Group Key Establishment Protocols

Similar documents
Modelling the Security of Key Exchange

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

A modified eck model with stronger security for tripartite authenticated key exchange

(In)security of ecient tree-based group key agreement using bilinear map

Proofs for Key Establishment Protocols

Security properties of two authenticated conference key agreement protocols

CIS 4360 Secure Computer Systems Applied Cryptography

Session key establishment protocols

Session key establishment protocols

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Secure Multiparty Computation

Efficient Compilers for Authenticated Group Key Exchange

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Hash Proof Systems and Password Protocols

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Anonymous Password-based Authenticated Key Exchange

Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols

Attribute-Based Authenticated Key Exchange

Key Establishment and Authentication Protocols EECE 412

Identification Schemes

Applied Cryptography and Computer Security CSE 664 Spring 2017

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Authenticating People and Machines over Insecure Networks

CSC 774 Advanced Network Security

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

EFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATION

CS 494/594 Computer and Network Security

Crypto Background & Concepts SGX Software Attestation

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

One-Time-Password-Authenticated Key Exchange

Pairing-Based One-Round Tripartite Key Agreement Protocols

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Cryptographic Protocols 1

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

T Cryptography and Data Security

1. Diffie-Hellman Key Exchange

Password Based Authentication Key Exchange in the Three Party

Real-time protocol. Chapter 16: Real-Time Communication Security

Scalable Authenticated Tree Based Group Key Exchange for Ad-Hoc Groups

Auth. Key Exchange. Dan Boneh

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Formal Methods for Assuring Security of Computer Networks

Cryptographic Checksums

Robust EC-PAKA Protocol for Wireless Mobile Networks

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Spring 2010: CS419 Computer Security

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Key Establishment. Colin Boyd. May Department of Telematics NTNU

CS 395T. Formal Model for Secure Key Exchange

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

On the Security of a Certificateless Public-Key Encryption

Information Security CS 526

2.1 Basic Cryptography Concepts

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Lecture 1: Course Introduction

Lecture 2 Applied Cryptography (Part 2)

Chapter 9: Key Management

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

UNIT - IV Cryptographic Hash Function 31.1

Pairing-Based One-Round Tripartite Key Agreement Protocols

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

CS Computer Networks 1: Authentication

Internet Research Task Force (IRTF) Category: Informational April 2017 ISSN:

Brief Introduction to Provable Security

Viber Encryption Overview

Homework 3: Solution

Public-Key Infrastructure NETS E2008

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Security Analysis of KEA Authenticated Key Exchange Protocol

Anonymity. Assumption: If we know IP address, we know identity

Part II Bellare-Rogaway Model (Active Adversaries)

Key Management and Distribution

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

CS408 Cryptography & Internet Security

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

0x1A Great Papers in Computer Security

Authentication for Paranoids: Multi-Party Secret Handshakes

Chapter 10 : Private-Key Management and the Public-Key Revolution

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Group Key Agreement Protocols for Dynamic Peer Groups

Grenzen der Kryptographie

Wide-weak Privacy Preserving RFID Mutual Authentication Protocol

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings

Lecture 7 - Applied Cryptography

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

Public-key Cryptography: Theory and Practice

Notes for Lecture 14

Authenticated Key Agreement without Subgroup Element Verification

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Distributed ID-based Signature Using Tamper-Resistant Module

Chapter 9 Public Key Cryptography. WANG YANG

Transcription:

Group Key Establishment Protocols Ruxandra F. Olimid EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016 July 14, 2016 Sinaia, Romania

Outline 1. Context and Motivation 2. Classifications 3. Properties 4. Constructions 5. Attacks and Security 2

Scenarios Many-to-Many One-to-Many 3

Scenarios Many-to-Many One-to-Many Similar roles for all users Peer-to-peer communication E.g.: Virtual conference Different roles No communication between peers E.g.: Pay TV 4

Goals Many-to-Many One-to-Many General goals for group applications / services: Correctness Availability Performance Efficiency (computation, power consumptions, etc.) Security aspects: confidentiality, authentication, access control, anonymity 5

Authentication 1. Group Authentication e.g.: a message is authenticated as sent by someone from the group 2. User Authentication e.g.: a message is authenticated as sent by a specific user inside the group 6

Confidentiality We focus on confidentiality Question: How can we achieve confidentiality? Answer: by using encryption Question: What do we need to encrypt? Answer: a (set of) key(s) Question: What makes it different for groups? Answer:... 7

