The invention addresses security needs which arise when a group of network nodes communicate with each other by creating and/or joining a secure session for members of the group. The group of network nodes may, e.g., be a plurality of mobile phone users who communicate by means of a local or remote communication technology, belong to the same social network group, and wish to share information with each other without letting anyone outside the group access their information or even learn the real identities behind the users or the group. The group of network nodes may also be a law enforcement group, e.g., police officers coordinating a mission, a group of aid workers, or a collection of Machine-to-Machine (M2M) devices.
In such cases, there is a need for mechanisms that allow users to securely join a network group, by authentication, and to exchange information within that group such that any outsider, i.e., a non-group member, can neither join a secure session nor eavesdrop on the communication between group members, nor even learn the real identities of the group members or of the group itself.
Many authentication and key exchange schemes rely on the presence of a trusted third party, such as a Key Distribution Centre (KDC), the Kerberos system being one example. In contrast, the Internet Engineering Task Force (IETF) Group Key Management Protocol (GKMP) entrusts key distribution to the communicating entities themselves. In GKMP, one of the group members acts as the controller node and uses an asymmetric encryption algorithm, which presupposes that the controller holds a certificate for each group member, to distribute to each member of a communication session a symmetric key that is unique to that member and shared only between the controller node and that member. In addition, the controller generates a shared session group key that is used to protect the communication between the participants of the session. Re-keying, when members are added to or removed from the group, is then performed by the controller with the help of the pairwise symmetric keys and/or the session group key.
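The two-level key hierarchy just described, as an added illustration that is not part of the original text and not the IETF GKMP implementation: a controller node wraps a fresh pairwise key under each member's public key, distributes a group session key under the pairwise keys, and rekeys on every join and leave. The member names, the message format and both primitives are constructed for this example. To keep it dependency-free, the certificate-based public-key encryption is stood in for by textbook RSA over random 160-bit primes, and the symmetric cipher by an HMAC-SHA256 keystream with an HMAC tag; neither is a secure primitive, only the key-management logic on top of them is the point.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32

# Stand-in for certificate-based public-key encryption: textbook RSA over
# random 160-bit primes (Fermat-tested). Constructed for illustration only;
# no padding and a tiny modulus make it insecure as a real primitive.
def _gen_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13, 17)):
            return n

def rsa_keygen(bits=320):
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)   # (public, private)

def pk_encrypt(pub, msg):
    return pow(int.from_bytes(msg, "big"), pub[0], pub[1])

def pk_decrypt(priv, ct, length=KEY_LEN):
    return pow(ct, priv[0], priv[1]).to_bytes(length, "big")

# Stand-in for an authenticated cipher: HMAC-SHA256 keystream, encrypt-then-MAC.
def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _stream(ek, nonce, n):
    return b"".join(hmac.new(ek, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def sym_encrypt(key, plaintext):
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")       # wrong key or tampered
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

class Controller:
    """Controller node: one pairwise key per member, one group key, rekey on change."""
    def __init__(self):
        self.pairwise = {}                  # identity -> pairwise symmetric key
        self.group_key = secrets.token_bytes(KEY_LEN)
        self.transcript = []                # (kind, addressee, payload): what the wire shows

    def admit(self, identity, member_pub):
        k = self.pairwise[identity] = secrets.token_bytes(KEY_LEN)
        self.transcript.append(("pairwise-key", identity, pk_encrypt(member_pub, k)))
        old, self.group_key = self.group_key, secrets.token_bytes(KEY_LEN)
        if len(self.pairwise) > 1:          # current members: one message under the old group key
            self.transcript.append(("group-key", "all", sym_encrypt(old, self.group_key)))
        self.transcript.append(("group-key", identity, sym_encrypt(k, self.group_key)))

    def remove(self, identity):
        del self.pairwise[identity]
        self.group_key = secrets.token_bytes(KEY_LEN)     # the leaver still holds the old one,
        for ident, k in self.pairwise.items():            # so deliver under pairwise keys only
            self.transcript.append(("group-key", ident, sym_encrypt(k, self.group_key)))

class Member:
    def __init__(self, identity):
        self.identity = identity
        self.pub, self._priv = rsa_keygen()  # the public half is what its certificate would carry
        self.pairwise = self.group_key = None

    def process(self, msg):
        kind, to, payload = msg
        try:
            if kind == "pairwise-key" and to == self.identity:
                self.pairwise = pk_decrypt(self._priv, payload)
            elif kind == "group-key" and to == self.identity:
                self.group_key = sym_decrypt(self.pairwise, payload)
            elif kind == "group-key" and to == "all" and self.group_key:
                self.group_key = sym_decrypt(self.group_key, payload)
        except ValueError:
            pass                            # not decryptable by this node (e.g. after removal)

def run_session():
    """Admit alice and bob, remove alice, admit carol; then replay the public
    channel to every node, since a removed member keeps listening."""
    ctrl, nodes = Controller(), {n: Member(n) for n in ("alice", "bob", "carol")}
    ctrl.admit("alice", nodes["alice"].pub)
    ctrl.admit("bob", nodes["bob"].pub)
    ctrl.remove("alice")
    ctrl.admit("carol", nodes["carol"].pub)
    for msg in ctrl.transcript:
        for node in nodes.values():
            node.process(msg)
    return {"in_sync": [n for n, m in nodes.items() if m.group_key == ctrl.group_key],
            "identities_on_wire": sorted({to for _, to, _ in ctrl.transcript} - {"all"}),
            "wire": [(kind, to) for kind, to, _ in ctrl.transcript]}
```

Running `run_session()` leaves bob and carol holding the controller's current group key while alice, removed after the first rekey, can no longer follow the later group-key messages. The `wire` summary also makes the point of the following paragraph concrete: every key-distribution message is addressed to a member identity in the clear, so an eavesdropper learns who joined and left even though it cannot recover any key.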
In GKMP, and in many other similar or related schemes, the identity of a node joining the communication session is revealed to an eavesdropping outsider, since the outsider can observe the certificates, certifying a node's identity as well as its group membership, that are distributed among the members and used to identify other group members. The same holds for the widely used secure Peer-to-Peer (P2P) or client-server authentication and key establishment protocols, such as Transport Layer Security (TLS) and Internet Key Exchange (IKE). For instance, TLS reveals the identity of at least one of the participating entities, and IKE in identity protection mode remains vulnerable to active attackers.
In order to overcome these shortcomings with respect to identity privacy in authentication schemes, it has been proposed not to reveal the identity of a node during the authentication and key exchange steps to an adversary, i.e., an outsider, that can intercept messages sent on a public channel. Instead, the authentication and key exchange messages are protected using the public keys of the participating peers. However, for such a scheme to work, the public keys must be known to the peers before authentication takes place.
In order to provide privacy-preserving authentication and key exchange, several schemes referred to as “secret handshakes” have been proposed. These schemes apply a much stricter security model, which requires not only that it be impossible to impersonate users, but also that an outsider observing a secret handshake be unable to identify who is involved in the handshake or which group or groups the participating nodes belong to. Nor should it be possible to link several observed handshakes to particular users or groups of users.
Secret handshake protocols are typically based on bilinear maps, which can be constructed using Tate or Weil pairings on elliptic curves and which allow two parties belonging to the same secret group to compute a shared secret in three protocol interactions. Later extensions of these protocols added unlinkability, which allows a credential to be reused across multiple sessions. Further, revocation of credentials without compromising the security guarantees of a secret handshake protocol has also been addressed.
These schemes, being based on bilinear maps, require efficient algorithms and implementations for computing either the Weil or the Tate pairing in order to make their cryptographic application feasible; the time required to compute a cryptographically secure bilinear pairing has been reduced from several minutes to only a few milliseconds in recent years.
However, despite fundamental breakthroughs both in the design of secret handshakes and in their implementation, such schemes are still too complex. Further, they have not been subjected to cryptanalysis for long enough to be trusted for commercial use. There is therefore a need for complementary schemes that solve the secret authentication problem in groups while relying on well-proven and widely used cryptographic principles.