Group Key Establishment...

Group Key Establishment ProtocolsRuxandra F. Olimid

EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016

July 14, 2016 Sinaia, Romania

2

Outline

1. Context and Motivation 2. Classifications 3. Properties 4. Constructions 5. Attacks and Security

3

Scenarios

Many-to-Many One-to-Many

4

Scenarios


• Similar roles for all users • “Peer-to-peer”

communication • E.g.: Virtual conference

• Different roles • No communication

between peers • E.g.: Pay TV

5

Goals


General goals for group applications / services: • Correctness • Availability • Performance • Efficiency (computation, power consumptions, etc.) • Security aspects: confidentiality, authentication, access

control, anonymity …

6

Authentication

1. Group Authentication e.g.: a message is authenticated as sent by someone from the group

2. User Authentication e.g.: a message is authenticated as sent by a specific user inside the group

7

Confidentiality

• We focus on confidentiality

Question: How can we achieve confidentiality ?

Answer: by using encryption

Question: What do we need to encrypt ?Answer: a (set of) key(s)

Question: What makes it different for groups?

Answer: ...

8

Group Key

• Solution 1: one single key for all users

Question: What could go wrong?

Answer: users might leave or join the group

9

Group Key

• Solution 2: distinct keys for all pairs of communication parties or public key crypto

Question: What could go wrong?

Answer: too many keys to store securely / slow communication

10

Group Key Establishment (GKE)

• GKE Protocols: protocols used for the establishment, distribution and management of keys in groups (i.e. more than 2 users)

There is no single solution suitable for all scenarios!

• Criteria: – Senders type: anyone can be a sender vs. privileged users send only – Group size and group scalability: small (e.g.: small video group) vs.

very large (e.g.: broadcast TV) – Users’ availability: always online vs. sometimes offline – Membership dynamics: static vs. dynamic groups – Others: traffic volume, performance, power capabilities, ...

11

GKE Classification

GKA (Group Key Agreement) GKT (Group Key Transfer)

sk

sksk

sk sk

sk

sk sk sk sk

12

Scenarios

GKA (Group Key Agreement)

GKT (Group Key Transfer)

• All users participate to key generation

• Multiple points of trust

• A privileged user (group manager / KGC*) selects a key and securely distributes it to the users

• Single point of trust

sk

sksk

sk sk

sk

sk sk sk sk

*KGC = Key Generation Center

13

GKE Requirements

• Scalability: accept group size changes (while maintaining efficiency), allowing users to leave and join the group (while maintaining security), etc.

This talk focuses on security

• Independence: maintain independency from the underlying multicast routing protocol or technology

• Reliability: ensure timely delivery of the key to intended recipients

• Others...

14

Security Goals

• Key confidentiality • Known key security • Forward security • Backward security • ...

• Entity authentication • Key compromise

impersonation resilience • Ephemeral key leakage

resilience • ...

• Key freshness • Key independence • Key randomness • Key indistinguishability • Key unpredictability • Key consistency • ...

• Key authentication • Key confirmation • Mutual authentication • ...

15

Security Goals




resilience • ...



(also called key privacy, key secrecy or non-disclosure) guarantees that is (computationally) infeasible for an adversary to compute the group key

16

Security Goals




resilience • ...



(stronger notions for key confidentiality) assure that key privacy holds regardless of the adversary’s knowledge on (session or long-term) keys from other rounds of the protocol / the adversary’s actions in future or past rounds of the protocol

17

Security Goals




resilience • ...



assures that the key is new, i.e. it has not been used before

18

Security Goals




resilience • ...



imposes that no correlation exists between keys from different sessions

19

Security Goals




resilience • ...



key randomness warrants indistinguishability from a random number and hence unpredictability

20

Security Goals




resilience • ...



prevents distinct users to accept different keys

21

Security Goals




resilience • ...



confirms the identity of a user

22

Security Goals




resilience • ...


• Key authentication • Key confirmation • Mutual authentication • ...prevents an attacker who owns the long-term key

of a user to impersonate other parties to him (i.e. accepts honest parties as peers even if they are not)

23

Security Goals




resilience • ...



avoids an adversary to recover the group key even if it discloses the long-term keys and ephemeral keys of parties involved except both these values for the participants in the test session

24

Security Goals




resilience • ...



limits the possible owners of the group key to the legitimate users

25

Security Goals




resilience • ...



certifies that all authorized members actually have the key

26

Security Goals




resilience • ...



