© UCL Crypto group Sep-15 A Security Analysis of Cliques Protocols Suites Olivier Pereira – Jean-Jacques Quisquater UCL Crypto Group

© UCL Crypto group 19/04/23

A Security Analysis of Cliques Protocols Suites

Olivier Pereira – Jean-Jacques QuisquaterUCL Crypto Group

© UCL Crypto group 19/04/23 Analysis of the A-GDH.2 Protocols 2

What are Cliques Protocols?• Suite of Group Key Agreement Protocols

http://www.isi.edu/~gts/CLIQUES/

• We are concentrating on the A-GDH.2 suiteAuthenticated - Group Diffie-Hellman.2

• Main Protocol: Key Generation• Several subprotocols:

– Member Adding (A-GDH.2-MA), Deleting– Group Splitting, Fusion of groups – ...


The A-GDH.2 Protocols

• All protocols are based on a single problem:

The Diffie-Hellman Decision Problemi.e. knowing and (mod p),

it is difficult to compute (mod p)• All Arithmetic is performed in a cyclic group

G that is a subgroup of prime order q of is a generator of G

• Each couple of users (Mi, Mj) shares a long-term key: Kij

*p

x yxy


The Key-Generation Protocol

• ri are random numbers

M1 M2 M3

M4

r1 r1 r2 r1r2

r1r2 r1r3 r2r3

r1r2r3

r2r3r4K14 r1r3r4K24 r1r2r4K34

•The shared Key is r1r2r3r4

• r1r2r3r4 = (r1r2r3)r4

= (r2r3r4K14)r1(1/K14)

= (r1r3r4K24)r2(1/K24)


Intended Security Properties• Implicit Key Authentication :

– A user that is not a member of the group cannot obtain the view of the key of one of the honest users

• Perfect Forward Secrecy :– The compromise of long-term key(s) cannot result in the

discovery of past session keys

• Resistance to Known-Key Attacks :– The compromise of past session keys cannot result in

the possibility of impersonation of honest parties in later sessions


Intended Security Properties• All these properties must be fulfilled in the

presence of an active attacker that is able to– intercept messages– delete messages– replay messages– substitute part of messages– …

• Only informal arguments are given to justify these properties


Two Approaches of Verification

Cryptographic

Random Oracle Paradigm

Messages as strings of bits

Probabilistic Security Properties

Formal

Use of logic, state exploration, nominal

calculus, …

Symbolic representation of Messages

Formal Expression of Security Properties


Two Approaches of Verification

• The “computational” aspect of these protocols makes it perhaps closer from “cryptographic” approaches (already used for A-DH…)

• We are trying to adapt ideas from the “formal” community

• Several notions close to the Strand Space approach• Intuitive...


Messages and Intruder’s Knowledge

• Three types of elements manipulated:– Random numbers : ri

– Long-term Keys : Kij

– Elements of G expressed as raised to a power that is a product of the elements of the two first types

• Behaviour of honest users:– “Blind” reception of a sequence of powers of – Exponentiation of these elements with random numbers and

long-term Keys


Messages and Intruder’s Knowledge (II)

• The Group-Key is generated in the same way

• Each member of the group computes the key, but has no confirmation of its value. We use “Sn(Mi)” to denote Mi’s view of the Group Key

• No correspondence properties intended between the views of the different users


Intended Security Properties (cont.)• Implicit Key Authentication

– The secret is not a value– The secret is the possession of a couple of values

presenting between them some connection. The relation is the secret!!!

Ex: Key computation in the Key Generation Protocol

Mn Mi: x , then Mi computes xri(1/Kin)=Sn(Mi).

The result of this computation is intended to be secret…

So any pair (x, xri(1/Kin)) can be used to attack Mi!

M1

Mn-1


• Two interesting sets of elements:– E = the set of the long-term keys and of the

random numbers– R = the set of all possible ratios between

products of elements of E.

The R-set will be used to model the connection between powers of

Ex: The ratio corresponding to the secret of M1 will be r1.(1/K1n)

Messages and Intruder’s Knowledge (III)


• We consider G as infinite – But G is very large...

• Our scheme does not allows the discovery of attacks that use connections between more than two elements of G.– But all secrets can be expressed as connections between

two elements...

• We will not capture the possibility of combining two powers of to obtain a new useful power of – But the (generalised) DDH-problem is hard...

Limitations of this Scheme


Intruder’s Capabilities• Capabilities in term of elements of E, R

– Let EI and RI be the subsets of elements of E and R known by the Intruder

– First rule: Exponentiation

(1) If e EI and r RI then r.e RI and r.e-1 RI

Ex: If the intruder knows x and xy, we will model it by y RI .

