Modeling insider attacks on group key-exchange protocols

Protocols for authenticated key exchange (AKE) allow parties within an insecure network to establish a common session key which can then be used to secure their future communication. It is fair to say that group AKE is currently less well understood than the case of two-party AKE; in particular, attacks by malicious insiders --- a concern specific to the group setting --- have so far been considered only in a relatively "ad-hoc" fashion. The main contribution of this work is to address this deficiency by providing a formal, comprehensive model and definition of security for group AKE which automatically encompasses insider attacks. We do so by defining an appropriate ideal functionality for group AKE within the universal composability (UC) framework. As a side benefit, any protocol secure with respect to our definition is secure even when run concurrently with other protocols, and the key generated by any such protocol may be used securely in any subsequent application. In addition to proposing this definition, we show that the resulting notion of security is strictly stronger than the one proposed by Bresson et al. (termed "AKE-security"), and that our definition implies all previously-suggested notions of security against insider attacks. We also show a simple technique for converting any AKE-secure protocol into one secure with respect to our definition.
