A Security Analysis of Cliques Protocols Suites. Olivier Pereira, Jean-Jacques Quisquater, UCL Crypto Group (© UCL Crypto group, Sep-15).

What are Cliques Protocols?
– A suite of Group Key Agreement protocols
– We concentrate on the A-GDH.2 suite: Authenticated Group Diffie-Hellman.2
– Main protocol: key generation
– Several subprotocols: member adding (A-GDH.2-MA), member deleting, group splitting, fusion of groups, ...

The A-GDH.2 Protocols
– All protocols rest on a single hardness assumption, the Diffie-Hellman problem: knowing $\alpha^x$ and $\alpha^y$ (mod p), it is difficult to compute $\alpha^{xy}$ (mod p). (The slide calls this the Decision problem; as stated, computing $\alpha^{xy}$, it is the computational Diffie-Hellman problem. The decisional version, distinguishing $\alpha^{xy}$ from a random element, is the stronger assumption the protocols' security arguments rely on, and the one the Limitations slide below refers to.)
– All arithmetic is performed in a cyclic group G, the subgroup of prime order q of $\mathbb{Z}_p^*$ (arithmetic mod p); $\alpha$ is a generator of G, so exponents can be reduced mod q
– Each pair of users $(M_i, M_j)$ shares a long-term key $K_{ij}$

The Key-Generation Protocol (four members)
– $r_i$ are random exponents chosen by $M_i$
– $M_1 \to M_2$: $\alpha,\ \alpha^{r_1}$
– $M_2 \to M_3$: $\alpha^{r_1},\ \alpha^{r_2},\ \alpha^{r_1 r_2}$
– $M_3 \to M_4$: $\alpha^{r_1 r_2},\ \alpha^{r_1 r_3},\ \alpha^{r_2 r_3},\ \alpha^{r_1 r_2 r_3}$
– $M_4$ broadcasts: $\alpha^{r_2 r_3 r_4 K_{14}},\ \alpha^{r_1 r_3 r_4 K_{24}},\ \alpha^{r_1 r_2 r_4 K_{34}}$
– The shared key is $\alpha^{r_1 r_2 r_3 r_4} = (\alpha^{r_1 r_2 r_3})^{r_4} = (\alpha^{r_2 r_3 r_4 K_{14}})^{r_1 K_{14}^{-1}} = (\alpha^{r_1 r_3 r_4 K_{24}})^{r_2 K_{24}^{-1}} = \dots$, where $K_{i4}^{-1}$ is the inverse of $K_{i4}$ mod q

Intended Security Properties
– Implicit Key Authentication: a user that is not a member of the group cannot obtain the view of the key held by any of the honest users
– Perfect Forward Secrecy: the compromise of long-term key(s) cannot result in the discovery of past session keys
– Resistance to Known-Key Attacks: the compromise of past session keys cannot make it possible to impersonate honest parties in later sessions

Intended Security Properties (cont.)
– All these properties must hold in the presence of an active attacker that is able to
  – intercept messages
  – delete messages
  – replay messages
  – substitute parts of messages
  – ...
– Only informal arguments are given to justify these properties

Two Approaches to Verification
– Cryptographic: random oracle paradigm; messages as strings of bits; probabilistic security properties
– Formal: use of logics, state exploration, nominal calculi, ...; symbolic representation of messages; formal expression of security properties

Two Approaches to Verification (II)
– The "computational" nature of these protocols (exponentiations rather than encryptions) makes them perhaps closer to the "cryptographic" approaches (already used for A-DH, ...)
– We are trying to adapt ideas from the "formal" community
– Several notions are close to the Strand Space approach
– Intuitive...

Messages and Intruder's Knowledge
– Three types of elements are manipulated:
  – random numbers: $r_i$
  – long-term keys: $K_{ij}$
  – elements of G, expressed as $\alpha$ raised to a power that is a product of elements of the two first types
– Behaviour of honest users:
  – "blind" reception of a sequence of powers of $\alpha$
  – exponentiation of these elements with random numbers and long-term keys

Messages and Intruder's Knowledge (II)
– The group key is generated in the same way
– Each member of the group computes the key, but has no confirmation of its value
– We write $S_n(M_i)$ for $M_i$'s view of the group key
– No correspondence properties are intended between the views of the different users

Intended Security Properties (cont.)
– Implicit Key Authentication
  – The secret is not a value
  – The secret is the possession of a pair of values that stand in a particular relation to each other. The relation is the secret!
– Example: key computation in the Key-Generation Protocol. $M_n \to M_i$: $\alpha^x$; $M_i$ then computes $\alpha^{x r_i K_{in}^{-1}} = S_n(M_i)$. The result of this computation is intended to be secret... so any pair $(\alpha^x, \alpha^{x r_i K_{in}^{-1}})$ can be used to attack $M_i$!

Messages and Intruder's Knowledge (III)
– Two interesting sets of elements:
  – E = the set of the long-term keys and of the random numbers
  – R = the set of all possible ratios between products of elements of E
– The set R is used to model the connection between powers of $\alpha$
– Example: the ratio corresponding to the secret of $M_1$ is $r_1 K_{1n}^{-1}$

Limitations of this Scheme
– We consider G as infinite
  – but G is very large...
– Our scheme does not allow the discovery of attacks that use connections between more than two elements of G
  – but all secrets can be expressed as connections between two elements...
– We do not capture the possibility of combining two powers of $\alpha$ to obtain a new useful power of $\alpha$
  – but the (generalised) DDH problem is hard...

Intruder's Capabilities
– Capabilities in terms of elements of E and R
  – Let $E_I$ and $R_I$ be the subsets of elements of E and R known by the intruder
  – First rule, exponentiation: (1) if $e \in E_I$ and $r \in R_I$ then $r \cdot e \in R_I$ and $r \cdot e^{-1} \in R_I$
– Example: if the intruder knows $\alpha^x$ and $\alpha^{xy}$, we model this by $y \in R_I$. If he also knows $e \in E_I$, he can compute $\alpha^{xye}$ and $\alpha^{xy e^{-1}}$, so $y \cdot e \in R_I$ and $y \cdot e^{-1} \in R_I$

Intruder's Capabilities (II)
– Another way to obtain new elements of G: use of "services"
– Service = $s : G \to G$, $s(\alpha^x) = \alpha^{px}$, where p is a product of elements of E
– Each service corresponds to a transformation provided by an honest user during the execution of the protocol

Intruder's Capabilities (III)
– Second rule, use of services. Let S be the set of available services: (2) if $s \in S$ with $s(\alpha^x) = \alpha^{p x}$, and $r \in R_I$, then $r \cdot p \in R_I$ or $r \cdot p^{-1} \in R_I$
– Example: if the intruder knows $\alpha^y$ and $\alpha^{yz}$, we model this by $z \in R_I$. If $s \in S$ with $s(\alpha^x) = \alpha^{p x}$, then
  – if $\alpha^y$ is sent to the user providing s, the intruder obtains the pair $(\alpha^{yp}, \alpha^{yz})$ and $z \cdot p^{-1} \in R_I$
  – if $\alpha^{yz}$ is sent to the user providing s, the intruder obtains the pair $(\alpha^y, \alpha^{yzp})$ and $z \cdot p \in R_I$

Proving Security Properties
– The problem is: knowing the initial sets $E_I$, $R_I$, S, is it possible to derive a secret $r_s \in R_S$ by applying the rules (1) and (2) in a "suitable way"?
– What is a "suitable way"? The use of rule (2) needs some restrictions in order to respect the availability of services
– Solving this problem amounts to studying a linear equation system!

Implicit Key Authentication for the Key-Generation Protocol
1. Expression of $E_I$, $R_I$, S, $R_S$:
   $E_I = \emptyset$, $R_I = \{r_1\}$
   $S = \{r_2, \dots, r_{n-1}, r_n K_{1n}, \dots, r_n K_{n-1,n}\}$
   $R_S = \{r_i K_{in}^{-1} \mid 1 \le i < n\} \cup \{r_n\}$
2. Expression of the balance of the variables. We first check the secrecy of $r_1 K_{1n}^{-1}$.

Implicit Key Authentication (II)
3. The system corresponding to $r_1 K_{1n}^{-1}$ (each element of $R_I \cup S$ stands for the net number of times it is used; one equation per element of E):
   Balance for $r_i$ (i < n): $r_1 = 1$, $r_2 = 0$, ..., $r_{n-1} = 0$
   Balance for $r_n$: $r_n K_{1n} + r_n K_{2n} + \dots + r_n K_{n-1,n} = 0$
   Balance for $K_{in}$: $r_n K_{1n} = -1$, $r_n K_{2n} = 0$, ..., $r_n K_{n-1,n} = 0$
   The last n equations are inconsistent: the K-balances force the $r_n$-balance to sum to $-1$, not 0. So $r_1 K_{1n}^{-1}$ is secret!
   This transposes easily to the other secrets...

Implicit Key Authentication (III)
– What if the intruder I is a member of another group that is not disjoint from this one?
– Then it becomes possible to discover attacks...

Perfect Forward Secrecy
1. Expression of $E_I$, $R_I$, S, $R_S$:
   $E_I = \{K_{1n}, \dots, K_{n-1,n}\}$, $R_I = \{r_1\}$
   $S = \{r_2, \dots, r_{n-1}, r_n K_{1n}, \dots, r_n K_{n-1,n}\}$
   $R_S = \{r_i K_{in}^{-1} \mid 1 \le i < n\} \cup \{r_n\}$
2. Deletion of the elements of $E_I$ (rule (1) lets the intruder multiply or divide by them at will):
   $R_I = \{r_1\}$, $S = \{r_2, \dots, r_n\}$, $R_S = \{r_i \mid 1 \le i \le n\}$
3. Resolution of the system: it admits trivial solutions for each secret!

Perfect Forward Secrecy (II): attack upon $M_2$
– The figure shows the run of the Key-Generation Protocol slide ($M_1 \to M_2$: $\alpha, \alpha^{r_1}$; $M_2 \to M_3$: $\alpha^{r_1}, \alpha^{r_2}, \alpha^{r_1 r_2}$; $M_3 \to M_4$: $\alpha^{r_1 r_2}, \alpha^{r_1 r_3}, \alpha^{r_2 r_3}, \alpha^{r_1 r_2 r_3}$; $M_4$ broadcasts $\alpha^{r_2 r_3 r_4 K_{14}}, \alpha^{r_1 r_3 r_4 K_{24}}, \alpha^{r_1 r_2 r_4 K_{34}}$), with the intruder injecting values of his own ($\alpha$ and $\alpha^{r_1}$ in the figure)
– In this scheme, once $K_{24}$ is compromised, the intruder is able to compute $S_4(M_2)$, since he knows $\alpha^{r_2}$ (sent in the clear by $M_2$)!
– But this is not very dangerous: only $M_2$ is fooled...

Perfect Forward Secrecy (III): attack upon $M_n$
– Same run, with one substitution: the element $M_4$ uses for $M_1$'s broadcast component (normally $\alpha^{r_2 r_3}$) is replaced by $\alpha^{r_1 r_2 r_3}$, which the intruder saw in the clear. $M_4$'s broadcast becomes $\alpha^{r_1 r_2 r_3 r_4 K_{14}}, \alpha^{r_1 r_3 r_4 K_{24}}, \alpha^{r_1 r_2 r_4 K_{34}}$
– In this scheme $S_4(M_i)$ for i > 1 is the ordinary key $\alpha^{r_1 r_2 r_3 r_4}$, but if $K_{14}$ is compromised, the intruder is able to compute it as $(\alpha^{r_1 r_2 r_3 r_4 K_{14}})^{K_{14}^{-1}}$!
– This seems more dangerous: n-1 users share a key known to the intruder
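The key-generation exchange of the Key-Generation Protocol slide and the substitution attack of this slide, as an added Python example; it is not code from the presentation or from the Cliques project. The group parameters (p = 1019, q = 509, α = 4), the seeded exponents and the function names are this example's own constructions, and it generalises the slide's four-member run to any n: the intruder replaces $\alpha^{r_2 \dots r_{n-1}}$ by $\alpha^{r_1 \dots r_{n-1}}$ in the message $M_{n-1} \to M_n$ and, once $K_{1n}$ leaks, strips it from $M_n$'s component for $M_1$ (needs Python 3.8+ for the modular inverse).

```python
import random

# Toy group constructed for this example (far too small for real use):
# p = 2q + 1, G = the order-q subgroup of Z_p^* (the quadratic residues), alpha generates G.
P, Q, ALPHA = 1019, 509, 4

def exp(x, e):
    """x^e in G; exponents are reduced mod q since alpha has order q."""
    return pow(x, e % Q, P)

def inv(k):
    """k^{-1} mod q, the '1/K_in' of the slides (K_in must be a unit mod q)."""
    return pow(k, -1, Q)

def agdh2_keygen(n, r, K, tamper=None):
    """A-GDH.2 key generation for M_1..M_n.
    r[i]: exponent of M_i (1 <= i <= n); K[i]: long-term key K_in (i < n).
    tamper: optional intruder hook rewriting the message M_{n-1} -> M_n.
    Returns (broadcast, views) with views[i] = S_n(M_i)."""
    partial, full = {}, ALPHA         # {j: alpha^{N/r_j}} and alpha^N, N = r_1...r_i
    for i in range(1, n):             # rounds 1..n-1: M_i -> M_{i+1}
        partial = {j: exp(x, r[i]) for j, x in partial.items()}
        partial[i] = full             # alpha^{N_{i-1}} is alpha^{N_i / r_i}
        full = exp(full, r[i])
    if tamper:                        # the message M_{n-1} -> M_n travels in the clear
        partial, full = tamper(partial, full)
    views = {n: exp(full, r[n])}      # M_n: (alpha^{r_1...r_{n-1}})^{r_n}
    broadcast = {j: exp(x, r[n] * K[j]) for j, x in partial.items()}  # alpha^{(N/r_j) r_n K_jn}
    for j in range(1, n):             # M_j: (alpha^{(N/r_j) r_n K_jn})^{r_j K_jn^{-1}}
        views[j] = exp(broadcast[j], r[j] * inv(K[j]))
    return broadcast, views

def sample_secrets(n, seed):
    """Seeded exponents and keys in Z_q^* other than 1 (constructed values)."""
    rng = random.Random(seed)
    r = {i: rng.randrange(2, Q) for i in range(1, n + 1)}
    K = {i: rng.randrange(2, Q) for i in range(1, n)}
    return r, K

def honest_views(n=4, seed=0):
    """Honest run: every member ends with the same view alpha^{r_1 ... r_n}."""
    return agdh2_keygen(n, *sample_secrets(n, seed))[1]

def pfs_attack(n=4, seed=0):
    """Attack of the 'Perfect Forward Secrecy (III)' slide for n members: the intruder
    replaces alpha^{N/r_1} = alpha^{r_2...r_{n-1}} in M_{n-1}'s message by
    alpha^N = alpha^{r_1...r_{n-1}} (both observed in the clear). M_n's component for
    M_1 becomes alpha^{r_1...r_n K_1n}; when K_1n is later compromised the intruder
    strips it and obtains the key held by M_2..M_n (M_1's own view differs)."""
    r, K = sample_secrets(n, seed)
    def tamper(partial, full):
        return {**partial, 1: full}, full
    broadcast, views = agdh2_keygen(n, r, K, tamper)
    recovered = exp(broadcast[1], inv(K[1]))   # uses only the compromised K_1n
    return recovered, views

if __name__ == "__main__":
    print("honest views agree:", len(set(honest_views(4).values())) == 1)
    key, views = pfs_attack(4)
    print("intruder key matches M_2..M_4:", all(key == views[i] for i in range(2, 5)))
```

The exponent $r_1 \dots r_n$ is a unit mod q whenever every $r_i$ is, so the honest views coincide and the attacked $M_1$ view $\alpha^{r_1^2 r_2 \dots r_n}$ differs from the others exactly when $r_1 \neq 1$, which the sampling guarantees.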

Resistance to Known-Key Attacks
– Similar... Solving the corresponding system again yields several attacks:
  – one scheme had already been proposed in the paper defining the protocol (not really annoying)
  – we found two other schemes (more annoying!)

Addition of the A-GDH.2-MA Protocol: adding a new member $M_5$
– $M_4$ (the last member), with a fresh exponent $r'_4$, sends to $M_5$: $\alpha^{r_2 r_3 r_4 r'_4 K_{14}},\ \alpha^{r_1 r_3 r_4 r'_4 K_{24}},\ \alpha^{r_1 r_2 r_4 r'_4 K_{34}},\ \alpha^{r_1 r_2 r_3 r'_4 K_{44}},\ \alpha^{r_1 r_2 r_3 r_4 r'_4}$
– $M_5$ broadcasts: $\alpha^{r_2 r_3 r_4 r'_4 r_5 K_{14} K_{15}},\ \alpha^{r_1 r_3 r_4 r'_4 r_5 K_{24} K_{25}},\ \alpha^{r_1 r_2 r_4 r'_4 r_5 K_{34} K_{35}},\ \alpha^{r_1 r_2 r_3 r'_4 r_5 K_{44} K_{45}}$
– The new key is intended to be $\alpha^{r_1 r_2 r_3 r_4 r'_4 r_5}$

Implicit Key Authentication?
– Simple fusion of the sets $E_I$, $R_I$, S, $R_S$ of the two protocols
– A little longer to write... but extremely regular!
– Several attacks found. Example: starting from the value $r_1$ and using the services $r_n r'_n$ and $K_{1n} r_n r'_n$ (the latter applied to the other element of the pair, i.e. inverted in the ratio) yields the ratio $r_1 K_{1n}^{-1}$, the secret of $M_1$
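A small solver for the balance systems of the Proving Security Properties and Implicit Key Authentication slides, applied to the three cases discussed so far: key-generation IKA, PFS with the long-term keys in $E_I$, and IKA after the fusion with the A-GDH.2-MA services. This is an added example, not the authors' tool: ratios are represented as dicts of exponents, names such as 'r1', 'K14' and "r'4" are this example's own, and the member-adding services are the $r_n r'_n$ and $K_{in} r_n r'_n$ named on the slide above. Consistency is checked over the rationals only, so a solvable system is a candidate attack that must still respect the availability of services, as the slides note; an inconsistent system means the ratio is secret in this model.

```python
from fractions import Fraction

# A ratio (element of R) is a monomial over E stored as {element: exponent};
# the secret of M_1 on the slides, r_1 K_1n^{-1}, is {'r1': 1, 'K1n': -1}.

def keygen_sets(n):
    """R_I, S, R_S of the key-generation protocol for n members (E_I empty)."""
    R_I = [{'r1': 1}]
    S = [{f'r{i}': 1} for i in range(2, n)] + \
        [{f'r{n}': 1, f'K{i}{n}': 1} for i in range(1, n)]
    R_S = [{f'r{i}': 1, f'K{i}{n}': -1} for i in range(1, n)] + [{f'r{n}': 1}]
    return R_I, S, R_S

def ma_sets(n):
    """Fusion with A-GDH.2-MA: M_n, with fresh exponent r'_n, additionally offers
    the services r_n r'_n and K_in r_n r'_n (assumed service set, from the slide)."""
    R_I, S, R_S = keygen_sets(n)
    S = S + [{f'r{n}': 1, f"r'{n}": 1}] + \
        [{f'r{n}': 1, f"r'{n}": 1, f'K{i}{n}': 1} for i in range(1, n)]
    return R_I, S, R_S

def balance_system(start_ratios, services, target, compromised=()):
    """One unknown per element of R_I and per service: the net number of times it is
    applied (negative = the p^{-1} branch of rule (2)); the ratio 1 of a pair (x, x) is
    implicitly available, so start ratios and services are treated alike.
    One equation per element e of E: sum_v x_v * exp_e(v) = exp_e(target).
    Elements of E_I are dropped: rule (1) lets the intruder multiply or divide by them."""
    unknowns = list(start_ratios) + list(services)
    elems = sorted({e for v in unknowns + [target] for e in v if e not in compromised})
    rows = [[Fraction(v.get(e, 0)) for v in unknowns] + [Fraction(target.get(e, 0))]
            for e in elems]
    return elems, rows

def consistent(rows):
    """Gauss-Jordan elimination over Q on the augmented matrix; the system is
    inconsistent exactly when some row reduces to 0 = c with c != 0."""
    rows = [row[:] for row in rows]
    ncols, lead = len(rows[0]) - 1, 0
    for col in range(ncols):
        piv = next((i for i in range(lead, len(rows)) if rows[i][col] != 0), None)
        if piv is None:
            continue
        rows[lead], rows[piv] = rows[piv], rows[lead]
        pv = rows[lead][col]
        rows[lead] = [x / pv for x in rows[lead]]
        for i, row in enumerate(rows):
            if i != lead and row[col] != 0:
                f = row[col]
                rows[i] = [a - f * b for a, b in zip(row, rows[lead])]
        lead += 1
        if lead == len(rows):
            break
    return not any(all(x == 0 for x in row[:-1]) and row[-1] != 0 for row in rows)

def secret_ratios(n, compromised=()):
    """(target, is_secret) for every intended secret of the key-generation protocol."""
    R_I, S, R_S = keygen_sets(n)
    return [(t, not consistent(balance_system(R_I, S, t, compromised)[1])) for t in R_S]

def ika_holds(n=4):
    """Implicit key authentication: every secret ratio is underivable with E_I empty."""
    return all(secret for _, secret in secret_ratios(n))

def pfs_holds(n=4):
    """Perfect forward secrecy: the same check with all K_in placed in E_I."""
    keys = [f'K{i}{n}' for i in range(1, n)]
    return all(secret for _, secret in secret_ratios(n, compromised=keys))

def ma_attack_candidate(n=3):
    """True when M_1's secret r_1 K_1n^{-1} becomes derivable once the
    member-adding services are available (the attack of the next slide)."""
    R_I, S, R_S = ma_sets(n)
    return consistent(balance_system(R_I, S, R_S[0])[1])

if __name__ == '__main__':
    print('IKA, key generation:', ika_holds(4))              # True: all systems inconsistent
    print('PFS, keys in E_I:', pfs_holds(4))                  # False: trivial solutions
    print('IKA with MA services:', not ma_attack_candidate(3))  # False: attack candidate
```

For the key-generation IKA case the solver reproduces the slide's argument: the $K_{in}$ balances pin every $r_n K_{in}$ unknown, and the $r_n$ balance then cannot be met. Dropping the keys (PFS) or adding the MA services (the solution $x_{r_n r'_n} = 1$, $x_{K_{1n} r_n r'_n} = -1$) makes the systems solvable.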

Scenario: adding a 4th member
– Key generation: $M_1 \to M_2$: $\alpha, \alpha^{r_1}$; $M_2 \to M_3$: $\alpha^{r_1}, \alpha^{r_2}, \alpha^{r_1 r_2}$; I intercepts the broadcast of the key generation
– I convinces $M_3$ to add a new member; in the first round of the M.A. protocol $M_3$ (fresh exponent $r'_3$) sends to I: $\alpha^{r_2 r_3 r'_3 K_{13}},\ \alpha^{r_1 r_3 r'_3 K_{23}},\ \alpha^{r_1 r_2 r'_3 K_{33}},\ \alpha^{r_1 r_2 r_3 r'_3}$
– I uses these values to produce a broadcast: $\alpha^{r_2 r_3 r'_3 K_{13}}$ to $M_1$ and $\alpha^{r_1 r_3 r'_3 K_{23}}$ to $M_2$, who both compute $\alpha^{r_1 r_2 r_3 r'_3}$, the value I received in the clear
– I shares a key with all members but $M_3$...
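The scenario above traced numerically for a three-member group, as an added example (not the presentation's own code). The toy group (p = 1019, q = 509, α = 4) and the fixed exponents and keys are constructed for the example; $K_{33}$ is kept as the slide writes it although it plays no role in the attack, and the modular inverse needs Python 3.8+.

```python
# Toy group as in the slides: G = the order-q subgroup of Z_p^*; values constructed here.
P, Q, ALPHA = 1019, 509, 4

def exp(x, e):
    """x^e in G, exponent reduced mod q."""
    return pow(x, e % Q, P)

def inv(k):
    """k^{-1} mod q, used for the 1/K_ij exponent."""
    return pow(k, -1, Q)

def adding_member_attack(r1=7, r2=11, r3=13, r3_new=17, K13=19, K23=23, K33=29):
    """Scenario slide: group M_1, M_2, M_3 and an intruder I posing as a 4th member.
    All exponents/keys are fixed constructed values (any element of Z_q^* works)."""
    # Key generation rounds 1-2, sent in the clear
    a_r1 = exp(ALPHA, r1)                  # M_1 -> M_2: alpha, alpha^{r1}
    a_r2 = exp(ALPHA, r2)                  # M_2 -> M_3: alpha^{r1}, alpha^{r2}, alpha^{r1 r2}
    a_r1r2 = exp(a_r1, r2)
    # Round 3: M_3 fixes its view of the key and broadcasts; I suppresses the broadcast
    view_M3 = exp(a_r1r2, r3)              # alpha^{r1 r2 r3}
    suppressed = {1: exp(a_r2, r3 * K13), 2: exp(a_r1, r3 * K23)}   # never delivered
    # I asks M_3 to add a member; A-GDH.2-MA round 1: M_3 picks r'_3 and sends to I
    ma_msg = {
        1: exp(a_r2, r3 * r3_new * K13),   # alpha^{r2 r3 r'3 K13}
        2: exp(a_r1, r3 * r3_new * K23),   # alpha^{r1 r3 r'3 K23}
        3: exp(a_r1r2, r3_new * K33),      # alpha^{r1 r2 r'3 K33}, as written on the slide
        'full': exp(view_M3, r3_new),      # alpha^{r1 r2 r3 r'3}, sent in the clear
    }
    # I replays the first two MA components as if they were M_3's key-generation broadcast
    view_M1 = exp(ma_msg[1], r1 * inv(K13))   # (alpha^{r2 r3 r'3 K13})^{r1 / K13}
    view_M2 = exp(ma_msg[2], r2 * inv(K23))   # (alpha^{r1 r3 r'3 K23})^{r2 / K23}
    key_I = ma_msg['full']                    # I already holds alpha^{r1 r2 r3 r'3}
    return {'M1': view_M1, 'M2': view_M2, 'M3': view_M3, 'I': key_I,
            'suppressed': suppressed}

if __name__ == '__main__':
    views = adding_member_attack()
    print('M_1 and M_2 share their key with I:', views['M1'] == views['I'] == views['M2'])
    print('M_3 holds a different key:', views['M3'] != views['I'])
```

$M_1$ and $M_2$ believe they completed key generation with their group, yet the key they hold is the one $M_3$ sent to the "new member" in the clear; $M_3$'s own view $\alpha^{r_1 r_2 r_3}$ differs as long as $r'_3 \neq 1$.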

Eventually...

Property                           Result
Implicit Key Authentication        KO: up to n-1 users fooled
Perfect Forward Secrecy            KO: compromising 1 long-term key => n-1 users fooled
Resistance to Known-Key Attacks    KO: 1 known key => 1 user fooled

Further Directions
– Incorporate our machinery into more general models
– Modify this protocol suite so that it is correct from our model's point of view!