Phase 4. Departure of a member $j$. When a member leaves the group, he should not
be able to decrypt contents anymore. Hence, a key refreshment is mandatory. This
is achieved by dividing $L$ by the ticket $x_j$, and generating a new encryption key
afterwards. In this case, the new key must be distributed to every member using the
procedure of phase 2.
Phase 5. Other refreshments. For security reasons, the Key server might decide to
refresh the encryption key $r$ after a given period of time with no arrivals or
departures. This refreshment is performed by the procedure of phase 2.
3 Main Weakness of the Scheme
In this section, the main weakness of the key refreshment scheme, described in the
previous section, is presented. This weakness allows the legal members to obtain the
parameter $L$ (or a multiple of $L$), kept private by the Key server. If a user knows $L$ or a
multiple of $L$, then he can impersonate the server and generate fake refreshments.
Next, we show how to recover L or a multiple of L .
Let us consider a legal member $h$ which receives the key refreshment parameters
($g$, $m$ and $u$) in a regular way. He performs the distribution phase, as described in
section 2. Since the member $h$ computes $\delta = u^{-1} \bmod x_h$, he can obtain a multiple of $L$
by the following equation

$$v \cdot L = 1 - u \cdot \delta. \tag{4}$$
The knowledge of that multiple allows the member h to impersonate the server.
The only thing he has to do is the following.
Step 1. Member $h$ generates a new value $\delta' < \delta$, and computes $u'$ and $v'$ applying the
extended Euclidean algorithm, such that

$$u' \cdot \delta' + v' \cdot (v \cdot L) = 1. \tag{5}$$
Step 2. Member $h$ sends $g$, $m$ and $u'$ to the other members. Those members will
obtain the new value $\delta' = u'^{-1} \bmod x_i$, and compute the refreshed key by equation 3. The
effect of this fake refreshment is a malfunctioning of the system, since the legal
members cannot identify legal refreshments.
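The arithmetic behind equations 4 and 5 can be checked on toy numbers. The following is an added example, not code from the original text; it assumes that $L$ is the product of the members' tickets, that the server derives $u$ from its secret $\delta$ with the extended Euclidean algorithm, and that $\delta$ is smaller than every ticket. All numeric values and function names are constructed for illustration.

```python
from math import gcd, prod

def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def refresh(delta, modulus):
    """Return u > 0 such that u*delta + v*modulus == 1 for some integer v."""
    g, u, _ = egcd(delta, modulus)
    if g != 1:
        raise ValueError("delta must be coprime to the modulus")
    return u % modulus

def member_delta(u, ticket):
    """What every member computes on receipt: delta = u^-1 mod x_i."""
    return pow(u, -1, ticket)

def multiple_of_L(u, ticket):
    """Equation 4: 1 - u*delta equals v*L, a multiple of the private L."""
    return 1 - u * member_delta(u, ticket)

# Constructed toy parameters (assumption: L is the product of the tickets).
TICKETS = [10007, 10009, 10037, 10039]
L = prod(TICKETS)          # known to the Key server only
DELTA = 7919               # server's value, smaller than every ticket

def demo():
    u = refresh(DELTA, L)                    # legitimate refreshment
    vL = abs(multiple_of_L(u, TICKETS[0]))   # member h uses only u and x_h
    leaked = vL % L == 0                     # h now holds a multiple of L
    # Step 1: a value delta' < delta that is coprime to v*L (equation 5).
    delta_f = next(d for d in range(DELTA - 1, 1, -1) if gcd(d, vL) == 1)
    u_f = refresh(delta_f, vL)
    # Step 2: every other member derives the same delta' from u'.
    consistent = all(member_delta(u_f, x) == delta_f for x in TICKETS)
    return leaked, consistent

if __name__ == "__main__":
    print(demo())
```

Because members accept any $u'$ that yields a consistent $\delta'$, nothing in the message lets them distinguish the server from member $h$; the refreshment parameters carry no authentication.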
Although the knowledge of a multiple of $L$ is enough to impersonate the server, the
member $h$ could obtain the parameter $L$ when a new refreshment arrives. Two cases are
considered.
Case 1. Let us suppose that the number of members does not change in a given time
interval, and the server performs a new refreshment. This situation corresponds to
phase 5 described in section 2. In this case, the server generates $g'$, $m'$ and $u'$.
However, the parameter $L$ is the same, as it is derived from equation 1. The member $h$
applies the key recovering process, obtaining $\delta' = u'^{-1} \bmod x_h$, and a multiple of $L$ by
the equation

$$v' \cdot L = 1 - u' \cdot \delta'. \tag{6}$$