Information security -- Key management

This document specifies mechanisms to establish shared symmetric keys between groups of entities. It defines: — symmetric key-based key establishment mechanisms for multiple entities with a key distribution centre (KDC); and — symmetric key establishment mechanisms based on a general tree-based logical key structure with both individual rekeying and batch rekeying. It also defines key establishment mechanisms based on a key chain with group forward secrecy, group backward secrecy or both group forward and backward secrecy. This document also describes the required content of messages which carry keying material or are necessary to set up the conditions under which the keying material can be established. This document does not specify information that has no relation with key establishment mechanisms, nor does it specify other messages such as error messages. The explicit format of messages is not within the scope of this document. This document does not specify the means to be used to establish the initial secret keys required to be shared between each entity and the KDC, nor key lifecycle management. This document also does not explicitly address the issue of interdomain key management.

Sécurité de l'information -- Gestion de clés

General Information

Status
Published
Publication Date
09-Nov-2020
Current Stage
5060 - Close of voting Proof returned by Secretariat
Start Date
24-Oct-2020
Completion Date
23-Oct-2020
Ref Project

RELATIONS

Buy Standard

Standard
ISO/IEC 11770-5:2020 - Information security -- Key management
English language
18 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/IEC FDIS 11770-5:Version 13-okt-2020 - Information security -- Key management
English language
18 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 11770-5
Second edition
2020-11
Information security — Key
management —
Part 5:
Group key management
Sécurité de l'information — Gestion de clés —
Partie 5: Gestion de clés de groupe
Reference number
ISO/IEC 11770-5:2020(E)
ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC 11770-5:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 11770-5:2020(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 4

5 Requirements .......................................................................................................................................................................................................... 5

6 Tree-based key establishment mechanisms ........................................................................................................................... 5

6.1 General model .......................................................................................................................................................................................... 5

6.2 Joining process ........................................................................................................................................................................................ 6

6.3 Leaving process ...................................................................................................................................................................................... 6

6.4 Rekeying process ................................................................................................................................................................................... 6

6.5 Logical key structure.......................................................................................................................................................................... 6

6.5.1 General...................................................................................................................................................................................... 6

6.5.2 Star-based structure ..................................................................................................................................................... 6

6.5.3 d-ary tree-based structure ...................................................................................................................................... 7

6.5.4 General tree-based structure ................................................................................................................................ 7

6.6 Symmetric key-based key establishment mechanisms ........................................................................................ 8

6.6.1 General...................................................................................................................................................................................... 8

6.6.2 Mechanism 1 — Key establishment mechanism with individual rekeying .................. 8

6.6.3 Mechanism 2 — Key establishment mechanism with batch rekeying ...........................10

7 Key chain-based group key management with limited forward key chain ..........................................12

7.1 General model .......................................................................................................................................................................................12

7.2 Calculations by the key distribution centre ................................................................................................................13

7.2.1 Key chains ...........................................................................................................................................................................13

7.2.2 Group forward secrecy ............................................................................................................................................13

7.2.3 Group backward secrecy ........................................................................................................................................14

7.2.4 Forward and backward secrecy .......................................................................................................................14

7.3 Calculations by the client entity ............................................................................................................................................15

Annex A (normative) Object identifiers .........................................................................................................................................................16

Annex B (informative) Load-balancing mechanism for a general tree-based structure .............................17

Bibliography .............................................................................................................................................................................................................................18

© ISO/IEC 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 11770-5:2020(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that

are members of ISO or IEC participate in the development of International Standards through

technical committees established by the respective organization to deal with particular fields of

technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other

international organizations, governmental and non-governmental, in liaison with ISO and IEC, also

take part in the work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see http:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 11770-5:2011) which has been

technically revised.
The main changes compared to the previous edition are as follows:

— the document has been modified to be consistent with use of the key deriviation specifications from

ISO/IEC 11770-6;

— the use of a "trapdoor" in key derivation has been removed. Consequently, unlimited forward key

chains can no longer be calculated.
A list of all parts in the ISO/IEC 11770 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO/IEC 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 11770-5:2020(E)
Introduction

In some applications, it is necessary for a secret cryptographic key to be shared by a group of entities.

Moreover, in some cases the exact membership of a group of entities that share a key may change

over time.

This document is concerned with techniques that enable a secret key to be shared by all members

of a defined group with the assistance of a trusted third party known as a key distribution centre.

Provisions for adding and removing members of a group are also made.
© ISO/IEC 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 11770-5:2020(E)
Information security — Key management —
Part 5:
Group key management
1 Scope

This document specifies mechanisms to establish shared symmetric keys between groups of entities. It

defines:

— symmetric key-based key establishment mechanisms for multiple entities with a key distribution

centre (KDC); and

— symmetric key establishment mechanisms based on a general tree-based logical key structure with

both individual rekeying and batch rekeying.

