© ucl crypto group nov-15 two formal views of authenticated group diffie-hellman key exchange e....
TRANSCRIPT
![Page 1: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/1.jpg)
© UCL Crypto group 20/04/23
Two Formal Views of Two Formal Views of Authenticated Group Authenticated Group
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL) D. Pointcheval (ENS), J.-J. Quisquater (UCL)
![Page 2: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/2.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 2
Outline of the TalkOutline of the Talk
• Introduction to the problem• A logical approach• A computational approach• Discussion and Conclusions…
![Page 3: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/3.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 3
Key ExchangeKey Exchange• It is one of the fundamental problems in computer
security• One of the most widespread solutions:
The Diffie-Hellman protocol
• We consider extensions of this protocol enabling a pool of principals to share a key
• The constitution of this pool can dynamically change• We require authentication properties
xA By
the secret key is xy
![Page 4: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/4.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 4
Group D.-H. Key ExchangeGroup D.-H. Key Exchange
M1 M2 M3
M4
r1 r2 r1 r1r2
r2r3 r1r3
r1r2 r1r2r3
r2r3r4 r1r3r4 r1r2r4
A possible extension… (Steiner, Tsudik, Waidner, 1996)
α is a generator of a publicly known groupri are random fresh contributions
The secret key is r1r2r3r4
![Page 5: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/5.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 5
Group D.-H. Key ExchangeGroup D.-H. Key ExchangeBenefits:• Hardness of the Group Decisional Diffie-Hellman
(G-DDH) problem is implied by the one of the DDH problem (Steiner, Tsudik, Waidner, 1996)
• No need of a centralized server• This scheme allows to dynamically change the group
constitution at low-cost…
N.B.: Several other methods for building the key have been proposed (trees, other ways of computing, …)
A Problem remains:• We need authentication…
![Page 6: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/6.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 6
Authenticated Key ExchangeAuthenticated Key Exchange• Problem:
Transformation of the Diffie-Hellman Key Exchange• We assume that A and B are sharing a secret KAB
We are not able to obtain any key be it computed by A or B
the secret key is xyx
A B yKAB
xA B
zZ
zy
Computes xz Computes
yz
![Page 7: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/7.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 7
A-GDH.2 ProtocolA-GDH.2 Protocol
• First authenticated group key exchange protocol based on the previous ring scheme (Ateniese, Steiner, Tsudik, 1998)
• Kij is a secret key shared by Mi and Mj
• M1 computes its key as r1r2r3r4 = ( r2r3r4K14 )(r1/K14)
M1 M2 M3
M4
r1 r1 r2 r1r2
r1r2 r1r3 r2r3
r1r2r3
r2r3r4K14 r1r3r4K24 r1r2r4K34
![Page 8: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/8.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 8
Security PropertiesSecurity Properties
• (Implicit) Key Authentication : – Each group member is assured that no party external
to the group can obtain (or distinguish) the key he computed
• Perfect Forward Secrecy : – Compromise of long-term secrets does not imply
compromise of past session keys• Resistance to Known-Keys Attacks :
– Compromise of past session secrets cannot imply compromise of new session keys
![Page 9: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/9.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 9
A model for A-GDH ProtocolsA model for A-GDH Protocols
• We adopted a « logical » (rather than « computational ») point of view
Computational View
Random Oracle Paradigm, Standard Model, …
Messages considered as strings of bits
Probabilistic Security Properties
Logical View
Use of logic, state exploration, nominal calculus, …
Symbolic Representation of Messages
Formal Expression of Security Properties
![Page 10: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/10.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 10
A model for A-GDH ProtocolsA model for A-GDH Protocols
• Observation:
– In this family of protocols, the secret key is always computed in the same way:Mi receives x and computes ( x)ri Kij
M1 M2 M3
M4
r1 r1 r2 r1r2
r1r2 r1r3 r2r3
r1r2r3
r2r3r4K14 r1r3r4K24 r1r2r4K34
![Page 11: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/11.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 11
A model for A-GDH ProtocolsA model for A-GDH Protocols
• So, for instance, if an active attacker can obtain (or compute) a pair of elements of the group like ( x, x r2/K24), he can fool M2:
M1 M2 M3
M4
r1 r1 r2 r1r2
r1r2 r1r3 r2r3
r1r2r3
r2r3r4K14 r1r3r4K24 r1r2r4K34
x
since M2 will compute the secret key as x r2/K24
![Page 12: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/12.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 12
Intruder’s KnowledgeIntruder’s Knowledge
• How can the intruder obtain such pairs?
