On optimal batch rekeying for secure group communications in wireless networks

Advances in wireless communications and mobile computing have led to the emergence of group communications and applications over wireless. In many of these group interactions, new members can join and current members can leave at any time, and existing members must communicate securely to achieve application-specific missions or network-specific functionality. Since wireless networks are resource-constrained, a key challenge is to provide secure and efficient group communication mechanisms that satisfy application requirements while minimizing the communication cost. Instead of individual rekeying, i.e., performing a rekey operation right after each join or leave request, periodic batch rekeying has been proposed to alleviate rekeying overhead in resource-constrained wireless networks. In this paper, we propose an analytical model to address the issue of how often batch rekeying should be performed. We propose threshold-based batch rekeying schemes and demonstrate that an optimal rekey interval exists for each scheme. We further compare these schemes to identify the best scheme that can minimize the communication cost of rekeying while satisfying application requirements when given a set of parameter values characterizing the operational and environmental conditions of the system. In a highly dynamic wireless environment in which the system parameter values change at runtime, our work may be used to adapt the rekeying interval accordingly.     

Host mobility key management in dynamic secure group communication

The key management has a fundamental role in securing group communications taking place over vast and unprotected networks. It is concerned with the distribution and update of the keying materials whenever any changes occur in the group membership. Wireless mobile environments enable members to move freely within the networks, which causes more difficulty to design efficient and scalable key management protocols. This is partly because both member location dynamic and group membership dynamic must be managed concurrently, which may lead to significant rekeying overhead. This paper presents a hierarchical group key management scheme taking the mobility of members into consideration intended for wireless mobile environments. The proposed scheme supports the mobility of members across wireless mobile environments while remaining in the group session with minimum rekeying transmission overhead. Furthermore, the proposed scheme alleviates 1-affect-n phenomenon, single point of failure, and signaling load caused by moving members at the core network. Simulation results shows that the scheme surpasses other existing efforts in terms of communication overhead and affected members. The security requirements studies also show the backward and forward secrecy is preserved in the proposed scheme even though the members move between areas.     

Cloud data secure deduplication scheme via role-based symmetric encryption

The rapid development of cloud computing and big data technology brings prople to enter the era of big data,more and more enterprises and individuals outsource their data to the cloud service providers.The explosive growth of data and data replicas as well as the increasing management overhead bring a big challenge to the cloud storage space.Meanwhile,some serious issues such as the privacy disclosure,authorized access,secure deduplication,rekeying and permission revocation should also be taken into account.In order to address these problems,a role-based symmetric encryption algorithm was proposed,which established a mapping relation between roles and role keys.Moreover,a secure deduplication scheme was proposed via role-based symmetric encryption to achieve both the privacy protection and the authorized deduplication under the hierarchical architecture in the cloud computing environment.Furthermore,in the proposed scheme,the group key agreement protocol was utilized to achieve rekeying and permission revocation.Finally,the security analysis shows that the proposed role-based symmetric encryption algorithm is provably secure under the standard model,and the deduplication scheme can meet the security requirements.The performance analysis and experimental results indicate that the proposed scheme is effective and efficient.     

一种改进的TLCH组播密钥管理方案

TLCH协议是一个适用于安全组播通信且可扩展性较好的组播密钥管理协议。它基于LKH的思想,采用双层的控制者的层次结构,并使用单向函数进行密钥更新,达到了较低的计算开销。使用hash函数对TLCH组播密钥管理方案中成员加入时的密钥更新算法进行改进。与原来的TLCH相比,改进后的TLCH可以进一步降低了通信开销。     

High Performance Group Merging/Splitting Scheme for Group Key Management

The group merging/splitting event is different to the joining/leaving events in which only a member joins or leaves group, but in the group merging/splitting event two small groups merge together into a group or a group is divided into two independent parts. Rekeying is an importance issue for key management whose target is to guarantee forward security and backward security in case of membership changes, however rekeying efficiency is related to group scale in most existing group key management schemes, so as to those schemes are not suitable to the applications whose rekeying time delay is limited strictly. In particular, multiple members are involved in the group merging/splitting event, thus the rekeying performance becomes a worried problem. In this paper, a high performance group merging/splitting group key management scheme is proposed based on an one-encryption-key multi-decryption-key key protocol, in the proposed scheme each member has an unique decryption key that is corresponding to a common encryption key so as to only the common encryption key is updated when the group merging/splitting event happens, however the secret decryption key still keeps unchanged. In efficiency aspect, since no more than a message on merging/splitting event is sent, at time the network load is reduced since only a group member’s key material is enough for other group members to agree a fresh common encryption key. In security aspect, our proposed scheme achieves the key management security requirements including passive security, forward security, backward security and key independence. Therefore, our proposed scheme is suitable to the dynamitic networks that the rekeying time delay is limited strictly such as tolerate delay networks.     

