Many distributed applications require a secure reliable group communication system to provide coordination among the application components. This paper describes a secure group layer (SGL) which bundles a reliable group communication system, a group authorization and access control mechanism, and a group key agreement protocol to provide a comprehensive and practical secure group communication platform. SGL also encapsulates the standard message security services (i.e, confidentiality, authenticity and integrity). A number of challenging issues encountered in the design of SGL are brought to light and experimental results obtained with a prototype implementation are discussed.

Multicasting is an efficient way to deliver data to a large group of users in applications such as Internet stock quotes, audio and music delivery, file and video distribution, etc. Many of these applications require the security feature of data confidentiality, which is not readily offered by the “open ” nature of multicast. In order to offer such confidentiality, the encryption and decryption keys must be constantly changed upon a membership change. In this article, after discussing some performance criteria to offer secure multicast, we present a number of the proposed key management schemes for data confidentiality. We categorize these schemes into four groups: key tree-based approaches, contributory key agreement schemes supported by the Diffie-Hellman algorithm, computational number theoretic approaches, and secure multicast framework approaches. Through examples, we describe the operation of the schemes and compare their performances.

1 Introduction Key agreement is one of the fundamental cryptographic primitives. This is required in situations where two or more parties want to communicate securely among themselves. The situation where three or more parties share a secret key is often called conference keying. In this situation, the parties can securely send and receive messages from each other. An adversary not having access to the secret key will not be able to decrypt the message. Key agreement protocols fall naturally into two classes- authenticated and unauthenticated. The first two party key agreement protocol was introduced by Diffie-Hellman in their seminal paper [14]. This is an unauthenticated protocol in the sense that an adversary who has control over the channel can use the man-in-the-middle attack to agree upon two separate keys with the two users without the users being aware of this. This situation is usually tackled by adding some form of authentication mechanism to the protocol.

During the last few years, a number of authenticated group key agreement protocols have been proposed in the literature. We observed that the efforts in this domain were mostly dedicated to the improvement of their performance in term of bandwidth or computational requirements, but that there were very few systematic studies on their security properties. In this paper, we tried to develop a systematic way to analyse protocol suites extending the Diffie-Hellman key-exchange scheme to a group setting and presented in the context of the Cliques project. This led us to propose a very simple machinery that allowed us to manually pinpoint several unpublished attacks against the main security properties claimed in the definition of these protocols (implicit key agreement, perfect forward secrecy, resistance to known-key attacks).

In this paper, we present a mechanism for securing group communications in Wireless Sensor Networks (WSN). First, we derive an extension of Logical Key Hierarchy (LKH). Then we merge the extension with directed diffusion. The resulting protocol, LKHW, combines the advantages of both LKH and directed diffusion: robustness in routing, and security from the tried and tested concepts of secure multicast. In particular, LKHW enforces both backward and forward secrecy, while incurring an energy cost that scales roughly logarithmically with the group size. This is the first security protocol that leverages directed diffusion, and we show how directed diffusion can be extended to incorporate security in an efficient manner.

It is now commonplace for a person to use lightweight wireless computing devices, and to make his/her data available to other people 's devices using todays various networking capabilities (infrastructurebased WLAN, ad hoc WLAN, GSM, etc.). Middleware platforms initially developed for stationary distributed systems cannot be directly applied in such a mobile environment. They must adapt their functionalities so as to best cope with possible resource constraints (energy, storage) of mobile terminals as well as with the various types of wireless networks that are now available. In this paper, we present a middleware service that allows collaborative data sharing among ad hoc groups that are dynamically formed according to the connectivity achieved by the ad hoc WLAN. Our service enhances, in particular, data availability within mobile ad hoc collaborative groups, and integrates a new adaptive data replication protocol for mobile terminals, combining both optimistic and conservative schemes. Our service has been designed so as to minimize energy consumption and optimize data availability and storage consump- tion.

Key management is an essential cryptographic primitive upon which other security primitives are built. However, none of the existing key management schemes are suitable for ad hoc networks. They are either too inefficient, not functional on an arbitrary or unknown network topology, or not tolerant to a changing network topology or link failures. Recent research on distributed sensor networks suggests that key pre-distribution schemes (KPS) are the only practical option for scenarios where the network topology is not known prior to deployment. However, all of the existing KPS schemes rely on trusted third parties (TTP) rendering them inapplicable in many ad hoc networking scenarios and thus restricting them from wide-spread use in ad hoc networks. To eliminate this reliance on TTP, we introduce distributed key pre-distribution scheme (DKPS) and construct the first DKPS prototype to realize fully distributed and selforganized key pre-distribution without relying on any infrastructure support. DKPS overcomes the main limitations of the previous schemes, namely the needs of TTP and an established routing infrastructure. It minimizes the requirements posed on the underlying networks and can be easily applied to the ad hoc networking scenarios where key pre-distribution schemes were previously inapplicable. Finally, DKPS is robust to changing topology and broken links and can work before any routing infrastructure has been established, thus facilitating the widespread deployment of secure ad hoc networks.

We present a provably secure authenticated tree based key agreement protocol. The protocol is obtained by combining Boneh et al.'s aggregate signature with an unauthenticated ternary tree based multi-party extension of Joux's key agreement protocol. The security is in the standard model as formalized by Bresson et al.. The proof is based on the techniques used by Katz and Yung in proving the security of their key agreement protocol.

The A-GDH.2 and SA-GDH.2 authenticated group key agreement protocols showed to be flawed at CSFW 2001. Even though the corresponding attacks (or some variants of them) have been rediscovered in several different frameworks, no fixed version of these protocols has been proposed until now.

Group key exchange protocols allow a group of servers communicating over an asynchronous network of point-to-point links to establish a common key, such that an adversary which fully controls the network links (but not the group members) cannot learn the key. Currently known group key exchange protocols rely on the assumption that all group members participate in the protocol and if a single server crashes, then no server may terminate the protocol. In this paper, we propose the first purely asynchronous group key exchange protocol that tolerates a minority of servers to crash. Our solution uses a constant number of rounds, which makes it suitable for use in practice. Furthermore, we also investigate how to provide forward secrecy with respect to an adversary that may break into some servers and observe their internal state. We show that any group key exchange protocol among n servers that tolerates tc > 0 servers to crash can only provide forward secrecy if the adversary breaks into less than n 2tc servers, and propose a group key exchange protocol that achieves this bound.