A three round authenticated group key agreement protocol for ad hoc networks Authors: Daniel Augot, Raghav Bhaskar, Valérie Issarny, and Daniele Sacchetti Sources: Pervasive and Mobile Computing, 3(1), pp. 36-52, 2007. Reporter: Chun-Ta Li (李俊達)

Outline Motivation The proposed protocol Comparisons Comments IKA (Initial Key Agreement) Join Leave Comparisons Comments 2 2

Motivation Group key agreement Dynamism in ad hoc networks Merge and partition Simple and efficient Group leader election Security goals Key secrecy Key independence Forward secrecy

The proposed protocol Notations

The proposed protocol (cont.) IKA (Initial Key Agreement) Round 1: 2 3 U1 broadcasts {msg1,1 = {INIT, U1, N1, H(gr1)}, σ1,1} 1. msg1,1 3. msg1,2 1 Round 2: 2. msgi Ui=2,3,4,5 verifies msg1,1 ?= σ1,1 4 5 Ui sends {msgi = {IREPLY, U1, N1, Ui, Ni, gri},σi} to U1 Key computation: Round 3: Ui=2,3,4,5 verifies msg1,2 ?= σ1,2 Ui=2,3,4,5 verifies gri and H(gr1) U1 verifies msgi ?= σi Key = gr1 * Πgrir1 = gr1(1+Σri) U1 broadcasts {msg1,2 = {IGROUP, U1, N1,{Ui, Ni, gri, grir1}, σ1,2}

The proposed protocol (cont.) IKA (Initial Key Agreement) Round 1: 2 3 U1 broadcasts {msg1,1 = {INIT, U1, N1, H(gr1)}, σ1,1} Round 2: 1. msg1,1 3. msg1,2 1 U2 generates N2, gr2 to U1; U3 generates N3, gr3 to U1 2. msgi U4 generates N4, gr4 to U1; U5 generates N5, gr5 to U1 4 5 Round 3: U1 broadcasts {gr2, gr3, gr4, gr5, (gr2)r1, (gr3)r1, (gr4)r1, (gr5)r1} Key computation: Key = gr1(1+r2+r3+r4+r5)

The proposed protocol (cont.) Join (U6) Old Key = gr1(1+r2+r3+r4+r5) Round 1: 2 U6 broadcasts {msg6 = {JOIN, U6, N6, gr6}, σ6} 3 Round 2: 1 U1 generates a new secret r1* and sends {gr1*, gr2, gr3, gr4, gr5} to U6 JOIN JOIN 4 5 Round 3: 6 U6 broadcasts {gr1*, gr2, gr3, gr4, gr5, (gr1*)r6, (gr2)r6, (gr3)r6, (gr4)r6, (gr5)r6} to the group New group leader New Key = gr6(1+r1*+r2+r3+r4+r5)

The proposed protocol (cont.) Leave (U5) Old Key = gr1(1+r2+r3+r4+r5) 2 Round 1: 3 U5 sends {msg5 = {DEL, U5, N5}, σ5} to U1 1 Round 2: LEAVE U1 generates a new secret r1” and broadcasts {gr2, gr3, gr4, (gr2)r1”, (gr3)r1”, (gr4)r1”} to the group 4 5 New Key = gr1”(1+r2+r3+r4)

Comparisons Efficiency comparison of GKA protocols

Comments Security attack (A dishonest member Eve in a group; DoS attack) Eve first collects the LEAVE message that broadcasts from Bob before. Then Eve could masquerade as Bob to send the LEAVE message to the group leader. Finally, every member in a group would compute the new key except Bob.

Comments (cont.) Example Old Key = gr1(1+r2+r3+r4+rEve+rBob) Round 1: Eve sends {msgBob = {DEL, UBob, NBob}, σBob} to U1 3 Group leader Round 2: 1 U1 generates a new secret r1* and broadcasts {gr2, gr3, gr4, grEve, (gr2)r1*, (gr3)r1*, (gr4)r1*, (grEve)r1*} to the group LEAVE 4 Bob Eve New Key = gr1*(1+r2+r3+r4+rEve)

Comments (cont.) Improvement Old Key = gr1(1+r2+r3+r4+r5) 2 Round 1: 3 U5 sends {msg5 = E{Old Key{DEL, U5, N5}}, σ5} to U1 1 Round 2: LEAVE U1 generates a new secret r1” and broadcasts {gr2, gr3, gr4, (gr2)r1”, (gr3)r1”, (gr4)r1”} to the group 4 5 New Key = gr1”(1+r2+r3+r4)