Secure communication in CloudIoT through design of a lightweight authentication and session key agreement scheme

Internet of Things (IoT) is a newly emerged paradigm where multiple embedded devices, known as things, are connected via the Internet to collect, share, and analyze data from the environment. In order to overcome the limited storage and processing capacity constraint of IoT devices, it is now possible to integrate them with cloud servers as large resource pools. Such integration, though bringing applicability of IoT in many domains, raises concerns regarding the authentication of these devices while establishing secure communications to cloud servers. Recently, Kumari et al proposed an authentication scheme based on elliptic curve cryptography (ECC) for IoT and cloud servers and claimed that it satisfies all security requirements and is secure against various attacks. In this paper, we first prove that the scheme of Kumari et al is susceptible to various attacks, including the replay attack and stolen-verifier attack. We then propose a lightweight authentication protocol for secure communication of IoT embedded devices and cloud servers. The proposed scheme is proved to provide essential security requirements such as mutual authentication, device anonymity, and perfect forward secrecy and is robust against security attacks. We also formally verify the security of the proposed protocol using BAN logic and also the Scyther tool. We also evaluate the computation and communication costs of the proposed scheme and demonstrate that the proposed scheme incurs minimum computation and communication overhead, compared to related schemes, making it suitable for IoT environments with low processing and storage capacity.     

Protocol design for scalable and reliable group rekeying

We present the design and specification of a protocol for scalable and reliable group rekeying together with performance evaluation results. The protocol is based upon the use of key trees for secure groups and periodic batch rekeying. At the beginning of each rekey interval, the key server sends a rekey message to all users consisting of encrypted new keys (encryptions, in short) carried in a sequence of packets. We present a scheme for identifying keys, encryptions, and users, and a key assignment algorithm that ensures that the encryptions needed by a user are in the same packet. Our protocol provides reliable delivery of new keys to all users eventually. It also attempts to deliver new keys to all users with a high probability by the end of the rekey interval. For each rekey message, the protocol runs in two steps: a multicast step followed by a unicast step. Proactive forward error correction (FEC) multicast is used to reduce delivery latency. Our experiments show that a small FEC block size can be used to reduce encoding time at the server without increasing server bandwidth overhead. Early transition to unicast, after at most two multicast rounds, further reduces the worst-case delivery latency as well as user bandwidth requirement. The key server adaptively adjusts the proactivity factor based upon past feedback information; our experiments show that the number of NACKs after a multicast round can be effectively controlled around a target number. Throughout the protocol design, we strive to minimize processing and bandwidth requirements for both the key server and users.     

A key management scheme for secure group communication using binomial key trees

Numerous emerging applications, such as teleconferencing, board meetings, pay-per-view and scientific discussions, rely on a secure group communication model. Scalable group rekeying is an important issue in the secure group communication model as the nature of the group is dynamic. The number of encryptions performed and rekey messages constructed should be minimized to carry out updating of the group key, and secure delivery of the group key should be carried out in an efficient manner. In this paper, we propose a new scheme to manage the secure group using the binomial key tree approach. In this scheme, the number of encryptions performed and rekey messages constructed during membership change are fewer compared to the scheme proposed by Wong and others. Further, it is not required to balance the tree after each membership change. We show that, for a large group, the average encryption cost and rekey message cost are independent of the size of the group for join operation and logarithmic in size of the group for leave operation. Hence our scheme is scalable. Copyright © 2010 John Wiley & Sons, Ltd.     

A secure and robust group key distribution and authentication protocol with efficient rekey mechanism for dynamic access control in secure group communications

In today's Internet era, group communications have become more and more essential for many emerging applications. Given the openness of today's networks, efficient and secure distribution of common key is an essential issue for secure communications in the group. To maintain confidentiality during communication in the group, all authorized members require a common key called the group key in advance. This paper proposes a group key distribution and authentication protocol for dynamic access control in secure group communication using Chinese remainder theorem (CRT), which is highly secure and computationally efficient. The proposed protocol (1) has drastically reduced the computation complexity of group controller ( GC ) and members, (2) has provided intense security by means of an additional secret parameter used by GC and members, (3) has minimized storage and communication overheads, (4) has been decentralized for higher scalability so that it can efficiently handle large‐scale changes in the group membership, and (5) is suitable for many practical applications due to intense security along with low computation and storage overheads. Detailed security analysis proves that our protocol can guarantee the privacy and security requirements of group communications. Moreover, performance analysis also verifies the efficiency and effectiveness of the proposed protocol. The proposed protocol has been experimented on star topology‐based key distribution system and observed that the protocol significantly reduces the computation cost and minimizes the communication and storage overheads.     

