Anshu Yadav and Anish Mathuria - pdfs.semanticscholar.org€¦ · Anshu Yadav and Anish Mathuria...
Transcript of Anshu Yadav and Anish Mathuria - pdfs.semanticscholar.org€¦ · Anshu Yadav and Anish Mathuria...
1
Towards formal analysis of key control in group key
agreement protocols
Nov 2, 2012 SPACE’12, Chennai
Anshu Yadav and Anish MathuriaDA‐IICT, Gandhinagar
2
Outline• Burmester-Desmedt key agreement
– Pieprzyk-Wang attack
• Delicata-Schneider (DS) proof model [FAST’05], [Int. J. Inf. Secur. ’07]
• Using DS model to find/model key control attacks
3
Group key agreement
• Basic techniques– 2-party Diffie-Hellman– Public but authentic channels
• Contributory property– the final value of the key is dependent on
the ephemeral inputs of all parties
4
Key Control Attacks: Pieprzyk-Wang’04
• Insiders: Actual members of the group which are agreeing on a key
• Two types of attack – Strong key control: the malicious insiders force
the key to be a pre-defined value of their choosing – Selective key control: the malicious insiders
remove the contributions of some, but not all, honest parties
5
M1
M2
M3M4
M5
z 1= gr1
z 5= gr5
z1 = g r1
z2 = g r2
z 2= gr
2
z 3= gr
3
z5 = g r5
z4 = g r4
z4 = gr4
z3 = gr3
Burmester-Desmedt Protocol [Eurocrypt’94]
Example:
Suppose n members, M1, M2, …, Mn, are arranged in a ring. Every member Mi chooses its private ephemeral value ri randomly.
Phase 1 uses only communication between adjacent members
6
M1
M2
M3M4
M5
X 1
X 1
X1
X 1
X 5
X 4 X3X 2
Example (contd.):
5443322115
))()()()((
)(
)(
54321
4
4
2
3
3
3
2
2
4
1
151
423
32
41
511
rrrrrrrrrr
LLLLL
L
R
L
R
L
R
L
RL
L
g
KKKKK
KK
KK
KK
KKK
XXXXKGK
++++=
=
⎟⎟⎠
⎞⎜⎜⎝
⎛⎟⎟⎠
⎞⎜⎜⎝
⎛⎟⎟⎠
⎞⎜⎜⎝
⎛⎟⎟⎠
⎞⎜⎜⎝
⎛=
=
Li
Rii
ri
Li
ri
Ri
KKXzKzK ii
/; 11
=== −+
32
23
145)( +++= iiii
Lii XXXXKGK
LR
rLrR
KKXzKzK
111
5121
/; 11
===
Phase 2 uses broadcast communications
7
Pieprzyk-Wang Attack: Strong Key Control
M2
M3M1
X1
X2
X3
Bad value computed
X’4
X’4
X’4
Key computed
M4
Assume M4 is dishonest and M2 is the intended victim. Goal: Fix the key computed by M2 to be the desired value K’ = gr4.
M4 broadcasts a corrupted message derived from other received messages
4
21324343243213221 2223344
23
32
422 ')(
r
rrrrrrrrrrrrrrrrr
L
gg
XXXKGK
=
=
=−−−+−+−+
2132434
4
2
41
32
23
414 )/(''
rrrrrrr
r
gXXXzKX
−−−==
8
Attacker model• Initial knowledge of adversary modeled using
two sets
Set E: x ϵ E attacker knows xSet P: y ϵ P attacker knows gy, but not y
• Attacker deduction– Given m1, m2 ϵ P, add m1+m2 to P– Given m ϵ P and n ϵ E, add mn to P and (mn-1) to P– Given m ϵ P, add (-m) to P
9
Message-template example• E = {x, y}; P = {1, a, b}. Note: ‘1’ is identity element
• Consider how the value can be expressed. Let
F = {{x→1, y→1}, {x→1, y→2}}h({x→1, y→1}) = {1 →2, a →1, b→-1}h({x→1, y→2}) = {1 →1, a →1, b→0}
• Then
2
,
)1()2(
.),(
xyaxyba
phFvFf Ee
f
Pppf eh e
++−+=
⎟⎟⎠
⎞⎜⎜⎝
⎛⎟⎟⎠
⎞⎜⎜⎝
⎛= ∑ ∏∑
∈ ∈∈
2)1()2( xyaxybag ++−+
10
Proving secrecy
• The message-template v(F, h) represents any message generable by an attacker
• A value m is realisable if there exists functions F and h such that v(F, h) = m
∑ ∏∑∈ ∈∈
⎟⎟⎠
⎞⎜⎜⎝
⎛⎟⎟⎠
⎞⎜⎜⎝
⎛=
Ff Ee
f
Pppf eh ephFv .),( ,
11
Using DS to find Pieprzyk-Wang attack
• We consider whether there exist realisable values z1 and z2 such that
(K2L)4 X2
3 X32 X’4 = gr1r2+r2r3+2r3r4+z1 = gz2
