Out-of-Band Authenticated Group Key Exchange: From Strong Authentication to Immediate Key Delivery

Given the inherent ad-hoc nature of popular communication platforms, out-of-band authenticated key-exchange protocols are becoming widely deployed: key-exchange protocols that enable users to detect man-in-the-middle attacks by manually authenticating a single short value. In this work we put forward the notion of immediate key delivery for such protocols, requiring that even if some users participate in the protocol but do not complete it (e.g., due to losing data connectivity or to other common synchronicity issues), the remaining users should still agree on a shared secret. A property of a similar flavor was introduced by Alwen, Coretti and Dodis (EUROCRYPT '19), who ask for immediate decryption of messages in user-to-user messaging while assuming that a shared secret has already been established; but the underlying issue is crucial already during the initial key exchange, and goes far beyond the context of messaging. Equipped with our immediate key delivery property, we formalize strong notions of security for out-of-band authenticated group key exchange, and demonstrate that the existing protocols either do not satisfy our notions of security or are impractical (these include, in particular, the protocols deployed by Telegram, Signal and WhatsApp). Then, based on the existence of any passively-secure key-exchange protocol (e.g., the Diffie-Hellman protocol), we construct an out-of-band authenticated group key-exchange protocol satisfying our notions of security. Our protocol is inspired by techniques developed in the context of fair string sampling for minimizing the effect of adversarial aborts, and offers the optimal tradeoff between the length of its out-of-band value and its security.

∗ Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel. Email: moni.naor@weizmann.ac.il.
† School of Computer Science and Engineering, Hebrew University of Jerusalem, Jerusalem 91904, Israel. Email: {lior.rotem,segev}@cs.huji.ac.il.
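The following is an added illustration of the two-party building block behind such protocols, in the style of the SAS-based key agreement of Vaudenay [21]; it is not the paper's group protocol and it does not model immediate key delivery. The point it demonstrates is why the out-of-band value must be combined with a commitment: Alice commits to her Diffie-Hellman value and her random SAS contribution before Bob reveals his, so a man-in-the-middle who substitutes both Diffie-Hellman values must fix its own contributions without seeing the honest ones, and the two SAS values it induces agree only with probability 2^-k for a k-bit SAS. The group (2^127 - 1 with base 5), the hash-based commitment, the 32-bit SAS and all names are assumptions made for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Toy DH group, illustration only: the Mersenne prime 2^127 - 1 with base 5.
# A deployment would use a standard group (an RFC 3526 MODP group or X25519).
P = (1 << 127) - 1
G = 5
SAS_BITS = 32            # bits of the short value the users compare out of band
SAS_BYTES = SAS_BITS // 8


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256, used here as a random-oracle-style commitment and KDF."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def commit(pk: int, r: bytes, nonce: bytes) -> bytes:
    return H(b"commit", i2b(pk), r, nonce)


@dataclass
class Party:
    x: int                       # DH secret exponent
    pk: int                      # G^x mod P
    r: bytes                     # random SAS contribution
    nonce: bytes                 # commitment randomness
    sas: Optional[bytes] = None
    key: Optional[bytes] = None


def new_party() -> Party:
    x = secrets.randbelow(P - 2) + 1
    return Party(x, pow(G, x, P), secrets.token_bytes(SAS_BYTES), secrets.token_bytes(32))


class HonestNetwork:
    """Delivers every message unchanged."""
    def a_to_b(self, msg): return msg
    def b_to_a(self, msg): return msg


class ManInTheMiddle:
    """Substitutes its own DH value in both directions.  The commitment forces it to
    fix r_M before seeing r_B, and it must fix the r_B' it shows Alice before seeing
    r_A, so Alice's and Bob's SAS values agree only with probability 2^-SAS_BITS."""
    def __init__(self):
        self.me = new_party()
        self.r_for_alice = secrets.token_bytes(SAS_BYTES)

    def a_to_b(self, msg):
        if msg["type"] == "commit":
            return {"type": "commit", "c": commit(self.me.pk, self.me.r, self.me.nonce)}
        # Alice's opening reveals r_A, but Bob already holds the attacker's commitment.
        return {"type": "open", "pk": self.me.pk, "r": self.me.r, "nonce": self.me.nonce}

    def b_to_a(self, msg):
        return {"type": "reply", "pk": self.me.pk, "r": self.r_for_alice}


def run(alice: Party, bob: Party, net) -> tuple:
    """Commit / reply / open, followed by the out-of-band SAS comparison.
    Returns (sas_match, keys_match)."""
    # 1. Alice commits to (pk_A, r_A): r_A is fixed before Bob reveals r_B.
    c = net.a_to_b({"type": "commit", "c": commit(alice.pk, alice.r, alice.nonce)})["c"]
    # 2. Bob sends pk_B and r_B in the clear.
    m2 = net.b_to_a({"type": "reply", "pk": bob.pk, "r": bob.r})
    # 3. Alice opens; Bob verifies the opening against the commitment he holds.
    m3 = net.a_to_b({"type": "open", "pk": alice.pk, "r": alice.r, "nonce": alice.nonce})
    if commit(m3["pk"], m3["r"], m3["nonce"]) != c:
        raise ValueError("Bob: opening does not match commitment; abort")

    # Each side derives its SAS and session key from what it actually received.
    alice.sas = xor(alice.r, m2["r"])
    alice.key = H(b"key", i2b(pow(m2["pk"], alice.x, P)), i2b(alice.pk), i2b(m2["pk"]))
    bob.sas = xor(m3["r"], bob.r)
    bob.key = H(b"key", i2b(pow(m3["pk"], bob.x, P)), i2b(m3["pk"]), i2b(bob.pk))

    # 4. Out of band, Alice and Bob compare SAS values; a mismatch means abort.
    return alice.sas == bob.sas, alice.key == bob.key


if __name__ == "__main__":
    print("honest:", run(new_party(), new_party(), HonestNetwork()))   # (True, True)
    print("mitm:  ", run(new_party(), new_party(), ManInTheMiddle()))  # (False, False)
```

Without the commitment in step 1, the attacker could wait for r_A and choose r_M = r_A xor r_B xor r_B', making the two SAS values collide every time; with it, the length of the out-of-band value is exactly what bounds the attacker's success, which is the tradeoff the abstract refers to. Extending this to a group, and making the surviving users' keys agree when some participants never send their opening, is what the paper's immediate key delivery property is about.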

[1]  Richard Cleve,et al.  Limits on the security of coin flips when half the processors are faulty , 1986, STOC '86.

[2]  Andrew Y. Lindell Comparison-Based Key Exchange and the Security of the Numeric Comparison Mode in Bluetooth v2.1 , 2009, CT-RSA.

[3]  Rafail Ostrovsky,et al.  Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords , 2001, EUROCRYPT.

[4]  Jonathan Katz,et al.  Scalable Protocols for Authenticated Group Key Exchange , 2003, CRYPTO.

[5]  Serge Vaudenay,et al.  SAS-Based Authenticated Key Agreement , 2006, Public Key Cryptography.

[6]  René Mayrhofer,et al.  Shake Well Before Use: Authentication Based on Accelerometer Data , 2007, Pervasive.

[7]  Rafael Pass,et al.  Concurrent Non-malleable Commitments from Any One-Way Function , 2008, TCC.

[8]  Igors Stepanovs,et al.  Optimal Channel Security Against Fine-Grained State Compromise: The Safety of Messaging , 2018, IACR Cryptol. ePrint Arch..

[9]  Serge Vaudenay,et al.  Bidirectional Asynchronous Ratcheted Key Agreement without Key-Update Primitives , 2018, IACR Cryptol. ePrint Arch..

[10]  Adi Shamir,et al.  How to expose an eavesdropper , 1984, CACM.

[11]  David Pointcheval,et al.  Password-Based Authenticated Key Exchange in the Three-Party Setting , 2005, Public Key Cryptography.

[12]  Vipul Goyal,et al.  Constant round non-malleable protocols using one way functions , 2011, STOC '11.

[13]  Rafael Pass,et al.  New and Improved Constructions of Nonmalleable Cryptographic Protocols , 2008, SIAM J. Comput..

[14]  Douglas Stebila,et al.  A Formal Security Analysis of the Signal Messaging Protocol , 2017, Journal of Cryptology.

[15]  Michael Sirivianos,et al.  Loud and Clear: Human-Verifiable Authentication Based on Audio , 2006, 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06).

[16]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[17]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[18]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[19]  Michael K. Reiter,et al.  Seeing-is-believing: using camera phones for human-verifiable authentication , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[20]  Michael Schliep,et al.  End-to-End Secure Mobile Group Messaging with Conversation Integrity and Deniability , 2018, IACR Cryptol. ePrint Arch..

[21]  Serge Vaudenay,et al.  Secure Communications over Insecure Channels Based on Short Authenticated Strings , 2005, CRYPTO.

[22]  Rafail Ostrovsky,et al.  Non-interactive and non-malleable commitment , 1998, STOC '98.

[23]  Marc Fischlin,et al.  Efficient Non-Malleable Commitment Schemes , 2000, Annual International Cryptology Conference.

[24]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[25]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[26]  Kristin E. Lauter,et al.  Stronger Security of Authenticated Key Exchange , 2006, ProvSec.

[27]  Paul Rösler,et al.  Towards Bidirectional Ratcheted Key Exchange , 2018, CRYPTO.

[28]  N. Asokan,et al.  Secure device pairing based on a visual channel , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[29]  Rafail Ostrovsky,et al.  Four-Round Concurrent Non-Malleable Commitments from One-Way Functions , 2016 .

[30]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[31]  Sarvar Patel,et al.  Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.

[32]  Marcin Paprzycki,et al.  Distributed Computing: Fundamentals, Simulations and Advanced Topics , 2001, Scalable Comput. Pract. Exp..

[33]  Jörg Schwenk,et al.  How Secure is TextSecure? , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[34]  Ueli Maurer,et al.  Efficient Ratcheting: Almost-Optimal Guarantees for Secure Messaging , 2019, IACR Cryptol. ePrint Arch..

[35]  Cas J. F. Cremers,et al.  On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees , 2018, IACR Cryptol. ePrint Arch..

[36]  Karthikeyan Bhargavan,et al.  Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[37]  Rafael Pass,et al.  Constant-round non-malleable commitments from any one-way function , 2011, STOC '11.

[38]  Emmanuel Bresson,et al.  Provably authenticated group Diffie-Hellman key exchange , 2001, CCS '01.

[39]  Sven Laur,et al.  Efficient Mutual Data Authentication Using Manually Authenticated Strings , 2006, CANS.

[40]  A. W. Roscoe,et al.  Usability and security of out-of-band channels in secure device pairing protocols , 2009, SOUPS.

[41]  Mihir Bellare,et al.  Ratcheted Encryption and Key Exchange: The Security of Messaging , 2017, CRYPTO.

[42]  Elizaveta Sergeevna Mazunina,et al.  End-to-end encryption , 2016 .

[43]  Tuomas Aura,et al.  Evaluation of Out-of-Band Channels for IoT Security , 2020, SN Comput. Sci..

[44]  Bertram Poettering,et al.  Asynchronous ratcheted key exchange , 2018 .

[45]  Gil Segev,et al.  Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal , 2018, IACR Cryptol. ePrint Arch..

[46]  Moni Naor,et al.  Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models , 2006, IEEE Transactions on Information Theory.

[47]  Hagit Attiya,et al.  Distributed Computing: Fundamentals, Simulations and Advanced Topics , 1998 .

[48]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 1: Basic Techniques , 2001 .

[49]  Rafael Pass,et al.  Concurrent non-malleable commitments , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[50]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[51]  Serge Vaudenay,et al.  An Optimal Non-interactive Message Authentication Protocol , 2006, CT-RSA.

[52]  Seif Haridi,et al.  Distributed Algorithms , 1992, Lecture Notes in Computer Science.

[53]  H. Robbins A Remark on Stirling’s Formula , 1955 .

[54]  Moni Naor,et al.  The Security of Lazy Users in Out-of-Band Authentication , 2018, IACR Cryptol. ePrint Arch..

[55]  Claudio Soriente,et al.  Partitioned Group Password-Based Authenticated Key Exchange , 2017, Comput. J..

[56]  Yevgeniy Dodis,et al.  The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol , 2019, IACR Cryptol. ePrint Arch..

[57]  Emmanuel Bresson,et al.  Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case (Full version) , 2001 .

[58]  Emmanuel Bresson,et al.  Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions , 2002, EUROCRYPT.

[59]  Yehuda Lindell,et al.  A Framework for Password-Based Authenticated Key Exchange , 2003, EUROCRYPT.

[60]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[61]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[62]  David P. Jablon Strong password-only authenticated key exchange , 1996, CCRV.