It also defines key establishment mechanisms based on a key chain with group forward secrecy, group

backward secrecy or both group forward and backward secrecy.

This document also describes the required content of messages which carry keying material or are

necessary to set up the conditions under which the keying material can be established.

This document does not specify information that has no relation with key establishment mechanisms,

nor does it specify other messages such as error messages. The explicit format of messages is not within

the scope of this document.

This document does not specify the means to be used to establish the initial secret keys required to be

shared between each entity and the KDC, nor key lifecycle management. This document also does not

explicitly address the issue of interdomain key management.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 19772, Information technology — Security techniques — Authenticated encryption

ISO/IEC 11770-6, Information technology — Security techniques — Key management — Part 6: Key

derivation
3 Terms and definitions
For the purpose of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
active
state of an entity in which the entity can obtain the shared secret key (3.24)
© ISO/IEC 2020 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 11770-5:2020(E)
3.2
ancestor key
ancestor key of an entity x

cryptographic key in a logical key hierarchy (3.17) that is assigned to a node on the direct path from the

leaf node (3.16) corresponding to the individual key (3.11) for x and the root node (3.23)

Note 1 to entry: An ancestor key is either the shared secret key or a key encryption key.

3.3
backward secrecy with interval T

security condition in which an entity joining a set of entities at time t = t cannot obtain any secret keys

established between these entities at any time prior to t – T
3.4
batch rekeying with interval T

rekeying method in which the shared secret key (3.24) and, optionally, key encryption keys (3.15) are

updated at every time interval T (see Clause 4)
3.5
child key
child key for a node w

cryptographic key in a logical key hierarchy (3.17) assigned to a non-root node w

Note 1 to entry: A child key shall be a key encryption key or individual key.
3.6
child node
child node of a node w

node in a tree (3.25) that is adjacent to w and for which w lies on the unique path between it and the root

node (3.23)
3.7
d-ary tree

tree (3.25) where each node has d child nodes (3.6) except the leaf nodes (3.16) in the tree

3.8
forward secrecy with interval T

security condition in which an entity leaving a set of entities at time t = t cannot obtain any secret keys

established between these entities at any time subsequent to t + T
3.9
group backward secrecy

security condition in which an entity joining a set of entities cannot obtain any secret keys previously

established between these entities
3.10
group forward secrecy

security condition in which an entity leaving a set of entities cannot obtain any secret keys subsequently

established between these entities
3.11
individual key
key shared between the key distribution centre (3.14) and each entity
3.12
individual rekeying

rekeying method in which the shared secret key (3.24) and, optionally, key encryption keys (3.15) are

updated when an entity joins or leaves
2 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 11770-5:2020(E)
3.13
key chain
set of cryptographic keys which are not necessarily independent
3.14
key distribution centre
KDC
entity trusted to generate or acquire and distribute keys to entities
3.15
key encryption key
cryptographic key that is used for the encryption or decryption of other keys
[SOURCE: ISO/IEC 19790:2012, 3.62]
3.16
leaf node
node in a tree (3.25) that has no child nodes (3.6)
3.17
logical key hierarchy

tree (3.25) used for managing the shared secret key and key encryption keys (3.15)

3.18
logical key structure
logical structure to manage keys

Note 1 to entry: The choice of the logical key hierarchy is independent of the network topology.

3.19
one-way function

function with the property that it is easy to compute the output for a given input but it is computationally

infeasible to find for a given output an input which maps to this output
[SOURCE: ISO/IEC 11770-3:2015, 3.30]
3.20
one-step key derivation function
OKDF

key derivation function which operates in a single stage, in contrast to key derivation functions

involving separate key-extraction and key-expansion stages
[SOURCE: ISO/IEC 11770-6:2016, 3.9]
3.21
random number
time variant parameter whose value is unpredictable
[SOURCE: ISO/IEC 11770-1:2010, 2.39]
3.22
rekeying

process of updating and redistributing the shared secret key (3.24) and, optionally, key encryption

keys (3.15)
Note 1 to entry: This process is executed by the key distribution centre.
3.23
root node
unique identified special node in a tree (3.25)
© ISO/IEC 2020 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC 11770-5:2020(E)
3.24
shared secret key

key which is shared with all the active entities via a key establishment mechanism for multiple entities

3.25
tree
connected, acyclic graph with an identified special node, the root node (3.23)
4 Symbols and abbreviated terms

COM(X,Y) function which generates from the data items X and Y a key designed to be applied as a

key for the encryption algorithm in use

CUT(k,S) function which outputs a substring of length k equal to the least significant bits of a

string of bits S
d number of child nodes for a non-leaf node (see term d-ary tree)

e(K,Z) result of encrypting data Z with a symmetric encryption algorithm using the secret key K

h number of nodes in the direct path from a leaf node to the root node
K (x) ancestor key for entity x at the i-th layer from the root node
A,i
K backward key for the time instance i
BW,i
K child key assigned to the node w
C,w
K forward key for the time instance i
FW,i
K individual key
K (x) individual key shared between entity x and the key distribution centre
K key encryption key assigned to a node w
KE,w
K shared secret key
KDC key distribution centre
m number of entities connected to the hub in a star structure

