ISO/IEC 11770-5:2020

INTERNATIONAL ISO/IEC
STANDARD 11770-5
Second edition
2020-11
Information security — Key
management —
Part 5:
Group key management
Sécurité de l'information — Gestion de clés —
Partie 5: Gestion de clés de groupe
Reference number
ISO/IEC 11770-5:2020(E)
©
ISO/IEC 2020

---------------------- Page: 1 ----------------------
ISO/IEC 11770-5:2020(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 11770-5:2020(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 4
5 Requirements . 5
6 Tree-based key establishment mechanisms . 5
6.1 General model . 5
6.2 Joining process . 6
6.3 Leaving process . 6
6.4 Rekeying process . 6
6.5 Logical key structure. 6
6.5.1 General. 6
6.5.2 Star-based structure . 6
6.5.3 d-ary tree-based structure . 7
6.5.4 General tree-based structure . 7
6.6 Symmetric key-based key establishment mechanisms . 8
6.6.1 General. 8
6.6.2 Mechanism 1 — Key establishment mechanism with individual rekeying . 8
6.6.3 Mechanism 2 — Key establishment mechanism with batch rekeying .10
7 Key chain-based group key management with limited forward key chain .12
7.1 General model .12
7.2 Calculations by the key distribution centre .13
7.2.1 Key chains .13
7.2.2 Group forward secrecy .13
7.2.3 Group backward secrecy .14
7.2.4 Forward and backward secrecy .14
7.3 Calculations by the client entity .15
Annex A (normative) Object identifiers .16
Annex B (informative) Load-balancing mechanism for a general tree-based structure .17
Bibliography .18
© ISO/IEC 2020 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 11770-5:2020(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see http:// patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 11770-5:2011) which has been
technically revised.
The main changes compared to the previous edition are as follows:
— the document has been modified to be consistent with use of the key deriviation specifications from
ISO/IEC 11770-6;
— the use of a "trapdoor" in key derivation has been removed. Consequently, unlimited forward key
chains can no longer be calculated.
A list of all parts in the ISO/IEC 11770 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO/IEC 2020 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 11770-5:2020(E)

Introduction
In some applications, it is necessary for a secret cryptographic key to be shared by a group of entities.
Moreover, in some cases the exact membership of a group of entities that share a key may change
over time.
This document is concerned with techniques that enable a secret key to be shared by all members
of a defined group with the assistance of a trusted third party known as a key distribution centre.
Provisions for adding and removing members of a group are also made.
© ISO/IEC 2020 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 11770-5:2020(E)
Information security — Key management —
Part 5:
Group key management
1 Scope
This document specifies mechanisms to establish shared symmetric keys between groups of entities. It
defines:
— symmetric key-based key establishment mechanisms for multiple entities with a key distribution
centre (KDC); and
— symmetric key establishment mechanisms based on a general tree-based logical key structure with
both individual rekeying and batch rekeying.
It also defines key establishment mechanisms based on a key chain with group forward secrecy, group
backward secrecy or both group forward and backward secrecy.
This document also describes the required content of messages which carry keying material or are
necessary to set up the conditions under which the keying material can be established.
This document does not specify information that has no relation with key establishment mechanisms,
nor does it specify other messages such as error messages. The explicit format of messages is not within
the scope of this document.
This document does not specify the means to be used to establish the initial secret keys required to be
shared between each entity and the KDC, nor key lifecycle management. This document also does not
explicitly address the issue of interdomain key management.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 19772, Information technology — Security techniques — Authenticated encryption
ISO/IEC 11770-6, Information technology — Security techniques — Key management — Part 6: Key
derivation
3 Terms and definitions
For the purpose of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
active
state of an entity in which the entity can obtain the shared secret key (3.24)
© ISO/IEC 2020 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 11770-5:2020(E)

