Group Key Exchange and Provable Security
joint work with E. Bresson and O. Chevassut
David Pointcheval
Département d'Informatique, ENS - CNRS
David.Pointcheval@ens.fr
http://www.di.ens.fr/~pointche

Overview
◆ Provable Security
◆ Key Agreement and Mutual Authentication
  ● Definitions
  ● Security Model
  ● Example
◆ Group Key Agreement
  ● Security Model
  ● Example (security result)
◆ Conclusion
David Pointcheval Group Key Exchange and Provable Security - 2 ENS-CNRS
Provably Secure Scheme
To prove the security of a cryptographic scheme, one has to make precise
◆ the algorithmic assumptions
◆ the security notions to be guaranteed
◆ a reduction: an adversary can help to break the assumption
Proof by Reduction
Reduction of a problem P to an attack Atk: let A be an adversary that breaks the scheme; then A can be used to solve P.
[figure: instance I of P → A → solution of I]
P intractable ⇒ scheme unbreakable

Practical Security
[figure: an adversary running within time t yields an algorithm against P running within time t' = T(t)]
◆ Complexity theory: T polynomial
◆ Exact security: T explicit
◆ Practical security: T small (linear)
E.g.: t' = 4t; P intractable within less than 2^80 operations ⇒ scheme unbreakable within less than 2^78 operations
Security Notions
According to the needs, one defines
◆ the goals of an adversary
◆ the means of an adversary, i.e. the available information
Authenticated Key Exchange
◆ Implicit authentication
  ● only the intended partners can compute the session key
◆ Semantic security
  ● the session key is indistinguishable from a random string
  ● modeled via a Test-query
Security Definitions (AKE)
[figure: the adversary sees the public data and the protocol flows; on a « Test » query on a key sk, a coin b is flipped and the adversary receives sk if b = 0 or a random string if b = 1; the adversary finally outputs b' (a guess for b)]

Further Properties
◆ Mutual authentication: they are both sure to share the secret with the people they think they do
◆ Forward secrecy: even if a long-term secret data is corrupted, previous shared secrets are still semantically secure
Formal Model
Bellare-Rogaway model revisited by Shoup
A can ask (history):
● send-queries
● reveal-queries
● execute-queries
● test-query
● corrupt-queries
[figure: the adversary A interacts with instance oracles A_1, B_1, …, A_i, B_i, …, A_a, B_b and finally outputs 0/1]
Semantic Security
◆ A misuse of the secret data is modeled by the reveal-query, which is answered by this secret data
◆ For the semantic security, the adversary asks one test-query, which is answered, according to a bit b, by
  ● b = 0: the actual secret data
  ● b = 1: a random string
⇒ the adversary has to guess this bit b

Passive/Active Adversaries
◆ Passive adversary: history built using the execute-queries → transcripts
◆ Active adversary: entire control of the network with send-queries:
  ● to send messages to Alice or Bob (in place of Bob or Alice respectively)
  ● to intercept, forward and/or modify messages
Forward Secrecy
Forward secrecy means that the adversary cannot distinguish a session key established before any corruption of the long-term private keys:
◆ the corrupt-query is answered by the long-term private key of the corrupted party
◆ then the test-query must be asked on a session key established before any corrupt-query
Diffie-Hellman Key Exchange
The most classical key exchange scheme has been proposed by Diffie and Hellman:
G = <g>, cyclic group of prime order q
◆ Alice chooses a random x ∈ Z_q, computes and sends X = g^x
◆ Bob chooses a random y ∈ Z_q, computes and sends Y = g^y
◆ They each can compute the session key K = Y^x = X^y

Properties
◆ If flows are authenticated, it is well-known to provide the semantic security of the session key under the Decisional Diffie-Hellman Problem
◆ If one derives the session key as k = H(K), where H is assumed to behave like a random oracle, semantic security is relative to the Computational Diffie-Hellman Problem
Further Features
◆ But there is no explicit authentication (replay attacks)
◆ Adding key confirmation rounds: mutual authentication [BPR00]
[figure: Alice holds the long-term pair (S_a, P_a), Bob holds (S_b, P_b)]
Alice: x ∈ Z_q, X = g^x; sends "Bob, X, σ(S_a, X)"
Bob: y ∈ Z_q, Y = g^y, K = X^y, k_1 = H(K||1); sends "Alice, Y, σ(S_b, X, Y), k_1"
Alice: K = Y^x; k_1 correct?; sends k_2 = H(K||2)
Bob: k_2 correct?
Both: k = H(K||0)
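Worked example (added here, not code from the slides): the three-flow exchange above in Python, over a toy prime-order group, with SHA-256 standing in for H and Schnorr signatures as an assumed instantiation of the signature σ under the long-term keys. Alice's signature and k_1 checks reject a Y swapped in transit, which is the point of the confirmation rounds.

```python
import hashlib
import secrets

# Toy prime-order group (assumption, far too small for real use):
# p = 2q + 1 with q prime; g = 4 generates the subgroup of order q of Z_p^*.
p, q, g = 10007, 5003, 4

def H(*parts):
    """Random-oracle stand-in for the slide's H: SHA-256 over 'a||b||...'."""
    return hashlib.sha256("||".join(str(x) for x in parts).encode()).hexdigest()

def fresh_pair():
    """Random exponent in [1, q-1] together with g^exponent (used alike for
    long-term keys (S, P), signature nonces and the DH shares x, y)."""
    e = secrets.randbelow(q - 1) + 1
    return e, pow(g, e, p)

def sign(S, *msg):
    """Schnorr signature, an assumed instantiation of the slide's sigma(S, msg)."""
    r, R = fresh_pair()
    e = int(H(R, *msg), 16) % q
    return R, (r + e * S) % q

def verify(P, sig, *msg):
    R, s = sig
    e = int(H(R, *msg), 16) % q
    return pow(g, s, p) == (R * pow(P, e, p)) % p

def run_bpr00(Sa, Pa, Sb, Pb, tamper_Y=None):
    """Three flows with key confirmation. Returns (k_alice, k_bob), or None
    as soon as a signature or a confirmation value fails to check."""
    x, X = fresh_pair()
    flow1 = ("Bob", X, sign(Sa, X))                          # Alice -> Bob
    if not verify(Pa, flow1[2], flow1[1]):
        return None
    y, Y = fresh_pair()
    K_bob = pow(flow1[1], y, p)
    flow2 = ("Alice", Y, sign(Sb, flow1[1], Y), H(K_bob, 1))  # Bob -> Alice
    if tamper_Y is not None:                                 # active adversary swaps Y
        flow2 = (flow2[0], tamper_Y, flow2[2], flow2[3])
    if not verify(Pb, flow2[2], X, flow2[1]):
        return None
    K_alice = pow(flow2[1], x, p)
    if H(K_alice, 1) != flow2[3]:                            # k_1 correct?
        return None
    k2 = H(K_alice, 2)                                       # Alice -> Bob
    if H(K_bob, 2) != k2:                                    # k_2 correct?
        return None
    return H(K_alice, 0), H(K_bob, 0)                        # k = H(K||0)
```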
Model of Communication
◆ A set of n players, modeled by oracles
◆ A multicast group consisting of a set of players
[figure: players A, B, C, D, each holding a long-term key pair (pk_A, sk_A), (pk_B, sk_B), (pk_C, sk_C), (pk_D, sk_D), forming a multicast group with session key sk]
Modeling the Adversary
● send: send messages to instances
● execute: obtain honest executions of the protocol
● reveal: obtain an instance's session key
● corrupt: obtain the value of the password
[figure: the adversary issues send, execute, reveal and corrupt queries against the players A, B, C, D holding (pk_A, sk_A), …, (pk_D, sk_D)]

Freshness
sk is fresh if it is known by the players but not the adversary (LL)
[figure: timeline with a reveal(sk) query and a corrupt query]
• after a reveal-query, sk is known
• after a corrupt-query, any future key is known
A Group Key Exchange
◆ Generalization of the 2-party DH: the session key is sk = H(g^{x_1 x_2 … x_n})
◆ Ring-based algorithm
  ● up-flow: the contributions of each instance are gathered
  ● down-flow: the last instance broadcasts the result
  ● end: instances compute the session key from the broadcast
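Worked example (added here, not the slides' own code): the up-flow, down-flow and end steps above in Python over a toy prime-order group, with SHA-256 standing in for H. The slide does not say what each flow carries; the block assumes the usual group Diffie-Hellman layout in which flow i carries g^{x_1…x_i} together with the all-but-one terms g^{x_1…x_i / x_j}, so the broadcast lets every instance finish with a single exponentiation.

```python
import hashlib
import secrets

# Toy prime-order group (assumption, far too small for real use):
# p = 2q + 1 with q prime; g = 4 generates the subgroup of order q of Z_p^*.
p, q, g = 10007, 5003, 4

def H(value):
    """Random-oracle stand-in for the slide's H."""
    return hashlib.sha256(str(value).encode()).hexdigest()

def random_exponents(n):
    """Fresh private contributions x_1..x_n, one per instance."""
    return [secrets.randbelow(q - 1) + 1 for _ in range(n)]

def up_flow(prev, x_i):
    """Instance i receives prev = (partials, product) with product = g^{x_1...x_{i-1}}
    and partials[j] = g^{x_1...x_{i-1} / x_j} for each earlier j. It raises both to
    x_i and appends the old product, which becomes its own all-but-i term."""
    partials, product = prev
    return [pow(v, x_i, p) for v in partials] + [product], pow(product, x_i, p)

def down_flow(last):
    """The last instance broadcasts the gathered all-but-j terms."""
    return last[0]

def session_key(broadcast, j, x_j):
    """Instance j: (g^{x_1...x_n / x_j})^{x_j} = g^{x_1...x_n}, then hash."""
    return H(pow(broadcast[j], x_j, p))

def group_key_exchange(xs):
    """Ring run over the given private exponents; returns each instance's derived
    key (all equal in an honest run). Every flow is sent in the clear."""
    flow = ([], g)                        # nothing gathered yet; product = g
    for x in xs:                          # up-flow around the ring
        flow = up_flow(flow, x)
    broadcast = down_flow(flow)           # down-flow
    return [session_key(broadcast, j, x) for j, x in enumerate(xs)]   # end

def expected_key(xs):
    """Reference value sk = H(g^{x_1 x_2 ... x_n}) from the slide, computed directly."""
    e = 1
    for x in xs:
        e = e * x % q
    return H(pow(g, e, p))
```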