Cryptographic Properties

 

There are four important security properties encountered in group key agreement. (Assume that a group key is changed $m$ times and the sequence of successive group keys is $K=\{K$₀,&ldots;,K_m}).

1. Group Key Secrecy - this is the most basic property. It guarantees that it is computationally infeasible for a passive adversary to discover any group key.
2. Forward Secrecy - (not to be confused with Perfect Forward Secrecy or PFS) guarantees that a passive adversary who knows a contiguous subset of old group keys cannot discover subsequent group keys.
3. Backward Secrecy - guarantees that a passive adversary who knows a contiguous subset group keys cannot discover preceding group keys.
4. Key Independence - the strongest property. It guarantees that a passive adversary who knows a proper subset of group keys $K\subset K$ cannot discover any other group key $K\in (K-K)$.

The relationship among the properties is intuitive. Either of Backward or Forward Secrecy subsumes Group Key Secrecy and Key Independence subsumes the rest. Also, the combination of Backward and Forward Secrecy yields Key Independence.

Our definitions of Backward and Forward Secrecy are stronger than those typically found in the literature. The two are often defined (respectively) as [16, 13]:

• Previously used group keys must not be discovered by new group members.
• New keys must remain out of reach of former group members.

The difference is that the adversary here is assumed to be a current or a former group member. Our definition additionally includes the cases of inadvertently leaked or otherwise compromised group keys. We refer to the above as Weak Forward Secrecy and Weak Backward Secrecy, respectively.

In this paper we do not consider implicit key authentication as part of the group key management protocols. All communication channels are public but authentic. The latter means (as discussed later in the paper) that all messages are digitally signed by the sender using some sufficiently strong public key signature method such as DSA or RSA. All receivers are required to verify signatures on all received messages. Since no other long-term secrets or keys are used, we are not concerned with Perfect Forward Secrecy (PFS) as it is achieved trivially.