OKDF1 one-step key derivation function that takes a single input as defined in ISO/IEC 11770-6

OKDF6 one-step key derivation function that takes a key and input data as defined in ISO/

IEC 11770-6
OWF one-way function used in the calculation of a key chain
r random number to initialize the backward key chain
BW,init
r random number to initialize the forward key chain
FW,init
T length of the time interval used in batch rekeying
|| binary operator indicating the concatenation of data items
4 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 11770-5:2020(E)
5 Requirements

The key establishment mechanisms specified in this document enable the establishment of shared

secret keys within a defined group of entities using multicast communication. In order to maintain

security, the mechanisms incorporate a key updating process to be used when a new entity joins or an

existing entity leaves the group.

a) The mechanisms specified in this document provide either group backward secrecy and group

forward secrecy, or backward and forward secrecy with intervals. The type of group backward/

forward secrecy should be chosen depending on the security requirements of the particular

application. The type of group backward/forward security property is determined by the choice

of rekeying method: individual rekeying provides group backward/forward secrecy, and batch

rekeying provides backward/forward secrecy with intervals. The use of batch rekeying requires

the choice of a time interval parameter T. The rekeying method and parameter setting have a strong

influence on the security requirements. Thus, they shall be determined according to the security

policy of the application.

b) Symmetric encryption techniques, as required for the mechanisms specified in Clause 6, shall be

chosen from amongst those standardized in ISO/IEC 19772.

c) The shared secret key is established using either a secure or an insecure communication channel.

Each individual key shall be exchanged between the KDC and each entity using a secure channel in

order to allow secure communication. A secure communication channel is one where an attacker

cannot eavesdrop or tamper with messages in the channel.

d) The key establishment mechanisms in this document require the use of random numbers to

generate the shared secret key, and optionally, key encryption keys. For means of generating

random numbers, see ISO/IEC 18031.

e) Annex A defines object identifiers in accordance with ISO/IEC 9834 (all parts) that shall be used

to identify the mechanisms specified in this document. Any change to the specification of the

mechanisms resulting in a change of functional behaviour results in a change of the object identifier

assigned to the mechanisms.
6 Tree-based key establishment mechanisms
6.1 General model

Use of the mechanisms specified in this document enables the establishment of a secret key shared by

all the entities in a defined group. This enables any member of the group to send an encrypted message

to all the other group members such that only group members (and the key distribution centre) can

decrypt it. The mechanisms also enable the key distribution centre to update the established secret key

to ensure that an encrypted message can only be decrypted by entities who are group members at that

time the message was encrypted.

Figure 1 shows the general model of key establishment for multiple entities, in which the key distribution

centre can communicate with all the entities. The communication between the key distribution centre

and entities does not need to be secure. The key distribution centre and each entity shall share a distinct

individual key. The key distribution centre is responsible for distributing the shared secret key to all

the active entities. A join/leave request is shown as (1) and the distribution of keys to the entities as (2),

(3), ..., (n + 1). From (2) onward, the order in which the updates take place is not important.

NOTE If one of the entities that knows the shared secret key cannot be contacted for a period of time, that

entity can miss a key update message, and as a result will not be able to compute the updated shared secret key.

© ISO/IEC 2020 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC 11770-5:2020(E)
Figure 1 — General model of key establishment for multiple entities
6.2 Joining process

An entity sends a join request to the key distribution centre in order to start the process of obtaining

the shared secret key. If individual rekeying is in use, as necessary to support group backward/forward

secrecy, then the key distribution centre shall execute the rekeying process after the joining request

has been accepted. However, if batch rekeying is in use, supporting backward/forward secrecy with

intervals, then the rekeying process is not automatically executed at this point.

6.3 Leaving process

An entity sends a leave request to the key distribution centre in order to stop obtaining the shared

secret key. If individual rekeying is in use, then the key distribution centre shall execute the rekeying

processes after an entity has left. However, if batch rekeying is in use, then the key distribution centre

shall record the leaving entities for the next rekeying interval.

NOTE When batch rekeying is in use, the entity leaving the group can still decrypt communications sent

within the group until the next batch rekeying takes place.
6.4 Rekeying process

This process involves the key distribution centre updating the secret key shared with the entities in

a group; it can also involve updating key encryption keys. If individual rekeying is in use, then this

process shall be performed as part of the joining and leaving processes. If batch rekeying is in use, it

shall be performed at regular time intervals.
6.5 Logical key structure
6.5.1 General

Key establishment mechanisms can be classified according to the logical structure defined by the

means used to distribute the shared secret key from the key distribution centre to the active entities in

the group. Three specific logical key structures are defined in 6.5.2 to 6.5.4.
6.5.2 Star-based structure

In a star-based structure, the shared secret key is directly encrypted for distribution using the

individual keys assigned to the entities. An example of a star-based structure with six key encryption

keys is shown in Figure 2, where the double circle denotes the key distribution centre.