(also called explicit key authentication, it combines key confirmation and key authentication) ensures that all qualified users to the protocol have actually computed the group key and no one else except them has

27

Adversaries

• Group membership: – Insiders: users registered to the group but unauthorized for a given

session; – Outsiders: users not registered to the group

• Actions: – Passive: eavesdrop on the communication channel – Active: insert, delete, change messages on the communication

channel

• Types of attacks: – Man-in-the-middle, replay attack (we will see both later on), known

key attack, DoS, etc.

28

GKE

Question: How to design GKE?

Answer: the natural approach is to start from 2 parties protocols and extend to 3, 4, 5, ...

So, let’s start from the popular Diffie-Hellman key exchange

29

Diffie-Hellman Key Exchange

• Introduced by W.Diffie and M.Hellman (‘New directions in Cryptography’, 1976)

• Does not assure authentication

• Relies its security proof on the assumption that the mathematical underlying problem is hard

30

Diffie-Hellman Key Exchange

Alice Bob

31

Man-in-the-Middle Attack

Alice Bob

Oscar/Eve

32

Joux 3-Party Key Exchange

• Introduced by A. Joux (‘A One Round Protocol for Tripartite Diffie–Hellman’, 2000)

• Does not assure authentication, so it remains vulnerable to man-in-the-middle attacks

• Relies its security on the assumption that the mathematical underlying problem is hard, but works on bilinear pairs

33

Bilinear Pairs

34


Alice Bob

Charlie

35


• Secure under the bilinear Diffie-Hellman assumption:

• Constructions for bilinear maps: Weil pairing, Tate pairing

36

MultiParty Key Exchange

• Introduced by D.Boneh and A.Silverberg (‘Applications of Multilinear Forms to Cryptography’, 2002)

• Does not assume authentication, so it remains vulnerable to man-in-the-middle attacks

• Relies its security on the assumption that the mathematical underlying problem is hard, but works on multilinear maps

37

Multilinear Maps

38


User i

(broadcast msg)

39


• Secure under the multilinear Diffie-Hellman assumption:

• Secure constructions of multilinear maps is questionable

40

DH-Based Key Exchange

• Previous constructions are built on a generalization of the Diffie-Hellman assumption

• But GKA protocols can also use DH key exchange as building block

41

DH-Based Key Exchange

Ring structure

sk

sksk

sk sk

Tree structure

sk sk sk sk

sk

42

Ring-based DH (an example)

• I.Ingemarsson, D.T.Tang, and C. K. Wong (‘A Conference Key Distribution System’, 1982)

• Users are placed in a ring

• A user talks only to its neighbours sk

sksk

sk sk

43


Round 1

44


Round 2

45


Round 3

46


Round 4

47

Tree-based DH (an example)

• Y.Kim, A.Perrig, G.Tsudik (‘Tree-based Group Key Agreement’, 2004)

• Users are leaves in a (balanced) tree

• A key is agreed between children of the same node up to the root, which becomes the final group key

sk sk sk sk

sk

48


49


Round 1

50


Round 1

Round 2

51


Round 1

Round 2

Round 3

52


• The protocol includes support for dynamic groups: – Join: a new member is added to the group – Leave: a member is removed from the group – Merge: 2 groups are merged together – Partition: one group is split in 2 groups – Key refresh: the group key is refreshed

• We next explain Leave, as an example

sk sk sk sk

sk

53


54


55


Round 2: Each user refreshes its tree of keys

56

GKE

Question: What kind of GKE were all these examples, GKA or GKT?

Answer: GKA

So, let’s have a look at GKT and see some attacks!

57

GKT

GKCsk

sk

sk

sk

58

GKT

GKCsk

sk

sk

sk

Authorized users (registered)

Registered users (insiders)

Unregistered users (outsiders)

59

GKT

GKCsk

sk

sk

sk




LLKey1

LLKey2

LLKey3

LLKey4

LLKey5

LLKey1…

LLKey5

60

Yuan et al. GKT

• Introduced by W. Yuan, L. Hu, H. Li, J. Chu (‘An Efficient Password-based Group Key Exchange Protocol Using Secret Sharing’, 2013)

• The long-term key is a password (split in two parts)

• Has no (real) security proof!

61

GKT

GKCsk

sk

sk

sk




pw1x||pw1y

…

pw2x||pw2y

pw3x||pw3y

pw4x||pw4y

pw5x||pw5y

pw1x||pw1y

pw5x||pw5y

62

Yuan et al. GKT

63

First Attack

Insider attack & Replay attack

64

First Attack

GKCsk

sk

sk

sksk

Insider Attack

65

First Attack

GKC

Replay Attack

GKC

66

First Attack

Session s2Session s1

67

The Modified Protocol

*nonce = number used once

68

The Modified Protocol

69

Second Attack

This does not make it secure against an insider attack!

