Yet another insecure group key distribution scheme using secret sharing

https://doi.org/10.1016/j.jisa.2020.102713

Abstract

A recently proposed group key distribution scheme known as UMKESS, based on secret sharing, is shown to be insecure. Not only is it insecure, but it does not always work, and the rationale for its design is unsound. UMKESS is the latest in a long line of flawed group key distribution schemes based on secret sharing techniques.

Introduction

There is a long and sad history of insecure group (cryptographic) key establishment schemes based on secret sharing. As noted by Boyd and Mathuria [1], the ‘idea to adapt secret sharing for key broadcasting seems to have been first proposed by Laih et al. [2]’, in a paper published over 30 years ago. However, the shortcomings of the approach, and of the many variants that have been proposed since 1989, have been widely discussed for almost as long, in particular that:

  • as noted by Boyd and Mathuria [1], a ‘malicious principal who obtains one key gains information regarding the shares of other principals’, and an outside eavesdropper can also gain this information if the old group keys are revealed;

  • again as noted by Boyd and Mathuria [1], since ‘knowledge of any of the shared secrets is sufficient to construct the session key, none of these protocols provides forward secrecy’;

  • insider attacks of various kinds appear impossible to prevent, as many authors have observed (see, for example, [3], [4], [5], and the papers cited therein).

The history of such protocols is long and tangled, but one sequence of flawed protocol proposals, breaks, proposed fixes, and breaks of the fixes is explained very carefully in Section 5 of Liu et al. [3], and we now briefly summarise part of the story. In 2010, Harn and Lin [6] proposed an ‘authenticated group key transfer protocol based on secret sharing’ (itself intended to address issues in the Laih et al. scheme [2] from 1989). Unfortunately, this was shown not only to be insecure (by Nam et al. [7], [8]) but also erroneous in that it does not always work even if all parties execute it correctly (see Nam et al. [8]). Nam et al. [8] also proposed a fixed version, but this was shown to be insecure by Liu et al. [3]. Inspired by the Harn and Lin 2010 paper, Sun et al. [9] proposed another group key transfer protocol using secret sharing, and this was shown to be insecure by both Kim et al. [10] and Olimid [11]. Olimid [11] also proposed a fix, but this was shown to be insecure by Kim et al. [12]. These are not the only examples of broken schemes of this type — one common element is the lack of a rigorous proof of security in a complexity-theoretic setting, the established state of the art for such protocols for the last decade or two.

Unfortunately, despite the extensive literature pointing out these and other problems, new and fundamentally flawed schemes of this general type keep being published. One common element in the papers published over the last 31 years is that many share one of the authors of the 1989 paper. A further common element is that each new paper cites some of the previously published schemes, but many completely fail to acknowledge any of the many attacks against the previously published and often very closely related schemes. This is most unfortunate, especially given that many of the newer schemes suffer from the same problems as older schemes. As we show below, some of the above statements are also true for UMKESS, a scheme of this general type published in a very recent paper by Hsu, Harn and Zeng [13].

The remainder of the paper is structured as follows. The UMKESS scheme is summarised in Section 2. A detailed critique is provided in Section 3. A brief discussion of why proposing arbitrary fixes to such schemes is unwise is given in Section 4, and conclusions are drawn in Section 5.

Section snippets

Objectives

This scheme is designed to allow a single trusted authority, the Key Generation Centre (KGC) to simultaneously distribute a number of secret group keys to a number of distinct sets (groups) of entities, with each set being drawn from a larger set of entities all of which have a pre-established relationship with the KGC.

The scheme uses the Shamir secret sharing scheme [14], involving polynomials over a prime finite field $GF(p) = \mathbb{Z}_p$, for large $p$.

Preliminaries

Prior to use a large safe prime p is selected. The

A definitional issue

We first observe that, in certain not unlikely cases, the system cannot work.

In Step 4(b), the KGC generates the following $m_i$ points: $(S(G_{ij}), K_{ij} + h(x_i + r_{ij} + r_0))$, $1 \le j \le m_i$. Clearly, if the values $r_{ij}$ are all distinct, $1 \le j \le m_i$, then the $y$ coordinates will all be distinct. However, there is nothing to prevent the possibility that $S(G_{ij}) = S(G_{ij'})$ for two distinct groups $G_{ij}$ and $G_{ij'}$. This could happen very easily, e.g. if $G_{ij} = \{U_1, U_5\}$ and $G_{ij'} = \{U_1, U_2, U_3\}$, where we have $S(G_{ij}) = S(G_{ij'}) = 6$. In such a case, the
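The following is an added illustration of the definitional issue just described; it is not code from the paper or from UMKESS. It assumes, from the page's own example (where $\{U_1, U_5\}$ and $\{U_1, U_2, U_3\}$ both give 6), that $S(G)$ is the sum of the member indices, uses a toy prime field in place of the scheme's large safe prime, and lets a plain integer stand in for each $y$ value $K_{ij} + h(x_i + r_{ij} + r_0)$. It shows why a collision in $S(\cdot)$ leaves the KGC with no polynomial to interpolate.

```python
# Added example (not from the paper): why colliding S(G) values break Step 4(b).
# Assumptions: S(G) = sum of member indices (inferred from the page's example),
# P is a toy prime modulus, and y values stand in for K_ij + h(x_i + r_ij + r_0).

P = 1_000_003  # toy prime modulus; the scheme itself uses a large safe prime


def S(group):
    """x coordinate assigned to a group (assumed: sum of member indices mod p)."""
    return sum(group) % P


def find_colliding_groups(groups):
    """Return every pair of distinct groups that are assigned the same x coordinate."""
    seen, pairs = {}, []
    for g in groups:
        x = S(g)
        pairs.extend((earlier, g) for earlier in seen.get(x, []))
        seen.setdefault(x, []).append(g)
    return pairs


def interpolate(points):
    """Coefficients (lowest degree first) of the unique polynomial over Z_p through
    `points`, via Lagrange interpolation; a repeated x coordinate is rejected because
    no single polynomial can pass through two points with the same x."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("points with a repeated x coordinate do not define a polynomial")
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1  # build L_i(x) = prod_{k != i} (x - x_k) / (x_i - x_k)
        for k, (xk, _) in enumerate(points):
            if k == i:
                continue
            nxt = [0] * (len(basis) + 1)  # multiply basis polynomial by (x - x_k)
            for d, c in enumerate(basis):
                nxt[d] = (nxt[d] - c * xk) % P
                nxt[d + 1] = (nxt[d + 1] + c) % P
            basis, denom = nxt, denom * (xi - xk) % P
        scale = yi * pow(denom, P - 2, P) % P  # y_i / denom using Fermat inverse
        for d, c in enumerate(basis):
            coeffs[d] = (coeffs[d] + c * scale) % P
    return coeffs


def evaluate(coeffs, x):
    """Evaluate the polynomial at x over Z_p."""
    return sum(c * pow(x, d, P) for d, c in enumerate(coeffs)) % P


def kgc_step_4b(groups_and_keys):
    """Form the points (S(G_ij), y_ij) and interpolate them, as the KGC must."""
    return interpolate([(S(g), y) for g, y in groups_and_keys])
```

With three groups whose index sums differ, `kgc_step_4b` yields a polynomial that returns each group's value at its own $S(G)$; with the page's two colliding groups it cannot produce one at all.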

Pointless fixes

In Section 1, some of the sad history of group key distribution schemes based on secret sharing was described. It seems clear that the cycle of design, break and fix is itself broken, at least until and unless a ‘fixed’ protocol is proven secure in a rigorous way. This point is made by Liu et al. [3].

‘The security proof for each vulnerable group key distribution protocol only relies on incomplete or informal arguments. It can be expected that they would suffer from attacks.’

Sadly, this lesson

Concluding remarks

In this paper we have discussed two related themes: the (sad) history of insecure group key distribution schemes based on secret sharing, and the details of why a specific example of a recently proposed scheme of this type is insecure. Perhaps the saddest point is that the literature reviewed here is only a small sample of a very extensive literature on secret-sharing-based group key distribution, including a number of other sagas involving schemes repeatedly broken and fixed.

In conclusion,

Declaration of Competing Interest

The author declares that he has no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (20)

  • Laih, C.-S., et al. A new threshold scheme and its application in designing the conference key distribution cryptosystem. Inform Process Lett (1989).
  • Sun, Y., et al. An authenticated group key transfer protocol based on secret sharing. Procedia Eng (2012).
  • Boyd, C.A., et al. Protocols for Key Establishment and Authentication (2003).
  • Liu, J., et al. On the (in)security of recent group key establishment protocols. Comput J (2017).
  • Mitchell, C.J. The Hsu-Harn-Mu-Zhang-Zhu group key establishment protocol is insecure (2018).
  • Mitchell, C.J. Security issues in a group key establishment protocol. Comput J (2019).
  • Harn, L., et al. Authenticated group key transfer protocol based on secret sharing. IEEE Trans Comput (2010).
  • Nam, J., et al. Cryptanalysis of a group key transfer protocol based on secret sharing.
  • Nam, J., et al. Security weaknesses in Harn-Lin and Dutta-Barua protocols for group key establishment. KSII Trans Internet Inform Syst (2012).
  • Kim, M., et al. Cryptanalysis of an authenticated group key transfer protocol based on secret sharing.
