Security of Tseng–Jan’s conference key distribution system

https://doi.org/10.1016/j.amc.2004.06.131

Abstract

Recently, Tseng and Jan presented anonymous conference key distribution systems that make use of the interpolating properties of polynomials. However, their protocol has a limitation: users can neither check the correctness of the distributed conference key nor verify that they are taking part in a particular protocol run. This leaves room for an active attack. In this article, we show that Tseng and Jan’s protocol does not work properly because of this incompleteness. We also describe a simple and promising remedy for the problem.

Introduction

A conference key distribution system (CKDS) is a mechanism in which a shared secret key, called the conference key, is generated and distributed to all principals attending the conference. The conference key is then used to encrypt and decrypt the messages exchanged during the conference, while no useful knowledge about it is revealed to non-attending principals. Secure communication among the attendees is achieved in this way.

Many CKDS schemes have been developed since the concept of conference key distribution was first proposed by Ingemarsson et al. [1]. In particular, CKDSs with user anonymity have attracted much recent interest, because conference discussions often concern personal, confidential or highly sensitive topics. A CKDS for such environments should therefore provide user anonymity.

In 1997, Wu [2] proposed a conference key distribution system intended to provide user anonymity. Wu’s scheme can be considered practical in application domains with limited computing power, since it uses only one-way hash functions and simple algebraic operations, whereas most earlier conference key distribution systems require expensive modular exponentiations.

Later, Tseng and Jan [3] presented two variants of Wu’s scheme that use the interpolating properties of polynomials instead of the algebraic approach in order to reduce the computational complexity. However, Tseng and Jan’s protocol has a limitation: users can neither check the correctness of the distributed conference key nor verify that they are taking part in a particular protocol run. In this article, we show that Tseng and Jan’s protocol does not work properly because of this incompleteness. We also describe a promising remedy for the problem.

This article is organized as follows. In Section 2, we briefly review Tseng and Jan’s conference key distribution system. In Section 3, we demonstrate the incompleteness of the protocol. In Section 4, we describe an enhanced version that eliminates the problem. The conclusion is given in Section 5.


Review of Tseng–Jan’s protocol

Tseng–Jan’s conference key distribution protocol is divided into three phases: system setup phase, conference key distribution phase and conference key recovery phase. We briefly review each phase as follows:
System setup: The system chooses and publishes a large prime p such that p − 1 has a large prime factor. Let q be a prime divisor of p − 1 and let g be a generator of order q in GF(p). Let m be the number of principals in the system and IDi be the identity of the principal Ui. By using the
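The setup parameters described above (a prime p, a prime q dividing p − 1, and g of order q in GF(p)) can be generated and, more importantly for a relying party, sanity-checked before use. The following is an added example, not code from the paper: the bit sizes are toy choices for a quick run, and the Miller–Rabin test and the search for g via h^((p−1)/q) are standard constructions assumed here rather than anything the paper specifies.

```python
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40, rng=random.SystemRandom()):
    """Miller-Rabin probable-prime test (error probability at most 4**-rounds)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_generator(p, q, rng=random.SystemRandom()):
    """Return an element of order exactly q in GF(p)*, given q | p - 1 (assumed construction)."""
    exponent = (p - 1) // q
    while True:
        h = rng.randrange(2, p - 1)
        g = pow(h, exponent, p)
        if g != 1:  # g**q == h**(p-1) == 1, and q is prime, so g has order q
            return g


def generate_parameters(q_bits, p_bits, rng=random.SystemRandom()):
    """Pick a q_bits-bit prime q, then p = k*q + 1 with p prime and exactly p_bits bits.
    Toy sizes only: real deployments use much larger p and q."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q, rng=rng):
            continue
        for _ in range(20000):
            k = 2 * rng.getrandbits(p_bits - q_bits - 1)  # even k keeps p odd
            p = k * q + 1
            if p.bit_length() == p_bits and is_probable_prime(p, rng=rng):
                return p, q, find_generator(p, q, rng)


def validate_parameters(p, q, g):
    """Checks a principal should make before trusting published (p, q, g):
    both primes, q divides p - 1, and g is a non-trivial element of order q."""
    return (is_probable_prime(p)
            and is_probable_prime(q)
            and (p - 1) % q == 0
            and 1 < g < p
            and pow(g, q, p) == 1)


if __name__ == "__main__":
    p, q, g = generate_parameters(64, 128)
    print(p, q, g, validate_parameters(p, q, g))
```

The validation function is the part worth keeping: a principal that accepts (p, q, g) without checking that g has order q (and not, say, order 2 or order p − 1) can be pushed into a small subgroup by whoever publishes the parameters, which undermines every discrete-logarithm assumption the later security analysis relies on.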

The incompleteness of the Tseng–Jan’s protocol

In Tseng and Jan’s scheme the conference chairperson broadcasts the message M = {A, B, T, c_{n−1}, c_{n−2}, …, c_1, c_0} to all users at the last step of the conference key distribution phase. On receiving the message, all users perform the conference key recovery phase: at step 2, attending users authenticate the conference chairperson by verifying the chairperson’s signature (A, B) in the received message M, and then derive the conference key CK through steps 3 and 4. However, Tseng–Jan’s

The enhanced protocol

The problem with Tseng and Jan’s protocol is the lack of a verification procedure for the distributed conference key CK. We therefore suggest a slight modification of their protocol to eliminate this security flaw. The enhanced protocol consists of four phases: the system setup phase, the conference key distribution phase, the conference key recovery phase and the conference key verification phase. The system setup phase is the same as in Tseng and Jan’s protocol. Each of the other phases is as
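The following added example illustrates the two points above, the recovery of CK from broadcast polynomial coefficients and why a verification phase is needed. It is not the paper’s protocol: the page does not show how Tseng and Jan construct the polynomial or what the enhanced verification phase transmits, so the polynomial form f(x) = ∏(x − x_i) + CK mod q, the toy field modulus Q, the members’ secret points x_i, the timestamp T and the HMAC-based confirmation tag are all assumptions made for illustration. The chairperson’s signature (A, B) is omitted.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameter (assumption): prime field modulus for the polynomial arithmetic.
Q = 2**127 - 1


def poly_mul(a, b, q):
    """Multiply two polynomials given as coefficient lists (index = degree) modulo q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out


def build_coefficients(points, ck, q):
    """f(x) = prod_i (x - x_i) + CK mod q, so that f(x_i) = CK for every member point.
    Returns [c_0, ..., c_{n-1}]; the leading coefficient is 1 and is not transmitted."""
    f = [1]
    for x in points:
        f = poly_mul(f, [(-x) % q, 1], q)
    f[0] = (f[0] + ck) % q
    return f[:-1]


def recover_key(coeffs, x, q):
    """Member side: evaluate the monic polynomial at the member's secret point x (Horner)."""
    acc = 1  # implied leading coefficient
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def confirmation_tag(ck, t):
    """Key-confirmation value for an added verification step (assumption: HMAC over the
    timestamp T keyed with CK; the paper's actual verification value is not shown here)."""
    return hmac.new(ck.to_bytes(16, "big"), t.encode(), hashlib.sha256).hexdigest()


def chair_broadcast(member_points, ck, t, q=Q):
    """Chairperson's broadcast: timestamp, coefficients and confirmation tag."""
    return {"T": t,
            "coeffs": build_coefficients(member_points, ck, q),
            "tag": confirmation_tag(ck, t)}


def member_recover(msg, x, q=Q, verify=True):
    """Recover CK' = f(x); with verify=True, reject the key unless the tag matches."""
    ck = recover_key(msg["coeffs"], x, q)
    if verify and not hmac.compare_digest(msg["tag"], confirmation_tag(ck, msg["T"])):
        raise ValueError("conference key verification failed")
    return ck


def demo():
    """Honest run, then an in-transit modification of one coefficient."""
    rng = secrets.SystemRandom()
    members = [rng.randrange(1, Q) for _ in range(4)]  # constructed secret points x_i
    ck = rng.randrange(1, Q)
    msg = chair_broadcast(members, ck, "20040601T120000Z")
    assert all(member_recover(msg, x) == ck for x in members)

    # Active attacker adds 1 to c_1, so member i now computes CK + x_i.
    tampered = dict(msg, coeffs=list(msg["coeffs"]))
    tampered["coeffs"][1] = (tampered["coeffs"][1] + 1) % Q

    # Without a verification step every member silently accepts a key, and they all differ.
    wrong = {member_recover(tampered, x, verify=False) for x in members}
    assert ck not in wrong and len(wrong) == len(members)

    # With the verification step the modification is detected.
    try:
        member_recover(tampered, members[0])
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("tampering detected:", demo())
```

Two caveats apply to the confirmation tag. It only binds CK to the coefficients a member actually received, so it must be covered by the chairperson’s signature (the (A, B) pair in M); otherwise an active attacker can replace coefficients and tag together. And including the timestamp T in the tag only helps against replay if members also check that T is fresh.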

Security analysis

In this section, we discuss the security of the proposed scheme, which is based on the well-known Discrete Logarithm (DL) assumption.

Theorem 1

An adversary cannot derive the conference key CK from the broadcast message M = {A, B, T, c_{n−1}, c_{n−2}, …, c_1, c_0}.

Proof

To derive the conference key CK from the message M, there are two possibilities: (1) compute CK from the signature (A, B) of the conference chairperson. In this case the adversary would need to know the random value r and the

Conclusion

In this article, we showed that Tseng and Jan’s protocol does not work properly because of its incompleteness. We also described a simple and promising remedy: a verification phase for the distributed conference key, in which an adversary cannot impersonate the chairperson by replaying a message or forging the chairperson’s signature.

Acknowledgement

This work was supported by the Brain Korea 21 Project in 2004.