3.2
ancestor key
ancestor key of an entity x
cryptographic key in a logical key hierarchy (3.17) that is assigned to a node on the direct path from the
leaf node (3.16) corresponding to the individual key (3.11) for x and the root node (3.23)
Note 1 to entry: An ancestor key is either the shared secret key or a key encryption key.
3.3
backward secrecy with interval T
security condition in which an entity joining a set of entities at time t = t cannot obtain any secret keys
0
established between these entities at any time prior to t – T
0
3.4
batch rekeying with interval T
rekeying method in which the shared secret key (3.24) and, optionally, key encryption keys (3.15) are
updated at every time interval T (see Clause 4)
3.5
child key
child key for a node w
cryptographic key in a logical key hierarchy (3.17) assigned to a non-root node w
Note 1 to entry: A child key shall be a key encryption key or individual key.
3.6
child node
child node of a node w
node in a tree (3.25) that is adjacent to w and for which w lies on the unique path between it and the root
node (3.23)
3.7
d-ary tree
tree (3.25) where each node has d child nodes (3.6) except the leaf nodes (3.16) in the tree
3.8
forward secrecy with interval T
security condition in which an entity leaving a set of entities at time t = t cannot obtain any secret keys
0
established between these entities at any time subsequent to t + T
0
3.9
group backward secrecy
security condition in which an entity joining a set of entities cannot obtain any secret keys previously
established between these entities
3.10
group forward secrecy
security condition in which an entity leaving a set of entities cannot obtain any secret keys subsequently
established between these entities
3.11
individual key
key shared between the key distribution centre (3.14) and each entity
3.12
individual rekeying
rekeying method in which the shared secret key (3.24) and, optionally, key encryption keys (3.15) are
updated when an entity joins or leaves
2 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 11770-5:2020(E)

3.13
key chain
set of cryptographic keys which are not necessarily independent
3.14
key distribution centre
KDC
entity trusted to generate or acquire and distribute keys to entities
3.15
key encryption key
cryptographic key that is used for the encryption or decryption of other keys
[SOURCE: ISO/IEC 19790:2012, 3.62]
3.16
leaf node
node in a tree (3.25) that has no child nodes (3.6)
3.17
logical key hierarchy
tree (3.25) used for managing the shared secret key and key encryption keys (3.15)
3.18
logical key structure
logical structure to manage keys
Note 1 to entry: The choice of the logical key hierarchy is independent of the network topology.
3.19
one-way function
function with the property that it is easy to compute the output for a given input but it is computationally
infeasible to find for a given output an input which maps to this output
[SOURCE: ISO/IEC 11770-3:2015, 3.30]
3.20
one-step key derivation function
OKDF
key derivation function which operates in a single stage, in contrast to key derivation functions
involving separate key-extraction and key-expansion stages
[SOURCE: ISO/IEC 11770-6:2016, 3.9]
3.21
random number
time variant parameter whose value is unpredictable
[SOURCE: ISO/IEC 11770-1:2010, 2.39]
3.22
rekeying
process of updating and redistributing the shared secret key (3.24) and, optionally, key encryption
keys (3.15)
Note 1 to entry: This process is executed by the key distribution centre.
3.23
root node
unique identified special node in a tree (3.25)
© ISO/IEC 2020 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 11770-5:2020(E)

3.24
shared secret key
key which is shared with all the active entities via a key establishment mechanism for multiple entities
3.25
tree
connected, acyclic graph with an identified special node, the root node (3.23)
4 Symbols and abbreviated terms
COM(X,Y) function which generates from the data items X and Y a key designed to be applied as a
key for the encryption algorithm in use
CUT(k,S) function which outputs a substring of length k equal to the least significant bits of a
string of bits S
d number of child nodes for a non-leaf node (see term d-ary tree)
e(K,Z) result of encrypting data Z with a symmetric encryption algorithm using the secret key K
h number of nodes in the direct path from a leaf node to the root node
K (x) ancestor key for entity x at the i-th layer from the root node
A,i
K backward key for the time instance i
BW,i
K child key assigned to the node w
C,w
K forward key for the time instance i
FW,i
K individual key
I
K (x) individual key shared between entity x and the key distribution centre
I
K key encryption key assigned to a node w
KE,w
K shared secret key
SS
KDC key distribution centre
m number of entities connected to the hub in a star structure
OKDF1 one-step key derivation function that takes a single input as defined in ISO/IEC 11770-6
OKDF6 one-step key derivation function that takes a key and input data as defined in ISO/
IEC 11770-6
OWF one-way function used in the calculation of a key chain
r random number to initialize the backward key chain
BW,init
r random number to initialize the forward key chain
FW,init
T length of the time interval used in batch rekeying
|| binary operator indicating the concatenation of data items
4 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 11770-5:2020(E)