6 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 11770-5:2020(E)
Figure 2 — Star-based structure
6.5.3 d-ary tree-based structure

A tree-based structure can reduce the number of key encryption keys held by individual entities.

Figure 3 shows the binary tree structure where d = 2. A shared secret key is assigned to the root node

of the tree. Each individual key is assigned to the leaf nodes of the tree. Additionally, key encryption

keys are assigned to the other nodes. The key encryption keys are shared by multiple entities whose

individual keys are assigned to the descendant of the node to which the key encryption key is assigned.

The communication cost of the leaving process may be reduced by using key encryption keys. Each

entity has all the keys assigned to the nodes on the path from the root node to the leaf node, to which

the individual key of the entity is assigned. Thus, the number of keys an entity has is proportional to the

logarithm of the total number of active entities.
Figure 3 — d-ary tree-based structure
6.5.4 General tree-based structure

A general tree-based structure can be used as the logical key structure. The general tree-based structure

makes use of a d-ary tree-based structure where m entities construct a cluster. This structure can be

considered as a hybrid of the star-based structure with m clients and the d-ary tree-based structure.

© ISO/IEC 2020 – All rights reserved 7
---------------------- Page: 12 ----------------------
ISO/IEC 11770-5:2020(E)

This structure can be used to optimize the efficiency of key establishment mechanisms (see Annex B).

Figure 4 shows the tree-based structure where d = 2 and m = 4. The general tree-based structure

contains a d-ary tree-based structure, however, the opposite does not hold. For example, the tree-based

structure in Figure 4 is not a d-ary tree-based structure.
Figure 4 — General tree-based structure
6.6 Symmetric key-based key establishment mechanisms
6.6.1 General

This document defines two symmetric key-based key establishment mechanisms for multiple entities

based on a general tree-based structure: 1) a mechanism with individual rekeying and 2) a mechanism

with batch rekeying. In the mechanism with individual rekeying, the rekeying process is executed

whenever an entity joins or leaves.
6.6.2 Mechanism 1 — Key establishment mechanism with individual rekeying
This mechanism is based on a tree-based structure with individual rekeying.
a) Joining process

It is assumed that there is a set of n active entities {u , u , ..., u }, and the entity u joins. Let K (u )

1 2 n n+1 A,l i

be the ancestor key of entity u that is assigned to the l-th layer from the root node of the logical key

hierarchy. Let h denote the height of the logical key hierarchy.
1) The entity u sends a join request to the key distribution centre.
n+1

2) The key distribution centre assigns the individual key of u (i.e. K (u )) to a leaf node of the

n+1 I n+1
logical key hierarchy.

3) The key distribution centre generates random numbers and updates the ancestor keys of the

individual key of u using these numbers. K , K (u ), K (u ), ..., K (u ) are updated

n+1 SS A,1 n+1 A,2 n+1 A,h n+1
to K' , K' (u ), K' (u ), ..., K' (u ), respectively.
SS A,1 n+1 A,2 n+1 A,h n+1

4) The key distribution centre encrypts each updated key with the old key, and broadcasts it. That

is, e(K , K' ), e(K (u ), K' (u )), e(K (u ), K' (u )), ..., and e(K (u ), K' (u ))

SS SS A,1 n+1 A,1 n+1 A,2 n+1 A,2 n+1 A,h n+1 A,h n+1
are broadcast.
5) Each entity obtains the updated keys using the old keys.
8 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 13 ----------------------
ISO/IEC 11770-5:2020(E)

6) The key distribution centre encrypts the updated keys K' || K' (u )|| K' (u )||...||

SS A,1 n+1 A,2 n+1

K' (u ) by the individual key of u , and sends e(K (u ), K' || K' (u )|| K' (u )||...||

A,h n+1 n+1 I n+1 SS A,1 n+1 A,2 n+1
K' (u )) to u .
A,h n+1 n+1
7) The entity u obtains the keys.
n+1
b) Leaving process

It is assumed that there are n active entities {u , u , ..., u }, and the entity u (1 ≤ j ≤ n) leaves.

