Member Tampering Attack on Burmester-Desmedt Group Key Exchange Protocol and Its Countermeasure

With the rapid development of cloud computing and mobile networks, more and more application scenarios require a secret group key for secure communication. Group Key Exchange (GKE) protocol provides a secret group key for three or more members. Burmester and Desmedt presented an influential GKE protocol, which has a broadcast version and a cyclic version. In this paper, we investigate the security weaknesses of the Burmester-Desmedt protocol. We report that both the broadcast version and the cyclic version of the Burmester-Desmedt protocol suffer member tampering attacks if the two members that belong to both group A and group B are corrupted. That is, two corrupted members can add some unknowing members of group A to group B and trick the legal members of group B to believe that these unknowing members share the secret group key with them after a protocol run. Furthermore, to defeat the member tampering attack, we propose digital signature-based improvements on the broadcast version and the cyclic version of the Burmester-Desmedt protocol. We hope our research results will encourage the development of more robust and effective GKE protocols that stand rigorous security analysis.