利用共享金鑰推導之群組金鑰管理協定

Abstract

在很多網路的應用中，包括遠距教學，網路廣播電台，視訊串流，線上遊戲等等，資料發送者往往都會需要用到將訊息傳送給多個接收者，IP多點傳播和應用層多點傳播提供了有效率且高擴展性的一對多或多對多傳輸機制。由數個使用者利組成的群組，可以使用共用的金鑰(稱之為群組金鑰)來加密多點傳播的傳輸資料，以保護他們之通訊的安全性。我們設計了一個新的以金鑰樹為基礎的群組金鑰管理協定，利用共享金鑰推導法以達成安全且有效率的群組金鑰管理。利用共享金鑰推導法，讓部分群組成員可以自行演算所需要的更新金鑰，伺服器不需加密並傳播這些金鑰給可以自行推算的成員，可達成節省傳輸頻寬及運算量的目的，並改進這個新的協定所支援同步與非同步金鑰更新運算的效能，包括單一成員加入運算，單一成員離開運算，與多成員異動批次更新運算等等。金鑰推導函數可以使用安全雜湊函數，安全亂數產生器，或是單向後門函數等合成，當金鑰推導函數與選用的金鑰加解密函數是安全的，我們可以證明惡意的使用者無法在可接受的時間內共謀而成功計算出依協定他們不應取得的金鑰，也因此本協定滿足背向及正向群組金鑰保密性。這個協定可以有效地降低系統的通訊量及運算量，而且不論就分析或模擬的結果，這個新協定都較其他數種類似性質的群組金鑰管理協定為優異。這個協定在使用二元金鑰樹時，配合非同步金鑰更新運算，可達到最佳的系統效能。本協定只要稍加修改，即可支援縮短金鑰更新延遲時間或變更金鑰長度，以符合實際的應用上的需要。

In many network applications, including distance learning, audio webcasting, video streaming, and online gaming, often a source has to send data to many receivers. IP multicasts and application-layer multicasts provide efficient and scalable one-to-many or many-to-many communications. A common secret key, the group key, shared by multiple users can be used to secure the information transmitted in the multicast communication channel. A new key-tree-based group key management protocol with shared key derivation is proposed to securely and efficiently manage the group key. With shared key derivation, new keys derivable by members themselves do not have to be encrypted or delivered by the server, and the performance of synchronous and asynchronous rekeying operations, including single join, single leave, and batch update, is thus improved. The key derivation function can be easily constructed with secure hash functions, secure pseudo-random number generators, or one-way trapdoor functions. When the key derivation function and the key encryption function are secure, it is computationally infeasible for malicious users to collude to compute a key which is not granted by the protocol, and both backward group key secrecy and forward group key secrecy are guaranteed. The protocol reduces the computation and communication costs of group key rekeying, outperforms the other comparable protocols from our analysis and simulation, and is particularly efficient with binary key trees and asynchronous rekeying. With minor modification, the rekeying delay and the key size of the protocol can be tuned to meet different system needs.