), can obtain

Since is legitimate in session , can obtain the similar result in the same way:

Let Equation (4) – Equation (5), user can obtain

computes as Take to Equation (3), computes as

gets a legitimate user’s identity, v, in session by observing where .

computes and through and . Then, pretends to compute the session key using and from the broadcast message .

Note that is revoked in session , thus he should not have computed . Therefore the scheme cannot achieve the forward security. When the revoked user obtains the session key , he can of course give this session key to a new user who joins the group after session and should not know . Hence, the scheme cannot resist the collusion attack. Similarly, the scheme does not have the -revocation capability.

3.2. Analysis of the Weakness

Chen et al. [2] proposed two one-way hash chain self-healing group key distribution schemes based on the revocation polynomial in their paper. In fact, in the first scheme, each is masked by different masking polynomials, , which makes the scheme more secure. However, Chen et al. claimed that using multiple masking polynomials does not contribute to the security. Based on this consideration, they presented the second scheme, which uses only one masking polynomial for each to reduce the number of masking polynomials and the personal secret stored by each user. Thus the second scheme achieves the optimal storage overhead. Now let us check the attack again. From the above attack, it is easy to see that using only one masking polynomial to construct the personal secret directly makes Equation (6) (in step 4) hold, where disappears when Equation (5) is subtracted from Equation (4). Furthermore, can be computed by the revoked user through Equation (7), which leads to the exposure of the personal secrets of those users who join the group in session , and finally results in the exposure of the session keys which should be kept secret from . Chen et al. [2] list Theorem 5 to show the security of their Scheme 2; thus Theorem 5 does not hold. To sum up, multiple masking polynomials should be adopted to design a secure self-healing group key distribution scheme using polynomial secret sharing as the basic cryptographic technique. Unfortunately, multiple masking polynomials bring in linear storage overhead. How to design a secure self-healing group key distribution scheme with constant storage overhead based on the polynomial secret sharing technique is still an open problem.
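
The effect of reusing one masking polynomial can be seen in a deliberately simplified model, added here as an illustration; it is not Chen et al.'s Scheme 2, whose equations are not reproduced on this page. It assumes a broadcast of the form w(x) = Λ(x)·key + mask(x) over a prime field, with mask(i) as user i's personal secret; the modulus, user IDs and all function names are constructed for the example.

```python
import secrets

Q = 2_147_483_647  # prime field modulus (constructed toy parameter)

def ev(p, x):
    """Evaluate p[0] + p[1]*x + ... over F_Q (Horner)."""
    acc = 0
    for c in reversed(p):
        acc = (acc * x + c) % Q
    return acc

def add(a, b, sign=1):
    """Coefficient-wise a + sign*b over F_Q."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + sign * y) % Q for x, y in zip(a, b)]

def scaled_revocation(revoked, key):
    """Coefficients of key * prod(x - r) for r in revoked."""
    lam = [key % Q]
    for r in revoked:  # multiply by (x - r)
        lam = add([0] + lam, [c * r for c in lam], sign=-1)
    return lam

def broadcast(key, revoked, mask):
    """GM side (assumed form): w(x) = Lambda(x)*key + mask(x)."""
    return add(scaled_revocation(revoked, key), mask)

def recover(w, revoked, uid, secret):
    """Member side: key = (w(uid) - mask(uid)) / Lambda(uid); None if revoked."""
    lam = ev(scaled_revocation(revoked, 1), uid)
    if lam == 0:
        return None
    return (ev(w, uid) - secret) * pow(lam, -1, Q) % Q

def revoked_user_learns_next_key(per_session_masks, t=3):
    fresh = lambda: [secrets.randbelow(Q) for _ in range(t + 1)]
    m1 = fresh()
    m2 = fresh() if per_session_masks else m1  # the design choice under test
    k1, k2 = secrets.randbelow(Q), secrets.randbelow(Q)
    u, v = 5, 7                      # u is later revoked, v stays legitimate
    w1 = broadcast(k1, [2], m1)      # session 1: u is a member
    w2 = broadcast(k2, [2, u], m2)   # session 2: u is revoked
    assert recover(w1, [2], u, ev(m1, u)) == k1
    assert recover(w2, [2, u], u, ev(m2, u)) is None
    # u knows k1, so w1 - Lambda1*k1 is the whole session-1 mask, v's share included
    leaked = add(w1, scaled_revocation([2], k1), sign=-1)
    return recover(w2, [2, u], v, ev(leaked, v)) == k2
```

With a single reused mask the function returns True (the revoked user obtains the next session key); with a fresh mask per session it returns False, at the cost of one stored secret per session.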

4. Conclusions

Chen et al. claimed that their self-healing group key distribution Scheme 2 achieves all basic security properties. Unfortunately, we found that Chen et al.’s Scheme 2 is insecure. Some security flaws are pointed out in this paper, i.e., Scheme 2 does not achieve forward security, -revocation capability or -wise collusion attack resistance capability.

1.  Improved one-way hash chain and revocation polynomial-based self-healing group key distribution schemes in resource-constrained wireless networks.

Authors:  Huifang Chen; Lei Xie
Journal:  Sensors (Basel)       Date:  2014-12-18       Impact factor: 3.576
