Secure Group Key Agreement on Cyber-Physical System Buses

Notice: This research summary and analysis were automatically generated using AI technology. For accuracy, refer to the original arXiv paper.

Cyber-Physical Systems (CPSs) rely on distributed embedded devices that often must communicate securely over buses. Ensuring message integrity and authenticity on these buses typically requires group-shared keys for Message Authentication Codes (MACs). To avoid insecure fixed pre-shared keys and trust-on-first-use concepts, a Group Key Agreement (GKA) protocol is needed to dynamically agree on a key amongst the devices. Yet existing GKA protocols lack adaptability to constrained CPS buses. This paper targets authenticated, fully distributed GKA suitable for bus topologies under constraints of industrial and cyber-physical systems, including broadcast-only links, half-duplex operation, resource limits, dynamic membership (including unannounced leaves), a long device lifetime, and a strong Dolev-Yao adversary capable of partitioning the bus. We first systematise existing protocols, then derive the requirements necessary for an authenticated and fully distributed GKA on bus systems. Finally, we design, implement, and evaluate a custom GKA protocol based on TreeKEM.


💡 Research Summary

The paper addresses the need for a secure, fully distributed group key agreement (GKA) protocol tailored to the constraints of cyber‑physical system (CPS) buses such as CAN, PROFIBUS, and industrial Ethernet. These buses are typically broadcast‑only, half‑duplex, and have limited payload sizes (e.g., 64 bytes for CAN‑FD). Existing solutions that rely on fixed pre‑shared keys or trust‑on‑first‑use are unsuitable for long‑lived industrial deployments where devices may join, leave, or be powered off unpredictably.

System Model and Threat Assumptions
The authors assume a broadcast bus on which every node receives every message, a common PKI‑based trust anchor shared by all devices, and a budget of a single asymmetric operation (e.g., one signature) per device during initial setup or key renewal. No central key‑distribution entity exists; the protocol must run without any external service. The adversary is Dolev‑Yao: it can read, modify, replay, inject, drop, and reorder messages and, as the abstract notes, partition the bus, but it cannot break the underlying cryptographic primitives.

Deriving Requirements
From the operational characteristics and threat model, twelve concrete requirements (R01‑R12) are extracted:

  • R01 Authentication
  • R02 Fully Distributed
  • R03 Independent Operation
  • R04 Bus‑Agnostic
  • R05 Dynamic Membership
  • R06 Scalability
  • R07 Robustness to Dolev‑Yao
  • R08 Post‑Compromise Security
  • R09 Forward Secrecy
  • R10 Cryptographic Agility
  • R11 Resource Constraints
  • R12 Support for Group Merge/Split

Survey of Existing GKA Protocols
Using the taxonomies of Prandtl et al. and Xiong et al., the authors filter out centralized, leader‑based, imbalanced, and cluster‑based schemes, since any privileged party violates R02 and R03. They also discard protocols without dynamic membership (R05) or without forward secrecy and post‑compromise security (R08, R09). Of the remaining candidates, the performance analysis singles out TGDH, D‑OFT, and TreeKEM, whose computational and message complexity is reported as O(log² n), as suitable for resource‑constrained devices.

Choosing TreeKEM and Needed Adaptations
TreeKEM, the ratchet‑tree construction at the core of the Messaging Layer Security (MLS) standard (RFC 9420), is selected as the foundation because it is contributory, tree‑based, and has existing implementations. MLS, however, assumes an Authentication Service that vouches for members' identity keys and a Delivery Service that orders and delivers handshake messages; neither exists on a bus, and depending on them would violate the fully distributed, bus‑centric goals (R02, R03). Authentication and ordering therefore have to be carried by the bus messages themselves. Consequently, the authors redesign TreeKEM into GRACYBUS (Group key Agreement on Cyber‑Physical System Buses).

GRACYBUS Design

  • Tree Structure: Each device occupies a leaf of a binary tree; each internal node holds a secret known to exactly the devices in its sub‑tree, from which the secrets above it are derived.
  • Epoch‑Key Schedule: Each epoch derives a new group key through a key‑derivation function (KDF) from the fresh root secret and the previous epoch secret. Old epoch keys are securely erased, so a later compromise cannot expose earlier traffic (forward secrecy, R09). Because every update injects fresh randomness along the updater's path, secrets an attacker has already captured stop being useful after the next update, giving post‑compromise security (R08).
  • Messaging: Protocol messages fit within the bus payload (≤64 bytes). A full group‑key update requires only 3‑4 broadcast messages, which fits within real‑time control cycles.
  • Dynamic Membership: A join inserts a new leaf and refreshes the path from that leaf to the root, encrypting each new path secret to the co‑path sub‑trees; a leave blanks the departed device's path and refreshes the affected sub‑trees so that the leaver cannot follow. Both operations cost O(log n) messages, satisfying scalability (R06) and dynamic membership (R05).
  • Authentication: A device signs its initial join request under the PKI‑based trust anchor; all later messages carry MACs under the current group key, fulfilling R01 without a separate authentication service. Note that a MAC under a group‑shared key proves only that the sender holds the current epoch key, not which member sent the frame; the signed join is what binds a device to its leaf.
  • Merge/Split: Two independent trees are merged by combining their roots and performing a single epoch transition; a split is the inverse process, meeting R12.
  • Resource Efficiency: Asymmetric cryptography is confined to the initial setup; every later operation uses symmetric primitives, keeping CPU time, RAM, and bandwidth within the limits of typical microcontrollers (e.g., ARM Cortex‑M4).
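The tree structure, epoch‑key schedule, and join/leave mechanics described above are easier to follow in code. The following is an added example written for this page, not the paper's implementation: it runs a TreeKEM‑style key tree over a simulated broadcast bus with four devices, shows that one update costs a logarithmic number of ciphertexts (one per node in the co‑path resolution), that a removed device is cut off by blanking its path, and that each epoch secret overwrites the previous one. Everything not stated on the page is an assumption: the heap‑style tree layout, the KDF labels, the all‑zero bootstrap epoch secret, the omission of the signed join, and the toy KEM over the 1024‑bit RFC 2409 Oakley Group 2 prime. Plain TreeKEM delivers new path secrets with public‑key encryption; the summary says GRACYBUS restricts asymmetric operations to setup, and since the page does not explain how path secrets are delivered afterwards, the example keeps the standard TreeKEM mechanism.

```python
# Added example (not the paper's code): a TreeKEM-style key tree on a broadcast
# bus. Tree layout, KDF labels, the toy DH KEM and the bootstrap are assumptions;
# the real GRACYBUS wire format and primitives are not given on this page.
import hashlib, hmac, secrets

# Toy KEM over RFC 2409 Oakley Group 2 (1024-bit MODP, generator 2). Demo only:
# MLS uses HPKE (e.g. X25519) and a deployment should use a modern KEM as well.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

def kdf(secret: bytes, label: str) -> bytes:
    """Labelled HMAC-SHA256 derivation (stand-in for HKDF-Expand)."""
    return hmac.new(secret, b"demo/" + label.encode(), hashlib.sha256).digest()

def keypair(node_secret: bytes):
    """Node key pair derived from the node's path secret, as TreeKEM does."""
    priv = 2 + int.from_bytes(kdf(node_secret, "node"), "big") % (P - 3)
    return priv, pow(2, priv, P)

def kem_encrypt(pub: int, secret32: bytes):
    """DH encapsulation, keystream XOR and an HMAC tag (toy AEAD, demo only)."""
    eph = 2 + secrets.randbelow(P - 3)
    k = kdf(pow(pub, eph, P).to_bytes(128, "big"), "kem")
    ct = bytes(a ^ b for a, b in zip(secret32, kdf(k, "stream")))
    return pow(2, eph, P), ct, hmac.new(k, ct, hashlib.sha256).digest()

def kem_decrypt(priv: int, box) -> bytes:
    epk, ct, tag = box
    k = kdf(pow(epk, priv, P).to_bytes(128, "big"), "kem")
    if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: tampered, wrong epoch, or not addressed to us")
    return bytes(a ^ b for a, b in zip(ct, kdf(k, "stream")))

class Bus:
    """What every device sees: tree shape and node public keys (absent = blank node)."""
    def __init__(self, n_leaves: int):
        self.n, self.pub = n_leaves, {}          # heap layout: root 0, children 2i+1, 2i+2
    def leaf_node(self, leaf): return self.n - 1 + leaf
    def ancestors(self, node):                   # direct path above node, bottom-up
        out = []
        while node: node = (node - 1) // 2; out.append(node)
        return out
    def resolution(self, node):                  # nearest non-blank nodes covering the subtree
        if node in self.pub: return [node]
        if node >= self.n - 1: return []         # blank leaf
        return self.resolution(2 * node + 1) + self.resolution(2 * node + 2)

class Device:
    def __init__(self, bus: Bus, leaf: int):
        self.bus, self.leaf, self.known, self.epoch = bus, leaf, {}, 0
        self.epoch_secret = bytes(32)            # bootstrap value; real setup authenticates it
        me = bus.leaf_node(leaf)
        self.known[me] = secrets.token_bytes(32)
        bus.pub[me] = keypair(self.known[me])[1]     # the join request (signed, in the paper)

    def _ratchet(self, node, path_secret):
        """Install path_secret at node, derive every ancestor, then the next epoch key."""
        new = {}
        for n in [node] + self.bus.ancestors(node):
            new[n], path_secret = path_secret, kdf(path_secret, "path")
        self.known.update(new)
        self.epoch += 1                          # old epoch secret is overwritten: forward secrecy
        self.epoch_secret = kdf(self.epoch_secret + self.known[0], "epoch")
        self.group_key = kdf(self.epoch_secret, "mac-key")
        return new

    def _blank(self, leaf):                      # a removed leaf and its whole path lose their keys
        gone = self.bus.leaf_node(leaf)
        for n in [gone] + self.bus.ancestors(gone): self.bus.pub.pop(n, None); self.known.pop(n, None)

    def update(self, remove=None):
        """Refresh our direct path; optionally remove another leaf in the same epoch change."""
        bus, me = self.bus, self.bus.leaf_node(self.leaf)
        if remove is not None: self._blank(remove)
        new, cts, child = self._ratchet(me, secrets.token_bytes(32)), [], me
        for parent in bus.ancestors(me):
            sibling = child + 1 if child % 2 else child - 1
            for target in bus.resolution(sibling):   # one ciphertext per co-path resolution node
                cts.append((parent, target, kem_encrypt(bus.pub[target], new[parent])))
            child = parent
        pubs = {n: keypair(s)[1] for n, s in new.items()}
        bus.pub.update(pubs)
        return {"sender": self.leaf, "removed": remove, "pubs": pubs, "cts": cts}

    def process(self, msg) -> bytes:
        """Apply a broadcast update; returns the new group key, raises if we are not in it."""
        if msg["removed"] is not None: self._blank(msg["removed"])
        self.bus.pub.update(msg["pubs"])
        for node, target, box in msg["cts"]:
            if target in self.known:             # exactly one ciphertext lands on our path
                self._ratchet(node, kem_decrypt(keypair(self.known[target])[0], box))
                return self.group_key
        raise PermissionError("no ciphertext for this device: removed or never a member")

if __name__ == "__main__":
    bus = Bus(4)
    a, b, c, d = (Device(bus, i) for i in range(4))
    m = a.update()                               # 3 ciphertexts: to B, and to C and D separately
    print(len(m["cts"]), all(x.process(m) == a.group_key for x in (b, c, d)))
    m = a.update(remove=3)                       # D's path is blanked; only B and C can follow
    print(len(m["cts"]), b.process(m) == c.process(m) == a.group_key)
```

Two things worth noticing when running it. First, after A's initial update the root is known to everyone, so when C later updates it needs a single ciphertext addressed to internal node 1, which both A and B can open; that is where the O(log n) message cost comes from. Second, a device that missed an update (or was removed) ends up with no decryptable ciphertext and an erased previous epoch secret, which is exactly the state the summary's forward‑secrecy and unannounced‑leave requirements call for; a real bus protocol additionally has to carry the epoch number and a signature or MAC on the update so a Dolev‑Yao adversary cannot replay an old update into the current epoch.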

Implementation and Evaluation
The protocol was implemented on an ARM Cortex‑M4 MCU and evaluated in a CAN‑FD simulation with up to 100 participants. The reported results are memory consumption below 12 KB, per‑epoch computation under 1 ms, and total protocol latency of less than 5 ms per key update. The security analysis argues resistance to the Dolev‑Yao adversary, forward secrecy, and rapid recovery after a node compromise through periodic epoch changes.

Conclusion and Future Work
GRACYBUS is presented as the first GKA protocol that simultaneously satisfies all twelve CPS‑bus requirements, offering a practical, secure, and resource‑aware solution for industrial environments with long device lifetimes. Future research directions include integrating post‑quantum cryptographic primitives, extending the design to multi‑bus topologies, and coupling the protocol with real‑time, safety‑critical authentication services.

