Procedia Engineering 15 (2011) 1700 - 1704

Advanced in Control Engineering and Information Science

Insider attack on a password-based group key agreement

Hongtu Li, Liang Hu, Wei Yuan, Hongwei Li, Jianfeng Chu*

College of Computer Science and Technology, Jilin University, No.2699 Qianjin Street, Changchun, 130012, China

Abstract

In 2009, Zheng et al. proposed an efficient password-based group key agreement protocol resistant to dictionary attacks by adding password-authentication services to a non-authenticated multi-party key agreement protocol proposed by Horng. They claimed that the proposed protocol is very efficient since it only requires a constant number of rounds to agree upon a session key, and each user broadcasts a constant number of messages and only requires four exponentiations. Under the Decisional Diffie-Hellman assumption, they showed that the proposed protocol is provably secure in both the ideal-cipher model and the random-oracle model. But in this paper, we show that the protocol Zheng et al. proposed is vulnerable to an active insider attack.

© 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of [CEIS 2011]

Key words: password-based, authentication, group key agreement, insider attack

1. Introduction

Authenticated group key agreement (GKA) protocols enable a set of users communicating over an insecure, open network to establish a shared secret called a session key and furthermore to be guaranteed that they are indeed sharing this session key with each other (i.e., with their intended partners). The session key may be subsequently used to achieve cryptographic goals such as confidentiality or data integrity. Authenticated GKA protocols allow two or more users to agree upon a session key even in the presence of active adversaries. These protocols are designed to ensure that, in the group setting, no principals other than the members of the group can learn anything about the session key. Hence, authenticated GKA protocols provide a natural mechanism for achieving secure multicast communication in numerous group-oriented scenarios, such as video conferencing, secure replicated databases, collaborative applications and distributed computations.

* Corresponding author: Jianfeng Chu, Tel.: +86 13756492587 E-mail address: chujf@jlu.edu.cn.

1877-7058 © 2011 Published by Elsevier Ltd. doi:10.1016/j.proeng.2011.08.317

Since the elegant two-party key agreement protocol [1] was proposed by Diffie and Hellman in 1976, many papers have extended this two-party Diffie-Hellman protocol to the group setting. These GKA protocols are classified into two kinds: non-authenticated [2 - 5, 15] and authenticated [7, 9, 11, 12, 14]. Burmester and Desmedt [2, 3] proposed a well-known non-authenticated GKA protocol (BD for short) with a constant number of rounds under the broadcast channel. Horng [4] focused on the computational efficiency of GKA protocols and proposed a non-authenticated GKA protocol which requires only two rounds of communication. Recently, Katz and Yung [6] proposed a scalable compiler that transforms any GKA protocol into an authenticated one. They also applied their compiler to add authentication services to the BD protocol. However, this solution needs the support of a Public Key Infrastructure (PKI), which leads to more computation overhead.

Passwords are an ideal authentication approach for agreeing on a session key in the absence of a PKI or pre-distributed symmetric keys. There are several works on how to design PGKA protocols [8 - 12]. Zheng et al. presented an efficient and secure password-based group key agreement protocol in the static group setting, obtained by adding password-authentication services to the protocol proposed by Horng [4]. In their protocol, the legitimate users share only a low-entropy, human-memorable password and communicate over an insecure channel controlled by an active adversary, yet agree upon a high-entropy session key among themselves. They emphasize that their protocol is provably secure in the random-oracle and ideal-cipher models under the Decisional Diffie-Hellman (DDH) assumption. But in this paper, we point out that the messages of Zheng et al.'s password-based group key agreement protocol are not authenticated and can easily be forged or modified, and we give a method by which an insider attacker can impersonate a group member to all the other group members.

The remainder of this paper is organized as follows: In Section 2, we review the computational assumptions and Zheng et al.'s password-based group key agreement protocol. In Section 3, we describe the attack method in detail. In Section 4, we conclude.

2. Preliminaries

2.1. Decisional Diffie-Hellman (DDH) assumption

Let $G = \langle g \rangle$ be any finite cyclic group of prime order $q$. Informally, the DDH assumption is that it is difficult to distinguish the following real Diffie-Hellman distribution $\Gamma_{real}$ and random Diffie-Hellman distribution $\Gamma_{rand}$:

$\Gamma_{real} = \{ g^x, g^y, g^{xy} \mid x, y \in_R Z_q \}$, $\Gamma_{rand} = \{ g^x, g^y, g^z \mid x, y, z \in_R Z_q \}$

More formally, if we define the advantage function $Adv^{ddh}_G(A)$ as $Adv^{ddh}_G(A) = |\Pr[A(\Gamma) = 1 \mid \Gamma \in \Gamma_{real}] - \Pr[A(\Gamma) = 1 \mid \Gamma \in \Gamma_{rand}]|$, we say that the DDH assumption holds in group $G$ if $Adv^{ddh}_G(A)$ is negligible for any probabilistic polynomial time adversary $A$. We denote by $Adv^{ddh}_G(t)$ the maximum value of $Adv^{ddh}_G(A)$ over all adversaries $A$ running in time at most $t$.

2.2. Multi-Decisional Diffie-Hellman (MDDH) assumption

We present another computational assumption based on the Diffie-Hellman assumption. Let us define the real Multi Diffie-Hellman distribution $\Pi_{real}$ and the random Multi Diffie-Hellman distribution $\Pi_{rand}$ of size $n$ as follows:

$\Pi_{real} = \{ \{g^{x_i}\}_{1 \le i \le n}, \{g^{x_j x_{j+1}}\}_{1 \le j \le n-1} \mid x_1, \dots, x_n \in_R Z_q \}$

$\Pi_{rand} = \{ \{g^{x_i}\}_{1 \le i \le n}, \{g^{y_j}\}_{1 \le j \le n-1} \mid x_1, \dots, x_n, y_1, \dots, y_{n-1} \in_R Z_q \}$

We define the advantage function $Adv^{mddh}(A)$ as

$Adv^{mddh}(A) = |\Pr[A(X) = 1 \mid X \in \Pi_{real}] - \Pr[A(Y) = 1 \mid Y \in \Pi_{rand}]|$.

The MDDH assumption holds if $Adv^{mddh}(A)$ is negligible for any probabilistic polynomial time adversary $A$. Similarly, we denote by $Adv^{mddh}(t)$ the maximum value of $Adv^{mddh}(A)$ over all adversaries $A$ running in time at most $t$.

2.3. Review of Zheng et al.'s protocol

First, we present the notation used throughout this paper:

Nomenclature

$q$: a secure large prime.

$p$: a large prime such that $p = 2q + 1$.

$G_q$: the subgroup of quadratic residues in $Z_p^*$, that is $G_q = \{ i^2 \mid i \in Z_p^* \}$.

$g$: a generator of the subgroup $G_q$.

$(E_k, D_k)$: an ideal-cipher system. $E_k$ is a keyed permutation over $G_q$ and $D_k$ is the inverse of $E_k$; $k$ is the symmetric key.

$H: \{0,1\}^* \to \{0,1\}^{l_H}$, a hash function for generating the symmetric key.

$G: \{0,1\}^* \to \{0,1\}^{l_G}$, a hash function for generating the session key.

$F: \{0,1\}^* \to \{0,1\}^{l_F}$, a hash function for key confirmations.

$l_H$, $l_G$ and $l_F$ denote the output bit-lengths of $H$, $G$ and $F$, respectively. Without loss of generality, let $U = \{u_1, u_2, \dots, u_n\}$ be the initial set of users that want to generate a session key. Each user $u_i$ has a specific index $i$. Note that in the following, the indices are taken in a cycle, e.g. $u_{i-1}$ and $u_{i+1}$ are the left and right neighbors of $u_i$ for $1 \le i \le n$ ($u_{n+1} = u_1$, $u_0 = u_n$). $x \in_R X$ means that the element $x$ is chosen uniformly at random from the set $X$.

Suppose $n$ users share a low-entropy password $pw$ which is uniformly drawn from a small dictionary of size $N$, and wish to agree on a high-entropy common session key among themselves. Their PGKA protocol is obtained by modifying the non-authenticated GKA protocol of Horng [4] with a password-encrypted authentication mechanism. The protocol is described as follows:

Step 1: Each user $u_i$ ($1 \le i \le n$) chooses a random nonce $N_i$ and broadcasts $(u_i, N_i)$. Upon receiving all $(u_j, N_j)$ ($1 \le j \le n$, $j \ne i$), $u_i$ sets the session $S = \{(u_i, N_i) \mid 1 \le i \le n\}$.

Step 2: Each user $u_i$ chooses $x_i \in_R Z_q$, computes and broadcasts $\tilde{y}_i = E_{k_i}(y_i)$, where $y_i = g^{x_i} \bmod p$ and $k_i = H(S, i, pw)$.

Step 3: Each user $u_i$ decrypts $y_{i-1} = D_{k_{i-1}}(\tilde{y}_{i-1})$ and $y_{i+1} = D_{k_{i+1}}(\tilde{y}_{i+1})$. $u_1$ computes the left key $z_1^L = R_1$ and the right key $z_1^R = y_2^{x_1} \bmod p$, where $R_1 \in_R G_q$. $u_i$ ($1 < i < n$) computes the left key $z_i^L = y_{i-1}^{x_i} \bmod p$ and the right key $z_i^R = y_{i+1}^{x_i} \bmod p$. $u_n$ computes the left key $z_n^L = y_{n-1}^{x_n} \bmod p$ and the right key $z_n^R = R_n$, where $R_n \in_R G_q$. Then each user $u_i$ ($1 \le i \le n$) computes and broadcasts $z_i = z_i^L z_i^R \bmod p$. Note that $z_i^R = z_{i+1}^L$.

Step 4: Each user $u_i$ computes $K_i \bmod p$ exactly as in Step 3 of Horng's protocol, then computes and broadcasts his key confirmation $F_i = F(S, i, \alpha, K_i)$, where $\alpha = \{(j, z_j) \mid 1 \le j \le n\}$.

Step 5: After receiving and checking all key confirmations, user $u_i$ computes the session key as $sk_i = G(S, \beta, K_i)$, where $\beta = \{(j, z_j, F_j) \mid 1 \le j \le n\}$.

3. Attack on Zheng et al.'s protocol

Although Zheng et al. claimed that their protocol is secure, our analysis points out a flaw in Zheng et al.'s protocol with respect to insider attacks. The attack process is described as follows:

Let $U = \{u_1, u_2, \dots, u_n\}$ be the initial set of users that want to generate a session key. As described in Section 2.3, the $n$ users share a low-entropy password $pw$. $u_{i-1}$ and $u_{i+1}$ are the left and right neighbors of $u_i$ for $1 \le i \le n$ ($u_{n+1} = u_1$, $u_0 = u_n$). We suppose that user $u^* \in U$ has participated in a previous session to make a group key. We assume $u^*$ can control the network of $u_r \in U$, whom he/she wants to impersonate.

Step 1: Each user $u_i$ ($1 \le i \le n$) chooses a random nonce $N_i$ and broadcasts $(u_i, N_i)$. Upon receiving all $(u_j, N_j)$ ($1 \le j \le n$, $j \ne i$), $u_i$ sets the session $S = \{(u_i, N_i) \mid 1 \le i \le n\}$.

Step 2: Each user $u_i$ chooses $x_i \in_R Z_q$, computes and broadcasts $\tilde{y}_i = E_{k_i}(y_i)$, where $y_i = g^{x_i} \bmod p$ and $k_i = H(S, i, pw)$. Then $u^* \in U$, who wants to impersonate $u_r \in U$ to the other users, intercepts and captures the message $u_r$ broadcast and forges the message as follows:

$u^*$ picks $x_r^* \in_R Z_q$ and computes $\tilde{y}_r^* = E_{k_r}(y_r^*)$, where $y_r^* = g^{x_r^*} \bmod p$ and $k_r = H(S, r, pw)$; $u^*$ broadcasts $\tilde{y}_r^*$ as if he/she were $u_r$.

Step 3: Each user $u_i$ decrypts $y_{i-1} = D_{k_{i-1}}(\tilde{y}_{i-1})$ and $y_{i+1} = D_{k_{i+1}}(\tilde{y}_{i+1})$. So users $u_{r-1}$ and $u_{r+1}$ decrypt $y_r^* = D_{k_r}(\tilde{y}_r^*)$. User $u^*$, as $u_r$, decrypts $y_{r-1} = D_{k_{r-1}}(\tilde{y}_{r-1})$ and $y_{r+1} = D_{k_{r+1}}(\tilde{y}_{r+1})$. $u_1$ computes the left key $z_1^L = R_1$ and the right key $z_1^R = y_2^{x_1} \bmod p$, where $R_1 \in_R G_q$.

$u_i$ ($1 < i < n$, $i \ne r$) computes the left key $z_i^L = y_{i-1}^{x_i} \bmod p$ and the right key $z_i^R = y_{i+1}^{x_i} \bmod p$. So $u^*$, as $u_r$, computes the left key $z_r^{*L} = y_{r-1}^{x_r^*} \bmod p$ and the right key $z_r^{*R} = y_{r+1}^{x_r^*} \bmod p$.

$u_n$ computes the left key $z_n^L = y_{n-1}^{x_n} \bmod p$ and the right key $z_n^R = R_n$, where $R_n \in_R G_q$.

Then each user $u_i$ ($1 \le i \le n$, $i \ne r$) computes and broadcasts $z_i = z_i^L z_i^R \bmod p$. Note that $z_i^R = z_{i+1}^L$. Here $z_r^* = z_r^{*L} z_r^{*R} \bmod p$.

Step 4: Each user $u_i$ ($1 \le i \le n$, $i \ne r$) computes $K_i^* \bmod p$ exactly as in Step 3 of Horng's protocol, then computes and broadcasts his/her key confirmation $F_i^* = F(S, i, \alpha^*, K_i^*)$, where $\alpha^* = \{(j, z_j) \mid 1 \le j \le n, j \ne r\} \cup \{(r, z_r^*)\}$.

Step 5: After receiving and checking all key confirmations, user $u_i$ computes the session key as $sk_i^* = G(S, \beta^*, K_i^*)$, where $\beta^* = \{(j, z_j, F_j) \mid 1 \le j \le n, j \ne r\} \cup \{(r, z_r^*, F_r^*)\}$.

As the above attack shows, any user can be an attacker who impersonates any one of the users in the set to the others. As an insider in Zheng et al.'s password-based group key agreement protocol, he/she cannot be told apart from the impersonated user by the others, because the $n$ users share a common password.
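The following is an added Python model of the protocol of Section 2.3 and the impersonation of Section 3; it is not code from this paper or from Zheng et al. It uses constructed toy parameters ($q = 1019$, $p = 2039$, $g = 4$), SHA-256 with domain separation as a stand-in for $H$, $G$ and $F$, a seeded shuffle of $G_q$ as a stand-in for the ideal cipher $(E_k, D_k)$, and, because the page does not reproduce Horng's Step 3, an assumed key derivation in which each user unwinds the chain $z_j = z_j^L z_j^R$, $z_j^R = z_{j+1}^L$ from its own pair and sets $K = \prod_j z_j^L \bmod p$. The names `run_session`, `derive_K`, `E` and `D` are ours. What the model exhibits is the property the paper relies on: since every member holds $pw$, the decryption under $k_r = H(S, r, pw)$ and the later key confirmations cannot distinguish $u^*$ from $u_r$, so the honest members and $u^*$ complete all checks while the real $u_r$, fed the same broadcasts, ends up with a different key.

```python
"""Constructed toy model of the reviewed PGKA protocol (Section 2.3) and the insider
impersonation of Section 3.  Parameters are tiny, the ideal cipher is a seeded shuffle of
G_q, and K_i uses an assumed chain unwinding because the page omits Horng's Step 3."""
import hashlib
import random

Q = 1019                 # toy prime q (constructed; real parameters are hundreds of bits)
P = 2 * Q + 1            # safe prime p = 2q + 1 = 2039
G = 4                    # 2^2 is a quadratic residue, so it generates the order-q subgroup G_q
GQ = sorted({pow(i, 2, P) for i in range(1, P)})   # G_q = {i^2 | i in Z_p^*}, exactly q elements
POS = {v: idx for idx, v in enumerate(GQ)}


def _hash(tag, *parts):
    """Domain-separated SHA-256 standing in for the hash functions H, G and F."""
    data = tag.encode() + b"|" + b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def H(S, i, pw):
    return _hash("H", S, i, pw)          # symmetric key k_i = H(S, i, pw)


def F(S, i, alpha, K):
    return _hash("F", S, i, alpha, K)    # key confirmation F_i


def Gkey(S, beta, K):
    return _hash("G", S, beta, K)        # session key sk_i


def _perm(k):
    """Keyed permutation of G_q indices: a toy stand-in for the ideal cipher E_k."""
    perm = list(range(Q))
    random.Random(k).shuffle(perm)
    return perm


def E(k, y):
    return GQ[_perm(k)[POS[y]]]


def D(k, c):
    return GQ[_perm(k).index(POS[c])]


def derive_K(n, i, zL_i, zR_i, z):
    """Assumed stand-in for Horng's Step 3: from u_i's own (z_i^L, z_i^R) and the broadcast
    z_j = z_j^L z_j^R, using z_j^R = z_{j+1}^L, recover every z_j^L and set K = prod_j z_j^L mod p."""
    L, R = {i: zL_i}, {i: zR_i}
    for j in range(i + 1, n + 1):            # walk to the right neighbours
        L[j] = R[j - 1]
        R[j] = z[j] * pow(L[j], -1, P) % P
    for j in range(i - 1, 0, -1):            # walk to the left neighbours
        R[j] = L[j + 1]
        L[j] = z[j] * pow(R[j], -1, P) % P
    K = 1
    for j in range(1, n + 1):
        K = K * L[j] % P
    return K


def run_session(n, pw, r=None):
    """Run one session among u_1..u_n sharing pw.  With r set, an insider u* (any member, since
    every member knows pw) drops u_r's Step-2 broadcast and substitutes a forged one as in Section 3.
    Returns (session key per slot, whether all confirmations verified, the real u_r's own key)."""
    rng = random.SystemRandom()
    S = tuple((i, rng.getrandbits(64)) for i in range(1, n + 1))       # Step 1: nonces, session S
    x = {i: rng.randrange(1, Q) for i in range(1, n + 1)}              # Step 2: x_i, y_i, E_{k_i}(y_i)
    k = {i: H(S, i, pw) for i in range(1, n + 1)}
    ct = {i: E(k[i], pow(G, x[i], P)) for i in range(1, n + 1)}
    real_x_r = None
    if r is not None:
        real_x_r = x[r]                       # the victim's exponent is never seen by anyone
        x[r] = rng.choice([v for v in range(1, Q) if v != real_x_r])   # u* picks its own x_r^*
        ct[r] = E(H(S, r, pw), pow(G, x[r], P))   # pw alone yields k_r: nothing ties k_r to u_r

    def neighbour_keys(i, xi):                # Step 3: decrypt neighbours, form z_i^L and z_i^R
        zL = rng.choice(GQ) if i == 1 else pow(D(k[i - 1], ct[i - 1]), xi, P)   # R_1 for u_1
        zR = rng.choice(GQ) if i == n else pow(D(k[i + 1], ct[i + 1]), xi, P)   # R_n for u_n
        return zL, zR

    pairs = {i: neighbour_keys(i, x[i]) for i in range(1, n + 1)}
    z = {i: pairs[i][0] * pairs[i][1] % P for i in range(1, n + 1)}
    alpha = tuple((j, z[j]) for j in range(1, n + 1))                   # Step 4: K_i and F_i
    K = {i: derive_K(n, i, *pairs[i], z) for i in range(1, n + 1)}
    Fc = {i: F(S, i, alpha, K[i]) for i in range(1, n + 1)}
    ok = all(Fc[j] == F(S, j, alpha, K[i]) for i in K for j in K)      # everyone checks everyone
    beta = tuple((j, z[j], Fc[j]) for j in range(1, n + 1))             # Step 5: sk_i
    sk = {i: Gkey(S, beta, K[i]) for i in range(1, n + 1)}
    victim_sk = None
    if r is not None:                          # what the real u_r derives from the same broadcasts
        victim_sk = Gkey(S, beta, derive_K(n, r, *neighbour_keys(r, real_x_r), z))
    return sk, ok, victim_sk


if __name__ == "__main__":
    sk, ok, _ = run_session(5, "correct horse")
    print("honest run: single key =", len(set(sk.values())) == 1, "confirmations ok =", ok)
    sk, ok, victim = run_session(5, "correct horse", r=3)
    print("insider run: group agrees =", len(set(sk.values())) == 1, "confirmations ok =", ok,
          "real u_3 holds a different key =", victim not in sk.values())
```

The check that fails to protect $u_r$ is visible in `run_session`: the forged ciphertext is built from `H(S, r, pw)`, a value every member can compute, and `neighbour_keys` of $u_{r-1}$ and $u_{r+1}$ accept whatever decrypts under that key. Any fix has to bind the index $r$ to something only $u_r$ holds, which a single group-wide password cannot provide.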

4. Conclusion

In this paper, we have shown that Zheng et al.'s password-based key agreement is not as secure as stated by the authors. Our proposed attack compromises Zheng et al.'s protocol, causing the users of the group to fail to agree upon a common communication key. Thus, the group members cannot communicate securely.

References

[1] Diffie W, Hellman ME. New directions in cryptography. IEEE Transactions on Information Theory, 1976; 22(6): 644 - 54.

[2] Burmester M, Desmedt Y. A secure and efficient conference key distribution system. Proc. Eurocrypt'94, Lecture Notes in Computer Science, Berlin, 1994; 950: 275 - 86.

[3] Burmester M, Desmedt Y. A secure and scalable group key exchange system. Information Processing Letters, 2005; 94 (3): 137- 43.

[4] Horng G. An efficient and secure protocol for multi-party key establishment. The Computer Journal, 2001; 44(5):464 - 70.

[5] Tseng Y.M. A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 2005; 48(4): 480 - 86.

[6] Katz J, Yung M. Scalable protocols for authenticated group key exchange. Proc. Crypto'03, Lecture Notes in Computer Science, Berlin, 2003; 2729: 110 - 25.

[7] Bellare M, Pointcheval D, Rogaway P. Authenticated key agreement secure against dictionary attacks. Proc. EUROCRYPT 2000, Lecture Notes in Computer Science, Berlin, 2000; 1807: 139 - 55.

[8] Asokan N, Ginzboorg P. Key agreement in ad-hoc networks. Journal of Computer Communications, 2000;23(17): 1627 - 37.

[9] Bresson E, Chevassut O, Pointcheval D. Group Diffie-Hellman key exchange secure against dictionary attack. Proc. ASIACRYPT'02, Lecture Notes in Computer Science, Berlin, 2002; 2501: 497 - 514.

[10] Dutta R, Barua R. Password-based encrypted group key agreement. International Journal of Network Security, 2006;3(1): 30-41.

[11] Abdalla M, Bresson E, Chevassut O, Pointcheval D. Password-based group key exchange in a constant number of rounds. Proc. PKC'06, Lecture Notes in Computer Science, Berlin, 2006; 3958: 427 - 42.

[12] Lee S, Hwang J.Y, Lee D.H. Efficient password-based group key exchange, Proc. TrustBus'04, Lecture Notes in Computer Science, Berlin, 2004; 3184: 191 - 9.

[13] Abdalla M, Fouque P.A, Pointcheval D. Password-based authenticated key exchange in the three-party setting, Proc. PKC'05, Lecture Notes in Computer Science, Berlin, 2005; 3386: 65 - 84.

[14] Bresson E, Chevassut O, Pointcheval D, Quisquater J. Provably authenticated group Diffie-Hellman key exchange. Proc. CCS'01, Philadelphia, 2001; 255 - 64.

[15] Steiner M, Tsudik G, Waidner M. Diffie-Hellman key distribution extended to group communication. Proc. CCS'96, New Delhi, 1996; 31 - 7.

[16] Byun J.W, Lee D.H, Lim J.I. EC2C-PAKA: an efficient client-to-client password authenticated key agreement, Information Sciences, 2007; 177(19): 3995 - 4013.

[17] Zheng MH, Zhou HH, Li J, Cui GH. Efficient and provably secure password-based group key agreement protocol. Computer Standards & Interfaces, 2009; 31(5): 948 - 53.