Group Key Establishment Protocols

Transcription

1 Group Key Establishment Protocols Ruxandra F. Olimid EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016 July 14, 2016 Sinaia, Romania

2 Outline 1. Context and Motivation 2. Classifications 3. Properties 4. Constructions 5. Attacks and Security 2

3 Scenarios Many-to-Many One-to-Many 3

4 Scenarios Many-to-Many One-to-Many Similar roles for all users Peer-to-peer communication E.g.: Virtual conference Different roles No communication between peers E.g.: Pay TV 4

5 Goals Many-to-Many One-to-Many General goals for group applications / services: Correctness Availability Performance Efficiency (computation, power consumptions, etc.) Security aspects: confidentiality, authentication, access control, anonymity 5

6 Authentication 1. Group Authentication e.g.: a message is authenticated as sent by someone from the group 2. User Authentication e.g.: a message is authenticated as sent by a specific user inside the group 6

7 Confidentiality We focus on confidentiality Question: How can we achieve confidentiality? Answer: by using encryption Question: What do we need to encrypt? Answer: a (set of) key(s) Question: What makes it different for groups? Answer:... 7

8 Group Key Solution 1: one single key for all users Question: What could go wrong? Answer: users might leave or join the group 8

9 Group Key Solution 2: distinct keys for all pairs of communication parties or public key crypto Question: What could go wrong? Answer: too many keys to store securely / slow communication 9

10 Group Key Establishment (GKE) GKE Protocols: protocols used for the establishment, distribution and management of keys in groups (i.e. more than 2 users) There is no single solution suitable for all scenarios! Criteria: Senders type: anyone can be a sender vs. privileged users send only Group size and group scalability: small (e.g.: small video group) vs. very large (e.g.: broadcast TV) Users availability: always online vs. sometimes offline Membership dynamics: static vs. dynamic groups Others: traffic volume, performance, power capabilities,... 10

11 GKE Classification GKA (Group Key Agreement) GKT (Group Key Transfer) 11

12 Scenarios GKA (Group Key Agreement) GKT (Group Key Transfer) All users participate to key generation Multiple points of trust A privileged user (group manager / KGC*) selects a key and securely distributes it to the users Single point of trust *KGC = Key Generation Center 12

13 GKE Requirements Scalability: accept group size changes (while maintaining efficiency), allowing users to leave and join the group (while maintaining security), etc. Independence: maintain independency from the underlying multicast routing protocol or technology Reliability: ensure timely delivery of the key to intended recipients Others... This talk focuses on security 13

14 Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Key authentication Key confirmation Mutual authentication 14

15 Security Goals Key freshness Key independence Key confidentiality Key randomness Known key (also security called key privacy, key Key secrecy indistinguishability or non-disclosure) Forward guarantees security that is (computationally) Key unpredictability infeasible for an Backward adversary security to compute the Key group consistency key Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key authentication Key confirmation Mutual authentication 15

16 Security Goals Key freshness Key independence Key confidentiality Key randomness Known key security Key indistinguishability Forward security Key unpredictability Backward security Key consistency (stronger notions for key confidentiality) assure that key privacy holds regardless of the Entity authentication Key authentication adversary s knowledge on (session or long-term) Key compromise keys from other rounds of Key the confirmation protocol / the impersonation adversary s resilience actions in future Mutual or past authentication rounds of the Ephemeral protocol key leakage resilience 16

17 Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key assures independence that the key is new, Key i.e. randomness it has not been used before Key indistinguishability Key unpredictability Key consistency Key authentication Key confirmation Mutual authentication 17

18 Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key imposes randomness that no correlation Key exists indistinguishability between keys from Key different unpredictability sessions Key consistency Key authentication Key confirmation Mutual authentication 18

19 Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency key randomness warrants indistinguishability from a random number and hence Key authentication unpredictability Key confirmation Mutual authentication 19

20 Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency prevents distinct users to accept different keys Key authentication Key confirmation Mutual authentication 20

21 Security Goals Key confidentiality Known key security Forward security Backward security Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Entity authentication Key authentication Key compromise confirms the identity Key confirmation of a user impersonation resilience Mutual authentication Ephemeral key leakage resilience 21

22 Security Goals Key confidentiality Known key security Forward security Backward security Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Entity authentication Key compromise impersonation resilience Key authentication Key confirmation Mutual authentication Ephemeral key prevents leakage an attacker who owns the long-term key resilience of a user to impersonate other parties to him (i.e. accepts honest parties as peers even if they are not) 22

23 Security Goals Key confidentiality Known key security Forward security Backward security Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency avoids an adversary to recover the group key even Entity authentication if it discloses the Key long-term authentication keys and ephemeral Key compromise keys of parties involved Key confirmation except both these values impersonation resilience for the participants Mutual in the authentication test session Ephemeral key leakage resilience 23

24 Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Key authentication Key confirmation limits the possible owners of the Mutual group authentication key to legitimate users 24