Self-healing group-wise key distribution schemes with time-limited node revocation for wireless sensor networks

In this article two novel group-wise key distribution schemes with time-limited node revocation are introduced for secure group communications in wireless sensor networks. The proposed key distribution schemes are based on two different hash chain structures, dual directional hash chain and hash binary tree. Their salient security properties include self-healing rekeying message distribution, which features a periodic one-way rekeying function with efficient tolerance for lost rekeying messages; and time-limited dynamic node attachment and detachment. Security evaluation shows that the proposed key distribution schemes generally satisfy the requirement of group communications in WSNs with lightweight communication and computation overhead, and are robust under poor communication channel quality.     

Scalable and fault‐tolerant key agreement protocol for dynamic groups

With the widespread use of the Internet, the popularity of group communication‐based applications has grown considerably. Since most communications over the Internet involve the traversal of insecure networks, basic security services are necessary for these collaborative applications. These security services can be facilitated if the authorized group members share a common secret. In such distributed applications, key agreement protocols are preferred to key distribution protocols. In the past two decades, there have been many proposals for key agreement protocols. Most of these protocols are not efficient and limit the size of the underlying group. In this paper, we consider the scalability problem in group key agreement protocols. We propose a novel framework based on extension of the Diffie–Hellman key exchange protocol. The efficiency of our protocol comes from the clustering of the group members, where the common session key is established collaboratively by all participants. We present the auxiliary protocols needed when the membership changes. We show that our protocol is superior in complexity in both communication and computation overheads required to generate the session key. Copyright © 2006 John Wiley & Sons, Ltd.     

基于LKH混合树模型的新型组播密钥更新方案

安全组播是组播技术走向实用化必须解决的问题。在组成员动态变化时,设计一个高效的密钥管理方案是安全组播研究的主要问题。提出了一种基于新型混合树模型的组播密钥更新方案。该方案将GC的存储开销减小为4,同时,在成员加入或离开组时,由密钥更新引起的通信开销与nm保持对数关系(n为组成员数,m为每一族包含的成员数)。     

LNT: A logical neighbor tree secure group communication scheme for wireless sensor networks

Secure group communication is a paradigm that primarily designates one-to-many communication security. The proposed works relevant to secure group communication have predominantly considered the whole network as being a single group managed by a central powerful node capable of supporting heavy communication, computation and storage cost. However, a typical Wireless Sensor Network (WSN) may contain several groups, and each one is maintained by a sensor node (the group controller) with constrained resources. Moreover, the previously proposed schemes require a multicast routing support to deliver the rekeying messages. Nevertheless, multicast routing can incur heavy storage and communication overheads in the case of a wireless sensor network. Due to these two major limitations, we have reckoned it necessary to propose a new secure group communication with a lightweight rekeying process. Our proposal overcomes the two limitations mentioned above, and can be applied to a homogeneous WSN with resource-constrained nodes with no need for a multicast routing support. Actually, the analysis and simulation results have clearly demonstrated that our scheme outperforms the previous well-known solutions.     

Efficient Group Key Management for Non-reliable Link Networks

Some multi communication networks don’t provide a reliable link for group key management, so as to implementing rekeying is failure frequently. To deal with the question, this paper presents a novel group key management scheme for non-reliable link networks, a ciphertext encrypted a secret shared key can be decrypted with any legitimate members whose scale is more than the threshold value, even if part of members’ links aren’t reliable. In rekeying process, each key fragment is divided into two parts with he shared production mechanism, so as to the member’s independent key fragments still keep unchanged, but imperative updated key belongs to the group manager. Therefore, in efficient aspect, the message and computation cost of rekeying is reduced, and the dependence of the reliable channel is reduced; in the security aspect, our proposed scheme can guarantee forward security and backward security, and secure against collusion attack even if the number of leaving member is more than the threshold value. Therefore, our proposed scheme is suitable to the non-reliable link networks.     

A trust enhanced secure clustering framework for wireless ad hoc networks

Secure clustering in Wireless Ad Hoc Networks is a very important issue. Traditional cryptographic solution is useless against threats from internal compromised nodes. In light of this, we propose a novel distributed secure trust aware clustering protocol that provides secure solution for data delivery. A trust model is proposed that computes the trust of a node using self and recommendation evidences of its one-hop neighbors. Therefore, it is lightweight in terms of computational and communication requirements, yet powerful in terms of flexibility in managing trust. In addition, the proposed clustering protocol organizes the network into one-hop disjoint clusters and elects the most qualified, trustworthy node as a Clusterhead. This election is done by an authenticated voting scheme using parallel multiple signatures. Analysis of the protocol shows that it is more efficient and secure compared to similar existing schemes. Simulation results show that proposed protocol outperforms the popular ECS, CBRP and CBTRP in terms of throughput and packet delivery ratio with a reasonable communication overhead and latency in presence of malicious nodes.     

