Presentation is loading. Please wait.

Presentation is loading. Please wait.

© UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)

Published byJoy Horn Modified over 9 years ago

Similar presentations

Presentation on theme: "© UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)"— Presentation transcript:

1 © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL) D. Pointcheval (ENS), J.-J. Quisquater (UCL)

2 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange2 Outline of the Talk Introduction to the problem A logical approach A computational approach Discussion and Conclusions…

3 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange3 Key Exchange It is one of the fundamental problems in computer security One of the most widespread solutions: The Diffie-Hellman protocol We consider extensions of this protocol enabling a pool of principals to share a key The constitution of this pool can dynamically change We require authentication properties AB the secret key is

4 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange4 Group D.-H. Key Exchange M1M1 M2M2 M3M3 M4M4   r1  r2  r1  r1r2  r2r3  r1r3  r1r2  r1r2r3  r2r3r4  r1r3r4  r1r2r4 A possible extension… (Steiner, Tsudik, Waidner, 1996) α is a generator of a publicly known group r i are random fresh contributions The secret key is  r1r2r3r4

5 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange5 Group D.-H. Key Exchange Benefits: Hardness of the Group Decisional Diffie-Hellman (G-DDH) problem is implied by the one of the DDH problem (Steiner, Tsudik, Waidner, 1996) No need of a centralized server This scheme allows to dynamically change the group constitution at low-cost… N.B.: Several other methods for building the key have been proposed (trees, other ways of computing, …) A Problem remains: We need authentication…

6 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange6 Authenticated Key Exchange Problem: Transformation of the Diffie-Hellman Key Exchange We assume that A and B are sharing a secret K AB We are not able to obtain any key be it computed by A or B the secret key is AB  yKAB ABZ Computes

7 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange7 A-GDH.2 Protocol First authenticated group key exchange protocol based on the previous ring scheme (Ateniese, Steiner, Tsudik, 1998) K ij is a secret key shared by M i and M j M 1 computes its key as  r1r2r3r4 = (  r2r3r4K14 ) (r1/K14) M1M1 M2M2 M3M3 M4M4   r1  r1  r2  r1r2  r1r2  r1r3  r2r3  r1r2r3  r2r3r4K14  r1r3r4K24  r1r2r4K34

8 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange8 Security Properties (Implicit) Key Authentication : –Each group member is assured that no party external to the group can obtain (or distinguish) the key he computed Perfect Forward Secrecy : – Compromise of long-term secrets does not imply compromise of past session keys Resistance to Known-Keys Attacks : –Compromise of past session secrets cannot imply compromise of new session keys

9 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange9 A model for A-GDH Protocols We adopted a « logical » (rather than « computational ») point of view Computational View Random Oracle Paradigm, Standard Model, … Messages considered as strings of bits Probabilistic Security Properties Logical View Use of logic, state exploration, nominal calculus, … Symbolic Representation of Messages Formal Expression of Security Properties

10 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange10 A model for A-GDH Protocols Observation : –In this family of protocols, the secret key is always computed in the same way: M i receives  x and computes (  x )  ri  Kij M1M1 M2M2 M3M3 M4M4   r1  r1  r2  r1r2  r1r2  r1r3  r2r3  r1r2r3  r2r3r4K14  r1r3r4K24  r1r2r4K34

11 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange11 A model for A-GDH Protocols So, for instance, if an active attacker can obtain (or compute) a pair of elements of the group like (  x,  x r2/K24 ), he can fool M 2 : M1M1 M2M2 M3M3 M4M4   r1  r1  r2  r1r2  r1r2  r1r3  r2r3  r1r2r3  r2r3r4K14  r1r3r4K24  r1r2r4K34 xx since M 2 will compute the secret key as  x r2/K24

12 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange12 Intruder’s Knowledge How can the intruder obtain such pairs? 1.If he knows (  x,  y ) and z then the intruder can compute (  x,  yz ) and (  xz,  y ) 2.If he knows (  x,  y ) and if a honest user provides a service where he transforms  z into  zt then the intruder can obtain (  xt,  y ) or (  x,  yt )

13 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange13 Protocol Analysis Having defined our model, we obtained a polynomial algorithm allowing us to check the security of a protocol –The verification amounts to solve a linear equation system We discovered independent flaws against each security properties in the A-GDH.2 protocol as well as in the SA-GDH.2 protocol We also better understood these security properties, that are not simply the transposition of 2-parties properties

14 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange14 Example of Attack Against Implicit Key Authentication M1M1 M2M2 I M3M3   r1  r1  r2  r1r2  r2rI  r1rI  r1r2  r1r2rI M1M1 M2M2 M3M3   r’1  r1r2r3  r’2  r1r2r3r’2  r’2r’3K13  r1r2r3r’3K23  r2rIr3K13  r1r2r3K23  r1r2r3KI3  r1r2  r1r2r3K23  r1r2r3 M 2 finally computes K=  r1r2r3r’2