25 Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Key authentication Key confirmation Mutual authentication certifies that all authorized members actually have the key 25

26 Security Goals Key freshness Key independence Key confidentiality Key randomness Known key security Key indistinguishability Forward security Key unpredictability Backward security Key consistency (also... called explicit key authentication, it combines key confirmation and key authentication) ensures Entity that authentication all qualified users to the Key protocol authentication have actually computed the group key and no one else except them has Key compromise Key confirmation impersonation resilience Mutual authentication Ephemeral key leakage resilience 26

27 Adversaries Group membership: Insiders: users registered to the group but unauthorized for a given session; Outsiders: users not registered to the group Actions: Passive: eavesdrop on the communication channel Active: insert, delete, change messages on the communication channel Types of attacks: Man-in-the-middle, replay attack (we will see both later on), known key attack, DoS, etc. 27

28 GKE Question: How to design GKE? Answer: the natural approach is to start from 2 parties protocols and extend to 3, 4, 5,... So, let s start from the popular Diffie-Hellman key exchange 28

29 Diffie-Hellman Key Exchange Introduced by W.Diffie and M.Hellman ( New directions in Cryptography, 1976) Does not assure authentication Relies its security proof on the assumption that the mathematical underlying problem is hard 29

30 Diffie-Hellman Key Exchange Alice Bob 30

31 Man-in-the-Middle Attack Alice Oscar/Eve Bob 31

32 Joux 3-Party Key Exchange Introduced by A. Joux ( A One Round Protocol for Tripartite Diffie Hellman, 2000) Does not assure authentication, so it remains vulnerable to man-in-the-middle attacks Relies its security on the assumption that the mathematical underlying problem is hard, but works on bilinear pairs 32

33 33 Bilinear Pairs

34 Joux 3-Party Key Exchange Alice Bob Charlie 34

35 Joux 3-Party Key Exchange Secure under the bilinear Diffie-Hellman assumption: Constructions for bilinear maps: Weil pairing, Tate pairing 35

36 MultiParty Key Exchange Introduced by D.Boneh and A.Silverberg ( Applications of Multilinear Forms to Cryptography, 2002) Does not assume authentication, so it remains vulnerable to man-in-the-middle attacks Relies its security on the assumption that the mathematical underlying problem is hard, but works on multilinear maps 36

37 37 Multilinear Maps

38 MultiParty Key Exchange (broadcast msg) User i 38

39 MultiParty Key Exchange Secure under the multilinear Diffie-Hellman assumption: Secure constructions of multilinear maps is questionable 39

40 DH-Based Key Exchange Previous constructions are built on a generalization of the Diffie-Hellman assumption But GKA protocols can also use DH key exchange as building block 40

41 DH-Based Key Exchange Ring structure Tree structure 41

42 Ring-based DH (an example) I.Ingemarsson, D.T.Tang, and C. K. Wong ( A Conference Key Distribution System, 1982) Users are placed in a ring A user talks only to its neighbours 42

43 Ring-based DH (an example) Round 1 43

44 Ring-based DH (an example) Round 2 44

45 Ring-based DH (an example) Round 3 45

46 Ring-based DH (an example) Round 4 46

47 Tree-based DH (an example) Y.Kim, A.Perrig, G.Tsudik ( Tree-based Group Key Agreement, 2004) Users are leaves in a (balanced) tree A key is agreed between children of the same node up to the root, which becomes the final group key 47

48 48 Tree-based DH (an example)

49 Tree-based DH (an example) Round 1 49

50 Tree-based DH (an example) Round 2 Round 1 50

51 Tree-based DH (an example) Round 3 Round 2 Round 1 51

52 Tree-based DH (an example) The protocol includes support for dynamic groups: Join: a new member is added to the group Leave: a member is removed from the group Merge: 2 groups are merged together Partition: one group is split in 2 groups Key refresh: the group key is refreshed We next explain Leave, as an example 52

53 53 Tree-based DH (an example)

54 54 Tree-based DH (an example)

55 Tree-based DH (an example) Round 2: Each user refreshes its tree of keys 55

56 GKE Question: What kind of GKE were all these examples, GKA or GKT? Answer: GKA So, let s have a look at GKT and see some attacks! 56

57 GKT GKC 57

58 GKT GKC Registered users (insiders) Authorized users (registered) Unregistered users (outsiders) 58

59 GKT LLKey 1 LLKey 1 LLKey 5 LLKey 4 GKC LLKey 2 LLKey 5 LLKey 3 Registered users (insiders) Authorized users (registered) Unregistered users (outsiders) 59

60 Yuan et al. GKT Introduced by W. Yuan, L. Hu, H. Li, J. Chu ( An Efficient Password-based Group Key Exchange Protocol Using Secret Sharing, 2013) The long-term key is a password (split in two parts) Has no (real) security proof! 60

