Next: TGDHProtocols
Up: Simple and Fault-Tolerant Key
Previous: Group Membership Events
There are four important security properties encountered in group key agreement.
(Assume that a group key is changed times and the sequence of successive
group keys is ).
- Group Key Secrecy - this is the most basic property. It guarantees that
it is computationally infeasible for a passive adversary to discover any group
key.
- Forward Secrecy - (not to be confused with Perfect Forward Secrecy or
PFS) guarantees that a passive adversary who knows a contiguous subset of old
group keys cannot discover subsequent group keys.
- Backward Secrecy - guarantees that a passive adversary who knows a
contiguous subset group keys cannot discover preceding group keys.
- Key Independence - the strongest property. It guarantees that a passive
adversary who knows a proper subset of group keys
cannot discover any other group key .
The relationship among the properties is intuitive. Either of Backward or
Forward Secrecy subsumes Group Key Secrecy and Key Independence subsumes the
rest. Also, the combination of Backward and Forward Secrecy yields Key
Independence.
Our definitions of Backward and Forward Secrecy are stronger than those
typically found in the literature. The two are often defined (respectively) as
[16, 13]:
- Previously used group keys must not be discovered by new group members.
- New keys must remain out of reach of former group members.
The difference is that the adversary here is assumed to be a current or a former
group member. Our definition additionally includes the cases of inadvertently
leaked or otherwise compromised group keys. We refer to the above as Weak
Forward Secrecy and Weak Backward Secrecy, respectively.
In this paper we do not consider implicit key authentication as part of the
group key management protocols. All communication channels are public but
authentic. The latter means (as discussed later in the paper) that all
messages are digitally signed by the sender using some sufficiently strong
public key signature method such as DSA or RSA. All receivers are required to
verify signatures on all received messages. Since no other long-term secrets or
keys are used, we are not concerned with Perfect Forward Secrecy (PFS) as it is
achieved trivially.
Next: TGDHProtocols
Up: Simple and Fault-Tolerant Key
Previous: Group Membership Events
Adrian Perrig
Fri Sep 1 21:02:14 PDT 2000