Group Key Establishment...
Transcript of Group Key Establishment...
-
Group Key Establishment ProtocolsRuxandra F. Olimid
EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016
July 14, 2016 Sinaia, Romania
-
2
Outline
1. Context and Motivation 2. Classifications 3. Properties 4. Constructions 5. Attacks and Security
-
3
Scenarios
Many-to-Many One-to-Many
-
4
Scenarios
Many-to-Many One-to-Many
• Similar roles for all users • “Peer-to-peer”
communication • E.g.: Virtual conference
• Different roles • No communication
between peers • E.g.: Pay TV
-
5
Goals
Many-to-Many One-to-Many
General goals for group applications / services: • Correctness • Availability • Performance • Efficiency (computation, power consumptions, etc.) • Security aspects: confidentiality, authentication, access
control, anonymity …
-
6
Authentication
1. Group Authentication e.g.: a message is authenticated as sent by someone from the group
2. User Authentication e.g.: a message is authenticated as sent by a specific user inside the group
-
7
Confidentiality
• We focus on confidentiality
Question: How can we achieve confidentiality ?
Answer: by using encryption
Question: What do we need to encrypt ?Answer: a (set of) key(s)
Question: What makes it different for groups?
Answer: ...
-
8
Group Key
• Solution 1: one single key for all users
Question: What could go wrong?
Answer: users might leave or join the group
-
9
Group Key
• Solution 2: distinct keys for all pairs of communication parties or public key crypto
Question: What could go wrong?
Answer: too many keys to store securely / slow communication
-
10
Group Key Establishment (GKE)
• GKE Protocols: protocols used for the establishment, distribution and management of keys in groups (i.e. more than 2 users)
There is no single solution suitable for all scenarios!
• Criteria: – Senders type: anyone can be a sender vs. privileged users send only – Group size and group scalability: small (e.g.: small video group) vs.
very large (e.g.: broadcast TV) – Users’ availability: always online vs. sometimes offline – Membership dynamics: static vs. dynamic groups – Others: traffic volume, performance, power capabilities, ...
-
11
GKE Classification
GKA (Group Key Agreement) GKT (Group Key Transfer)
sk
sksk
sk sk
sk
sk sk sk sk
-
12
Scenarios
GKA (Group Key Agreement)
GKT (Group Key Transfer)
• All users participate to key generation
• Multiple points of trust
• A privileged user (group manager / KGC*) selects a key and securely distributes it to the users
• Single point of trust
sk
sksk
sk sk
sk
sk sk sk sk
*KGC = Key Generation Center
-
13
GKE Requirements
• Scalability: accept group size changes (while maintaining efficiency), allowing users to leave and join the group (while maintaining security), etc.
This talk focuses on security
• Independence: maintain independency from the underlying multicast routing protocol or technology
• Reliability: ensure timely delivery of the key to intended recipients
• Others...
-
14
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
-
15
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
(also called key privacy, key secrecy or non-disclosure) guarantees that is (computationally) infeasible for an adversary to compute the group key
-
16
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
(stronger notions for key confidentiality) assure that key privacy holds regardless of the adversary’s knowledge on (session or long-term) keys from other rounds of the protocol / the adversary’s actions in future or past rounds of the protocol
-
17
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
assures that the key is new, i.e. it has not been used before
-
18
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
imposes that no correlation exists between keys from different sessions
-
19
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
key randomness warrants indistinguishability from a random number and hence unpredictability
-
20
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
prevents distinct users to accept different keys
-
21
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
confirms the identity of a user
-
22
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...prevents an attacker who owns the long-term key
of a user to impersonate other parties to him (i.e. accepts honest parties as peers even if they are not)
-
23
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
avoids an adversary to recover the group key even if it discloses the long-term keys and ephemeral keys of parties involved except both these values for the participants in the test session
-
24
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
limits the possible owners of the group key to the legitimate users
-
25
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
certifies that all authorized members actually have the key
-
26
Security Goals
• Key confidentiality • Known key security • Forward security • Backward security • ...
• Entity authentication • Key compromise
impersonation resilience • Ephemeral key leakage
resilience • ...
• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...
• Key authentication • Key confirmation • Mutual authentication • ...
(also called explicit key authentication, it combines key confirmation and key authentication) ensures that all qualified users to the protocol have actually computed the group key and no one else except them has
-
27
Adversaries
• Group membership: – Insiders: users registered to the group but unauthorized for a given
session; – Outsiders: users not registered to the group
• Actions: – Passive: eavesdrop on the communication channel – Active: insert, delete, change messages on the communication
channel
• Types of attacks: – Man-in-the-middle, replay attack (we will see both later on), known
key attack, DoS, etc.
-
28
GKE
Question: How to design GKE?
Answer: the natural approach is to start from 2 parties protocols and extend to 3, 4, 5, ...