61 GKT pw 4x pw 4y pw 1x pw 1y pw 2x pw 2y GKC pw 1x pw 1y pw 5x pw 5y pw 5x pw 5y pw 3x pw 3y Registered users (insiders) Authorized users (registered) Unregistered users (outsiders) 61

62 62 Yuan et al. GKT

63 First Attack Insider attack & Replay attack 63

64 First Attack GKC Insider Attack 64

65 First Attack GKC GKC Replay Attack 65

66 First Attack Session s1 Session s2 66

67 The Modified Protocol *nonce = number used once 67

68 68 The Modified Protocol

69 Second Attack This does not make it secure against an insider attack! Both attacks were introduced by R.F.Olimid ( A Chain of Attacks and Countermeasures Applied to a Group Key Transfer Protocol, 2014) 69

70 Second Attack GKC Insider Attack 70

71 Second Attack Session s1 Session s2 71

72 Formal Security Models Security models formalize the security goals within a precise environment, specifying the trust assumptions, the relations between participants, the adversarial power, the communication medium Security proofs prove a protocol is secure under a specific model 72

73 Formal Security Models Year Name Info 2001 BCPQ [1] first security model (generalizes existing models for two or three party protocols) 2001 BCP [2] + dynamic groups 2002 BCP+ [3] + strong corruption (i.e. the attacker reveals the ephemeral internal state information of the users instances) 2005 KS [4] security against insider attacks (UC framework) 2009 GBG [5] + KCI (Key Compromise Impersonation) 2011 egbg [6] + EKL (Ephemeral Keys Leakage) 2013 g-eck [7] + EKL in test session (GKE version of eck) More info: [8], [9] Some of the proposed security models: 73

74 Formal Security Models [1] Bresson, E., Chevassut, O., Pointcheval, D. and Quisquater, J.J., 2001, November. Provably authenticated group Diffie-Hellman key exchange. InProceedings of the 8th ACM conference on Computer and Communications Security (pp ). [2] Bresson, E., Chevassut, O. and Pointcheval, D., 2001, December. Provably authenticated group Diffie-Hellman key exchange the dynamic case. In International Conference on the Theory and Application of Cryptology and Information Security (pp ). [3] Bresson, E., Chevassut, O. and Pointcheval, D., 2002, April. Dynamic group Diffie-Hellman key exchange under standard assumptions. In International Conference on the Theory and Applications of Cryptographic Techniques (pp ). [4] Katz, J. and Shin, J.S., 2005, November. Modeling insider attacks on group key-exchange protocols. In Proceedings of the 12th ACM conference on Computer and communications security (pp ). [5] Gorantla, M.C., Boyd, C. and Nieto, J.M.G., 2009, March. Modeling key compromise impersonation attacks on group key exchange protocols. In International Workshop on Public Key Cryptography (pp ). [6] Zhao, J., Gu, D. and Gorantla, M.C., 2011, March. Stronger security model of group key agreement. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (pp ). [7] Manulis, M., Suzuki, K. and Ustaoglu, B., Modeling leakage of ephemeral secrets in tripartite/group key exchange. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences,96(1), pp [8] Manulis, M. "Survey on Security Requirements and Models for Group Key Exchange." IACR Cryptology eprint Archive 2006 (2006): 388. [9] Manulis, M., Provably secure group key exchange. Europ. Univ.-Verlag 74

75 Security Model (an example) M.C. Gorantla, C. Boyd, and J.M.G. Nieto ( Modeling key compromise impersonation attacks on group key exchange protocols, 1982) We talk about AKE (Authenticated Key Exchange) security only 75

76 Security Model (an example) upper bound for no. (concurrent) sessions ephemeral Correctness: information A GKE (for protocol the current is correct session) if: instance all instances OR of user U have in session accepted; s all instances AND are partnered; terminates long-term all instances key without (certified have a session by computed an key authority) the same session group session keyid (identifies session s) partner id (set of identities U wishes to establish a key with) 76 * index for user and session is distinct, but we have used the same notation i, respectively j

77 Security Model (an example) Stage 1 Stage 2 Adversary Adversary Adversary A protocol is AKE-secure if the winning probability is negligible close to 1/2. 77

78 Security Model (an example) Some informal security goals modeled by GBG: Key confidentiality: unauthorized parties cannot recover the key Forward secrecy: the adversary can learn the long-term private keys of the users, but this has no impact on the confidentiality of the keys established in previous sessions of the protocol Known key security: the adversary can learn keys from previous sessions, but this has no impact on the confidentiality of the current session key KCI resilience: the adversary can corrupt the user from the Test query, but it is not able to impersonate any of its partners to him; otherwise freshness fails. 78

79 Security Model (an example) Game based proofs: Game 0 Game 1 Game n the initial game (w.r.t crypto protocol that will be proven secure) infeasible to win (by a PPT adversary) 79

80 Thank you! Q&A 80