
The Enemy at home: Malicious insiders in group key exchange protocols

María Isabel González Vasco, Universidad Rey Juan Carlos. Joint work with Jens-Matthias Bohli and Rainer Steinwandt.



  1. The Enemy at home: Malicious insiders in group key exchange protocols. María Isabel González Vasco, Universidad Rey Juan Carlos. Joint work with Jens-Matthias Bohli and Rainer Steinwandt.

  2. Motivation

  3. (Group) Key Establishment Protocols (Practical Aspects of Cryptography) • Allow parties within an insecure network to establish a common session key, which can then be used to secure their future communication. • When the number of parties in the network is n ≥ 2, assuming that all of them are honest can be a rather strong assumption.

  4. An insider… • Can always: • learn the value of the session key computed by a group of which he is a valid member. • May be prevented from: • provoking that two honest users involved in a session end up with different session keys; • provoking that an honest user ends up obliviously sharing a session key with certain parties; • completely determining a session key computed in a group of which he is a valid member.

  5. Model and formal security goals (E. Bresson, O. Chevassut, D. Pointcheval, J.J. Quisquater. Provably Authenticated Group Diffie-Hellman Key Exchange, ACM CCS-8, 2001.)

  6. Setting • Communication network: arbitrary point-to-point connections among participants; non-private and fully asynchronous. • Participants: • Users U_1, …, U_n, identified via long-term key pairs (PK_i, SK_i). • Instances: each user U_i runs instances Π_i^1, …, Π_i^{s_i}. • Variables: each instance Π_i^j holds sid (session identifier), pid (intended partners), sk (session key) and acc (success of the protocol instance).

  7. Adversary • Controls the network fully: may delay, eavesdrop, suppress, alter and insert messages at will. • Control via oracles: • Send(U_i, s_i, M): delivers the message M to instance Π_i^{s_i} and returns the message the instance outputs in response. • Reveal(U_i, s_i): returns the session key sk_i held by instance Π_i^{s_i}.

  8. Adversary (II) • Corrupt(U_i): returns the long-term secret key SK_i of U_i. • Test(U_i, s_i): with probability 1/2 returns the session key sk_i of instance Π_i^{s_i}, and with probability 1/2 a random key.

  9. Security • The Test oracle defines a game: it behaves like Reveal or returns a random key, and the adversary has to guess which case occurred. • Test may only be asked to instances Π_i^{j_i} which are fresh, i.e. no revealed or corrupted instance is partnered with Π_i^{j_i}. • The scheme is secure if the adversary cannot do better than random guessing in the Test game.

  10. Some Attacks motivating our extension of the model

  11. Katz – Yung, CRYPTO 03 • Based upon Burmester and Desmedt’s EUROCRYPT 94 protocol. • Diffie-Hellman setting: G a finite cyclic group of prime order q with public generator g, such that DDH holds in G. • Users {U_1, …, U_n} arranged in a cycle. • Authentication via a strongly unforgeable signature scheme.

  12. Katz – Yung, CRYPTO 03: Round 1 • Each U_i chooses a random nonce t_i and broadcasts M_i := (U_i || t_i) (its neighbours U_{i-1} and U_{i+1} receive it like everybody else). • All users set t := t_1 || … || t_n.

  13. Katz – Yung, CRYPTO 03: Round 2 • Each U_i chooses r_i ∈ Z_q at random, computes z_i = g^{r_i} and broadcasts (M_i, σ_i), where M_i := (1 || z_i || pid || t) and σ_i is U_i's signature on M_i. • Users check the signatures on incoming messages.

  14. Katz – Yung, CRYPTO 03: Round 3 • Each U_i computes X_i = (z_{i+1} / z_{i-1})^{r_i} and broadcasts (M_i, σ_i), where M_i := (2 || X_i || pid || t) and σ_i is U_i's signature on M_i. • Users check the signatures on incoming messages. • Users compute the common secret key sk := (z_{i-1})^{n r_i} · X_i^{n-1} · X_{i+1}^{n-2} ··· X_{i+n-2} = g^{r_1 r_2 + r_2 r_3 + r_3 r_4 + … + r_n r_1}.

  15. Attack • Assume n > 3 and that n and ord(g) are coprime. • The adversarial goal is to force some participants to obliviously compute a different session key (with the same session identifier). • To do so, he corrupts two non-consecutive users (U_1 and U_3). During the first two rounds these users follow the protocol description honestly…

  16. However, in Round 3… (think of n = 4) • U_1 computes X_1 = (z_2/z_4)^{r_1} and U_3 computes X_3 = (z_4/z_2)^{r_3} as prescribed, but they swap the values they send: U_1 signs and sends M_1 := (2 || X_3 || pid || t), while U_3 signs and sends M_3 := (2 || X_1 || pid || t). • It is easy to check that in this case the honest users U_2 and U_4 end up with different session keys (with overwhelming probability): U_2 derives sk · (X_1/X_3)^2 and U_4 derives sk · (X_3/X_1)^2, which coincide only if X_1 = X_3.

  17. Kim, Lee, Lee - ASIACRYPT 2004 • 2-round scheme claimed to “take precautions against illegal members or system faults”. • Similar setting to Katz-Yung: G a finite cyclic group of prime order q with public generator g, such that CDH holds in G, plus the random oracle model. • Users {U_1, …, U_n} arranged in a cycle.

  18. Kim, Lee, Lee - ASIACRYPT 2004: Round 1 • Each U_i (i ≠ n) chooses k_i ∈ {0,1}^k and x_i ∈ Z_q, computes y_i = g^{x_i} and sets M_i := (y_i || pid || 0). • U_n chooses k_n ∈ {0,1}^k and x_n ∈ Z_q, computes y_n = g^{x_n} and sets M_n := (H(k_n || 0) || y_n || pid || 0). • Each user broadcasts (M_i, σ_i), with σ_i a signature on M_i.

  19. Kim, Lee, Lee - ASIACRYPT 2004: Round 2 • Each U_i computes t_i^L = H(y_{i-1}^{x_i} || pid || 0), t_i^R = H(y_{i+1}^{x_i} || pid || 0) and T_i = t_i^L ⊕ t_i^R. • U_i (i ≠ n) sets M_i := (k_i || T_i || pid || 0); U_n sets M_n := (k_n ⊕ t_n^R || T_n || pid || 0). • Each user broadcasts (M_i, σ_i). • Each user checks the signatures on incoming messages and checks T_1 ⊕ T_2 ⊕ … ⊕ T_n = 0. • Users U_i, i ≠ n, recover k_n and check the commitment H(k_n || 0). • All users compute the session key sk = H(k_1 || … || k_n || 0).

  20. Attacks • If session identifiers are constructed as the concatenation of the messages exchanged, an adversary may (without corrupting anyone) provoke a situation where two participants end up with different session identifiers but the same session key. • The attack carried out on the Katz-Yung protocol also applies here in an analogous way. • Corrupting only one participant, an adversary may carry out a successful impersonation attack, namely get participants U_1, U_3, …, U_n (n > 2) to accept a common secret key among U_1, U_2, U_3, …, U_n, although U_2 never took part in the protocol!

  21. Attacks (II) More precisely: • The adversary obtains a protocol transcript of a successful run among U_1, …, U_n. Next, she corrupts U_1. • The adversary initializes unused instances of U_3, …, U_n with pid = {U_1, …, U_n}. • In Round 1 she replays the message U_2 sent in the eavesdropped run (and participates honestly for U_1). • In Round 2 she again replays the message U_2 sent in the eavesdropped run, but now, on behalf of the corrupted U_1, she waits for the other messages and chooses T_1 := T_2 ⊕ … ⊕ T_n, so that the check T_1 ⊕ … ⊕ T_n = 0 passes.

  22. Extended security goals

  23. Session Integrity • Intuition: extend the notion of correctness to the case of active adversaries and malicious insiders. • Definition: a correct group key establishment protocol fulfills integrity if, with overwhelming probability, all instances of honest parties that have accepted a session with the same session identifier sid hold identical session keys and associate this key with the same set of parties pid.

  24. Strong entity authentication • Intuition: if a user accepts a key, the honest parties in his pid were indeed involved in the corresponding session. • Definition: strong entity authentication to an instance Π_i^j is provided if acc = true and, for all honest U_k ∈ pid_i^j, with overwhelming probability there exists an instance Π_k^h with the same sid and such that U_i ∈ pid_k^h.

  25. t-contributory • Intuition: protocol-external communication may be prevented by the environment, so insiders may want control over the session key in order to force it into a certain subset of the key space. • We say a scheme is t-contributory if an adversary corrupting t − 1 parties cannot force the key into a predefined negligible fraction of the key space. (n−1)-contributory key establishment schemes are called key agreement schemes.

  26. Putting it all together… • We say a group key establishment protocol is secure against t malicious participants if it is a correct, (t+1)-contributory protocol that is secure and provides integrity and strong entity authentication to all participating instances.

  27. Some results in the new model

  28. About Katz-Yung CRYPTO 2003 • Suppose that in the Katz-Yung protocol all participants check whether X_1 ··· X_n = 1 before accepting the key. Then, defining sid := pid || t, we obtain a key establishment protocol secure against one malicious participant. • Idea: • Correctness and security follow from the original proof. • Strong entity authentication comes from the new definition of sid, and 2-contributoriness from the fact that the choices of a single user cannot force the key into a predefined negligible fraction of the key space. • Integrity: as sid contains pid, the adversary's only chance is to make participants end up with the same sid but different session keys. However, unless the adversary forges signatures, all honest users share the same X_i values (the n − 1 honest values determine the corrupt one through the product check), and thus end up with the same session key sk := (z_{i-1})^{n r_i} · X_i^{n-1} · X_{i+1}^{n-2} ··· X_{i+n-2}.
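The following Python simulation is an added example, not code from the slides or from the authors' paper. It models Rounds 2 and 3 of the Katz-Yung (Burmester-Desmedt) key computation from slides 12-14 over a toy safe-prime group (p = 2039, q = 1019, g = 4, chosen here; the nonce round and signatures are left out, so the simulator delivers whatever each party hands it). It then reproduces the two-insider swap of slide 16, where honest U_2 and U_4 end up with different keys, and the product check X_1 ··· X_n = 1 of slide 28, which rejects a single insider's tampered X_i but does not detect the two-insider swap, matching the claim of security against one malicious participant only.

```python
import secrets

P, Q, G = 2039, 1019, 4   # toy safe-prime group p = 2q+1, g of prime order q (assumption)
assert pow(G, Q, P) == 1 and G != 1


def inv(a):
    return pow(a, P - 2, P)


def round2(n, r=None):
    """Round 2: every U_i picks r_i in Z_q and broadcasts z_i = g^{r_i}.
    A fixed list r may be supplied to make a run reproducible."""
    if r is None:
        r = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return list(r), [pow(G, ri, P) for ri in r]


def round3(r, z):
    """Round 3: every U_i broadcasts X_i = (z_{i+1} / z_{i-1})^{r_i}, indices mod n."""
    n = len(r)
    return [pow(z[(i + 1) % n] * inv(z[(i - 1) % n]) % P, r[i], P) for i in range(n)]


def session_key(i, r, z, X):
    """sk_i = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i+n-2}."""
    n = len(r)
    k = pow(z[(i - 1) % n], n * r[i], P)
    for j in range(n - 1):
        k = k * pow(X[(i + j) % n], n - 1 - j, P) % P
    return k


def product_check(X):
    """Slide 28's extra acceptance test: X_1 * ... * X_n = 1 in G."""
    acc = 1
    for x in X:
        acc = acc * x % P
    return acc == 1


def honest_run(n, r=None):
    """Returns (keys of all n users, expected g^{r1 r2 + ... + rn r1}, product check)."""
    r, z = round2(n, r)
    X = round3(r, z)
    keys = [session_key(i, r, z, X) for i in range(n)]
    expected = pow(G, sum(r[i] * r[(i + 1) % n] for i in range(n)) % Q, P)
    return keys, expected, product_check(X)


def swap_attack(r=None):
    """Slide 16 with n = 4: corrupted U1 and U3 (indices 0 and 2) run Round 2
    honestly, then each sends the other's X value in Round 3. Honest U2 and U4
    compute sk * (X_1/X_3)^2 and sk * (X_3/X_1)^2, which differ unless X_1 = X_3.
    Returns (sk_2, sk_4, product check); the product is unchanged by the swap."""
    r, z = round2(4, r)
    X = round3(r, z)
    sent = [X[2], X[1], X[0], X[3]]
    return session_key(1, r, z, sent), session_key(3, r, z, sent), product_check(sent)


def single_insider_tamper(n=4):
    """One corrupted user multiplies its X_i by a random g^a with a != 0.
    The product then equals g^a != 1, so the check of slide 28 rejects."""
    r, z = round2(n)
    X = round3(r, z)
    X[0] = X[0] * pow(G, secrets.randbelow(Q - 1) + 1, P) % P
    return product_check(X)
```

The fixed exponents used below for the swap are arbitrary test values; with random exponents the two honest keys coincide only when (r_1 + r_3)(r_2 − r_4) ≡ 0 (mod q), which is the "overwhelming probability" caveat of slide 16 made concrete.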

  29. A secure group key agreement variant of Kim, Lee, Lee, ASIACRYPT 2004 • All participants but U_n send their contribution k_i to the session key in the first round. • The second round is actually a confirmation round in which participants verify that they are constructing the same key. • U_n may attempt a rushing attack: choosing his contribution to the key after seeing k_1, …, k_{n-1}.

  30. Modified Kim, Lee, Lee: Round 1 • Each U_i (i ≠ n) chooses k_i ∈ {0,1}^k and x_i ∈ Z_q, computes y_i = g^{x_i} and sets M_i := (k_i || y_i || pid). • U_n chooses k_n ∈ {0,1}^k and x_n ∈ Z_q, computes y_n = g^{x_n} and sets M_n := (H(k_n) || y_n || pid). • Each user broadcasts (M_i, σ_i). • Each user checks the signatures on incoming messages.

  31. Modified Kim, Lee, Lee: Round 2 • Each U_i computes t_i^L = H(y_{i-1}^{x_i} || pid || 0), t_i^R = H(y_{i+1}^{x_i} || pid || 0), T_i = t_i^L ⊕ t_i^R and sid := H(pid || k_1 || … || k_{n-1} || H(k_n)). • U_i (i ≠ n) sets M_i := (sid || T_i); U_n sets M_n := (k_n ⊕ t_n^R || sid || T_n). • Each user broadcasts (M_i, σ_i). • Each user checks the signatures on incoming messages, checks T_1 ⊕ T_2 ⊕ … ⊕ T_n = 0 and checks that all sids coincide. • Users U_i, i ≠ n, recover k_n and check the commitment H(k_n). • All users compute the session key sk = H(pid || k_1 || … || k_n).

  32. Analysis • Hypotheses: CDH, the random oracle model, and existential unforgeability under adaptive chosen-message attacks of the signature scheme. • Proof ideas: • Correctness: obvious. • Security: CDH + random oracle + security of the signature scheme. • Integrity: if two honest instances accept with the same sid = H(pid || k_1 || … || k_{n-1} || H(k_n)), then by the collision freeness of H they hold the same pid, k_1, …, k_{n-1} and H(k_n), and so the same k_n and the same key. • Agreement: the random oracle's output is uniformly distributed over the key space even if only one of its inputs is random. • Strong entity authentication: the sid is unique, so messages cannot be replayed from a past session.
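The following Python simulation is an added example, not code from the slides or from the authors' paper. It implements the modified Kim-Lee-Lee rounds of slides 30-31 (contributions k_i in Round 1, commitment H(k_n), ring values t_i^L, t_i^R, the XOR check and the sid check) over a toy safe-prime group (p = 2039, q = 1019, g = 4) with SHA-256 truncated to 16 bytes standing in for the random oracle; all of these parameters are assumptions of the example. Signatures are not modelled: the simulator delivers each party's messages unchanged, and the adversary may only re-send messages recorded from an earlier run. It then replays the impersonation attempt of slides 20-21 (U_2's messages replayed, corrupted U_1 rushing T_1 := T_2 ⊕ … ⊕ T_n). With the sid check of slide 31 the honest parties reject, which is the strong entity authentication argument of slide 32; with `check_sid=False`, which approximates the original scheme's checks (XOR test and commitment only), U_3, …, U_n accept a key the adversary can compute although U_2 never took part.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # toy safe-prime group p = 2q+1, g of prime order q (assumption)
KLEN = 16                 # byte length of the contributions k_i and of H's output (toy)


def H(*parts):
    """Random-oracle stand-in: SHA-256 over the |-separated encoding of parts."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
        h.update(b"|")
    return h.digest()[:KLEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """One protocol instance of user pid[i]; U_n is the last entry of pid."""

    def __init__(self, name, pid):
        self.name, self.pid, self.n = name, tuple(pid), len(pid)
        self.i = self.pid.index(name)
        self.k = secrets.token_bytes(KLEN)       # contribution k_i
        self.x = secrets.randbelow(Q - 1) + 1    # x_i in Z_q
        self.y = pow(G, self.x, P)               # y_i = g^{x_i}

    def round1(self):
        # U_n commits to k_n with H(k_n); every other U_i sends k_i in clear.
        if self.i == self.n - 1:
            return {"commit": H(self.k), "y": self.y, "pid": self.pid}
        return {"k": self.k, "y": self.y, "pid": self.pid}

    def round2(self, r1):
        n, i = self.n, self.i
        self.tL = H(pow(r1[(i - 1) % n]["y"], self.x, P), self.pid, 0)
        self.tR = H(pow(r1[(i + 1) % n]["y"], self.x, P), self.pid, 0)
        self.sid = H(self.pid, *[r1[j]["k"] for j in range(n - 1)], r1[n - 1]["commit"])
        msg = {"sid": self.sid, "T": xor(self.tL, self.tR)}
        if i == n - 1:
            msg["masked_k"] = xor(self.k, self.tR)   # k_n xor t_nR
        return msg

    def finish(self, r1, r2, check_sid=True):
        n, i = self.n, self.i
        acc = bytes(KLEN)
        for m in r2:
            acc = xor(acc, m["T"])
        if acc != bytes(KLEN):
            raise ValueError("T_1 xor ... xor T_n != 0")
        if check_sid and any(m["sid"] != self.sid for m in r2):
            raise ValueError("session identifiers do not coincide")
        # t_nR = t_iR xor T_{i+1} xor ... xor T_n, because t_{j+1}L = t_jR.
        t = self.tR
        for j in range(i + 1, n):
            t = xor(t, r2[j]["T"])
        kn = xor(r2[n - 1]["masked_k"], t)
        if H(kn) != r1[n - 1]["commit"]:
            raise ValueError("commitment to k_n does not open")
        ks = [r1[j]["k"] for j in range(n - 1)] + [kn]
        return self.sid, H(self.pid, *ks)


def run(pid, parties):
    r1 = [p.round1() for p in parties]
    r2 = [p.round2(r1) for p in parties]
    return [p.finish(r1, r2) for p in parties], r1, r2


def honest_run(n=4):
    """True iff all n instances accept the same sid and the same key."""
    pid = tuple(f"U{j + 1}" for j in range(n))
    results, _, _ = run(pid, [Party(u, pid) for u in pid])
    return len({s for s, _ in results}) == 1 and len({k for _, k in results}) == 1


def replay_attempt(n=4, check_sid=True):
    """Adversary corrupting U1 replays U2's messages from an eavesdropped run into
    a fresh session among U1, U3, ..., Un; U2 takes no part. Returns the error
    string raised by the honest parties, or True if they all accept a key that
    the adversary can compute."""
    pid = tuple(f"U{j + 1}" for j in range(n))
    _, old_r1, old_r2 = run(pid, [Party(u, pid) for u in pid])   # eavesdropped run
    u1, honest = Party("U1", pid), [Party(u, pid) for u in pid[2:]]
    r1 = [u1.round1(), old_r1[1]] + [p.round1() for p in honest]
    r2 = [u1.round2(r1), old_r2[1]] + [p.round2(r1) for p in honest]
    T1 = bytes(KLEN)                 # rushing: U1 waits for the others, then
    for m in r2[1:]:                 # sends T_1 := T_2 xor ... xor T_n
        T1 = xor(T1, m["T"])
    r2[0] = dict(r2[0], T=T1)
    try:
        keys = {p.finish(r1, r2, check_sid)[1] for p in honest}
    except ValueError as e:
        return str(e)
    kn = xor(r2[n - 1]["masked_k"], u1.tL)        # U1 knows t_nR = t_1L
    adv_key = H(pid, *[r1[j]["k"] for j in range(n - 1)], kn)
    return keys == {adv_key}
```

Note that in the accepting case the XOR check and the commitment check both pass: the chain used to recover t_n^R only involves the T_j of parties after the verifier in the ring, all of which are honest. What stops the replay in the modified scheme is solely that U_2's recorded Round 2 message carries the old sid, which no longer matches the sid the fresh instances derived from the new contributions.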