Group Key Solution 1: one single key for all users Question: What could go wrong? Answer: users might leave or join the group 8

Group Key Solution 2: distinct keys for all pairs of communication parties or public key crypto Question: What could go wrong? Answer: too many keys to store securely / slow communication 9

Group Key Establishment (GKE) GKE Protocols: protocols used for the establishment, distribution and management of keys in groups (i.e. more than 2 users) There is no single solution suitable for all scenarios! Criteria: Senders type: anyone can be a sender vs. privileged users send only Group size and group scalability: small (e.g.: small video group) vs. very large (e.g.: broadcast TV) Users availability: always online vs. sometimes offline Membership dynamics: static vs. dynamic groups Others: traffic volume, performance, power capabilities,... 10

GKE Classification GKA (Group Key Agreement) GKT (Group Key Transfer) 11

Scenarios GKA (Group Key Agreement) GKT (Group Key Transfer) All users participate to key generation Multiple points of trust A privileged user (group manager / KGC*) selects a key and securely distributes it to the users Single point of trust *KGC = Key Generation Center 12

GKE Requirements Scalability: accept group size changes (while maintaining efficiency), allowing users to leave and join the group (while maintaining security), etc. Independence: maintain independency from the underlying multicast routing protocol or technology Reliability: ensure timely delivery of the key to intended recipients Others... This talk focuses on security 13

Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Key authentication Key confirmation Mutual authentication 14

Security Goals Key freshness Key independence Key confidentiality Key randomness Known key (also security called key privacy, key Key secrecy indistinguishability or non-disclosure) Forward guarantees security that is (computationally) Key unpredictability infeasible for an Backward adversary security to compute the Key group consistency key Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key authentication Key confirmation Mutual authentication 15

Security Goals Key freshness Key independence Key confidentiality Key randomness Known key security Key indistinguishability Forward security Key unpredictability Backward security Key consistency (stronger notions for key confidentiality) assure that key privacy holds regardless of the Entity authentication Key authentication adversary s knowledge on (session or long-term) Key compromise keys from other rounds of Key the confirmation protocol / the impersonation adversary s resilience actions in future Mutual or past authentication rounds of the Ephemeral protocol key leakage resilience 16

Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key assures independence that the key is new, Key i.e. randomness it has not been used before Key indistinguishability Key unpredictability Key consistency Key authentication Key confirmation Mutual authentication 17

Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key imposes randomness that no correlation Key exists indistinguishability between keys from Key different unpredictability sessions Key consistency Key authentication Key confirmation Mutual authentication 18

Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency key randomness warrants indistinguishability from a random number and hence Key authentication unpredictability Key confirmation Mutual authentication 19

Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency prevents distinct users to accept different keys Key authentication Key confirmation Mutual authentication 20

Security Goals Key confidentiality Known key security Forward security Backward security Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Entity authentication Key authentication Key compromise confirms the identity Key confirmation of a user impersonation resilience Mutual authentication Ephemeral key leakage resilience 21

Security Goals Key confidentiality Known key security Forward security Backward security Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Entity authentication Key compromise impersonation resilience Key authentication Key confirmation Mutual authentication Ephemeral key prevents leakage an attacker who owns the long-term key resilience of a user to impersonate other parties to him (i.e. accepts honest parties as peers even if they are not) 22

Security Goals Key confidentiality Known key security Forward security Backward security Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency avoids an adversary to recover the group key even Entity authentication if it discloses the Key long-term authentication keys and ephemeral Key compromise keys of parties involved Key confirmation except both these values impersonation resilience for the participants Mutual in the authentication test session Ephemeral key leakage resilience 23

Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Key authentication Key confirmation limits the possible owners of the Mutual group authentication key to legitimate users 24

Security Goals Key confidentiality Known key security Forward security Backward security Entity authentication Key compromise impersonation resilience Ephemeral key leakage resilience Key freshness Key independence Key randomness Key indistinguishability Key unpredictability Key consistency Key authentication Key confirmation Mutual authentication certifies that all authorized members actually have the key 25

Security Goals Key freshness Key independence Key confidentiality Key randomness Known key security Key indistinguishability Forward security Key unpredictability Backward security Key consistency (also... called explicit key authentication, it combines key confirmation and key authentication) ensures Entity that authentication all qualified users to the Key protocol authentication have actually computed the group key and no one else except them has Key compromise Key confirmation impersonation resilience Mutual authentication Ephemeral key leakage resilience 26