5 Requirements
The key establishment mechanisms specified in this document enable the establishment of shared
secret keys within a defined group of entities using multicast communication. In order to maintain
security, the mechanisms incorporate a key updating process to be used when a new entity joins or an
existing entity leaves the group.
a) The mechanisms specified in this document provide either group backward secrecy and group
forward secrecy, or backward and forward secrecy with intervals. The type of group backward/
forward secrecy should be chosen depending on the security requirements of the particular
application. The type of group backward/forward security property is determined by the choice
of rekeying method: individual rekeying provides group backward/forward secrecy, and batch
rekeying provides backward/forward secrecy with intervals. The use of batch rekeying requires
the choice of a time interval parameter T. The rekeying method and parameter setting have a strong
influence on the security requirements. Thus, they shall be determined according to the security
policy of the application.
b) Symmetric encryption techniques, as required for the mechanisms specified in Clause 6, shall be
chosen from amongst those standardized in ISO/IEC 19772.
c) The shared secret key is established using either a secure or an insecure communication channel.
Each individual key shall be exchanged between the KDC and each entity using a secure channel in
order to allow secure communication. A secure communication channel is one where an attacker
cannot eavesdrop or tamper with messages in the channel.
d) The key establishment mechanisms in this document require the use of random numbers to
generate the shared secret key, and optionally, key encryption keys. For means of generating
random numbers, see ISO/IEC 18031.
e) Annex A defines object identifiers in accordance with ISO/IEC 9834 (all parts) that shall be used
to identify the mechanisms specified in this document. Any change to the specification of the
mechanisms resulting in a change of functional behaviour results in a change of the object identifier
assigned to the mechanisms.
6 Tree-based key establishment mechanisms
6.1 General model
Use of the mechanisms specified in this document enables the establishment of a secret key shared by
all the entities in a defined group. This enables any member of the group to send an encrypted message
to all the other group members such that only group members (and the key distribution centre) can
decrypt it. The mechanisms also enable the key distribution centre to update the established secret key
to ensure that an encrypted message can only be decrypted by entities who are group members at that
time the message was encrypted.
Figure 1 shows the general model of key establishment for multiple entities, in which the key distribution
centre can communicate with all the entities. The communication between the key distribution centre
and entities does not need to be secure. The key distribution centre and each entity shall share a distinct
individual key. The key distribution centre is responsible for distributing the shared secret key to all
the active entities. A join/leave request is shown as (1) and the distribution of keys to the entities as (2),
(3), ., (n + 1). From (2) onward, the order in which the updates take place is not important.
NOTE If one of the entities that knows the shared secret key cannot be contacted for a period of time, that
entity can miss a key update message, and as a result will not be able to compute the updated shared secret key.
© ISO/IEC 2020 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC 11770-5:2020(E)

Figure 1 — General model of key establishment for multiple entities
6.2 Joining process
An entity sends a join request to the key distribution centre in order to start the process of obtaining
the shared secret key. If individual rekeying is in use, as necessary to support group backward/forward
secrecy, then the key distribution centre shall execute the rekeying process after the joining request
has been accepted. However, if batch rekeying is in use, supporting backward/forward secrecy with
intervals, then the rekeying process is not automatically executed at this point.
6.3 Leaving process
An entity sends a leave request to the key distribution centre in order to stop obtaining the shared
secret key. If individual rekeying is in use, then the key distribution centre shall execute the rekeying
processes after an entity has left. However, if batch rekeying is in use, then the key distribution centre
shall record the leaving entities for the next rekeying interval.
NOTE When batch rekeying is in use, the entity leaving the group can still decrypt communications sent
within the group until the next batch rekeying takes place.
6.4 Rekeying process
This process involves the key distribution centre updating the secret key shared with the entities in
a group; it can also involve updating key encryption keys. If individual rekeying is in use, then this
process shall be performed as part of the joining and leaving processes. If batch rekeying is in use, it
shall be performed at regular time intervals.
6.5 Logical key structure
6.5.1 General
Key establishment mechanisms can be classified according to the logical structure defined by the
means used to distribute the shared secret key from the key distribution centre to the active entities in
the group. Three specific logical key structures are defined in 6.5.2 to 6.5.4.
6.5.2 Star-based structure
In a star-based structure, the shared secret key is directly encrypted for distribution using the
individual keys assigned to the entities. An example of a star-based structure with six key encryption
keys is shown in Figure 2, where the double circle denotes the key distribution centre.
6 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 11770-5:2020(E)

Figure 2 — Star-based structure
6.5.3 d-ary tree-based structure
A tree-based structure can reduce the number of key encryption keys held by individual entities.
Figure 3 shows the binary tree structure where d = 2. A shared secret key is assigned to the root node
of the tree. Each individual key is assigned to the leaf nodes of the tree. Additionally, key encryption
keys are assigned to the other nodes. The key encryption keys are shared by multiple entities whose
individual keys are assigned to the descendant of the node to which the key encryption key is assigned.
The communication cost of the leaving process may be reduced by using key encryption keys. Each
entity has all the keys assigned to the nodes on the path from the root node to the leaf node, to which
the individual key of the entity is assigned. Thus, the number of keys an entity has is proportional to the
logarithm of the total number of active entities.
Figure 3 — d-ary tree-based structure
6.5.4 General tree-based structure
A general tree-based structure can be used as the logical key structure. The general tree-based structure
makes use of a d-ary tree-based structure where m entities construct a cluster. This structure can be
considered as a hybrid of the star-based structure with m clients and the d-ary tree-based structure.
© ISO/IEC 2020 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/IEC 11770-5:2020(E)