1 2 n j

1) The key distribution centre generates random numbers and updates the ancestor keys of the

individual key of u using these numbers. K , K (u ), K (u ), ..., K (u ) are updated to K' ,

j SS A,1 j A,2 j A,h j SS
K' (u ), K' (u ), ..., K' (u ), respectively.
A,1 j A,2 j A,h j

2) The key distribution centre encrypts each updated key with all the child keys except the

individual key of u and broadcasts them. For example, the K' is encrypted with the child keys

j SS
K , K , ..., K , and e(K , K' ), e(K , K' ), ..., and e(K , K' ) are broadcast.
C,1 C,2 C,d C,1 SS C,2 SS C,d SS

NOTE 1 In the case that child keys have been updated, the updated child keys are used.

3) Each entity obtains the updated keys using the child keys.
Usage example 1

This example demonstrates the joining process of Mechanism 1 in the scenario illustrated in Figure 5.

It is assumed that the key distribution centre uses the logical key hierarchy in Figure 6 and the entity H

is joining. Recall that each active entity has all the keys assigned to the nodes on the path of the logical

key hierarchy from the leaf node corresponding to the individual key of the entity to the root n

...

FINAL
INTERNATIONAL ISO/IEC
DRAFT
STANDARD FDIS
11770-5
ISO/IEC JTC 1/SC 27
Information security — Key
Secretariat: DIN
management —
Voting begins on:
2020-08-28
Part 5:
Voting terminates on:
Group key management
2020-10-23
Sécurité de l'information — Gestion de clés —
Partie 5: Gestion de clés de groupe
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/IEC FDIS 11770-5:2020(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC FDIS 11770-5:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC FDIS 11770-5:2020(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 4

5 Requirements .......................................................................................................................................................................................................... 4

6 Tree-based key establishment mechanisms ........................................................................................................................... 5

6.1 General model .......................................................................................................................................................................................... 5

6.2 Joining process ........................................................................................................................................................................................ 6

6.3 Leaving process ...................................................................................................................................................................................... 6

6.4 Rekeying process ................................................................................................................................................................................... 6

6.5 Logical key structure.......................................................................................................................................................................... 6

6.5.1 General...................................................................................................................................................................................... 6

6.5.2 Star-based structure ..................................................................................................................................................... 6

6.5.3 d-ary tree-based structure ...................................................................................................................................... 7

6.5.4 General tree-based structure ................................................................................................................................ 7

6.6 Symmetric key-based key establishment mechanisms ........................................................................................ 8

6.6.1 General...................................................................................................................................................................................... 8

6.6.2 Mechanism 1 — Key establishment mechanism with individual rekeying .................. 8

6.6.3 Mechanism 2 — Key establishment mechanism with batch rekeying ...........................10

7 Key chain-based group key management with limited forward key chain ..........................................12

7.1 General model .......................................................................................................................................................................................12

7.2 Calculations by the key distribution centre ................................................................................................................13

7.2.1 Key chains ...........................................................................................................................................................................13

7.2.2 Group forward secrecy ............................................................................................................................................13

7.2.3 Group backward secrecy ........................................................................................................................................14

7.2.4 Forward and backward secrecy .......................................................................................................................14

7.3 Calculations by the client entity ............................................................................................................................................15

Annex A (normative) Object identifiers .........................................................................................................................................................16

Annex B (informative) Load-balancing mechanism for a general tree-based structure .............................17

Bibliography .............................................................................................................................................................................................................................18

© ISO/IEC 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC FDIS 11770-5:2020(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that

are members of ISO or IEC participate in the development of International Standards through

technical committees established by the respective organization to deal with particular fields of

technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other

international organizations, governmental and non-governmental, in liaison with ISO and IEC, also

take part in the work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see http:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 11770-5:2011) which has been

technically revised.
The main changes compared to the previous edition are as follows:

— the document has been modified to be consistent with use of the key deriviation specifications from

ISO/IEC 11770-6;

— the use of a "trapdoor" in key derivation has been removed. Consequently, unlimited forward key

chains can no longer be calculated.
A list of all parts in the ISO/IEC 11770 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO/IEC 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC FDIS 11770-5:2020(E)
Introduction

In some applications, it is necessary for a secret cryptographic key to be shared by a group of entities.

Moreover, in some cases the exact membership of a group of entities that share a key may change

over time.

This document is concerned with techniques that enable a secret key to be shared by all members

of a defined group with the assistance of a trusted third party known as a key distribution centre.

Provisions for adding and removing members of a group are also made.
© ISO/IEC 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 11770-5:2020(E)
Information security — Key management —
Part 5:
Group key management
1 Scope

This document specifies mechanisms to establish shared symmetric keys between groups of entities. It

defines:

— symmetric key-based key establishment mechanisms for multiple entities with a key distribution

centre (KDC); and

— symmetric key establishment mechanisms based on a general tree-based logical key structure with

both individual rekeying and batch rekeying.

It also defines key establishment mechanisms based on a key chain with group forward secrecy, group

backward secrecy or both group forward and backward secrecy.

This document also describes the required content of messages which carry keying material or are

necessary to set up the conditions under which the keying material can be established.

