On the security of group communication schemes based on symmetric key cryptosystems

Shouhuai Xu
DOI: 10.1145/1102219.1102224
Venue: ACM Workshop on Security of ad hoc and Sensor Networks
Published: 2005-11-07
Citations: 19

Abstract

Many emerging applications in both wired and wireless networks, such as information dissemination and distributed collaboration in an adversarial environment, need the support of secure group communications. There have been many such schemes in the setting of wired networks. These schemes can be directly adopted in, or appropriately adapted to, the setting of wireless networks such as mobile ad hoc networks (MANETs) and sensor networks. In this paper we show that the popular group communication schemes that we have examined are vulnerable to the following attack: an outsider adversary who compromises a legitimate group member can obtain some or all past group keys as well as the current group key; this is in sharp contrast to the widely accepted belief that such an adversary can only obtain the current group key. This attack is also very powerful because it gives the adversary the following flexibility: since the adversary knows which members are the "most valuable" ones from its own point of view, compromise of any such member leads to the exposure of all the past and current group keys. This flexibility is particularly relevant in the setting of MANETs and sensor networks because they are typically deployed in a small area and the adversary can capture and compromise the easiest-to-obtain node. In order to deal with this powerful attack, we formalize two security models, for stateful and stateless group communication schemes respectively. We show that some practical methods can make a subclass of the group communication schemes immune to this attack at the following extra expense: at each rekeying event, a group member conducts logarithmically many pseudorandom function evaluations.