SAS-Based Group Authentication and Key Agreement Protocols Sven Laur 1 , 2 and Sylvain Pasini 3 2 University of Tartu 1 Helsinki University of Technology 3 Ecole Polytechnique F´ ed´ erale de Lausanne
Brief outline • User-aided data authentication ⊲ What is user-aided data authentication? ⊲ Why do we need it in practice? • Two-party protocols ⊲ The simplest protocol ⊲ More advanced techniques • Group authentication and key management ⊲ SAS-GMA protocol ⊲ How to combine SAS-GMA with key agreement protocols? The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 1
Motivation Communication in wireless networks can be altered and modified. ⊲ We need common key to bootstrap some security mechanisms. ⊲ Common key agreement protocols are secure against passive adversaries. ⊲ We cannot implement a global public-key infrastructure. Maintaining public-key infrastructure can be difficult in practice. ⊲ Missing certificate chains in web browsers. ⊲ Malicious alterations and additions of certificate chains. ⊲ Maliciously corrupted programs and computers. Can user detect malicious behaviour with high probability? The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 2
Security model Classical message authentication sk sk m, ˆ m, t ˆ t m, ˆ t ← mac sk ( m ) Ver sk ( ˆ t ) User-aided message authentication α ˆ α ˆ β β ˆ γ γ ? = sas 2 sas 1 sas 1 ← Hash ( α, ˆ sas 2 ← Hash (ˆ α, β, ˆ γ ) β, γ ) The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 3
Simplified MANA-II protocol m, t m ∈ M Acknowledge data arrival r ← R Reveal hash key k t ← h ( m, r ) ? ˆ = h ( ˆ m, r ) t Due to temporal restrictions, we end up in the classical setting m, ˆ ⊲ Secret key r is released only after the adversary has delivered ˆ t . ⊲ The protocol is secure if h is almost universal hash function Due to the classical Simmon’s lower bounds, we lose half bits: � Pr [ Successful deception ] ≥ |R| . The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 4
Quick fix pk pk m ∈ M m, c r ← R Acknowledge data arrival t ← h ( m, r ) d c, ˆ r ← Open pk (ˆ ˆ d ) ? = sas 1 sas 1 ( c, d ) ← Com pk ( m ) sas 1 ← h ( m, r ) sas 2 ← h ( ˆ m, ˆ r ) We can escape the lower bound if we use commitments to temporarily hide the hash key r until the adversary transfers ˆ m, ˆ c . ⊲ If the commitment scheme is non-malleable, the equivalence is preserved. ⊲ As we compare the hash values h ( m, r ) and h ( ˆ m, ˆ r ) over the out-of-band channel, we can achieve the new lower bound Pr [ Successful deception ] ≈ 1 |T | . The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 5
Elimination of notification messages In two-party protocols, we can use a random nonce r 2 generated by the sender to eliminate the out-of-band notification message. ⊲ In the SAS-MCA protocol, ˆ r 2 is XOR-ed to the initial SAS-message. If an adversary violates the intended temporal order, then the failure probability is guaranteed to be optimal. ⊲ The MANA IV protocol uses the hash function h ( m, r 1 , r 2 ) with two sub-keys r 1 and r 2 to force the same temporal constraint. The first approach does not generalise to the group setting and we have to construct a special hash function with many sub-keys: h : M × R × · · · × R → T . The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 6
Message authentication for groups Each participant contributes an input m i and its identity id i . At the end of a successful protocol run all participants should obtain ⊲ a list of messages m = ( m 1 , . . . , m n ) ; ⊲ a list of corresponding identities G = ( id 1 , . . . , id n ) . Some of the protocol participants might be maliciously corrupted: ⊲ An adversary succeeds in deception if two honest parties disagree on the output message m or on the group description G . All participants should obtain the same hash code. ⊲ Comparing different code pairs over the out-of-band channel makes the protocol overly complex. The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 7
SAS-GKA protocol First round. Each participant P i : 1. Generates a sub-key r i ← R ; 2. Creates a commitment ( c i , d i ) ← Com pk ( i, r i ) ; 3. Broadcasts m i , c i and receives messages ˆ m j , ˆ c j from other members. Second round. Each participant P i : 1. Releases its decommitment d i and receives ˆ d j from other members. c j , ˆ 2. Reconstructs the corresponding sub-keys ( j, ˆ r j ) ← Open pk (ˆ d j ) . m and the group description ˆ 3. Assembles the output message ˆ G . m , ˆ 4. Computes the corresponding hash code sas i ← h (( ˆ G ) , ˆ r 1 , . . . , ˆ r n ) Third round. Protocol fails if the SAS messages sas i are different. The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 8
Security guarantees Let n be the maximal size of the group G and h be ε u -almost universal w.r.t. each sub-key pair and ε r -almost regular w.r.t. each sub-key. Then for any t there exists τ = t + O(1) such that if the commitment scheme is ( τ, ε b ) -binding and ( τ, ε nm ) -non-malleable, then the SAS-GMA protocol is ( t, n · ε nm + ε b + max { ε u , ε r } ) -secure in the stand-alone model. Intuition behind the proof ⊲ Non-malleability of commitments allows us to replace the commitments with non-transparent envelopes. ⊲ Almost regularity implies that the adversary cannot be successful in impersonation attacks. The adversary fails if it substitutes a commitment. ⊲ Almost universality implies that the adversary cannot be successful in substitution attacks. The adversary fails if commitments are authentic but messages are altered. The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 9
Authentication and key management Main principle. Use a key agreement protocol that is secure against passive adversaries and detect active attacks with user-aided data authentication. It is enough to assure that all participants see the same protocol transcript. ⇒ Each participant knows that its messages have reached the target. If we combine the SAS-GKA protocol with the Burmester-Desmedt key agreement protocol, we obtain three-round key agreement protocol. Another trick. If we authenticate the public keys of group members, then we can form sub-groups without re-running the SAS-GKA protocol. The protocol in the proceedings combines both techniques. The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 10
Final comments The non-malleability requirement is essential. However, the required security level is low, as we are destined to fail with probability 10 − 4 – 10 − 6 . ⇒ Hash commitments are sufficient in practice. ⇒ The use of cryptographically secure commitments is overkill. Since the SAS-GKA does not rely on shared secrets, we can employ the protocol in any computational context as long as: ⊲ Participants can separate protocol messages from other messages. ⊲ The SAS message uniquely determines the protocol instance ⇒ All SAS-GKA instances that are active at the same time correspond to different groups. The 11th International Workshop on Practice and Theory in Public Key Cryptography Barcelona, March 5, 2008 11
Questions? Answers?
Recommend
More recommend
