information security technical report 13 (2008) 158–164
available at www.sciencedirect.com
www.compseconline.com/publications/prodinf.htm

Secure authenticated group key agreement protocol in the MANET environment

Chan Yeob Yeun a,*, Kyusuk Han b, Duc Liem Vo b, Kwangjo Kim b

a Khalifa University of Science, Technology and Research, P.O. Box 573, Sharjah, United Arab Emirates
b Information and Communications University, 119, Munjiro, Yuseong-gu, Daejeon, 305-732, South Korea

Keywords: MANET; Detect cheating; Identifying malicious insiders; Authenticated group key agreement

abstract

Due to the dynamic and infrastructure-less nature of the Mobile Ad hoc Network (MANET) environment, in which mobile devices and nodes can move around freely, a number of threats exist, such as eavesdropping on communication channels, modification of sensitive m-commerce transactions, Denial of Service (DoS), and impersonation by malicious insiders. In this paper, we propose a novel authenticated group key agreement protocol for end-to-end security in the MANET environment without any infrastructure. It is based on the Burmester and Desmedt group key agreement protocol (Burmester M, Desmedt Y. A secure and efficient conference key distribution system. Advances in Cryptology – EuroCrypt '94, Lecture Notes in Computer Science 1995;950:275–86) and its variants (Choi KY, Hwang JY, Lee DH. Efficient ID-based group key agreement with bilinear maps. Public Key Cryptography – PKC, Lecture Notes in Computer Science 2004;2947:130–44). We also design practical enhancements of the BD and Choi et al. protocols that not only detect but also identify malicious insiders, using a trusted arbiter who is involved in the protocol only if cheating has occurred.

Crown Copyright © 2008 Published by Elsevier Ltd. All rights reserved.
1. Introduction

In recent years, MANETs (Mobile Ad Hoc Networks) have become omnipresent in our lives. The mobile devices in a MANET are called nodes. A MANET has several characteristics: it is infrastructure-less, mobile, dynamic in topology and resource constrained. In the MANET environment, each node can decide by itself to join and leave the network, and nodes communicate with each other without infrastructure. Communication depends on each node cooperating to forward packets, which is called multi-hop communication. Because each node is mobile, the topology can change quickly and connectivity between nodes is low.

Due to the dynamic and infrastructure-less nature of the Mobile Ad hoc Network (MANET) environment, in which mobile devices and nodes can move around freely, a number of threats exist, such as eavesdropping on communication channels, modification of sensitive m-commerce transactions, Denial of Service (DoS), impersonation by malicious insiders, etc.

Moreover, given the infrastructure-less nature of MANET, lightweight asymmetric techniques such as ID-based cryptosystems could provide intelligent facilities for securing MANET environments. ID-based systems require no explicit public key to be available; the key is constructed from publicly available information. It is an asymmetric system in which a unique name plays the role of the public key. These characteristics of ID-based techniques make them very suitable for the MANET security architecture and applications.
* Corresponding author.
1363-4127/$ – see front matter Crown Copyright ª 2008 Published by Elsevier Ltd. All rights reserved.
doi:10.1016/j.istr.2008.10.002
In this paper, we propose a novel authenticated group key agreement protocol for end-to-end security in the MANET environment without any infrastructure. It is based on the Burmester and Desmedt group key agreement protocol (Burmester and Desmedt) and its variant (Choi et al., 2004), which is based on an ID-based cryptosystem.

An authenticated group key agreement protocol (AGKA) enables two or more participants who want to communicate securely to share a common secret key. After Burmester and Desmedt (BD) proposed their conference key agreement protocol (Burmester and Desmedt), many studies on group key agreement followed (Just and Vaudenay, 1996; Nam, 2007; Nam et al., 2006; Steiner et al., 1998).

Our motivation for this paper is to find an efficient way of detecting and identifying attackers, which enables not only stopping the repetition of attacks but also warning the attackers or even excluding them from the protocol in real MANET applications. For example, when a tele-conference is initiated and an attack is detected, the malicious insiders are easily identified and the repetition of such attacks is prevented.

Therefore, we propose practical enhancements of the BD (Burmester and Desmedt) and Choi et al. (2004) authenticated group key agreement protocols that not only detect but also identify malicious insiders, using a trusted arbiter, if cheating has occurred in the MANET. Since malicious cheaters will continuously try to make the group key agreement produce an incorrect result in the MANET, identifying and removing the cheaters is necessary for practical use. With the assistance of the trusted arbiter, who could be a trusted mobile operator or service provider, we easily identify the cheaters and prevent further attacks on the group key agreement protocol in the MANET. Thus, our protocol allows any participant to detect cheating, and allows the trusted arbiter to identify the malicious insiders regardless of the number of cheaters.

2. Group key agreement protocols

In this section, we review the original BD protocol and the protocol of Choi et al. derived from it, which is based on an ID-based cryptosystem.

2.1. BD conference key protocol

Burmester and Desmedt (Burmester and Desmedt) provided several conference keying protocols, of which the protocol working in the broadcast model is quite popular. A summary of that protocol follows:

(1) One-time setup. An appropriate prime p and a generator α of Z_p^* are selected, and authentic copies of these are provided to each of the n system users.
(2) Conference key generation. Any group of t ≤ n users (typically t ≪ n) derives a common conference key K as follows. (Without loss of generality, the users are labeled U_0 through U_{t−1}, and all indices j indicating users are taken modulo t.)
  (a) Each U_i selects a random integer r_i, 1 ≤ r_i ≤ p − 2, computes z_i = α^{r_i} mod p, and sends z_i to each of the other t − 1 group members. (Assume that U_i has been notified a priori of the indices j identifying the other conference members.)
  (b) Each U_i, after receiving z_{i−1} and z_{i+1}, computes X_i = (z_{i+1} / z_{i−1})^{r_i} mod p (note X_i = α^{r_{i+1} r_i − r_i r_{i−1}}), and sends X_i to each of the other t − 1 group members.
  (c) After receiving X_j, 1 ≤ j ≤ t excluding j = i, U_i computes K = K_i as

    $K_i = (z_{i-1})^{t r_i} \cdot X_i^{t-1} \cdot X_{i+1}^{t-2} \cdots X_{i+(t-3)}^{2} \cdot X_{i+(t-2)}^{1} \bmod p.$

Just and Vaudenay (1996) show a generalization of BD and its lack of a key authentication feature. Several attacks are shown in (Tang and Mitchell, 2005).

2.2. Choi et al.'s ID-based AGKA scheme

Choi et al.'s ID-based authenticated group key agreement scheme (Choi et al., 2004) is a variation of the BD protocol. The one-time setup process of BD is modified as follows.

Setup: The Key Generation Center (KGC) sets up the groups G_1 and G_2, where G_1 is a cyclic additive group of prime order q and G_2 is a cyclic multiplicative group of the same order q, chooses a random number s ∈ Z_q^* and sets P_pub = sP. KGC keeps s as the master key, which is known only to itself. KGC also defines H : {0,1}^* → Z_q^* and H_1 : {0,1}^* → G_1^*, where H and H_1 are cryptographic hash functions.
Extraction: A user submits his identity information ID ∈ {0,1}^* to KGC. KGC computes the user's private key S_ID = s Q_ID and sends it to the user via a secure channel, where Q_ID = H_1(ID).

Let {U_i | i = 1, 2, ..., n} be a set of n users who would like to share a session key. Suppose ID_i denotes the identity information of the user U_i. The indices are taken modulo n. Let U_i's long-term public key and private key be Q_i = H_1(ID_i) and S_i = s Q_i, respectively.

2.2.1. Round 1
Each user U_i picks a random integer a_i ∈ Z_q^* and computes P_i = a_i P, h_i = H(P_i) and T_i = a_i P_pub + h_i S_i. Each user U_i broadcasts ⟨P_i, T_i⟩ to all others and keeps a_i secret.

2.2.2. Round 2
Upon receipt of ⟨P_{i−1}, T_{i−1}⟩, ⟨P_{i+1}, T_{i+1}⟩ and ⟨P_{i+2}, T_{i+2}⟩, each user U_i verifies:

    $e\Big(\sum_{k\in\{-1,1,2\}} T_{i+k},\ P\Big) = e\Big(\sum_{k\in\{-1,1,2\}} (P_{i+k} + h_{i+k} Q_{i+k}),\ P_{pub}\Big)$   (1)

If the above equation is satisfied, then U_i computes D_i = e(a_i(P_{i+2} − P_{i−1}), P_{i+1}) and broadcasts D_i to all others. Otherwise U_i stops.

2.2.3. Key computation
Each user U_i computes the session key

    $K_i = e(a_i P_{i-1}, P_{i+1})^n \cdot D_i^{n-1} \cdot D_{i+1}^{n-2} \cdots D_{i-2}.$

However, the protocol above has the vulnerability that malicious users can impersonate an entity to agree on some
session keys in a new group if these malicious users have the previous authentication transcripts of this entity. So, an active adversary can collude with these malicious users to masquerade as the victim without being detected in the MANET environment. More details can be found in Zhang and Chen (2004). An improved scheme using a synchronous counter is shown in Du et al. (2003). In spite of such improvements, Shim (2007) showed that verification of all the messages from all participants is required to prevent the insider impersonation attack.

2.3. Security requirements

In this section, we describe security requirements for AGKA protocols, which consist of two parts. The first part is the previous requirements, and the other is our additional requirements, which enhance the security of AGKA protocols.

2.3.1. Previous requirements
The following security requirements are given in Shim (2007), Katz and Shin (2005), and Pereira and Quisquater (2003).

2.3.1.1. Implicit key authentication. When a participant has completed his role in a protocol session, each M_i ∈ M is assured that no party M_q ∉ M can learn the key S_n(M_i) (i.e. M_i's view of the key) unless helped by a dishonest M_j ∈ M.

2.3.1.2. Resistance to known-key attacks. A protocol is said to be vulnerable to a known-key attack if compromise of past session keys allows either a passive adversary to compromise future session keys, or impersonation by an active adversary in the future.

The above three requirements are essential for a group key agreement protocol and are similarly defined in Saeednia and Safavi-Naini (1998). The following requirements are also defined.

2.3.1.3. Prevent insider impersonation attack. Malicious insiders should not be able to impersonate other users in order to participate in the key agreement protocol.

2.3.1.4. Prevent insider different key attack. This type of attack is shown in Tang and Mitchell (2005). Active malicious participants should not be able to manipulate the communication so as to make any other participant compute the session key to be any value K' ∈ G.

Katz and Shin (2005) gave a formal model of security against insider impersonation attacks. Shim (2007) showed that each user should authenticate all participating entities. The security model in Katz and Shin (2005) is claimed to be impractical because the UC-compiler in their design requires an additional round and O(n) signature verifications.

2.3.2. Proposed new additional requirements
In a practical implementation, even though an attack fails, the malicious insiders might repeat the attack to obstruct the key agreement protocol. In this case, the participants may never complete the protocol with a common key. Therefore, it is necessary for the key agreement protocol to detect cheating and identify cheaters. The following are our proposed additional requirements for the key agreement protocol.

2.3.2.1. Extended insider different key attack. We extend the concept of the insider different key attack to the key agreement protocol in which the attacker may deliberately contribute an incorrect value, making all other participants compute an incorrect session key. The ultimate purpose of the attacker is to prevent the protocol from completing.

2.3.2.2. Detection of cheating. If there is an attack on the key agreement protocol, it should be detected, regardless of whether the source of the attack is outside or inside.

2.3.2.3. Identifying cheaters. Whenever an attack is detected, the malicious insider, if one exists, should be identified.

With these additional requirements, the key agreement protocol is more secure and is even able to prevent further attacks from happening again. In order to detect and identify the malicious cheaters, we propose the trusted arbiter as an entity in the protocol. We define a trusted third party who is involved in the protocol only when cheating has occurred. We describe more details in the following section.

3. How to detect and identify cheaters in AGKA protocols in MANET

We propose new methods for how to detect and identify cheaters in AGKA protocols in the MANET environment and introduce a new entity, the trusted arbiter (TA), which can be a trusted mobile operator or service provider in the MANET.

Our TA works as follows. The TA is involved in the protocol only when cheating is found. In this situation, the TA needs to collect the broadcast messages from every participant during the communication.

We let the TA act as a judge or as a key escrow agent. In the case where the TA's role is the judge, if cheating is found, every participant is required to send the secret parameters they used during the key agreement protocol to the TA. On the other hand, if the TA's role is the key escrow agent, participants send their secret parameters when the protocol begins. With the secret parameters, the TA is able to identify the malicious insiders. Practical applications of these two cases are described below.

3.1. TA as a judge

We assume a business group that wishes to hold a secure tele-conference. Some malicious participants deliberately sabotage the tele-conference. Consequently, the other participants fail to establish the conference. In such a conflict, they detect the failure and request help from the TA. With the data submitted by all participants, the TA is able to identify the malicious participants regardless of their number.
3.2. TA as a key escrow agent

Consider several government offices that join to work on some serious project under the supervision of an arbiter. Sometimes, malicious officers deliberately sabotage the key agreement process for their own purposes. Due to the confidentiality requirements of the government offices, the secret data used during the key agreement process may not be given to any outsider. Therefore, the TA as a key escrow agent, if present, easily detects and identifies the malicious officers regardless of their number.

We apply our approaches to improve (Burmester and Desmedt) and (Choi et al., 2004) for detecting and identifying malicious insiders in the MANET environment.

3.3. Trusted arbiter as a judge

When the TA acts as the judge, it is involved only when cheating is reported in the MANET. We assume that, in the key agreement protocol, each user U_i has their own identity UID_i and a public key pair (pk_i, sk_i), where pk_i is U_i's public key, which is publicly known, including by the participants in G, and sk_i is U_i's private key, which is kept secret. With sk_i, U_i can generate a signature using any secure signature scheme.

3.3.1. Enhancement of the Burmester–Desmedt protocol
We assume that a group of t ≤ n users (typically t ≪ n) derives a common conference key K in the MANET. Without loss of generality, the users are labeled from U_0 through U_{t−1}, and all indices i indicating users are taken modulo t. We denote the timestamp of user U_i as TS_i and the signature generated by each user as sig_i. Let G be the group of participating users, where G = {U_0, ..., U_{t−1}}.

3.3.1.1. One-time setup. An appropriate prime p and a generator α of Z_p^* are selected and published to the whole group of users.

3.3.1.2. Group setup. Each user U_i agrees to generate the group key and shares the group information G, where G = {U_0, ..., U_{t−1} | Session}. Session defines the start time and the expiration time for each run of the key agreement process. We use the timestamp for freshness checking.
After G is known to the participants U_i, 0 ≤ i < t, they proceed as follows.

3.3.1.3. Round 1: broadcast z_i. Each user U_i generates a random integer r_i and computes z_i = α^{r_i}. U_i generates sig_{z_i} = sign_i(UID_i | z_i | G | TS_i) and broadcasts {z_i, sig_{z_i}}.

3.3.1.4. Round 2: broadcast X_i. Each user U_i receives {z_{i−1}, sig_{z_{i−1}}} and {z_{i+1}, sig_{z_{i+1}}}. Then U_i verifies sig_{z_{i−1}} and sig_{z_{i+1}}. If the verification is correct, U_i generates X_i = (z_{i+1} / z_{i−1})^{r_i} mod p and the signature sig_{X_i} = sign_i(UID_i | X_i | G | TS_i). U_i broadcasts {X_i, sig_{X_i}}.

3.3.1.5. Round 3: compute the group key. After receiving {X_j, sig_{X_j}}, U_i verifies sig_{X_j} for 0 ≤ j < t excluding j = i, and computes K = K_i as

    $K_i = (z_{i-1})^{t r_i} \cdot X_i^{t-1} \cdot X_{i+1}^{t-2} \cdots X_{i+(t-3)}^{2} \cdot X_{i+(t-2)}^{1} \bmod p.$

3.3.1.6. Key confirmation. U_i broadcasts s_i = h(UID_i || K_i || G) and sign_i(s_i), where || denotes concatenation. Each user U_i compares h(UID_j || K_i || G) with s_j, where 0 ≤ j < t, j ≠ i. If the result is correct, then the group succeeds in the group key generation and shares the key K. Otherwise, the key confirmation fails. Fig. 1 depicts this process. If the key confirmation fails, each user U_i sends his/her r_i and the signature sig_i(r_i) to the TA, who can identify the cheaters as shown in Fig. 2. We describe more details in Section 3.3.

3.3.2. Enhancement of Choi et al.'s protocol
In this section, we improve Choi et al.'s scheme. First, we proceed with the following steps.
Setup: The Key Generation Center (KGC) chooses a random number s ∈ Z_q^* and sets P_pub = sP. KGC keeps s as the master key, which is known only to itself.
Extraction: A user submits his identity information ID ∈ {0,1}^* to KGC. KGC computes the user's private key S_ID = s Q_ID and sends it to the user via a secure channel, where Q_ID = H_1(ID).

Let {U_i | i = 0, 1, ..., t − 1} be a set of t users who would like to share a session key. Suppose ID_i denotes the identity information of the user U_i. The indices are taken modulo t. Let U_i's long-term public key and private key be Q_i = H_1(ID_i) and S_i = s Q_i, respectively. We denote the timestamp of a user as TS_i and the signature of each user as sig_i. Let G be the group of participating users, where G = {U_0, ..., U_{t−1}}.

3.3.2.1. Round 1. Each user U_i picks a random integer a_i ∈ Z_q^* and computes P_i = a_i P, h_i = H(P_i || G || TS_i) and T_i = a_i P_pub + h_i S_i. Each user U_i broadcasts {UID_i, G, TS_i, ⟨P_i, T_i⟩} to all others and keeps a_i secret.

3.3.2.2. Round 2. Upon receipt of {UID_{i−1}, G, TS_{i−1}, ⟨P_{i−1}, T_{i−1}⟩}, {UID_{i+1}, G, TS_{i+1}, ⟨P_{i+1}, T_{i+1}⟩} and {UID_{i+2}, G, TS_{i+2}, ⟨P_{i+2}, T_{i+2}⟩}, each user U_i verifies Eq. (1), where h_{i+k} = H(P_{i+k} || G || TS_{i+k}).
If the above equation is satisfied, then U_i computes D_i = e(a_i(P_{i+2} − P_{i−1}), P_{i+1}) and sig_{D_i} = sign_{S_i}(UID_i | D_i | G | TS'_i), and broadcasts {D_i, UID_i, G, TS'_i, sig_{D_i}} to all others, where TS'_i is a new timestamp generated by U_i. Otherwise U_i stops.

3.3.2.3. Key computation. Each user U_i verifies D_j with UID_j, G, TS'_j, sig_{D_j}, 0 ≤ j ≤ t − 1 where j ≠ i, and computes the session key as follows:

    $K_i = e(a_i P_{i-1}, P_{i+1})^n \cdot D_i^{n-1} \cdot D_{i+1}^{n-2} \cdots D_{i-2}$

Fig. 1 – Each U_i confirms the generated key.
Fig. 2 – All participants send their r_i to the TA to identify cheaters.

3.3.2.4. Key confirmation. U_i broadcasts s_i = h(UID_i || K_i || G) and sign_i(h(s_i)). Every user compares h(UID_j || K_i || G) with s_j, where 0 ≤ j < t, j ≠ i. If the result is correct, then the group succeeds in the group key generation and shares the key K. Otherwise, the key confirmation fails. Fig. 1 depicts this process. If the key confirmation fails, each user U_i sends his/her a_i and the signature sig_i(a_i) to the TA, who can identify the cheaters. We describe more details in Section 3.3.

3.4. Trusted arbiter as a key escrow agent

When the TA acts as the key escrow agent, the protocols are slightly different. Before the protocol begins, the participants notify the TA of the group of users G. In Round 1, all participants send their random integer r_i (BD protocol) or a_i (Choi et al.'s protocol) to the TA. With this secret information, the TA can detect and identify the cheaters if cheating happens. The remaining steps follow the previous section.

3.5. Detecting and identifying cheaters

If no attack has occurred, every user will share the same group key K. However, if there are attacks, users may have different keys, so the key confirmation fails and the cheating is detected.
In order to identify the cheaters, as mentioned in the previous section, the TA becomes involved in the protocol. Firstly, the TA collects all the protocol transcripts. For instance, with the TA as the judge, the random integers used during the protocol are sent to the TA by every user after the key confirmation has failed. When acting as the key escrow agent, the TA already has all the random integers at the beginning of the protocol session.
From the random integers, the TA identifies the cheaters as follows. We assume that the TA has the valid transcripts verified by all the users. The TA re-generates the protocol messages with the received random integers and checks them against the collected messages. If there is an inconsistency between the two sets of protocol messages, the TA easily identifies the malicious insiders.
Moreover, when the TA acts as the key escrow agent and follows the protocol steps, cheating can be detected earlier, without waiting for the key confirmation. To do this, the TA collects the broadcast information from each user during the protocol execution. Using the random integers sent by the users beforehand, the TA can verify whether those broadcast values are correct. If it finds something going wrong, it knows the owner of the original data. Cheaters cannot deny it, since there are signatures on the data sent by them. In this way, whenever cheating occurs, the TA can take action as soon as possible.

4. Security analysis

In this section, we conduct the security analysis of our enhanced design with respect to implicit key authentication, forward security, replay attacks, the insider impersonation attack, the insider different key attack, and how to detect and identify cheaters in the MANET.

4.1. Implicit key authentication

If there is no dishonest insider who leaks the key generation information, then outsiders of the group would have to find at least one random integer r_i in the BD protocol, or a_i in Choi et al.'s protocol, to succeed in the attack. However, finding r_i given z_i, or a_i given P_i, is equivalent to solving the discrete logarithm problem (DLP) (Koblitz, 1987; Odlyzko, 1984; Smart, 1999). Therefore, our enhanced design provides implicit key authentication due to the hardness of the DLP.

4.2. Forward and backward security

In each group setup session, a participant picks a fresh random integer which differs from that in other sessions, which results in a different shared group key each time. Therefore, even if a group key of one session is compromised, it does not provide any useful information for computing previous or future session keys. This also provides resistance to known-key attacks.
4.3. Insider impersonation attack

An impersonation attempt may happen at two points: one in Round 1, the other in Round 2. We utilize the digital signature in both rounds to ensure the integrity of the protocol messages. If an adversary tries to impersonate U_i by sending forged z'_i and X'_i, the adversary would have to generate the signature in order to pass the verification step performed by each participant. Thus, our enhanced BD protocol is secure against the insider impersonation attack.
Consider the impersonation attack on Choi et al.'s protocol shown in Zhang and Chen (2004). Two malicious insiders U_{i−1} and U_{i+2} can collaborate to generate U_i's D_i from the known values P_i, P_{i+1} as follows:

    $D_i = e(a_i(P_{i+2} - P_{i-1}), P_{i+1}) = e(P, P)^{a_i (a_{i+2} - a_{i-1}) a_{i+1}} = e(a_i P, a_{i+1} P)^{-a_{i-1} + a_{i+2}} = e(P_i, P_{i+1})^{-a_{i-1} + a_{i+2}}$

A similar attack still works, as shown in Shim (2007), even though Round 1 of Choi et al.'s protocol uses the timestamp technique suggested in Zhang and Chen (2004). Malicious users U_{i−2}, U_{i−1} and U_{i+1} collude to impersonate U_i in the group G. In Round 1, the colluding members broadcast ⟨P_i, T_i = R⟩ impersonating U_i.
In Round 2, U_j (j ≠ i) verifies ⟨P_{j−1}, T_{j−1}⟩, ⟨P_{j+1}, T_{j+1}⟩ and ⟨P_{j+2}, T_{j+2}⟩. At that time nobody knows about the invalidity of ⟨P_i, T_i⟩ except U_{i−2}, U_{i−1} and U_{i+1}. In Round 2, when U_j (j ≠ i) broadcasts D_j, those colluding users broadcast D'_i = e(a_i(P_{i+2} − P_{i−1}), P_{i+1}) with the a_i chosen by U_i previously, and impersonate U_i successfully.
However, in our enhanced design, D_i is sent along with sig_{D_i}, the signature generated by U_i. If the colluding users want to succeed in the above impersonation attack, they have to be able to generate sig_{D_i}. Under the assumption that U_i uses a secure digital signature scheme, it is hard for the colluding users to generate a fake signature of U_i. Hence, our schemes can prevent such attacks (Zhang and Chen, 2004; Shim, 2007).

4.4. Replay attacks

In the replay attack, the attacker tries to participate in the group key agreement by re-sending an old message. The replay attack can happen in the same group or in another group of users. This attack is already shown in Nam et al. (2006). In our enhanced protocols, the key generating parameters in each round are sent along with the user's identity UID_i, the group identity G, and a timestamp TS_i. G prevents the malicious use of the message in another group to impersonate U_i. Also, the timestamp TS_i keeps the message fresh. Alternatively, we can use a sequence number or a nonce instead of the timestamp if time synchronization is infeasible within the key exchange environment. With these techniques, our enhanced protocols are secure against the replay attack.

4.5. Insider different key attack

Insider different key attacks come in two types. The first type is mentioned in Tang and Mitchell (2005). We describe the second type later on.
The first attack can be applied to the original BD scheme. A malicious participant, say U_j (1 ≤ j < t), who can manipulate the communications in the network, is able to make any other participant, say U_i (0 ≤ i < t, i ≠ j), compute the session key to be any value K* ∈ G chosen by U_j. To achieve this, in Round 2, U_j intercepts the message X_{i+t−2} and prevents it from reaching U_i. U_j then waits until all the other messages have been received and computes the session key K in the normal way. U_j now sends X'_{i+t−2} = X_{i+t−2} · K*/K to U_i, pretending that it comes from U_{i+t−2}. Finally, U_i generates the incorrect key K*.
However, in our enhanced BD protocol, U_j has to generate the signature to convince U_i that X'_{i+t−2} actually comes from U_{i+t−2}. Even if U_j is U_{i+t−2}, so that U_{i+t−2} can generate the incorrect X'_{i+t−2} along with a valid signature, U_i can detect the cheating in the key confirmation step by comparing the other h(UID_k || K_i || G), where 0 ≤ k < t, k ≠ i. This type of attack is also applicable to Choi et al.'s original protocol, while our enhanced protocol overcomes this attack by the same principle.
As we mentioned the extended insider different key attack in Section 2.3.2, we describe our attack as follows. In this type of attack, the malicious insider can make all other users in the group compute keys that differ from each other. Therefore the group users never agree upon a common group key. Suppose that U_j wants to perform this type of attack. U_j first sends the correct information in Round 1, but sends different information in Round 2. For example, in the BD protocol, U_j generates z_j, where z_j = α^{r_j}, but generates X'_j, where X'_j = (z_{j+1} / z_{j−1})^{r'_j} for some r' ≠ r. Then every user, including U_j, generates a distinct key. A similar attack can be applied to Choi et al.'s protocol.
In our enhanced protocols, however, any user U_i will detect this attack through the key confirmation process. Once the attack is detected, with the help of the TA, the malicious insiders can be identified and may be excluded from participating in the group key agreement process.

4.6. Analysis for detecting and identifying cheaters in MANET

As mentioned in Section 2.3.2, a secure group key agreement protocol should not only be secure against various attacks, but also be able to detect whether there is cheating and identify all cheaters. Supported by these functionalities, the group key agreement can stop attacks from outside as well as cheating from inside in the MANET environment. Moreover, by identifying cheaters, the protocol prevents malicious users from sabotaging the group key agreement process. Our approach using the TA enables the group key agreement protocol to provide cheater detection and identification features. We analyze these features in our enhanced versions of the BD and Choi et al. protocols. In order to detect cheating, we use the key confirmation process. On receiving the hash value h(UID_j || K_i || G) and the accompanying signature sign_i(h(UID_j || K_i || G)) from the other users, where 0 ≤ j < t, j ≠ i, U_i can check whether his computed key is identical to that of the others. If an incorrect group key is detected, cheating has occurred in the MANET. Then the process of identifying cheaters should be carried out with the involvement of the TA. The TA should have all the r_i (or a_i) used in the protocol session, sent by all the participants in the MANET environment.
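As an added example (not code from the paper), the following Python block runs the enhanced BD session of Section 3.3.1 with the key confirmation check of Section 3.3.1.6 and the TA-as-judge re-generation check of Sections 3.5 and 4.6, and also exercises the Round 2 form of the extended insider different key attack from Section 4.5 to show that the confirmation fails and the TA names the right party. The prime p = 1019, the generator α = 2, the r_i values and the group label are constructed toy inputs, and the per-message signatures that give non-repudiation are assumed rather than implemented, so only the arithmetic checks are shown.

```python
"""Enhanced Burmester-Desmedt (BD) session with key confirmation and
trusted-arbiter (TA) cheater identification.  Toy parameters; the
signatures on broadcast values are assumed and not implemented here."""
import hashlib

# Constructed toy parameters (far too small for real use): p = 1019 is prime
# and alpha = 2 is a generator of Z_p^*.
P = 1019
ALPHA = 2


def round1_z(r):
    """Round 1: z_i = alpha^{r_i} mod p."""
    return pow(ALPHA, r, P)


def round2_x(z_prev, z_next, r):
    """Round 2: X_i = (z_{i+1} / z_{i-1})^{r_i} mod p."""
    return pow(z_next * pow(z_prev, -1, P) % P, r, P)


def round3_key(i, r_i, zs, xs):
    """Round 3: K_i = z_{i-1}^{t r_i} * X_i^{t-1} * X_{i+1}^{t-2} ... X_{i+t-2}^1 mod p."""
    t = len(zs)
    k = pow(zs[(i - 1) % t], t * r_i, P)
    for m in range(t - 1):  # X_{i+m} carries exponent t-1-m, from t-1 down to 1
        k = k * pow(xs[(i + m) % t], t - 1 - m, P) % P
    return k


def expected_key(rs):
    """The value every honest party ends with: alpha^{sum_i r_i r_{i+1}} mod p."""
    t = len(rs)
    return pow(ALPHA, sum(rs[i] * rs[(i + 1) % t] for i in range(t)), P)


def confirmation_tag(uid, key, group):
    """s_i = h(UID_i || K_i || G), the value broadcast in the key confirmation step."""
    return hashlib.sha256(f"{uid}|{key}|{group}".encode()).hexdigest()


def run_session(rs, cheat=None):
    """Run one BD session.  rs[i] is U_i's secret r_i.  cheat=(j, r_prime) makes
    U_j broadcast an honest z_j but compute X_j with exponent r_prime instead of
    r_j (the extended insider different key attack of Section 4.5).
    Returns the collected broadcasts (zs, xs) and every user's computed key."""
    t = len(rs)
    zs = [round1_z(r) for r in rs]
    xs = []
    for j in range(t):
        r = cheat[1] if cheat and cheat[0] == j else rs[j]
        xs.append(round2_x(zs[(j - 1) % t], zs[(j + 1) % t], r))
    keys = [round3_key(i, rs[i], zs, xs) for i in range(t)]
    return zs, xs, keys


def key_confirmation_ok(keys, group):
    """Key confirmation: U_i recomputes h(UID_j || K_i || G) with its own key and
    compares it with the tag s_j it received from every U_j, j != i."""
    t = len(keys)
    received = [confirmation_tag(j, keys[j], group) for j in range(t)]
    return all(confirmation_tag(j, keys[i], group) == received[j]
               for i in range(t) for j in range(t) if j != i)


def ta_identify_cheaters(rs, zs, xs):
    """TA as judge: every U_i hands in r_i after a failed confirmation.  The TA
    re-generates z_i and X_i from r_i and the collected z values and compares
    them with the collected z*_i and X*_i; any mismatch names U_i as a cheater.
    A cheater who hands in the wrong r_i instead is caught by the z_i check."""
    t = len(rs)
    return [i for i in range(t)
            if round1_z(rs[i]) != zs[i]
            or round2_x(zs[(i - 1) % t], zs[(i + 1) % t], rs[i]) != xs[i]]


if __name__ == "__main__":
    GROUP = "G={U0,U1,U2,U3}|session-1"      # constructed group identifier
    honest = [5, 17, 101, 333]               # constructed r_i, 1 <= r_i <= p-2
    zs, xs, keys = run_session(honest)
    print("honest session, all keys equal:", len(set(keys)) == 1,
          "confirmation:", key_confirmation_ok(keys, GROUP))
    # U_2 keeps r_2 = 101 for Round 1 but uses r' = 77 in Round 2.
    zs, xs, keys = run_session(honest, cheat=(2, 77))
    print("cheating session, confirmation:", key_confirmation_ok(keys, GROUP),
          "TA names:", ta_identify_cheaters(honest, zs, xs))
```

Note that U_3, whose key formula gives X_2 exponent zero, still ends with the honest key, so the confirmation failure is seen by the others rather than by everyone at once.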
The TA identifies the cheaters as follows; we describe the BD scheme as an example. The TA re-generates the protocol messages with r_i, where 0 ≤ i < t, and compares the re-generated messages with the messages collected from Round 1 and Round 2. If there is a discrepancy between the two sets of messages in either round, the TA can easily identify the malicious insiders. For example, in the enhanced BD protocol, the TA computes z_i = α^{r_i} and X_i = (z_{i+1} / z_{i−1})^{r_i} with r_i, and compares them with the collected z*_i and X*_i. If the TA finds a discrepancy between z_i and z*_i, or between X_i and X*_i, then U_i must be the cheater who contributed the incorrect values. With the signatures on z_i and X_i, the malicious participants cannot deny their cheating in the MANET.

5. Conclusion

The dynamic, heterogeneous and distributed MANET environment will create new opportunities through the convergence of communication technologies and the creation of highly adaptive, reconfigurable devices. Increased mobility results in interesting new security challenges.
Due to the infrastructure-less nature of the MANET environment, lightweight asymmetric techniques such as ID-based cryptosystems could provide intelligent facilities for securing MANET environments. ID-based systems require no explicit public key to be available; the key is constructed from publicly available information. It is an asymmetric system in which a unique name plays the role of the public key. These characteristics of ID-based techniques make them very suitable for the MANET security architecture and applications.
Thus, we have proposed a novel authenticated group key agreement protocol for end-to-end security in the MANET environment without any infrastructure, based on the Burmester and Desmedt group key agreement protocol (Burmester and Desmedt) and its variant (Choi et al., 2004), which is based on an ID-based cryptosystem.
We have also presented our new requirements, such as the extended insider different key attack and detecting and identifying cheaters in group key agreement in the MANET environment, and proposed novel enhanced protocols that introduce the trusted arbiter for identifying cheaters in the MANET.
By signing each user's communication and confirming the key, our novel design provides not only the functionality of detecting malicious insiders but also, with the involvement of the trusted arbiter, the identification of all cheaters in the protocol regardless of their number in the MANET environment.

references

Burmester M, Desmedt Y. A secure and efficient conference key distribution system. Advances in Cryptology – EuroCrypt '94, Lecture Notes in Computer Science 1995;950:275–86.
Choi KY, Hwang JY, Lee DH. Efficient ID-based group key agreement with bilinear maps. Public Key Cryptography – PKC, Lecture Notes in Computer Science 2004;2947:130–44.
Du X, Wang Y, Ge J. An improved ID-based authenticated group key agreement scheme. Cryptology ePrint Archive 2003;260. Report.
Just M, Vaudenay S. Authenticated multi-party key agreement. Advances in Cryptology – AsiaCrypt '96, Lecture Notes in Computer Science 1996;1163:36–49.
Katz J, Shin JS. Modeling insider attacks on group key-exchange protocols. Proceedings of the 12th ACM Conference on Computer and Communications Security; 2005. p. 180–9.
Koblitz N. Elliptic curve cryptosystems. Mathematics of Computation 1987;48:203–9.
Nam J, Kim S, Won D. Weakness in Jung et al.'s ID-based conference key distribution scheme. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 2006;E89-A(1):213–7.
Nam J. Enhancing security of a group key exchange protocol for users with individual passwords. Cryptology ePrint Archive 2007;166. Report.
Odlyzko A. Discrete logarithms in finite fields and their cryptographic significance. In: Advances in Cryptology – Eurocrypt '84. Springer-Verlag; 1984. p. 224–314.
Pereira O, Quisquater J-J. Some attacks upon authenticated group key agreement protocols. Journal of Computer Security 2003;11(4):555–80.
Saeednia S, Safavi-Naini R. Efficient identity-based conference key distribution protocols. ACISP '98, Lecture Notes in Computer Science 1998;1438:320–31.
Shim K-A. Further analysis of ID-based authenticated group key agreement protocol from bilinear maps. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 2007;E90-A(1):295–8.
Smart N. The discrete logarithm problem on elliptic curves of trace one. Journal of Cryptology 1999;12.
Steiner M, Tsudik G, Waidner M. Cliques: a new approach to group key agreement. Proceedings of the 18th International Conference on Distributed Computing Systems (ICDCS '98); 1998. p. 380–7. Available from: citeseer.ist.psu.edu/steiner98cliques.html.
Tang Q, Mitchell CJ. Security properties of two authenticated conference key agreement protocols. Cryptology ePrint Archive 2005;185. Report.
Zhang F, Chen X. Attack on an ID-based authenticated group key agreement scheme from PKC 2004. Information Processing Letters 2004;91:191–2.