If he knows e EI, then he can deduce xye and xy(1/e) so y.e RI and y.e-1 RI


Intruder’s Capabilities (II)

• Other way to obtain new elements of G: Use of “Services”

• Service = s: G G : s(x) = px (where p is a product of elements of E)

• Each Service correspond to a transformation provided by a honest user during the execution of the protocol


Intruder’s Capabilities (III)• Second rule: use of Services:

– Let S be the set of available services

(2) If s S : s(x)= p.x, and r RI then r.p RI or r.p-1 RI

Ex: If the Intruder knows y and yz, we will model it by z RI . If s S : s(x)= p.x then

• if y is sent to the user providing s, the intruder will obtain the couple ( yp, yz) and z.p-1 RI

• if yz is sent to the user providing s, the intruder will obtain the couple ( y, yzp) and z.p RI


Proving Security Properties• The problem is:

– Knowing initial sets EI, RI, S

– Is it possible to derive a secret rs ( RS) by applying in a “suitable way” the rules (1) and (2) ???

• What is a “suitable way”?– The use of the (2)-rule needs some restrictions in

order to respect the availability of services

• Solution of this problem amounts to study a linear equation system!


Implicit Key Authentication for the Key Generation Protocol

1. Expression of EI, RI, S, RS

EI = , RI={r1}

S = {r2, …, rn-1, rnK1n, …, rnKn-1n}

RS={ | 1 i<n, rn}

2. Expression of the balance of the variables

We will first check the secrecy of

1ini Kr

111nKr


Implicit Key Authentication (II)3. System corresponding to

Balance for ri (i<n): r1= 1, r2= 0, …, rn-1= 0

Balance for rn: rnK1n+rnK2n+…+rnKn-1n= 0

Balance for Kin: rnK1n = -1, rnK2n = 0, …, rnKn-1n= 0

Inconsistency between the last n equations: is secret!

This can be easily transposed for the other secrets…

111nKr

111nKr


Implicit Key Authentication (III)

• What comes if I was member of another not disjoint group?

• It is possible to discover attacks…


Perfect Forward Secrecy1. Expression of EI, RI, S, RS

EI = {K1n, …, Kn-1n}, RI={r1}

S = {r2, …, rn-1, rnK1n, …, rnKn-1n}

RS={ | 1 i<n, rn}

2. Deletion of the elements of EI (due to the 1-rule)

RI={r1}

S = {r2, …, rn}

RS={ri | 1 i n}

3. Resolution of the system: This system admits trivial solutions for each secret!

1ini Kr


Perfect Forward Secrecy (II)• Attack upon M2

• In this scheme, S4(M2)=

• But if K24 is compromised, the Intruder is able to compute S4(M2) since he knows r2 !• But this is not very dangerous...

M1 M2 M3

M4

r1 r2 r1r2

r1r2 r1r3 r2r3

r1r2r3

r2r3r4K14 r1r3r4K24 r1r2r4K34

r1

1

22nKr


Perfect Forward Secrecy (III)• Attack upon Mn

• In this scheme, S4(M i)= (i>1)• But if K14 is compromised, the Intruder is able to compute S4(M i)!• This seems more dangerous!

M1 M2 M3

M4

r1 r2 r1r2

r1r2 r1r3 r2r3

r1r2r3

r1r2r3r4K14 r1r3r4K24 r1r2r4K34

r1 r1r2r3

nrrr ...21


Resistance to Known-Keys Attacks

• Similar...

• The resolution of the corresponding system provides anew several attacks. – One scheme has been proposed in the paper defining

the protocol (not really annoying)– We found two other schemes (more annoying!)


Addition of the A-GDH.2-MA Protocol

• Adding of a new memberM1 M2 M3

M4

r2r3r4r’4K14 r1r3r4r’4K24

r1r2r4r’4K34 r1r2r3r’4K44

r1r2r3r4r’4

M5

r2r3r4r’4r5K14K15

r1r3r4r’4r5K24K25

r1r2r4r’4r5K34K35

r1r2r3r’4r5K44K45

• The new key is intended to be r1r2r3r4r’4r5


Implicit Key Authentication?

• Simple fusion of the sets corresponding to the EI, RI, S, RS of the two protocols

• A little bit longer to write… But extremely regular!

• Several attacks found...– Ex: the use of the value r1 and of the services

rnr’n and K1nrnr’n provides the secret 1

1 1nr K


Scenario• Adding of a 4-th member

M1 M2 M3

M4

r1 r1 r2 r1r2

r2r3r’3K13 r1r3r’3K23

r1r2r’3K33 r1r2r3r’3

r2r3r’3K13 r1r3r’3K23 I

• I intercepts the broadcast of the Key Gen.

• I convince M3 to add a new member in the group and uses the first round of the M.A. protocol to produce a broadcast

• I shares a key with all members but M3...


Eventually...

KO: 1 Known-Key

1 User fooled

Resistance to Known Keys Attacks

KO: Compromising 1 long-

term key n-1 Users fooled Perfect Forward Secrecy

KO: Up to n-1 users fooledImplicit Key

Authentication

ResultProperty


Further Directions

• Incorporating our machinery in more general models

• Modify this protocol suite in such a way that is correct from our model point of view!

Documents

© UCL Crypto group Sep-15 A Security Analysis of Cliques Protocols Suites Olivier Pereira – Jean-Jacques Quisquater UCL Crypto Group