Authenticated Group Key Agreement and Friends

1
Authenticated Group Key Agreement and Friends

• Giuseppe Ateniese, Michael Stiener and Gene
  Tsudik
• Presented by Jaideep Mahalati

1
2
Outline

• Introduction
• Group Key Agreement
• Goals and Definition
• Authenticated Group Key Agreement Protocols
• Complete Group Key Authentication
• Conclusions
• Future Work

3
Group Key Agreement

• Definition
• It is a key establishment technique whereby a
  shared secret is derived by two or more specified
  parties as a function of information contributed
  by each of these, such that no party can
  predetermine the resulting value.
• Goals
• Perfect Forward Secrecy (PFS)
• Resistance to Known-Key Attacks
• Key Authentication
• Key Confirmation an Key Integrity

4
Few More Definitions

• Perfect Forward Secrecy
• Compromise of a long term key(s) cannot result
  in the compromise of past session keys.
• Known Key Attacks
• Protocol is vulnerable to known key attack if
  compromise of past session keys allows 1) a
  passive adversary to compromise future session
  keys, or 2) An active adversary to impersonate
  one of the protocol parties.
• Key authentication
• Key authentication is the property obtained when
  performing a key establishment protocol and one
  entity has the assurance that only a particularly
  identified other party may possibly know the
  negotiated key.
• Key Confirmation
• If a party is assured that its peer actually has
  possession of a particular secret key
• Key Integrity
• If a party is assured that its particular secret
  key is a function of only the contributions of
  all protocol parties.

5
Authenticated Group Key Agreement

• Definition
• Key agreement protocol which provides implicit
  key authentication
• Notations Used
• n number of protocol parties (group
  members)
• i,j indices of group members
• Mi i-th group member i ? 1, n
• G unique subgroup of Zp of order q with p,
  q prime
• q order of the algebraic group
• a exponentiation base
• xi long-term secret key of Mi
• ri random (secret) exponent ? Zp generated
  by Mi
• Sn group key shared among n members
• Sn(Mi) Mis view on a group key
• Kij long-term secret shared by Mi and Mj,
  with i ? j

6
Authenticated GDH.2 protocol

• Few points to note
• Mn shares with each Mi a distinct secret Kin
• Kin F(axi. xn mod p) with i ? 1, n-1 F()
  such that
• F(x) x mod q or F(x) h(x) h hash
  function
• xi is the secret long term exponent selected by
  each Mi (1 xi q-1) and
• axi mod p is the long-term public key of Mi

7
A-GDH.2 Contd..
8
A-GDH.2 Contd..

• Key is not directly authenticated between
  arbitrary nodes
• Is a contributory authenticated key agreement
  protocol
• Provides perfect forward secrecy
• Resistant to passive known key attacks
• Weak form of key authentication
• Key is not arbitrarily authenticated between Mi
  and Mj, where i ? j
• Instead, all key authentication is performed
  through Mn
• Assumes that Mn is trusted , which may not be the
  case always.

9
Complete Group Key Authentication

• Let R be an n-party key agreement protocol and M
  be a set of protocol parties. We say that R is a
  complete group key authentication protocol if,
  for every i, j (0 lt i ? j n) Mi and Mj compute
  the same key Si,j, only if Si,j has been
  contributed to by every MP ? M.
• A-GDH.2 can be extended to provide complete group
  key authentication.

10
SA-GDH.2 (with complete group key authentication)

• Most significant change is the requirement for
  the prior availability of all members long-term
  credentials
• Each Mi must have two shared keys with every
  other Mj
• For every ordered pair (i,j) (0 lt i ? j n)
• Keys for each direction.

11
SA-GDH.2 (with complete group key authentication)
12
SA-GDH.2 Contd..

• Advantages
• Provides complete key authentication, resistance
  to known-key attacks.
• Each member can be aware of the exact group
  membership
• Protocol is computationally symmetric
• Each member does the same sequence of
  computational steps and exponentiations

13
SA-GDH.2 Contd..

• Drawbacks
• More expensive than AGDH.2
• Needs n-1 exponentiations from every member
  during stage 1
• If paired keys are not pre-computed as many as
  n-1 additional exponentiations may be required

14
Conclusions

• Analyzes the requirements and issues in
  authenticated, contributory key agreement.
• Presents extension of security services and
  protocols for Dynamic Peer Groups.
• Incorporates services like key authentication,
  key confirmation and entity authentication into
  group key agreement.

15
Future Work

• Develop a general-purpose toolkit for key
  agreement and related security services in
  Dynamic Peer Groups.
• Implementing these security protocols for voice
  conferencing over IP, replicated Web servers and
  private mailing lists.

16

• THANK YOU