IEEE COMMUNICATIONS LETTERS, VOL. 12, NO. 2, FEBRUARY 2008 127

Security Enhancement to a Password-Authenticated Group Key Exchange Protocol for Mobile Ad-hoc Networks

Junghyun Nam, Juryon Paik, Ung Mo Kim, and Dongho Won

Abstract— Group key exchange protocols allow a group of parties communicating over a public network to come up with a common secret key called a session key. Due to their critical role in building secure multicast channels, a number of group key exchange protocols have been suggested over the years for a variety of settings. Among these is the so-called NEKED protocol proposed by Byun et al. for password-authenticated group key exchange in mobile ad-hoc networks overseen by unmanned aerial vehicles. In the current work, we are concerned with improving the security of the NEKED protocol. We first show that the NEKED protocol is vulnerable not only to an attack against backward secrecy but also to an attack against password security. We then figure out how to eliminate the security vulnerabilities of NEKED.

Index Terms— Group key exchange, password security, mobile ad-hoc network, backward secrecy, undetectable on-line dictionary attack.

I. INTRODUCTION

With the broad range of wirelessly connected mobile devices being used today, it is clear that integrating such network-enabled devices into secure communication systems is of essential and increasing importance. However, it still remains a difficult task to provide strong protection for wireless communications in a mobile application where users may be resource constrained. Although mobile computing technology has become more powerful and accessible than ever before, mobile devices are typically characterized by low processing capability and limited power supply [12], which are inherent to their mobile nature. It is thus necessary that the cost due to security-related operations be minimized for mobile devices in such a way that the required security goals are not compromised.
This necessity significantly adds to the challenge of securing communications in mobile wireless networks. In fact, despite all the work conducted over many decades, security is still a major limiting factor for the full adoption of mobile devices [3], [9], [11], [10], [6].

Over the past several years, mobile ad-hoc networks (MANETs) overseen by unmanned aerial vehicles (UAVs) have been increasingly considered [7], [8], [13] to meet the communication demands in future digital battlefields. From the standpoint of communication layers, all the nodes in a UAV-MANET can be divided into a single control group and multiple cell groups. The control group is composed of mobile backbone network (MBN) nodes. MBN nodes are special fighting units like tanks and trucks with sufficient computing power. While being a member of the control group, an MBN node also constitutes a cell group together with a cluster of regular ground (RG) nodes and acts as the controller in the cell group. In contrast with MBN nodes, RG nodes are typically soldiers/agents equipped with small low-performance devices.

Manuscript received August 20, 2007. The associate editor coordinating the review of this letter and approving it for publication was D. Kundur. This work was supported by the university IT Research Center (ITRC) support program funded by the Korean Ministry of Information and Communication.
J. Nam is with the Department of Computer Science, Konkuk University, Republic of Korea (e-mail: jhnam@kku.ac.kr).
D. Won (corresponding author), J. Paik, and U. M. Kim are with the Department of Computer Engineering, Sungkyunkwan University, Republic of Korea (e-mail: dhwon@security.re.kr; {wise96, umkim}@ece.skku.ac.kr).
Digital Object Identifier 10.1109/LCOMM.2008.071384.

Recently in [5], Byun et al. proposed the so-called N-party EKE-D (in short, NEKED) protocol for password-authenticated group key exchange among nodes within a cell group in the UAV-MANET architecture.
To capture dynamic aspects of cell groups in the UAV-MANET architecture, the NEKED protocol consists of three sub-protocols: Setup, Join and Remove. The Setup sub-protocol deals with initial key establishment, which occurs at the time of group genesis. The other sub-protocols focus on session key updates subsequent to group membership changes.

Byun et al. made several claims to address the security concerns with the NEKED protocol. Among these are claims about backward secrecy and about security against undetectable on-line dictionary (UNOLD) attacks. Contrary to these claims, we found that the NEKED protocol neither provides backward secrecy nor resists an UNOLD attack. In this work, we report these security vulnerabilities of NEKED and show how to eliminate them.

II. DESCRIPTION OF NEKED

This section reviews the NEKED protocol proposed by Byun et al. [5]. The protocol participants include a single MBN node (called the server) and multiple RG nodes (called clients). For simplicity, we denote the server by $S$ and the clients by $C_1, C_2, C_3, \ldots$. The protocol assumes that each client $C_i$ has shared a password $pw_i$ with the server $S$ via a secure channel. The public system parameters used for the protocol are as follows:

• A cyclic group $G$ of prime order $q$ and a generator $g$ of $G$.
• A pair of symmetric encryption/decryption algorithms $(E, D)$.
• Four one-way hash functions $H_1$, $H_2$, $H_3$ and $H_4$.

A. The Setup Protocol

The Setup protocol runs to provide a session key for the initial cell group $CG$ consisting of the server $S$ and the clients $C_1, \ldots, C_n$. It works in two communication rounds as follows:

Round 1: The server $S$ establishes a pairwise key $pk_i$ with each client $C_i$.

1089-7798/08$25.00 © 2008 IEEE