Adversaries Group membership: Insiders: users registered to the group but unauthorized for a given session; Outsiders: users not registered to the group Actions: Passive: eavesdrop on the communication channel Active: insert, delete, change messages on the communication channel Types of attacks: Man-in-the-middle, replay attack (we will see both later on), known key attack, DoS, etc. 27

GKE Question: How to design GKE? Answer: the natural approach is to start from 2 parties protocols and extend to 3, 4, 5,... So, let s start from the popular Diffie-Hellman key exchange 28

Diffie-Hellman Key Exchange Introduced by W.Diffie and M.Hellman ( New directions in Cryptography, 1976) Does not assure authentication Relies its security proof on the assumption that the mathematical underlying problem is hard 29

Diffie-Hellman Key Exchange Alice Bob 30

Man-in-the-Middle Attack Alice Oscar/Eve Bob 31

Joux 3-Party Key Exchange Introduced by A. Joux ( A One Round Protocol for Tripartite Diffie Hellman, 2000) Does not assure authentication, so it remains vulnerable to man-in-the-middle attacks Relies its security on the assumption that the mathematical underlying problem is hard, but works on bilinear pairs 32

33 Bilinear Pairs

Joux 3-Party Key Exchange Alice Bob Charlie 34

Joux 3-Party Key Exchange Secure under the bilinear Diffie-Hellman assumption: Constructions for bilinear maps: Weil pairing, Tate pairing 35

MultiParty Key Exchange Introduced by D.Boneh and A.Silverberg ( Applications of Multilinear Forms to Cryptography, 2002) Does not assume authentication, so it remains vulnerable to man-in-the-middle attacks Relies its security on the assumption that the mathematical underlying problem is hard, but works on multilinear maps 36

37 Multilinear Maps

MultiParty Key Exchange (broadcast msg) User i 38

MultiParty Key Exchange Secure under the multilinear Diffie-Hellman assumption: Secure constructions of multilinear maps is questionable 39

DH-Based Key Exchange Previous constructions are built on a generalization of the Diffie-Hellman assumption But GKA protocols can also use DH key exchange as building block 40

DH-Based Key Exchange Ring structure Tree structure 41

Ring-based DH (an example) I.Ingemarsson, D.T.Tang, and C. K. Wong ( A Conference Key Distribution System, 1982) Users are placed in a ring A user talks only to its neighbours 42

Ring-based DH (an example) Round 1 43

Ring-based DH (an example) Round 2 44

Ring-based DH (an example) Round 3 45

Ring-based DH (an example) Round 4 46

Tree-based DH (an example) Y.Kim, A.Perrig, G.Tsudik ( Tree-based Group Key Agreement, 2004) Users are leaves in a (balanced) tree A key is agreed between children of the same node up to the root, which becomes the final group key 47

48 Tree-based DH (an example)

Tree-based DH (an example) Round 1 49

Tree-based DH (an example) Round 2 Round 1 50

Tree-based DH (an example) Round 3 Round 2 Round 1 51

Tree-based DH (an example) The protocol includes support for dynamic groups: Join: a new member is added to the group Leave: a member is removed from the group Merge: 2 groups are merged together Partition: one group is split in 2 groups Key refresh: the group key is refreshed We next explain Leave, as an example 52

53 Tree-based DH (an example)

54 Tree-based DH (an example)

Tree-based DH (an example) Round 2: Each user refreshes its tree of keys 55

GKE Question: What kind of GKE were all these examples, GKA or GKT? Answer: GKA So, let s have a look at GKT and see some attacks! 56

GKT GKC 57

GKT GKC Registered users (insiders) Authorized users (registered) Unregistered users (outsiders) 58

GKT LLKey 1 LLKey 1 LLKey 5 LLKey 4 GKC LLKey 2 LLKey 5 LLKey 3 Registered users (insiders) Authorized users (registered) Unregistered users (outsiders) 59

Yuan et al. GKT Introduced by W. Yuan, L. Hu, H. Li, J. Chu ( An Efficient Password-based Group Key Exchange Protocol Using Secret Sharing, 2013) The long-term key is a password (split in two parts) Has no (real) security proof! 60

GKT pw 4x pw 4y pw 1x pw 1y pw 2x pw 2y GKC pw 1x pw 1y pw 5x pw 5y pw 5x pw 5y pw 3x pw 3y Registered users (insiders) Authorized users (registered) Unregistered users (outsiders) 61