A Multi-service Group Key Management Scheme for Stateless Receivers in Wireless Mesh Networks

Wireless mesh networks facilitate the development of the many group oriented applications by extending the coverage area of the group communication. Group communication in a wireless mesh network is complicated due to dynamic intermediate mesh points, access control for communications between different administrative domains, and the absence of a centralized network controller. In this study, we propose a topology-matching decentralized multi-service group key management scheme for wireless mesh networks. It allows service providers to update and deliver their group keys to valid members in a distributed manner using the identity-based encryption scheme. The analysis result indicates that the proposed scheme has advantages with regard to the rekeying cost and storage overhead for a member and a mesh point in multi-sender group communication environments. The stateless property is also achieved such that a stateless member, who could not be constantly online, can easily decrypt the rekeying messages without recording the past history of transmission.     

Secure group communications using key graphs

Many emerging network applications are based upon a group communications model. As a result, securing group communications, i.e., providing confidentiality, authenticity, and integrity of messages delivered between group members, will become a critical networking issue. We present, in this paper, a novel solution to the scalability problem of group/multicast key management. We formalize the notion of a secure group as a triple (U,K,R) where U denotes a set of users, K a set of keys held by the users, and R a user-key relation. We then introduce key graphs to specify secure groups. For a special class of key graphs, we present three strategies for securely distributing rekey messages after a join/leave and specify protocols for joining and leaving a secure group. The rekeying strategies and join/leave protocols are implemented in a prototype key server we have built. We present measurement results from experiments and discuss performance comparisons. We show that our group key management service, using any of the three rekeying strategies, is scalable to large groups with frequent joins and leaves. In particular, the average measured processing time per join/leave increases linearly with the logarithm of group size     

A multicast key management scheme based on characteristic values of members

A new collusion attack on Pour-like schemes is proposed in this paper. Then, we present a collusion-free centralized multicast key management scheme based on characteristic values of members. The re-keying method that other group members calculate new keys when a member is joining or leaving is also designed. It achieves forward secrecy and backward secrecy. Compared with typical existing centralized schemes, the storage of Group Key Controller (GKC) in our scheme halves the storage overhead of others, and communication overhead of GKC is 2 in case of joining re-keying. Especially, the leaving re-keying overhead is log₂ n, and the overall performance is excellent.     

基于LKH的组播密钥分发改进方案R-LKH

随着Internet的发展，组播技术得到了广泛的应用，其中组密钥管理是组播安全的核心问题。分析了已有密钥管理方案的优缺点，特别是被广泛关注的LKH方案，提出了一个基于LKH的密钥管理新方案R—LKH．并给出相应的更新算法。通过对本方案和其他方案的通信开销、密钥存储开销和计算开销的分析表明．该方案可有效降低密钥开销，且具有可行的通信效率，适用于大型的动态群组。     

Distributed collaborative key agreement and authentication protocols for dynamic peer Groups

We consider several distributed collaborative key agreement and authentication protocols for dynamic peer groups. There are several important characteristics which make this problem different from traditional secure group communication. They are: 1) distributed nature in which there is no centralized key server; 2) collaborative nature in which the group key is contributory (i.e., each group member will collaboratively contribute its part to the global group key); and 3) dynamic nature in which existing members may leave the group while new members may join. Instead of performing individual rekeying operations, i.e., recomputing the group key after every join or leave request, we discuss an interval-based approach of rekeying. We consider three interval-based distributed rekeying algorithms, or interval-based algorithms for short, for updating the group key: 1) the Rebuild algorithm; 2) the Batch algorithm; and 3) the Queue-batch algorithm. Performance of these three interval-based algorithms under different settings, such as different join and leave probabilities,is analyzed. We show that the interval-based algorithms significantly outperform the individual rekeying approach and that the Queue-batch algorithm performs the best among the three interval-based algorithms. More importantly, the Queue-batch algorithm can substantially reduce the computation and communication workload in a highly dynamic environment. We further enhance the interval-based algorithms in two aspects: authentication and implementation. Authentication focuses on the security improvement, while implementation realizes the interval-based algorithms in real network settings. Our work provides a fundamental understanding about establishing a group key via a distributed and collaborative approach for a dynamic peer group.