• For secrecy to fail, the following equality must holdr1r2 + r2r3 + 2r3r4 + z1 = z2
• z1 = v(F1, h1) is defined overP1 = {1, r1, r2, r3, x1, x2, x3}, E1 = {r4} (Xi = gxi)F1 = {f11 , f12}; f11 = {r4 →p1}, f12 = {r4 →s1}h1 (f11) = {1 →n0, r1 →n1, r2 →n2, r3 →n3, x1 →n4, x2 →n5, x3→n6}h1 (f12) = {1 →l0, r1 →l1, r2 →l2, r3 →l3, x1 →l4, x2 →l5, x3→l6}z1 = (n0 + n1r1 + n2r2 + n3r3 + n4x1 + n5x2 + n6x3)r4
p1 + (l0 + l1r1 + l2r2 + l3r3 + l4x1 + l5x2 + l6x3)r4
s1
12
Using DS to find Pieprzyk-Wang attack
• z2 = v(F2, h2) is defined overP2 = {1}, E2 = {r4} F2 = {f21}; f21 = {r4 →q1}; h2 (f21) = {1 →m0}z2 = m0r4
q1
• r1r2 + r2r3 + 2r3r4 + (n0 + n1r1 + n2r2 + n3r3 + n4x1 + n5x2 + n6x3)r4p1 +
(l0 + l1r1 + l2r2 + l3r3 + l4x1 + l5x2 + l6x3)r4s1 = m0r4
q1
• Solution:Putting x1 = r1r2 – r1r4 ; x2 = r2r3 – r1r2 ; x3 = r3r4 – r2r3and then solvingn0 = p1 = m0 = q1 = 1; n1 = -4; l4 = -4 ; l5 = -3; l6 = -2; rest are 0.
• z1 = r4 – 4r1r4 -2x3 -3x2 – 4x1 and z2 = r4
• This gives X’4 = gr4/(z14r4X3
2X23X1
4) and the resulting key as gr4
13
Dutta-Barua (DB) Protocol [IEEE Trans. Inf. Theory, 08]
• The final key is the same as BD protocol but the key computation is different
• Session key = K1R K2
R …KnR =
)( 1433221 rrrrrrrr ng L+++
121
11
1
121
212
11
−−−
−
−−−
+++
++
=
=
=
=
=
=
iRi
Ri
Rn
Rn
Rn
Rn
nRn
Rn
iRi
Ri
iRi
Ri
XKK
XKK
XKK
XKK
XKK
XKK
M
M
14
• Additional step: Mi checks if to detect presence of dishonest insider
• Example: M4 sends bad value X’4 to M2
M2
M3M1
X1
X2
X3X’4
X’4
X’4
M4
RL
rrL
rrrrrrr
rrrrrrrrrrrrrrrrr
RR
KK
gKg
g
XXXKK
12
2
)2(1
'4321
21
1432434
14212132434324332
≠
=
=
=
=
−+−
−+−−−+−+
2132434
4
2
41
32
23
414 )/(''
rrrrrrr
r
g
XXXzKX−−−=
=
So M2 will abort
Li
Ri KK =−1
Bad value computed:
15
Analysis results for DB
• Single dishonest insider – misbehaving in 1st phase -> selective control– misbehaving only in 2nd phase -> no key
control• Two adjacent dishonest insiders
– misbehaving in 2nd phase -> strong control
16
Attack on DB: Strong key control
M1 M2
M5 M3
M4
X5
X4
X3
M1 and M2 are dishonest and all other participants are the intended victims.Goal: Fix the computed key to be the desired value K’ = gr.
In the second phase, M1 and M2 broadcast corrupted X’1 and X’2, derived from other messages.
)'/(')/(''
12
21
5132
15544332
XggXgKX
rrrr
rrrrrrrr
== +++
M1 and M2 compute:
21215132'' : thatNote XXgXX rrrr == −
17
M1 M2
M5 M3
M4
X5
X4
X3
LrrR
R
RR
KgK
XXXXK
XXXXKK
32
21543
215432
32
''
===
=
=
Verification by M3 succeeds
Verification step by honest members
18
Key computation by honest members
M1 M2
M5 M3
M4
X5
X4
X3
( ) '/'
)'(155443323215155443 2
215543
215433
KgKg
KXKKKK
KKKKKGK
rrrrrrrrrrrrrrrrrr
RRRRR
RRRRR
==
=
=
+++++++
• Key computation by M3
19
Conclusions
• Novel application of DS model– Detecting key control attacks– Proving security against key control attacks
• Key control attacks against Dutta-Baruaprotocol
20
Thank you … Questions
21
Remarks• Consider the following equation
r1r2 + r2r3 + 2r3r4
+ (n0 + n1r1 + n2r2 + n3r3 + n4x1 + n5x2 + n6x3)r4p1
+ (l0 + l1r1 + l2r2 + l3r3 + l4x1 + l5x2 + l6x3)r4s1 = m0r4
q1
• To balance 2r3r4 and m0r4q1, r4 must be mapped to 1 (p1 = 1)
• r1r2 + r2r3 is independent of r4 so to cancel it, r4 must be mapped to 0 (s1 = 0)
• Different mappings for set E1 require different functions in F1. For the above case, 2 functions are enough.