1. Technical Field
This invention relates generally to electronic communications and more particularly to communicating messages securely to an intended group.
2. Discussion of the Backgound Art
Transmitting secure messages from one party over public communication channels to another party poses several problems. The message transmitter and recipient often desire that a message be transmitted to and from the intended party and not be intercepted by a third party. Cryptography, including Diffie-Helman exchanges, public/private key methodology, and other encryption techniques, provides different ways of message encryption and/or authentication which help solve this problem. Each party using a public/private key encryption technique has a public key K.sub.pu and a private key K.sub.pr. Public key K.sub.pu is made available so that any member of the public can use it to encrypt a message. Private key K.sub.pr is kept private to one party so that only he can use it to decrypt messages that were encrypted with public key K.sub.pu.
Many communication applications, such as secure multicast transmissions and secure routing protocols, involve a group of more than two communicating parties, and require establishment of a common secret key for use by the group members. Diffie-Hellman exchanges can be extended to work with a group. However, an N-member group requires each party to perform N exponentiation operations, so as N increases the communication expense increases disproportionately. Further, adding a single new member requires all parties to take part in a new multiparty exchange, making this technique unsatisfactory, for example, for dynamic multicast groups.
Harney et al. in "Group Key Management Protocol" (GKMP), September 1994, provide a solution to specifically distribute a secret key to intended group members. In Harney each party first performs an authenticated Diffie-Hellman exchange with a key holder. The key holder then uses a session key generated from the Diffie-Heilman exchange to encrypt the secret key and sends the result to the requesting party.
Harney also is expensive because it requires a complete exchange with two costly exponentiations and at least two public key operations to authenticate the communication. Additionally, the secret key is directly encrypted with the Diffie-Hellman secret key using a symmetric cipher in which an encryption key can be calculated from a corresponding decryption key and vice versa. In many cases the encryption key and decryption key are identical and each party in the communication exchange must agree on the keys before they are used. Harney thus allows a third party seeking to steal the secret key to attack only the symmetric cipher.
U.S. Pat. No. 5,729, 680 to Janson et al. discloses a method for distributing a key from a party B to a party A, which provides a basis for distributing the key in multi-party communications. However, Janson requires that parties A and B share a common key K.sub.ab prior to protocol execution. Additionally, Janson does not initially exchange identity stamps to be used in subsequent communication exchanges to provide liveness proof of each party A and party B during these communication exchanges. Liveness proof of party A proves to party B that party B received the subject information from party A, and not from a third party who could have recorded a previous communication from party A to party B and then replayed the communication to party B. Similarly, liveness proof of party B proves to party A that party A received the subject information from party B. Janson then discloses that party A, upon receiving the secret key from party B, sends receipt acknowledgement to party B. In addition, party A authenticates itself to party B, but not vice-versa. Party A thus does not have proof that party B is the actual key holder and not an imposter.
In light of the deficiencies of the prior art, what is needed is a technique to quickly, efficiently, and securely distribute a secret key to intended group members.