15 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange15Conclusions We defined a logical model for the analysis of a family of protocols We discovered several new attacks independently of any computational assumption We conjecture that our model could be used to prove that it is impossible to build a protocol using these “constituting blocks” and providing the intended security properties

16 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange16 Another Solution Obtain Authentication via a Signature Algorithm M1M1 M2M2 M3M3 M4M4 {M  r1 } S1 {M  r1  r2  r1r2 } S2 {M  r1r2  r1r3  r2r3  r1r2r3 } S3 {M  r2r3r4  r1r3r4  r1r2r4 } S4 M = M 1 M 2 M 3 M 4 {m} Si is the signature of m through M i ’s Long-Lived Key The key K = H(M||Fl 4 ||  r1r2r3r4 ) where H is a universal hash function and Fl 4 is the last flow of the protocol

17 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange17 Another Model Standard Assumptions: Group Decisional Diffie-Hellman Multi-Decisional Diffie-Hellman Message Authentication Codes (MAC) Entropy-smoothing functions

18 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange18 Diffie-Hellman-type Assumptions Group Decisional Diffie-Hellman Problem Given  a,  b,  c,  ab,  ac,  bc, Distinguish  abc from a random value  r. Multi-Decisional Diffie-Hellman Problem Given  a,  b,  c, Distinguish  ab,  ac,  bc from three random values  r,  s,  t These two problems can be reduced to the Decisional Diffie-Hellman Problem…

19 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange19 Other Assumptions Existence of Message Authentication Codes MAC’s are used to authenticate (sign) the flows between players MACs exist if OW-functions exist. Entropy-Smoothing Property The distribution provided by universal hash functions is statistically undistinguishable from a uniform distribution

20 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange20 Security Property PROTOCOL « Test » a fresh sk Flip a coin b sk if b=1, random if b=0 Outputs b’= guess for b Public data INTRUDER Security is measured as the adversary’s advantage in guessing the bit b involved in the Test-query

21 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange21 Security Theorem This advantage is a function of –the adversary’s advantage in breaking the Group DDH –the adversary’s advantage in breaking the MAC scheme –the adversary’s advantage in breaking the Multi-DDH Theorem Adv ake (T,Q)  2nQ·Adv gddh (T’) + n(n-1)·Succ cma (T) + 2·Adv mddh (T’) + « negligible terms » T’  T + nQ·T exp (k)

22 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange22Discussion This theorem has been proved –in the presence of concurrent sessions of the protocol –in a dynamic context (i.e. together with Join and Leave protocols in addition to the Setup protocol that we presented) We also analysed this protocol using a “logical” approach

23 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange23 Discussion (cont.) The computational approach was useful –to determine the part of the complexity of the hard problems (Group Decisional Diffie-Hellman, …) injected in the protocol. In the logical approaches we used, the size of the security parameters is not taken into account…

24 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange24 Discussion (cont.) The logical approach was useful –to understand how to construct the messages –to understand the causal relations between messages (and so avoid redundancies…) –to « measure » the recency of the exchanged terms Ex: The “computational” security theorem remains correct for the following protocol: M1M1 M2M2 M3M3 M4M4 M{  r1 } S1 M{  r1  r2  r1r2 } S2 M{  r1r2  r1r3  r2r3  r1r2r3 } S3 M{  r2r3r4  r1r3r4  r1r2r4 } S4

25 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange25 Discussion (cont.) Ex (2): The logical approach is suitable to check freshness properties and the consequences of compromises I(M1)I(M1)M2M2 M3M3 M4M4 {M  r1 } S1 {M  r1  r’2  r1r’2 } S2 {M  r1r’2  r1r’3  r’2r’3  r1r’2r’3 } S3 {M  r’2r’3r’4  r1r’3r’4  r1r’2r’4 } S4 If we assume that an old r 1 can be compromised, replay attacks are possible (resulting in new keys compromise…) Solution to this problem: add nonces or timestamps to identify the sessions…

26 © UCL Crypto group Nov-15 Two Views of Authenticated Group Diffie-Hellman Key Exchange26Conclusion Both approaches are providing specific and complementary information… First attempts to combine their benefits have been presented: –Abadi and Rogaway (2000) –Pfitzmann, Schunter and Waider (2000) –Guttman, Thayer, Zuck (2001) This remains a research in progress…

Download ppt "© UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)"

Similar presentations

TCC 2006 Research on Password-Authenticated Group Key Exchange Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.) Kouchi Sakurai (Kyushu.

TCC 2006 Research on Password-Authenticated Group Key Exchange Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.) Kouchi Sakurai (Kyushu.
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.

Pairwise Key Agreement in Broadcasting Networks Ik Rae Jeong.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
From: Cryptographers’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter: Yi-Chun Shih 1.

From: Cryptographers’ Track of the RSA Conference 2008 Date: Reporter: Yi-Chun Shih 1.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Similar presentations

Ads by Google