So, let’s start from the popular Diffie-Hellman key exchange
-
29
Diffie-Hellman Key Exchange
• Introduced by W.Diffie and M.Hellman (‘New directions in Cryptography’, 1976)
• Does not assure authentication
• Relies its security proof on the assumption that the mathematical underlying problem is hard
-
30
Diffie-Hellman Key Exchange
Alice Bob
-
31
Man-in-the-Middle Attack
Alice Bob
Oscar/Eve
-
32
Joux 3-Party Key Exchange
• Introduced by A. Joux (‘A One Round Protocol for Tripartite Diffie–Hellman’, 2000)
• Does not assure authentication, so it remains vulnerable to man-in-the-middle attacks
• Relies its security on the assumption that the mathematical underlying problem is hard, but works on bilinear pairs
-
33
Bilinear Pairs
-
34
Joux 3-Party Key Exchange
Alice Bob
Charlie
-
35
Joux 3-Party Key Exchange
• Secure under the bilinear Diffie-Hellman assumption:
• Constructions for bilinear maps: Weil pairing, Tate pairing
-
36
MultiParty Key Exchange
• Introduced by D.Boneh and A.Silverberg (‘Applications of Multilinear Forms to Cryptography’, 2002)
• Does not assume authentication, so it remains vulnerable to man-in-the-middle attacks
• Relies its security on the assumption that the mathematical underlying problem is hard, but works on multilinear maps
-
37
Multilinear Maps
-
38
MultiParty Key Exchange
User i
(broadcast msg)
-
39
MultiParty Key Exchange
• Secure under the multilinear Diffie-Hellman assumption:
• Secure constructions of multilinear maps is questionable
-
40
DH-Based Key Exchange
• Previous constructions are built on a generalization of the Diffie-Hellman assumption
• But GKA protocols can also use DH key exchange as building block
-
41
DH-Based Key Exchange
Ring structure
sk
sksk
sk sk
Tree structure
sk sk sk sk
sk
-
42
Ring-based DH (an example)
• I.Ingemarsson, D.T.Tang, and C. K. Wong (‘A Conference Key Distribution System’, 1982)
• Users are placed in a ring
• A user talks only to its neighbours sk
sksk
sk sk
-
43
Ring-based DH (an example)
Round 1
-
44
Ring-based DH (an example)
Round 2
-
45
Ring-based DH (an example)
Round 3
-
46
Ring-based DH (an example)
Round 4
-
47
Tree-based DH (an example)
• Y.Kim, A.Perrig, G.Tsudik (‘Tree-based Group Key Agreement’, 2004)
• Users are leaves in a (balanced) tree
• A key is agreed between children of the same node up to the root, which becomes the final group key
sk sk sk sk
sk
-
48
Tree-based DH (an example)
-
49
Tree-based DH (an example)
Round 1
-
50
Tree-based DH (an example)
Round 1
Round 2
-
51
Tree-based DH (an example)
Round 1
Round 2
Round 3
-
52
Tree-based DH (an example)
• The protocol includes support for dynamic groups: – Join: a new member is added to the group – Leave: a member is removed from the group – Merge: 2 groups are merged together – Partition: one group is split in 2 groups – Key refresh: the group key is refreshed
• We next explain Leave, as an example
sk sk sk sk
sk
-
53
Tree-based DH (an example)
-
54
Tree-based DH (an example)
-
55
Tree-based DH (an example)
Round 2: Each user refreshes its tree of keys
-
56
GKE
Question: What kind of GKE were all these examples, GKA or GKT?
Answer: GKA
So, let’s have a look at GKT and see some attacks!
-
57
GKT
GKCsk
sk
sk
sk
-
58
GKT
GKCsk
sk
sk
sk
Authorized users (registered)
Registered users (insiders)
Unregistered users (outsiders)
-
59
GKT
GKCsk
sk
sk
sk
Authorized users (registered)
Registered users (insiders)
Unregistered users (outsiders)
LLKey1
LLKey2
LLKey3
LLKey4
LLKey5
LLKey1…
LLKey5
-
60
Yuan et al. GKT
• Introduced by W. Yuan, L. Hu, H. Li, J. Chu (‘An Efficient Password-based Group Key Exchange Protocol Using Secret Sharing’, 2013)
• The long-term key is a password (split in two parts)
• Has no (real) security proof!
-
61
GKT
GKCsk
sk
sk
sk
Authorized users (registered)
Registered users (insiders)
Unregistered users (outsiders)
pw1x||pw1y
…
pw2x||pw2y
pw3x||pw3y
pw4x||pw4y
pw5x||pw5y
pw1x||pw1y
pw5x||pw5y
-
62
Yuan et al. GKT
-
63
First Attack
Insider attack & Replay attack
-
64
First Attack
GKCsk
sk
sk
sksk
Insider Attack
-
65
First Attack
GKC
Replay Attack
GKC
-
66
First Attack
Session s2Session s1
-
67
The Modified Protocol
*nonce = number used once
-
68
The Modified Protocol
-
69
Second Attack
This does not make it secure against an insider attack!
