Security Improvement on Wu and Zhu's Protocol for Password-Authenticated Group Key Exchange

Abstract

A group key exchange (GKE) protocol allows a group of parties communicating over a public network to establish a common secret key. As group-oriented applications gain popularity over the Internet, a number of GKE protocols have been suggested to provide those applications with a secure multicast channel. In this work, we investigate the security of Wu and Zhu's password-authenticated GKE protocol presented recently in FC'08. Wu and Zhu's protocol is efficient, supports dynamic groups, and can be constructed generically from any password-authenticated 2-party key exchange protocol. However, despite its attractive features, the Wu-Zhu protocol should not be adopted in its present form. Due to a flaw in its design, the Wu-Zhu protocol fails to achieve authenticated key exchange. We here report this security problem with the Wu-Zhu protocol and show how to solve it.