1. If he knows ( x, y) and z thenthe intruder can compute ( x, yz) and ( xz, y)
2. If he knows ( x, y) andif a honest user provides a service wherehe transforms z into zt thenthe intruder can obtain ( xt, y) or ( x, yt)
![Page 13: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/13.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 13
Protocol AnalysisProtocol Analysis
• Having defined our model, we obtained a polynomial algorithm allowing us to check the security of a protocol– The verification amounts to solve a linear equation
system• We discovered independent flaws against each
security properties in the A-GDH.2 protocol as well as in the SA-GDH.2 protocol
• We also better understood these security properties, that are not simply the transposition of 2-parties properties
![Page 14: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/14.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 14
Example of AttackExample of Attack• Against Implicit Key Authentication
M1 M2 I
M3
r1 r1 r2 r1r2
r2rI r1rI r1r2
r1r2rI
M1 M2
M3
r’1 r1r2r3 r’2 r1r2r3r’2
r’2r’3K13 r1r2r3r’3K23
r2rIr3K13 r1r2r3K23 r1r2r3KI3
r1r2
r1r2r3K23
r1r2r3
M2 finally computesK= r1r2r3r’2
![Page 15: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/15.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 15
ConclusionsConclusions
• We defined a logical model for the analysis of a family of protocols
• We discovered several new attacks independently of any computational assumption
• We conjecture that our model could be used to prove that it is impossible to build a protocol using these “constituting blocks” and providing the intended security properties
![Page 16: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/16.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 16
Another SolutionAnother Solution
Obtain Authentication via a Signature Algorithm
M1 M2 M3
M4
{Mr1}S1 {Mr1r2r1r2}S2{Mr1r2 r1r3
r2r3 r1r2r3}S3
{M r2r3r4 r1r3r4 r1r2r4}S4
M = M1 M2 M3 M4
{m}Si is the signature of m through Mi’s Long-Lived KeyThe key K = H(M||Fl4|| r1r2r3r4) where H is a universal hash function and Fl4 is the last flow of the protocol
![Page 17: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/17.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 17
Another ModelAnother Model
Standard Assumptions:
• Group Decisional Diffie-Hellman• Multi-Decisional Diffie-Hellman• Message Authentication Codes (MAC)• Entropy-smoothing functions
![Page 18: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/18.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 18
Diffie-Hellman-type Diffie-Hellman-type AssumptionsAssumptions
• Group Decisional Diffie-Hellman ProblemGiven a, b, c, ab, ac, bc, Distinguish abc from a random value r.
• Multi-Decisional Diffie-Hellman ProblemGiven a, b, c, Distinguish ab, ac, bc from three random values r, s, t
• These two problems can be reduced to the Decisional Diffie-Hellman Problem…
![Page 19: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/19.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 19
Other AssumptionsOther Assumptions
• Existence of Message Authentication CodesMAC’s are used to authenticate (sign) the flows between playersMACs exist if OW-functions exist.
• Entropy-Smoothing PropertyThe distribution provided by universal hash functions is statistically undistinguishable from a uniform distribution
![Page 20: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/20.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 20
Security PropertySecurity Property
PROTOCOL« Test » a fresh sk
Flip a coin b sk if b=1, random if b=0
Outputs b’= guess for b
Public data
INTRUDER
• Security is measured as the adversary’s advantage in guessing the bit b involved in the Test-query
![Page 21: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/21.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 21
Security TheoremSecurity Theorem
• This advantage is a function of – the adversary’s advantage in breaking the Group DDH– the adversary’s advantage in breaking the MAC
scheme– the adversary’s advantage in breaking the Multi-DDH
• Theorem
Advake(T,Q) 2nQ·Advgddh(T’) + n(n-1)·Succcma(T)
+ 2·Advmddh(T’) + « negligible terms »
T’ T + nQ·Texp(k)
![Page 22: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/22.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 22
DiscussionDiscussion
• This theorem has been proved– in the presence of concurrent sessions of the
protocol– in a dynamic context (i.e. together with Join and
Leave protocols in addition to the Setup protocol that we presented)
• We also analysed this protocol using a “logical” approach
![Page 23: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/23.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 23
Discussion Discussion (cont.)(cont.)
• The computational approach was useful– to determine the part of the complexity of the hard
problems (Group Decisional Diffie-Hellman, …) injected in the protocol.
In the logical approaches we used, the size of the security parameters is not taken into account…
![Page 24: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/24.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 24
Discussion Discussion (cont.)(cont.)• The logical approach was useful
– to understand how to construct the messages– to understand the causal relations between messages
(and so avoid redundancies…)– to « measure » the recency of the exchanged terms
Ex: The “computational” security theorem remains correct for the following protocol:
M1 M2 M3
M4
M{r1}S1 M{r1r2r1r2}S2M{r1r2 r1r3
r2r3 r1r2r3}S3
M{ r2r3r4 r1r3r4 r1r2r4}S4
![Page 25: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/25.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 25
Discussion Discussion (cont.)(cont.)• Ex (2): The logical approach is suitable to check
freshness properties and the consequences of compromises
I(M1) M2 M3
M4
{Mr1}S1 {Mr1r’2r1r’2}S2{Mr1r’2 r1r’3
r’2r’3 r1r’2r’3}S3
{M r’2r’3r’4 r1r’3r’4 r1r’2r’4}S4
If we assume that an old r1 can be compromised, replay attacks are possible (resulting in new keys compromise…)Solution to this problem: add nonces or timestamps to identify the sessions…
![Page 26: © UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)](https://reader035.vdocuments.mx/reader035/viewer/2022062720/56649f145503460f94c28e76/html5/thumbnails/26.jpg)
© UCL Crypto group 20/04/23 Two Views of Authenticated Group Diffie-Hellman Key Exchange 26
ConclusionConclusion
• Both approaches are providing specific and complementary information…
• First attempts to combine their benefits have been presented:– Abadi and Rogaway (2000)– Pfitzmann, Schunter and Waider (2000)– Guttman, Thayer, Zuck (2001)
• This remains a research in progress…