• Both attacks were introduced by R.F.Olimid (‘A Chain of Attacks and Countermeasures Applied to a Group Key Transfer Protocol’, 2014)

70

Second Attack

GKCsk

sk

sk

sksk

Insider Attack

71

Second Attack

Session s2Session s1

72

Formal Security Models• Security models formalize the security goals …

… within a precise environment, specifying… … the trust assumptions, … … the relations between participants, … … the adversarial power, … … the communication medium …

• Security proofs … … prove a protocol is secure under a specific model

73

Formal Security Models

Year Name Info2001 BCPQ [1] first security model (generalizes existing

models for two or three party protocols)2001 BCP [2] + dynamic groups2002 BCP+ [3] + strong corruption (i.e. the attacker reveals

the ephemeral internal state information of the users’ instances)

2005 KS [4] security against insider attacks (UC framework)

2009 GBG [5] + KCI (Key Compromise Impersonation)

2011 eGBG [6] + EKL (Ephemeral Keys Leakage)2013 g-eCK [7] + EKL in test session (GKE version of eCK)

More info: [8], [9]

Some of the proposed security models:

74

Formal Security Models[1] Bresson, E., Chevassut, O., Pointcheval, D. and Quisquater, J.J., 2001, November. Provably authenticated group Diffie-Hellman key exchange. InProceedings of the 8th ACM conference on Computer and Communications Security (pp. 255-264). [2] Bresson, E., Chevassut, O. and Pointcheval, D., 2001, December. Provably authenticated group Diffie-Hellman key exchange—the dynamic case. In International Conference on the Theory and Application of Cryptology and Information Security (pp. 290-309). [3] Bresson, E., Chevassut, O. and Pointcheval, D., 2002, April. Dynamic group Diffie-Hellman key exchange under standard assumptions. In International Conference on the Theory and Applications of Cryptographic Techniques (pp. 321-336). [4] Katz, J. and Shin, J.S., 2005, November. Modeling insider attacks on group key-exchange protocols. In Proceedings of the 12th ACM conference on Computer and communications security (pp. 180-189). [5] Gorantla, M.C., Boyd, C. and Nieto, J.M.G., 2009, March. Modeling key compromise impersonation attacks on group key exchange protocols. In International Workshop on Public Key Cryptography (pp. 105-123). [6] Zhao, J., Gu, D. and Gorantla, M.C., 2011, March. Stronger security model of group key agreement. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (pp. 435-440). [7] Manulis, M., Suzuki, K. and Ustaoglu, B., 2013. Modeling leakage of ephemeral secrets in tripartite/group key exchange. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences,96(1), pp.101-110. [8] Manulis, M. "Survey on Security Requirements and Models for Group Key Exchange." IACR Cryptology ePrint Archive 2006 (2006): 388. [9] Manulis, M., 2007. Provably secure group key exchange. Europ. Univ.-Verlag

75

Security Model (an example)

• M.C. Gorantla, C. Boyd, and J.M.G. Nieto (‘Modeling key compromise impersonation attacks on group key exchange protocols’, 1982)

• We talk about AKE (Authenticated Key Exchange) security only

76

upper bound for no. (concurrent) sessions

instance of user U in session s

session id (identifies session s)

partner id (set of identities U wishes to establish a key with)

terminates without a session keyOR

ephemeral information (for the current session)

long-term key (certified by an authority)AND

Correctness: A GKE protocol is correct if: • all instances have accepted; • all instances are partnered; • all instances have computed the same session group

key


* index for user and session is distinct, but we have used the same notation i, respectively j

77

Security Model (an example)Stage 1

Adversary

Adversary

A protocol is AKE-secure if the winning probability is negligible close to 1/2.

Stage 2

Adversary

78


• Key confidentiality: unauthorized parties cannot recover the key

• Forward secrecy: the adversary can learn the long-term private keys of the users, but this has no impact on the confidentiality of the keys established in previous sessions of the protocol

• Known key security: the adversary can learn keys from previous sessions, but this has no impact on the confidentiality of the current session key

• KCI resilience: the adversary can corrupt the user from the Test query, but it is not able to impersonate any of its partners to him; otherwise freshness fails.

Some informal security goals modeled by GBG:

79


Game based proofs:

Game 0…

Game 1 Game n

the initial game (w.r.t crypto protocol that

will be proven secure)

infeasible to win (by a PPT adversary)

80

Thank you!

Q&A

Group Key Establishment...

Documents

Transcript of Group Key Establishment...