SAS-Based Group Authentication and Key Agreement Protocols Sven Laur - - PowerPoint PPT Presentation



SLIDE 1

SAS-Based Group Authentication and Key Agreement Protocols

Sven Laur (1,2) and Sylvain Pasini (3)

1 Helsinki University of Technology
2 University of Tartu
3 École Polytechnique Fédérale de Lausanne

SLIDE 2

Brief outline

  • User-aided data authentication
    ⊲ What is user-aided data authentication?
    ⊲ Why do we need it in practice?

  • Two-party protocols
    ⊲ The simplest protocol
    ⊲ More advanced techniques

  • Group authentication and key management
    ⊲ SAS-GMA protocol
    ⊲ How to combine SAS-GMA with key agreement protocols?

The 11th International Workshop on Practice and Theory in Public Key Cryptography, Barcelona, March 5, 2008

SLIDE 3

Motivation

Communication in wireless networks can be altered and modified.
  ⊲ We need a common key to bootstrap some security mechanisms.
  ⊲ Common key agreement protocols are secure only against passive adversaries.
  ⊲ We cannot implement a global public-key infrastructure.

Maintaining a public-key infrastructure can be difficult in practice.
  ⊲ Missing certificate chains in web browsers.
  ⊲ Malicious alterations and additions of certificate chains.
  ⊲ Maliciously corrupted programs and computers.

Can the user detect malicious behaviour with high probability?


SLIDE 4

Security model

Classical message authentication (both parties share a secret key sk):
  sender: t ← mac_sk(m), sends (m, t); receiver gets (m̂, t̂) and accepts iff Ver_sk(m̂, t̂) = 1.

User-aided message authentication (no shared key; instead a low-bandwidth out-of-band channel the adversary cannot alter):
  the parties exchange α, β, γ in-band, where the adversary may deliver α̂, β̂, γ̂ instead;
  one side computes sas1 ← Hash(α, β̂, γ), the other sas2 ← Hash(α̂, β, γ̂),
  and the user checks sas1 =? sas2 over the out-of-band channel.


SLIDE 5

Simplified MANA-II protocol

Sender (input m ∈ M):                              Receiver:
  r ← R, t ← h(m, r)
  ──── (m, t) ───────────────────────────────────→ receives (m̂, t̂)
  ←─── acknowledge data arrival ──────────────────
  ──── reveal hash key r ────────────────────────→ accepts iff t̂ = h(m̂, r)

Due to the temporal restrictions, we end up in the classical setting:
  ⊲ The secret key r is released only after the adversary has delivered m̂, t̂.
  ⊲ The protocol is secure if h is an almost universal hash function.

Due to Simmons' classical lower bound, we lose half of the bits:
  Pr[successful deception] ≥ 1/√|R|.
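The bound above, made concrete. This is an added example, not part of the slides or the paper: it runs the simplified MANA-II flow with the strongly universal hash h(m, r) = a·m + b mod p over a toy field p = 13, so the key space has |R| = p² = 169 elements and the tag space |T| = 13. The function names, the toy parameters and the in-band `deliver` hook are the example's own choices. Enumerating every key shows that the best substitution attack succeeds with probability exactly 1/13 = 1/√|R|: r carries 2·log₂13 bits, but only half of them count. A second helper shows why the temporal rule matters: if r became known before (m̂, t̂) is delivered, forging would be free.

```python
from __future__ import annotations
from itertools import product

P = 13  # toy field size; the key r = (a, b) lives in Z_p x Z_p, tags in Z_p


def h(m: int, r: tuple[int, int]) -> int:
    """Strongly universal hash h(m, r) = a*m + b mod p with sub-keys r = (a, b)."""
    a, b = r
    return (a * m + b) % P


def mana2(m: int, r: tuple[int, int], deliver) -> tuple[bool, int]:
    """Simplified MANA-II. `deliver(m, t)` models the in-band channel and returns
    what the receiver actually gets, or None if nothing arrived. The receiver
    acknowledges arrival (out-of-band) before r is revealed, so the adversary
    has to fix (m_hat, t_hat) while r is still secret."""
    t = h(m, r)
    delivered = deliver(m, t)
    if delivered is None:                 # no acknowledgement: r must never leave the sender
        raise RuntimeError("no acknowledgement, hash key is not revealed")
    m_hat, t_hat = delivered
    return t_hat == h(m_hat, r), m_hat    # receiver's check once r has been revealed


def forge_with_early_key(m_hat: int, r: tuple[int, int]) -> tuple[int, int]:
    """Temporal rule broken: an adversary who learns r before delivering its
    message simply recomputes the tag and is always accepted."""
    return m_hat, h(m_hat, r)


def best_substitution_success(m: int, m_hat: int) -> float:
    """Exact success probability of the optimal substitution attack on mana2: the
    adversary sees (m, t), picks (m_hat, t_hat), and wins iff h(m_hat, r) == t_hat
    for the still-hidden r. Computed by enumerating all |R| = p^2 keys."""
    keys = list(product(range(P), repeat=2))
    winning_keys = 0
    for t in range(P):
        consistent = [r for r in keys if h(m, r) == t]   # keys that explain the observed (m, t)
        counts: dict[int, int] = {}
        for r in consistent:
            v = h(m_hat, r)
            counts[v] = counts.get(v, 0) + 1
        winning_keys += max(counts.values())  # best t_hat for this t wins on that many keys
    return winning_keys / len(keys)


if __name__ == "__main__":
    r = (2, 3)
    print("honest delivery accepted:", mana2(5, r, lambda m, t: (m, t)))
    print("altered message accepted:", mana2(5, r, lambda m, t: (m + 1, t)))
    print(f"|R| = {P**2}; best substitution attack succeeds w.p. "
          f"{best_substitution_success(3, 7):.4f} = 1/{P}")
```

With m = 3 and m̂ = 7 the enumeration returns 1/13: for every observed tag t there are 13 consistent keys, and h(m̂, r) takes a different value on each of them, so no guess t̂ covers more than one. The same 2·log₂13-bit key would give 1/169 against a passive guesser, which is the "half the bits" of the slide.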


SLIDE 6

Quick fix

Both parties hold the public commitment key pk.

Sender (input m ∈ M):                              Receiver:
  r ← R, (c, d) ← Com_pk(r)
  ──── (m, c) ───────────────────────────────────→ receives (m̂, ĉ)
  ←─── acknowledge data arrival ──────────────────
  ──── d ────────────────────────────────────────→ r̂ ← Open_pk(ĉ, d̂)
  sas1 ← h(m, r)                                    sas2 ← h(m̂, r̂)
  out-of-band comparison: sas1 =? sas2

We can escape the lower bound if we use commitments to temporarily hide the hash key r until the adversary has transferred m̂, ĉ.
  ⊲ If the commitment scheme is non-malleable, the equivalence with the classical setting is preserved.
  ⊲ As we compare the hash values h(m, r) and h(m̂, r̂) over the out-of-band channel, we can achieve the new lower bound
    Pr[successful deception] ≈ 1/|T|.


SLIDE 7

Elimination of notification messages

In two-party protocols, we can use a random nonce r2 generated by the sender to eliminate the out-of-band notification message.
  ⊲ In the SAS-MCA protocol, r̂2 is XOR-ed into the initial SAS message. If an adversary violates the intended temporal order, the failure probability is still guaranteed to be optimal.
  ⊲ The MANA IV protocol uses a hash function h(m, r1, r2) with two sub-keys r1 and r2 to force the same temporal constraint.

The first approach does not generalise to the group setting, so we have to construct a special hash function with many sub-keys:
  h : M × R × · · · × R → T.


SLIDE 8

Message authentication for groups

Each participant contributes an input m_i and its identity id_i. At the end of a successful protocol run all participants should obtain
  ⊲ a list of messages m = (m_1, . . . , m_n);
  ⊲ a list of corresponding identities G = (id_1, . . . , id_n).

Some of the protocol participants might be maliciously corrupted:
  ⊲ An adversary succeeds in deception if two honest parties disagree on the output message m or on the group description G.

All participants should obtain the same hash code.
  ⊲ Comparing different code pairs over the out-of-band channel would make the protocol overly complex.


SLIDE 9

SAS-GMA protocol

First round. Each participant P_i:
  1. Generates a sub-key r_i ← R;
  2. Creates a commitment (c_i, d_i) ← Com_pk(i, r_i);
  3. Broadcasts m_i, c_i and receives messages m̂_j, ĉ_j from the other members.

Second round. Each participant P_i:
  1. Releases its decommitment d_i and receives d̂_j from the other members.
  2. Reconstructs the corresponding sub-keys (j, r̂_j) ← Open_pk(ĉ_j, d̂_j).
  3. Assembles the output message m̂ and the group description Ĝ.
  4. Computes the corresponding hash code sas_i ← h((m̂, Ĝ), r̂_1, . . . , r̂_n).

Third round. The protocol fails if the SAS messages sas_i are different.
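The three rounds above, run end to end. This is an added example and not the paper's code, and its primitives are stand-ins: Com_pk is replaced by a SHA-256 hash commitment, and h((m, G), r_1, …, r_n) by a toy linear hash (Σa_i)·H(m, G) + Σb_i mod 65521 with r_i = (a_i, b_i), a choice made for the example rather than the construction in the paper, so no ε_u/ε_r claims are made for it. The names Participant, run_sas_gma, make_group and the tamper hooks are the example's own, and the attacks are constructed. The run shows all honest parties reaching the same 16-bit SAS, a message substituted on one link making the SAS values disagree, and a replaced commitment (the impersonation case of the next slide) likewise detected; the temporal rule of round 2 is enforced by refusing to decommit before every commitment has arrived.

```python
from __future__ import annotations
import hashlib
import os
import random

SAS_PRIME = 65521  # largest prime below 2^16: a 16-bit SAS, four hex digits for the user to compare

def commit(payload: bytes) -> tuple[bytes, bytes]:
    """Hash commitment standing in for Com_pk: c = SHA-256(d), d = 16-byte nonce || payload."""
    d = os.urandom(16) + payload
    return hashlib.sha256(d).digest(), d

def open_commitment(c: bytes, d: bytes) -> bytes:
    """Open_pk: return the committed payload, or raise if d does not open c."""
    if hashlib.sha256(d).digest() != c:
        raise ValueError("commitment does not open")
    return d[16:]

def encode_subkey(ident: str, r: tuple[int, int]) -> bytes:
    # commitment payload (i, r_i): the identity is bound to the sub-key
    return ident.encode() + b"\x00" + r[0].to_bytes(4, "big") + r[1].to_bytes(4, "big")

def decode_subkey(payload: bytes) -> tuple[str, tuple[int, int]]:
    ident, rest = payload.split(b"\x00", 1)
    return ident.decode(), (int.from_bytes(rest[:4], "big"), int.from_bytes(rest[4:8], "big"))

def group_hash(msgs: list[bytes], group: list[str], subkeys: list[tuple[int, int]]) -> int:
    """Toy h((m, G), r_1..r_n) = (sum a_i) * H(m, G) + (sum b_i) mod SAS_PRIME, r_i = (a_i, b_i),
    where H is SHA-256 of the canonical (G, m) transcript reduced mod SAS_PRIME (example's own)."""
    transcript = b"".join(g.encode() + b"\x00" + m + b"\x00" for g, m in zip(group, msgs))
    x = int.from_bytes(hashlib.sha256(transcript).digest(), "big") % SAS_PRIME
    a_sum = sum(a for a, _ in subkeys) % SAS_PRIME
    b_sum = sum(b for _, b in subkeys) % SAS_PRIME
    return (a_sum * x + b_sum) % SAS_PRIME

class Participant:
    def __init__(self, ident: str, message: bytes, rng: random.Random | None = None):
        rng = rng or random.SystemRandom()  # OS randomness unless a seeded rng is injected (tests)
        self.ident, self.message = ident, message
        self.r = (rng.randrange(SAS_PRIME), rng.randrange(SAS_PRIME))  # sub-key r_i <- R
        self.c, self.d = commit(encode_subkey(ident, self.r))          # (c_i, d_i) <- Com(i, r_i)
        self.view = {ident: (message, self.c)}    # j -> (m_hat_j, c_hat_j) as received in round 1
        self.subkeys = {ident: self.r}            # j -> r_hat_j recovered in round 2

    def receive_round1(self, ident: str, m_hat: bytes, c_hat: bytes) -> None:
        self.view[ident] = (m_hat, c_hat)

    def round2_message(self, group_size: int) -> bytes:
        # temporal rule: d_i is released only after every round-1 commitment has arrived
        if len(self.view) != group_size:
            raise RuntimeError(f"{self.ident}: round 1 incomplete, refusing to decommit")
        return self.d

    def receive_round2(self, ident: str, d_hat: bytes) -> None:
        j, r_hat = decode_subkey(open_commitment(self.view[ident][1], d_hat))
        if j != ident:
            raise ValueError(f"sub-key from {ident} was committed under identity {j}")
        self.subkeys[ident] = r_hat

    def sas(self) -> int:
        group = sorted(self.view)                     # G_hat as this party sees it
        msgs = [self.view[j][0] for j in group]       # m_hat in the same order
        return group_hash(msgs, group, [self.subkeys[j] for j in group])

def make_group(idents: str, seed: int | None = None) -> list[Participant]:
    """Participants with constructed messages; a seed makes sub-keys reproducible (tests only)."""
    return [Participant(i, b"m_" + i.encode(), None if seed is None else random.Random(seed + k))
            for k, i in enumerate(idents)]

def run_sas_gma(parties: list[Participant], tamper1=None, tamper2=None) -> dict[str, int]:
    """In-process broadcast; tamper1(src, dst, m, c) and tamper2(src, dst, d) model an active
    adversary on the in-band channel. Returns each sas_i; round 3 succeeds iff they all agree."""
    for src in parties:
        for dst in parties:
            if src is not dst:
                m, c = tamper1(src.ident, dst.ident, src.message, src.c) if tamper1 else (src.message, src.c)
                dst.receive_round1(src.ident, m, c)
    for src in parties:
        d = src.round2_message(len(parties))
        for dst in parties:
            if src is not dst:
                dst.receive_round2(src.ident, tamper2(src.ident, dst.ident, d) if tamper2 else d)
    return {p.ident: p.sas() for p in parties}

def sas_agree(sas: dict[str, int]) -> bool:
    return len(set(sas.values())) == 1

# Constructed attacks on the link A -> C.  (1) substitution: alter A's message, keep its commitment.
def substitute_message(src, dst, m, c):
    return (b"pay EVIL 100", c) if (src, dst) == ("A", "C") else (m, c)

# (2) impersonation: replace A's commitment, and later its decommitment, with the adversary's own.
ADV_C, ADV_D = commit(encode_subkey("A", (12345, 6789)))

def substitute_commitment(src, dst, m, c):
    return (b"pay EVIL 100", ADV_C) if (src, dst) == ("A", "C") else (m, c)

def substitute_decommitment(src, dst, d):
    return ADV_D if (src, dst) == ("A", "C") else d
```

`run_sas_gma(make_group("ABC"))` returns one SAS value per party; `sas_agree` is the out-of-band comparison. In attack (1) A and B still agree with each other and only C's value differs, which is exactly the "two honest parties disagree" event of the previous slide; in attack (2) the adversary picked its own sub-key before A's r_A was opened, so the value it must hit is still uniform from its point of view.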


SLIDE 10

Security guarantees

Let n be the maximal size of the group G and let h be ε_u-almost universal w.r.t. each sub-key pair and ε_r-almost regular w.r.t. each sub-key. Then for any t there exists τ = t + O(1) such that if the commitment scheme is (τ, ε_b)-binding and (τ, ε_nm)-non-malleable, then the SAS-GMA protocol is (t, n·ε_nm + ε_b + max{ε_u, ε_r})-secure in the stand-alone model.

Intuition behind the proof
  ⊲ Non-malleability of commitments allows us to replace the commitments with non-transparent envelopes.
  ⊲ Almost regularity implies that the adversary cannot succeed in impersonation attacks: the adversary fails if it substitutes a commitment.
  ⊲ Almost universality implies that the adversary cannot succeed in substitution attacks: the adversary fails if the commitments are authentic but messages are altered.


SLIDE 11

Authentication and key management

Main principle. Use a key agreement protocol that is secure against passive adversaries and detect active attacks with user-aided data authentication.

It is enough to assure that all participants see the same protocol transcript.
  ⇒ Each participant knows that its messages have reached the target.

If we combine the SAS-GMA protocol with the Burmester-Desmedt key agreement protocol, we obtain a three-round key agreement protocol.

Another trick. If we authenticate the public keys of the group members, then we can form sub-groups without re-running the SAS-GMA protocol.

The protocol in the proceedings combines both techniques.


SLIDE 12

Final comments

The non-malleability requirement is essential. However, the required security level is low, as the short SAS leaves us a deception probability of 10⁻⁴ to 10⁻⁶ in any case.
  ⇒ Hash commitments are sufficient in practice.
  ⇒ The use of cryptographically secure commitments is overkill.

Since SAS-GMA does not rely on shared secrets, we can employ the protocol in any computational context as long as:
  ⊲ Participants can separate protocol messages from other messages.
  ⊲ The SAS message uniquely determines the protocol instance
    ⇒ All SAS-GMA instances that are active at the same time correspond to different groups.


SLIDE 13

Questions? Answers?