Disclosed are methods for a client, having established one set of security keys, to establish a new set without having to communicate with an authentication server. When the client joins a group, master session security keys are derived and made known to the client and to the group's access server. From the master session security keys, the access server and client each derive transient session security keys, used for authentication and encryption. To change the transient session security keys, the access server creates “liveness” information and sends it to the client. New master session security keys are derived from the liveness information and the current set of transient session security keys. From these new master session security keys are derived new transient session security keys. This process limits the amount of data sent using one set of transient session security keys and thus limits the effectiveness of any statistical attacker.