This document does not specify information that has no relation with key establishment mechanisms,

nor does it specify other messages such as error messages. The explicit format of messages is not within

the scope of this document.

This document does not specify the means to be used to establish the initial secret keys required to be

shared between each entity and the KDC, nor key lifecycle management. This document also does not

explicitly address the issue of interdomain key management.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 19772, Information technology — Security techniques — Authenticated encryption

ISO/IEC 11770-6, Information technology — Security techniques — Key management — Part 6: Key

derivation
3 Terms and definitions
For the purpose of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
active
state of an entity in which the entity can obtain the shared secret key (3.24)
© ISO/IEC 2020 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC FDIS 11770-5:2020(E)
3.2
ancestor key
ancestor key (of an entity x)

cryptographic key in a logical key hierarchy (3.17) that is assigned to a node on the direct path from the

leaf node (3.16 ) corresponding to the individual key (3.11) for x and the root node (3.23)

Note 1 to entry: An ancestor key is either the shared secret key or a key encryption key.

3.3
backward secrecy with interval T

security condition in which an entity joining a set of entities at time t = t cannot obtain any secret keys

established between these entities at any time prior to t – T
3.4
batch rekeying with interval T

rekeying method in which the shared secret key (3.24) and, optionally, key encryption keys (3.15) are

updated at every time interval T (4)
3.5
child key

cryptographic key in a logical key hierarchy (3.17) assigned to a non-root node w

Note 1 to entry: A child key shall be a key encryption key or individual key.
3.6
child node

node in a tree (3.25) that is adjacent to w and for which w lies on the unique path between

it and the root node (3.23)
3.7
d-ary tree

tree (3.25) where each node has d child nodes (3.6) except the leaf nodes (3.16) in the tree

3.8
forward secrecy with interval T

security condition in which an entity leaving a set of entities at time t = t cannot obtain any secret keys

established between these entities at any time subsequent to t + T
3.9
group backward secrecy

security condition in which an entity joining a set of entities cannot obtain any secret keys previously

established between these entities
3.10
group forward secrecy

security condition in which an entity leaving at set of entities cannot obtain any secret keys subsequently

established between these entities
3.11
individual key
key shared between the key distribution centre (3.14) and each entity
3.12
individual rekeying

rekeying method in which the shared secret key (3.24) and, optionally, key encryption keys (3.15) are

updated when an entity joins or leaves
3.13
key chain
set of cryptographic keys which are not necessarily independent
2 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC FDIS 11770-5:2020(E)
3.14
key distribution centre
KDC
entity trusted to generate or acquire and distribute keys to entities
3.15
key encryption key
cryptographic key that is used for the encryption or decryption of other keys
[SOURCE: ISO/IEC 19790:2012, 3.62]
3.16
leaf node
node in a tree (3.25) that has no child nodes (3.6)
3.17
logical key hierarchy

tree (3.25) used for managing the shared secret key and key encryption keys (3.15)

3.18
logical key structure
logical structure to manage keys

Note 1 to entry: The choice of the logical key hierarchy is independent of the network topology.

3.19
one-way function

function with the property that it is easy to compute the output for a given input but it is computationally

infeasible to find for a given output an input which maps to this output
[SOURCE: ISO/IEC 11770-3:2015, 3.30]
3.20
one-step key derivation function
OKDF

key derivation function which operates in a single stage, in contrast to key derivation functions

involving separate key-extraction and key-expansion stages
[SOURCE: ISO/IEC 11770-6:2016, 3.9]
3.21
random number
time variant parameter whose value is unpredictable
[SOURCE: ISO/IEC 11770-1:2010, 2.39]
3.22
rekeying

process of updating and redistributing the shared secret key (3.24) and, optionally, key encryption

keys (3.15)
Note 1 to entry: This process is executed by the key distribution centre.
3.23
root node
unique identified special node in a tree (3.25)
3.24
shared secret key

key which is shared with all the active entities via a key establishment mechanism for multiple entities

© ISO/IEC 2020 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC FDIS 11770-5:2020(E)
3.25
tree
connected, acyclic graph with an identified special node, the root node (3.23)
4 Symbols and abbreviated terms

COM(X,Y) function which generates from the data items X and Y a key designed to be applied as a

key for the encryption algorithm in use

CUT(k,S) function which outputs a substring of length k equal to the least significant bits of a

string of bits S
d number of child nodes for a non-leaf node (see term d-ary tree)

e(K,Z) result of encrypting data Z with a symmetric encryption algorithm using the secret key K

h number of nodes in the direct path from a leaf node to the root node
K (x) ancestor key for entity x at the i-th layer from the root node
A,i
K backward key for the time instance i
BW,i
K child key assigned to the node w
C,w
K forward key for the time instance i
FW,i
K individual key
K (x) individual key shared between entity x and the key distribution centre
K key encryption key assigned to a node w
KE,w
K shared secret key
KDC key distribution centre
m number of entities connected to the hub in a star structure