This structure can be used to optimize the efficiency of key establishment mechanisms (see Annex B).
Figure 4 shows the tree-based structure where d = 2 and m = 4. The general tree-based structure
contains a d-ary tree-based structure, however, the opposite does not hold. For example, the tree-based
structure in Figure 4 is not a d-ary tree-based structure.
Figure 4 — General tree-based structure
6.6 Symmetric key-based key establishment mechanisms
6.6.1 General
This document defines two symmetric key-based key establishment mechanisms for multiple entities
based on a general tree-based structure: 1) a mechanism with individual rekeying and 2) a mechanism
with batch rekeying. In the mechanism with individual rekeying, the rekeying process is executed
whenever an entity joins or leaves.
6.6.2 Mechanism 1 — Key establishment mechanism with individual rekeying
This mechanism is based on a tree-based structure with individual rekeying.
a) Joining process
It is assumed that there is a set of n active entities {u , u , ., u }, and the entity u joins. Let K (u )
1 2 n n+1 A,l i
be the ancestor key of entity u that is assigned to the l-th layer from the root node of the logical key
i
hierarchy. Let h denote the height of the logical key hierarchy.
1) The entity u sends a join request to the key distribution centre.
n+1
2) The key distribution centre assigns the individual key of u (i.e. K (u )) to a leaf node of the
n+1 I n+1
logical key hierarchy.
3) The key distribution centre generates random numbers and updates the ancestor keys of the
individual key of u using these numbers. K , K (u ), K (u ), ., K (u ) are updated
n+1 SS A,1 n+1 A,2 n+1 A,h n+1
to K' , K' (u ), K' (u ), ., K' (u ), respectively.
SS A,1 n+1 A,2 n+1 A,h n+1
4) The key distribution centre encrypts each updated key with the old key, and broadcasts it. That
is, e(K , K' ), e(K (u ), K' (u )), e(K (u ), K' (u )), ., and e(K (u ), K' (u ))
SS SS A,1 n+1 A,1 n+1 A,2 n+1 A,2 n+1 A,h n+1 A,h n+1
are broadcast.
5) Each entity obtains the updated keys using the old keys.
8 © ISO/IEC 2020 – All rights reserved

---------------------- Page: 13 ----------------------
ISO/IEC 11770-5:2020(E)

6) The key distribution centre encrypts the updated keys K' || K' (u )|| K' (u )||.||
SS A,1 n+1 A,2 n+1
K' (u ) by the individual key of u , and sends e(K (u ), K' || K' (u )|| K' (u )||.||
A,h n+1 n+1 I n+1 SS A,1 n+1 A,2 n+1
K' (u )) to u .
A,h n+1 n+1
7) The entity u obtains the keys.
n+1
b) Leaving process
It is assumed that there are n active entities {u , u , ., u }, and the entity u (1 ≤ j ≤ n) leaves.
1 2 n j
1) The key distribution centre generates random numbers and updates the ancestor keys of the
individual key of u using these numbers. K , K (u ), K (u ), ., K (u ) are updated to K' ,
j SS A,1 j A,2 j A,h j SS
K' (u ), K' (u ), ., K' (u ), respectively.
A,1 j A,2 j A,h j
2) The key distribution centre encrypts each updated key with all the child keys except the
individual key of u and broadcasts them. For example, the K' is encrypted with the child keys
j SS
K , K , ., K , and e(K , K' ), e(K , K' ), ., and e(K , K' ) are broadcast.
C,1 C,2 C,d C,1 SS C,2 SS C,d SS
NOTE 1 In the case that child keys have been updated, the updated child keys are used.
3) Each entity obtains the updated keys using the child keys.
Usage example 1
This example demonstrates the joining process of Mechanism 1 in the scenario illustrated in Figure 5.
It is assumed that the key distribution centre uses the logical key hierarchy in Figure 6 and the entity H
is joining. Recall that each active entity has all the keys assigned to the nodes on the path of the logical
key hierarchy from the leaf node corresponding to the individual key of the entity to the root n
...