• Both attacks were introduced by R.F.Olimid (‘A Chain of Attacks and Countermeasures Applied to a Group Key Transfer Protocol’, 2014)
-
70
Second Attack
GKCsk
sk
sk
sksk
Insider Attack
-
71
Second Attack
Session s2Session s1
-
72
Formal Security Models• Security models formalize the security goals …
… within a precise environment, specifying… … the trust assumptions, … … the relations between participants, … … the adversarial power, … … the communication medium …
• Security proofs … … prove a protocol is secure under a specific model
-
73
Formal Security Models
Year Name Info2001 BCPQ [1] first security model (generalizes existing
models for two or three party protocols)2001 BCP [2] + dynamic groups2002 BCP+ [3] + strong corruption (i.e. the attacker reveals
the ephemeral internal state information of the users’ instances)
2005 KS [4] security against insider attacks (UC framework)
2009 GBG [5] + KCI (Key Compromise Impersonation)
2011 eGBG [6] + EKL (Ephemeral Keys Leakage)2013 g-eCK [7] + EKL in test session (GKE version of eCK)
More info: [8], [9]
Some of the proposed security models:
-
74
Formal Security Models[1] Bresson, E., Chevassut, O., Pointcheval, D. and Quisquater, J.J., 2001, November. Provably authenticated group Diffie-Hellman key exchange. InProceedings of the 8th ACM conference on Computer and Communications Security (pp. 255-264). [2] Bresson, E., Chevassut, O. and Pointcheval, D., 2001, December. Provably authenticated group Diffie-Hellman key exchange—the dynamic case. In International Conference on the Theory and Application of Cryptology and Information Security (pp. 290-309). [3] Bresson, E., Chevassut, O. and Pointcheval, D., 2002, April. Dynamic group Diffie-Hellman key exchange under standard assumptions. In International Conference on the Theory and Applications of Cryptographic Techniques (pp. 321-336). [4] Katz, J. and Shin, J.S., 2005, November. Modeling insider attacks on group key-exchange protocols. In Proceedings of the 12th ACM conference on Computer and communications security (pp. 180-189). [5] Gorantla, M.C., Boyd, C. and Nieto, J.M.G., 2009, March. Modeling key compromise impersonation attacks on group key exchange protocols. In International Workshop on Public Key Cryptography (pp. 105-123). [6] Zhao, J., Gu, D. and Gorantla, M.C., 2011, March. Stronger security model of group key agreement. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (pp. 435-440). [7] Manulis, M., Suzuki, K. and Ustaoglu, B., 2013. Modeling leakage of ephemeral secrets in tripartite/group key exchange. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences,96(1), pp.101-110. [8] Manulis, M. "Survey on Security Requirements and Models for Group Key Exchange." IACR Cryptology ePrint Archive 2006 (2006): 388. [9] Manulis, M., 2007. Provably secure group key exchange. Europ. Univ.-Verlag
-
75
Security Model (an example)
• M.C. Gorantla, C. Boyd, and J.M.G. Nieto (‘Modeling key compromise impersonation attacks on group key exchange protocols’, 1982)
• We talk about AKE (Authenticated Key Exchange) security only
-
76
upper bound for no. (concurrent) sessions
instance of user U in session s
session id (identifies session s)
partner id (set of identities U wishes to establish a key with)
terminates without a session keyOR
ephemeral information (for the current session)
long-term key (certified by an authority)AND
Correctness: A GKE protocol is correct if: • all instances have accepted; • all instances are partnered; • all instances have computed the same session group
key
Security Model (an example)
* index for user and session is distinct, but we have used the same notation i, respectively j
-
77
Security Model (an example)Stage 1
Adversary
Adversary
A protocol is AKE-secure if the winning probability is negligible close to 1/2.
Stage 2
Adversary
-
78
Security Model (an example)
• Key confidentiality: unauthorized parties cannot recover the key
• Forward secrecy: the adversary can learn the long-term private keys of the users, but this has no impact on the confidentiality of the keys established in previous sessions of the protocol
• Known key security: the adversary can learn keys from previous sessions, but this has no impact on the confidentiality of the current session key
• KCI resilience: the adversary can corrupt the user from the Test query, but it is not able to impersonate any of its partners to him; otherwise freshness fails.
Some informal security goals modeled by GBG:
-
79
Security Model (an example)
Game based proofs:
Game 0…
Game 1 Game n
the initial game (w.r.t crypto protocol that
will be proven secure)
infeasible to win (by a PPT adversary)
-
80
Thank you!
Q&A