OKDF1 one-step key derivation function that takes a single input as defined in ISO/IEC 11770-6

OKDF6 one-step key derivation function that takes a key and input data as defined in ISO/

IEC 11770-6
OWF one-way function used in the calculation of a key chain
r random number to initialize the backward key chain
BW,init
r random number to initialize the forward key chain
FW,init
T length of the time interval used in batch rekeying
|| binary operator indicating the concatenation of data items
5 Requirements

The key establishment mechanisms specified in this document enable the establishment of shared

secret keys within a defined group of entities using multicast communication. In order to maintain

4 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC FDIS 11770-5:2020(E)

security, the mechanisms incorporate a key updating process to be used when a new entity joins or an

existing entity leaves the group.

a) The mechanisms specified in this document provide either group backward secrecy and group

forward secrecy, or backward and forward secrecy with intervals. The type of group backward/

forward secrecy should be chosen depending on the security requirements of the particular

application. The type of group backward/forward security property is determined by the choice

of rekeying method: individual rekeying provides group backward/forward secrecy, and batch

rekeying provides backward/forward secrecy with intervals. The use of batch rekeying requires

the choice of a time interval parameter T. The rekeying method and parameter setting have a strong

influence on the security requirements. Thus, they shall be determined according to the security

policy of the application.

b) Symmetric encryption techniques, as required for the mechanisms specified in Clause 6, shall be

chosen from amongst those standardized in ISO/IEC 19772.

c) The shared secret key is established using either a secure or an insecure communication channel.

Each individual key shall be exchanged between the KDC and each entity using a secure channel in

order to allow secure communication. A secure communication channel is one where an attacker

cannot eavesdrop or tamper with messages in the channel.

d) The key establishment mechanisms in this document require the use of random numbers to

generate the shared secret key, and optionally, key encryption keys. For means of generating

random numbers, see ISO/IEC 18031.

e) Annex A defines object identifiers in accordance with ISO/IEC 9834 that shall be used to identify

the mechanisms specified in this document. Any change to the specification of the mechanisms

resulting in a change of functional behaviour results in a change of the object identifier assigned to

the mechanisms.
6 Tree-based key establishment mechanisms
6.1 General model

Use of the mechanisms specified in this document enables the establishment of a secret key shared by

all the entities in a defined group. This enables any member of the group to send an encrypted message

to all the other group members such that only group members (and the key distribution centre) can

decrypt it. The mechanisms also enable the key distribution centre to update the established secret key

to ensure that an encrypted message can only be decrypted by entities who are group members at that

time the message was encrypted.

Figure 1 shows the general model of key establishment for multiple entities, in which the key distribution

centre can communicate with all the entities. The communication between the key distribution centre

and entities does not need to be secure. The key distribution centre and each entity shall share a distinct

individual key. The key distribution centre is responsible for distributing the shared secret key to all

the active entities. A join/leave request is shown as (1) and the distribution of keys to the entities as (2),

(3), ..., (n + 1). From (2) onward, the order in which the updates take place is not important.

NOTE If one of the entities that knows the shared secret key cannot be contacted for a period of time, that

entity can miss a key update message, and as a result will not be able to compute the updated shared secret key.

© ISO/IEC 2020 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC FDIS 11770-5:2020(E)
Figure 1 — General model of key establishment for multiple entities
6.2 Joining process

An entity sends a join request to the key distribution centre in order to start the process of obtaining

the shared secret key. If individual rekeying is in use, as necessary to support group backward/forward

secrecy, then the key distribution centre shall execute the rekeying process after the joining request

has been accepted. However, if batch rekeying is in use, supporting backward/forward secrecy with

intervals, then the rekeying process is not automatically executed at this point.

6.3 Leaving process

An entity sends a leave request to the key distribution centre in order to stop obtaining the shared

secret key. If individual rekeying is in use, then the key distribution centre shall execute the rekeying

processes after an entity has left. However, if batch rekeying is in use, then the key distribution centre

shall record the leaving entities for the next rekeying interval.

NOTE When batch rekeying is in use, the entity leaving the group can still decrypt communications sent

within the group until the next batch rekeying takes place.
6.4 Rekeying process

This process involves the key distribution centre updating the secret key shared with the entities in

a group; it can also involve updating key encryption keys. If individual rekeying is in use, then this

process shall be performed as part of the joining and leaving processes. If batch rekeying is in use, it

shall be performed at regular time intervals.
6.5 Logical key structure
6.5.1 General

Key establishment mechanisms can be classified according to the logical structure defined by the

means used to distribute the shared secret key from the key distribution centre to the active entities in

the group. Three specific logical key structures are defined in 6.5.2 to 6.5.4.
6.5.2 Star-based structure

In a star-based structure, the shared secret key is directly encrypted for distribution using the

individual keys assigned to the entities. An example of a star-based structure with six key encryption

keys is shown in Figure 2, where the double circle denotes the key distribution centre.

