
利用共享金鑰推導之群組金鑰管理協定

Secure and Efficient Group Key Management with Shared Key Derivation

Advisor: 賴飛羆

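Abstract


In many network applications, including distance learning, Internet radio, video streaming, and online games, a data sender often needs to deliver messages to multiple receivers. IP multicast and application-layer multicast provide efficient and highly scalable one-to-many or many-to-many transmission mechanisms. A group composed of several users can use a shared key (called the group key) to encrypt multicast traffic and so protect the security of their communication. We design a new key-tree-based group key management protocol that uses shared key derivation to achieve secure and efficient group key management. With shared key derivation, some group members can compute the updated keys they need by themselves, and the server does not need to encrypt and distribute those keys to the members who can derive them. This saves transmission bandwidth and computation, and improves the performance of the synchronous and asynchronous rekeying operations the new protocol supports, including single-member join, single-member leave, and batch update for multiple membership changes. The key derivation function can be constructed from secure hash functions, secure random number generators, or one-way trapdoor functions. When the key derivation function and the chosen key encryption and decryption functions are secure, we can prove that malicious users cannot collude to compute, within an acceptable time, keys that the protocol does not entitle them to, and the protocol therefore satisfies backward and forward group key secrecy. The protocol effectively reduces the communication and computation costs of the system, and in both analysis and simulation results it outperforms several other group key management protocols of a similar nature. The protocol achieves the best system performance when a binary key tree is used together with asynchronous rekeying. With only slight modification, the protocol can support a shorter rekeying delay or a different key length to meet the needs of practical applications.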

Parallel Abstract


In many network applications, including distance learning, audio webcasting, video streaming, and online gaming, often a source has to send data to many receivers. IP multicasts and application-layer multicasts provide efficient and scalable one-to-many or many-to-many communications. A common secret key, the group key, shared by multiple users can be used to secure the information transmitted in the multicast communication channel. A new key-tree-based group key management protocol with shared key derivation is proposed to securely and efficiently manage the group key. With shared key derivation, new keys derivable by members themselves do not have to be encrypted or delivered by the server, and the performance of synchronous and asynchronous rekeying operations, including single join, single leave, and batch update, is thus improved. The key derivation function can be easily constructed with secure hash functions, secure pseudo-random number generators, or one-way trapdoor functions. When the key derivation function and the key encryption function are secure, it is computationally infeasible for malicious users to collude to compute a key which is not granted by the protocol, and both backward group key secrecy and forward group key secrecy are guaranteed. The protocol reduces the computation and communication costs of group key rekeying, outperforms the other comparable protocols from our analysis and simulation, and is particularly efficient with binary key trees and asynchronous rekeying. With minor modification, the rekeying delay and the key size of the protocol can be tuned to meet different system needs.
