A Weakness in the Bresson-Chevassut-Essiari-Pointcheval - PowerPoint PPT Presentation

Source: IEEE Communications Letters, vol. 9, no. 5, pp. 429-431, May 2005. Speaker: Hao-Chuan Tsai ... each mobile U holds a long-lived key LLU, which is a pair ...



1
  • A Weakness in the Bresson-Chevassut-Essiari-Pointcheval's
    Group Key Agreement Scheme for Low-Power Mobile Devices
  • Authors: Junghyun Nam, Seungjoo Kim, and Dongho Won
  • Source: IEEE Communications Letters, vol. 9, no. 5,
    pp. 429-431, May 2005
  • Speaker: Hao-Chuan Tsai
  • Date: 2005/10/06

2
Outline
  • Review of Bresson et al.'s scheme
  • Security Analysis
      • Implicit key authentication
      • Forward secrecy
      • Known key security
  • An improved version
  • Conclusion

3
Modeling unbalanced wireless networks
  • Wireless nodes
  • Our model is a set $C$ of $N$ wireless-capable
    mobile devices (clients) and a wireless gateway
    (server).
  • The wireless client group $g_c$ consists of the
    clients communicating with the server.
  • The server $S$ has the special role of adding and
    removing clients from the group $g_c$.
  • Each mobile $U$ holds a long-lived key $LL_U$, which
    is a pair of matching public/private keys.

4
Key Agreement
  • Protocol preliminaries
  • Each client $U_i$ holds a pair of signing
    private/public keys $(SK_i, PK_i)$.
  • Three hash functions:
      • $H : \{0,1\}^* \to \{0,1\}^{l}$
      • $H_0 : \{0,1\}^* \to \{0,1\}^{l_0}$
      • $H_1 : \{0,1\}^{l_1} \times G \to \{0,1\}^{l_0}$, where $l_1$ is the
        maximal bit-length of a counter $c$ used to prevent
        replay attacks

5
Bresson et al.'s scheme: Setup (1/2)
  • Setup
  • $U_i$ chooses at random a value $x_i \in \mathbb{Z}_q$ and
    precomputes $y_i = g^{x_i}$ and $a_i = PK_S^{x_i}$, as well as a
    signature $s_i$ of $y_i$ under the private key $SK_i$.
    $U_i$ then sends $(y_i, s_i)$ to $S$.
  • The server $S$ checks each signature $s_i$ using $PK_i$
    and, if they are all correct, computes the values
    $a_i = y_i^{x}$.
  • The server initializes the counter $c = 0$ as a
    bit-string of length $l_1$, computes the shared
    value $K = H_0(c \,\|\, \{a_i\}_i)$, and sends to each client
    $U_i$ the value $c$ and $K_i = K \oplus H_1(c \,\|\, a_i)$.
  • Each client $U_i$ (and $S$) recovers the shared secret
    value $K$ and the session key $sk$ as described
    below, and accepts:
  • $K = K_i \oplus H_1(c \,\|\, a_i)$ and
    $sk = H(K \,\|\, g_c \,\|\, S)$.

6
Bresson et al.'s scheme: Setup (2/2)

7
Security Analysis: Implicit Key Authentication (1/2)
  • Two-run attack scenario
  • First run
      • Adversary $A$, who is a legal client, computes the
        shared secret value $K$.
      • He then obtains $H_1(c \,\|\, a_i)$ for all $i$ by computing
        $H_1(c \,\|\, a_i) = K \oplus K \oplus H_1(c \,\|\, a_i) = K \oplus K_i$,
        which can be done without knowing $a_i$.
      • $A$ records $H_1(c \,\|\, a_i)$ and $(y_i, s_i)$ for all $i$.

8
Security Analysis: Implicit Key Authentication (2/2)
  • Second run
      • For some $U_j$ who participated in the first run, $A$
        replaces the message $(y'_j, s'_j)$ with $(y_j, s_j)$.
      • Since $(y_j, s_j)$ was a legal pair, the server will
        compute the shared secret value $K'$ as per
        protocol and will send to client $U_j$ the value
        $c = 0$ and $K'_j = K' \oplus H_1(c \,\|\, a_j)$.
      • $A$ can recover the shared secret value $K'$ by
        computing $K' = K'_j \oplus H_1(c \,\|\, a_j)$.
      • Finally, $A$ can share the same session key
        $sk' = H(K' \,\|\, g_c \,\|\, S)$.
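
The two-run scenario on slides 7 and 8, as an added Python example (not code from the slides or from the paper). The toy group, SHA-256 as H0/H1, the HMAC stand-in for the signature s_i, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

P, Q, G = 2039, 1019, 4   # toy group (constructed): G has prime order Q in Z_P*

def h(tag, *parts):       # tagged SHA-256, standing in for H0 and H1
    return hashlib.sha256(tag + "|".join(map(str, parts)).encode()).digest()

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def sign(sk, y):          # HMAC stand-in for the signature s_i, which covers y_i only
    return hmac.new(sk, str(y).encode(), "sha256").digest()

def client_msg(sk):       # returns x_i and the Setup message (y_i, s_i)
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    return x, (y, sign(sk, y))

class Server:
    def __init__(self, keys):
        self.keys = keys                      # per-client verification keys
        self.x = secrets.randbelow(Q - 1) + 1
        self.pk = pow(G, self.x, P)           # PK_S

    def setup(self, msgs):                    # msgs: {client id: (y_i, s_i)}
        for i, (y, s) in msgs.items():
            if not hmac.compare_digest(s, sign(self.keys[i], y)):
                raise ValueError("bad signature from " + i)
        c = 0                                 # counter starts at 0 in every Setup
        a = {i: pow(y, self.x, P) for i, (y, _) in msgs.items()}
        self.K = h(b"H0", c, *(a[i] for i in sorted(a)))
        return c, {i: xor(self.K, h(b"H1", c, a[i])) for i in a}

def replay_demo():
    keys = {i: secrets.token_bytes(16) for i in ("A", "U1", "U2")}
    srv = Server(keys)
    # Run 1: A is a legal client, recovers K, then unmasks H1(c||a_i) = K xor K_i.
    sent = {i: client_msg(keys[i]) for i in keys}
    c, Ki = srv.setup({i: m for i, (_, m) in sent.items()})
    k1 = srv.K
    a_A = pow(srv.pk, sent["A"][0], P)        # a_A = PK_S^{x_A}
    K = xor(Ki["A"], h(b"H1", c, a_A))
    masks = {i: xor(K, Ki[i]) for i in Ki}
    # Run 2: A is not a member; U1's fresh pair is replaced by its run-1 pair.
    run2 = {"U1": sent["U1"][1], "U2": client_msg(keys["U2"])[1]}
    c2, Ki2 = srv.setup(run2)
    K2 = xor(Ki2["U1"], masks["U1"])          # K' = K'_j xor H1(c||a_j)
    return {"member_key_ok": K == k1, "replayed_key_recovered": K2 == srv.K, "same_counter": c2 == c}
```

The replayed pair verifies because the signature covers only y_j, and the mask H1(c||a_j) repeats because both c and a_j are unchanged between the two runs.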

9
Security Analysis: Forward Secrecy
  • Assume $A$ wants to recover the session key
    established in the first run of the protocol, in
    which he has not participated.
  • Assume that the private signing key $SK_j$ of
    some other client $U_j$ is exposed to $A$.

10
Security Analysis: Forward Secrecy
  • First run
      • Record the transmitted messages $(y_i, s_i)$ and
        $K_i = K \oplus H_1(c \,\|\, a_i)$.
  • Second run
      • $A$ is a normal client and sends $(y_A, s_A)$ to the
        server. Next, he replaces $(y'_j, s'_j)$ sent by $U_j$
        with $(y_i, s''_j)$, where $s''_j$ is the signature of $y_i$