6 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC FDIS 11770-5:2020(E)
Figure 2 — Star-based structure
6.5.3 d-ary tree-based structure

A tree-based structure can reduce the number of key encryption keys held by individual entities.

Figure 3 shows the binary tree structure where d = 2. A shared secret key is assigned to the root node

of the tree. Each individual key is assigned to the leaf nodes of the tree. Additionally, key encryption

keys are assigned to the other nodes. The key encryption keys are shared by multiple entities whose

individual keys are assigned to the descendant of the node to which the key encryption key is assigned.

The communication cost of the leaving process may be reduced by using key encryption keys. Each

entity has all the keys assigned to the nodes on the path from the root node to the leaf node, to which

the individual key of the entity is assigned. Thus, the number of keys an entity has is proportional to the

logarithm of the total number of active entities.
Figure 3 — d-ary tree-based structure
6.5.4 General tree-based structure

A general tree-based structure can be used as the logical key structure. The general tree-based structure

makes use of a d-ary tree-based structure where m entities construct a cluster. This structure can be

considered as a hybrid of the star-based structure with m clients and the d-ary tree-based structure.

© ISO/IEC 2020 – All rights reserved 7
---------------------- Page: 12 ----------------------
ISO/IEC FDIS 11770-5:2020(E)

This structure can be used to optimize the efficiency of key establishment mechanisms (see Annex B).

Figure 4 shows the tree-based structure where d = 2 and m = 4. The general tree-based structure

contains a d-ary tree-based structure, however, the opposite does not hold. For example, the tree-based

structure in Figure 4 is not a d-ary tree-based structure.
Figure 4 — General tree-based structure
6.6 Symmetric key-based key establishment mechanisms
6.6.1 General

This document defines two symmetric key-based key establishment mechanisms for multiple entities

based on a general tree-based structure: 1) a mechanism with individual rekeying and 2) a mechanism

with batch rekeying. In the mechanism with individual rekeying, the rekeying process is executed

whenever an entity joins or leaves.
6.6.2 Mechanism 1 — Key establishment mechanism with individual rekeying
This mechanism is based on a tree-based structure with individual rekeying.
a) Joining process

It is assumed that there is a set of n active entities {u , u , ..., u }, and the entity u joins. Let K (u )

1 2 n n+1 A,l i

be the ancestor key of entity u that is assigned to the l-th layer from the root node of the logical key

hierarchy. Let h denote the height of the logical key hierarchy.
1) The entity u sends a join request to the key distribution centre.
n+1

2) The key distribution centre assigns the individual key of u (i.e., K (u )) to a leaf node of the

n+1 I n+1
logical key hierarchy.

3) The key distribution centre generates random numbers and updates the ancestor keys of the

individual key of u using these numbers. K , K (u ), K (u ), ..., K (u ) are updated

n+1 SS A,1 n+1 A,2 n+1 A,h n+1
to K' , K' (u ), K' (u ), ..., K' (u ), respectively.
SS A,1 n+1 A,2 n+1 A,h n+1

4) The key distribution centre encrypts each updated key with the old key, and broadcasts it. That

is, e(K , K' ), e(K (u ), K' (u )), e(K (u ), K' (u )), ..., and e(K (u ), K' (u ))

SS SS A,1 n+1 A,1 n+1 A,2 n+1 A,2 n+1 A,h n+1 A,h n+1
are broadcast.
5) Each entity obtains the updated keys using the old keys.
8 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 13 ----------------------
ISO/IEC FDIS 11770-5:2020(E)

6) The key distribution centre encrypts the updated keys K' || K' (u )|| K' (u )||...||

SS A,1 n+1 A,2 n+1

K' (u ) by the individual key of u , and sends e(K (u ), K' || K' (u )|| K' (u )||...||

A,h n+1 n+1 I n+1 SS A,1 n+1 A,2 n+1
K' (u )) to u .
A,h n+1 n+1
7) The entity u obtains the keys.
n+1
b) Leaving process

It is assumed that there are n active entities {u , u , ..., u }, and the entity u (1 ≤ j ≤ n) leaves.

1 2 n j

1) The key distribution centre generates random numbers and updates the ancestor keys of the

individual key of u using these numbers. K , K (u ), K (u ), ..., K (u ) are updated to K' ,

j SS A,1 j A,2 j A,h j SS
K' (u ), K' (u ), ..., K' (u ), respectively.
A,1 j A,2 j A,h j

2) The key distribution centre encrypts each updated key with all the child keys except the

individual key of u and broadcasts them. For example, the K' is encrypted with the child keys

j SS
K , K , ..., K , and e(K , K' ), e(K , K' ), ..., and e(K , K' ) are broad
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.