62 Yuan et al. GKT

First Attack Insider attack & Replay attack 63

First Attack GKC Insider Attack 64

First Attack GKC GKC Replay Attack 65

First Attack Session s1 Session s2 66

The Modified Protocol *nonce = number used once 67

68 The Modified Protocol

Second Attack This does not make it secure against an insider attack! Both attacks were introduced by R.F.Olimid ( A Chain of Attacks and Countermeasures Applied to a Group Key Transfer Protocol, 2014) 69

Second Attack GKC Insider Attack 70

Second Attack Session s1 Session s2 71

Formal Security Models Security models formalize the security goals within a precise environment, specifying the trust assumptions, the relations between participants, the adversarial power, the communication medium Security proofs prove a protocol is secure under a specific model 72

Formal Security Models Year Name Info 2001 BCPQ [1] first security model (generalizes existing models for two or three party protocols) 2001 BCP [2] + dynamic groups 2002 BCP+ [3] + strong corruption (i.e. the attacker reveals the ephemeral internal state information of the users instances) 2005 KS [4] security against insider attacks (UC framework) 2009 GBG [5] + KCI (Key Compromise Impersonation) 2011 egbg [6] + EKL (Ephemeral Keys Leakage) 2013 g-eck [7] + EKL in test session (GKE version of eck) More info: [8], [9] Some of the proposed security models: 73

Formal Security Models [1] Bresson, E., Chevassut, O., Pointcheval, D. and Quisquater, J.J., 2001, November. Provably authenticated group Diffie-Hellman key exchange. InProceedings of the 8th ACM conference on Computer and Communications Security (pp. 255-264). [2] Bresson, E., Chevassut, O. and Pointcheval, D., 2001, December. Provably authenticated group Diffie-Hellman key exchange the dynamic case. In International Conference on the Theory and Application of Cryptology and Information Security (pp. 290-309). [3] Bresson, E., Chevassut, O. and Pointcheval, D., 2002, April. Dynamic group Diffie-Hellman key exchange under standard assumptions. In International Conference on the Theory and Applications of Cryptographic Techniques (pp. 321-336). [4] Katz, J. and Shin, J.S., 2005, November. Modeling insider attacks on group key-exchange protocols. In Proceedings of the 12th ACM conference on Computer and communications security (pp. 180-189). [5] Gorantla, M.C., Boyd, C. and Nieto, J.M.G., 2009, March. Modeling key compromise impersonation attacks on group key exchange protocols. In International Workshop on Public Key Cryptography (pp. 105-123). [6] Zhao, J., Gu, D. and Gorantla, M.C., 2011, March. Stronger security model of group key agreement. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (pp. 435-440). [7] Manulis, M., Suzuki, K. and Ustaoglu, B., 2013. Modeling leakage of ephemeral secrets in tripartite/group key exchange. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences,96(1), pp.101-110. [8] Manulis, M. "Survey on Security Requirements and Models for Group Key Exchange." IACR Cryptology eprint Archive 2006 (2006): 388. [9] Manulis, M., 2007. Provably secure group key exchange. Europ. Univ.-Verlag 74

Security Model (an example) M.C. Gorantla, C. Boyd, and J.M.G. Nieto ( Modeling key compromise impersonation attacks on group key exchange protocols, 1982) We talk about AKE (Authenticated Key Exchange) security only 75

Security Model (an example) upper bound for no. (concurrent) sessions ephemeral Correctness: information A GKE (for protocol the current is correct session) if: instance all instances OR of user U have in session accepted; s all instances AND are partnered; terminates long-term all instances key without (certified have a session by computed an key authority) the same session group session keyid (identifies session s) partner id (set of identities U wishes to establish a key with) 76 * index for user and session is distinct, but we have used the same notation i, respectively j

Security Model (an example) Stage 1 Stage 2 Adversary Adversary Adversary A protocol is AKE-secure if the winning probability is negligible close to 1/2. 77

Security Model (an example) Some informal security goals modeled by GBG: Key confidentiality: unauthorized parties cannot recover the key Forward secrecy: the adversary can learn the long-term private keys of the users, but this has no impact on the confidentiality of the keys established in previous sessions of the protocol Known key security: the adversary can learn keys from previous sessions, but this has no impact on the confidentiality of the current session key KCI resilience: the adversary can corrupt the user from the Test query, but it is not able to impersonate any of its partners to him; otherwise freshness fails. 78

Security Model (an example) Game based proofs: Game 0 Game 1 Game n the initial game (w.r.t crypto protocol that will be proven secure) infeasible to win (by a PPT adversary) 79

Thank you! Q&A 80

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback