Cryptanalysis of a group key establishment protocol

: In this paper, we analyze the security of a group key establishment scheme proposed by López-Ramos et al. This proposal aims at allowing a group of users to agree on a common key. We present several attacks against the security of the proposed protocol. In particular, an active attack is presented, and it is also proved that the protocol does not provide forward secrecy.


Introduction
Secure multiparty communication is an important concern for many current applications that work over public insecure channels, such as the Internet.Wireless sensor networks, collaborative applications, multiparty voice and video conferences, etc. need to guarantee confidentiality, integrity and authentication in their communications.
Group key establishment (GKE) protocols are fundamental in that sense.They allow a set of participants to agree on a common secret key to be used afterwards with symmetric key cryptographic primitives.
In some settings all the nodes play an equivalent role, and thus the group protocol is somewhat symmetric.Nevertheless, there are other applications where some nodes are distinguished and one can assume they may have more computational power and resources, and thus, they are required to perform more computations.
Over recent decades, group key establishment protocols were widely discussed in the literature [1][2][3][4][5][6][7], and formal security models were proposed, indicating which attacks the adversary can perform and what a secure key establishment protocol is.What is typically required is that, after completion of the protocol, the intended users agree on a common key, whereas the adversary does not learn anything about it.
A standard technique to augment the security of a scheme is the use of compilers, which allows a modular design, going from passively secure solutions to authenticated ones [8], from 2-party to group solutions [9], or adding forward secrecy [10].
However, several protocols were found to be insecure after they were published, because the proposals do not provide security proofs or the proofs are not correct [11][12][13].Other protocols were found to be insecure when considering active attacks [14].
Motivated by the works in López-Ramos et al. [14], in this paper, we analyze a group key establishment proposal by López-Ramos et al. [15] and present several attacks on the proposed protocols.In particular, we present here some active attacks against the protocols, proving they are insecure when considering active adversaries.

The Protocol of López Ramos et al.
In this section, we describe Protocol 1 in López-Ramos et al. [15], which can be seen as an extension of the classical 2-party Diffie-Hellman key exchange.Four different protocols are presented, which are modifications of this first one.In particular, Protocol 2 computes the same session key, but publishing only one public key and sending a different message in Round 2. Protocol 3 describe the extra steps to be done if some participants leave the group and Protocol 4 deals with the case where some users join the group.

Initialization
Let {U 1 , . . ., U n } be the finite set of protocol participants, including U c 1 , who will act as controller.The users agree on a multiplicative cyclic group G of prime order p and on g, a generator of G.
Each user U i , 1 ≤ i ≤ n will have two random values, r i , x i ∈ Z * p as private keys and g r i and g x i will be their public keys.Round 1

1.
Each user U i publishes his pair of public keys (g r i , g x i ) (We assume that these keys are sent to the users, hence the adversary can potentially manipulate those values).

2.
The group controller calculate , which will be the session key.

3.
The group controller will choose a new pair of elements (r c 1 , x c 1 ) that will be privately kept and will become his new private information at a later stage.

Round 2
Every user U i , using the public information, computes g ∑ j =i,c 1 r j and sends this value to U c 1 (Notice that there is no need to send this information, since this value can be computed from the published public keys).

Key Computation
Once user U i has received the second round message, he computes the common session key 1 .The protocol is summarized in Figure 1.

Remark 1.
The subindex 1 in the session key K 1 indicates here that it is the first execution of the protocol.In Protocols 3 and 4 in López-Ramos et al. [15], this subindex changes when the participants involved in the protocol change, i.e., some participants leave or join the protocol, and thus, some extra computations are needed.
Round 1 Publishes his public keys (g r i , g x i ) Publishes his public keys (g r c 1 , g x c 1 ) selects and keeps private: (r c 1 , x c 1 ) Round 2 Computes: g ∑ j =i,c 1 r j g ∑ j =i,c 1 r j -Computes:

Key Computation
Computes:

Security Model
To formalize secure group key establishment, we use the somewhat standard Bohli et al.'s [5] security model, which builds on Jonathan Katz and Moti Yung [8].

Participants:
The (potential) protocol participants are modelled as probabilistic polynomial time (ppt) Turing machines in the finite set U = {U 1 , . . ., U n }.Each participant U i in the set U is able to run a polynomial amount of protocol instances in parallel.
We will refer to instance s i of principal U i as Π and it has the following variables assigned: pid s i i : stores the identities of the parties user U i aims at establishing a session key with (including U i itself); sid s i i : is a variable storing a non-secret session identifier to the session key stored in sk s i i ; acc s i i : is a variable which indicates whether the session key in sk s i i was accepted; term s i i : is a variable which indicates whether the protocol execution has terminated; used s i i : is a variable which indicates whether this instance is taking part in a protocol run; sk s i i : this variable is initialized with a distinguished NULL value and will store the session key.

Communication network and adversarial capabilities:
We assume there exist arbitrary point to point connections among users and the network is non-private, fully asynchronous and in complete control of the adversary A, who can eavesdrop, delay, delete, modify or insert messages.The adversary's capabilities are captured by the following oracles: Send(U i , s i , M) : when querying this oracle, message M is sent to instance Π s i i of user U i ∈ U .The output will be the protocol message that the instance outputs after receiving message M.This oracle can also be used for the adversary A to initialize a protocol execution, by using the special message M = {U i 1 , . . ., U i r } to an unused instance Π s i i .This oracle initializes a protocol run among U i 1 , . . ., U i r ∈ U .After such a query, Π s i i sets pid s i i := {U i 1 , . . ., U i r }, used s i i := TRUE, and processes the first step of the protocol.
Execute(U 1 , s 1 , . . . ,U r , s r ) : if the instances s 1 , . . ., s r have not yet been used, this oracle will return a transcript of a complete execution of the protocol among the specified instances.
Reveal(U i , s i ) : this oracle returns the session key stored in sk s i i if acc s i i = TRUE and a NULL value otherwise.
Corrupt(U i ) : this query returns U i 's long term secret key.
We can distinguish two types of adversaries.An adversary with access to all the oracles described above is considered to be active.If the adversary is not granted access to any of the Send oracles, then it is considered a passive adversary.
To define semantic security, we also allow the adversary to have access to a Test oracle, which can be queried only once.The query Test(U i , s i ) can be made on input an instance Π In that case, a bit b ← {0, 1} is chosen uniformly at random; if b = 0, the oracle returns the session key stored in sk s i i .Otherwise, the oracle outputs a uniformly at random chosen element from the space of session keys.

Security notions:
For the schemes to be useful, we need the group key establishments to be correct, i.e., without adversarial interference, the protocol would allow all users to compute the same key.

Definition 1 (correctness). A group key establishment is correct if for all instances Π
To be more precise in the security definition, it is important to specify under which conditions the adversary can query the Test oracle.To do so, we first define the following notion of partnering: Definition 2 (partnering).Two terminated instances Π s i i and Π s j j are partnered if sid To avoid queries that would trivially allow the adversary to know the key, we restrict the instances that can be queried to the Test oracle, only allowing fresh instances: Definition 3 (freshness).We say an instance Π s i i is fresh if none of the following events has occurred: • the adversary queried Reveal(U j , s j ) for an instance Π s j j that is partnered with Π s i i ; • the adversary queried Corrupt(U j ) for a user U j ∈ pid s i i before a query of the form Send(U l , s l , * ); Remark 2. The previous definition for freshness allows including the desired goal of forward secrecy in our definition of security given below: an adversary A is allowed to query Corrupt for all users and obtain their long term keys without violating freshness, if he does not send any message afterwards.
Let Succ A be the event that the adversary A queries the Test oracle with a fresh instance and makes a correct guess about the random bit b used by the Test oracle, we define the advantage of an adversary A attacking protocol P as Definition 4 (semantic security).A group key establishment protocol is (semantically) secure, if Adv ke A = Adv ke A (k) is negligible for every ppt adversary A.

Cryptanalysis of the Proposal of López-Ramos et al.
In this section, we describe several concrete attacks refuting the security results of López-Ramos et al. [15], where four different, but related, GKE protocols are described.The four protocols will be considered in this section.However, we will only explicitly attack Protocol 1, being the attacks to the others straightforwardly adapted.

Active Attack
Informally, since the protocol is not authenticated, we will describe here how an adversary can attack the protocol by mounting a Man-In-The-Middle attack.Users will end up sharing a key with the adversary, instead of with all the intended communication partners.We formalize the attack below.
Let us fix {U 1 , ..., U n } the set of communication parties and let A be an active attacker able to supersede some parties in the set.We will distinguish two different cases: A shares a key with the group controller U c 1 and other with the rest of the users and A shares a key with any other party U i , i = c 1 , and a different key with the rest, including the controller.
If A tries to share a different key with the group controller U c 1 the adversary can build an attack by following the next steps: 1.
The attacker A queries Send(U 1 , s 1 , . . ., U n , s n ), to initiate a protocol instance.After this query, the first step of the protocol is executed.In particular, the adversary obtains every users' pairs of public keys (g r i , g x i ), with r i , x i ∈ Z * p .

2.
The adversary A will delete the message (g r c 1 , g x c 1 ) sent by the controller U c 1 to the rest of the users and delete the public keys (g r 1 , g x 1 ) sent by user U 1 to U c 1 .

3.
The adversary A generates its private keys a c 1 , b c 1 ∈ Z * p and public keys (g a c 1 , g b c 1 ) and queries Send(U i , s i , (g a c 1 , g b c 1 )), for all i ∈ {1, ..., n} \ {c 1 }. the adversary A generates its private keys a 1 , b 1 ∈ Z * p and public keys (g a 1 , g b 1 ) and queries Send(U c 1 , s c 1 , (g a 1 , g b 1 )).
Notice that every user U i , i = 1, c 1 , after receiving that message, will compute and send the value g n ∑ j=1,j =c 1 r j and therefore this value will be output by the Send oracle.The controller U c 1 , after receiving that message, will compute and send the value and therefore this value will be output by the Send oracle.

4.
The adversary A will compute the session key and the values T 1 = g a c 1 and V 1 = g b c 1 , along with the keying values

6.
The adversary A will compute the session key and the values R 1 = g r c 1 and S 1 = g x c 1 , along with the keying values
Please note that after receiving this last message, users {U 1 , . . ., On the other hand, the group controller U c 1 will compute 1 .Therefore, after this attack, the adversary has established a shared key Q 1 with the set of parties {U 1 , . . ., U n } \ {U c 1 } and the key K 1 with the group controller U c 1 , where . Consequently, all the users will believe they are establishing a common key when they are not.Moreover, the adversary can decrypt the messages sent encrypted with both keys and forward the communication between the users that do not share a key.
This attack is outlined in Figure 2.
If A tries to compute a different key with any user different from the group controller, we can assume without loss of generality that A is sharing it with U 1 .The adversary A can build an attack following the subsequent steps: 1.
The attacker A queries Send(U 1 , s 1 , . . ., U n , s n ), to initiate a protocol instance.After this query, the first step of the protocol is executed.In particular, the users send their public keys and thus, the adversary obtains (g r i , g x i ), with r i , x i ∈ Z p * for all the participants {U 1 , ..., U n }.

2.
The adversary A will delete the message (g r c 1 , g x c 1 ) sent by the controller U c 1 to user U 1 and the message (g r 1 , g x 1 ) sent by user U 1 to the rest of the participants.

3.
The adversary A, will choose random values
Notice that every user U i , i = 1, c 1 and the adversary A, after receiving that message, will compute g and therefore this value will be output by the Send oracle.
Moreover, the group controller U c 1 will calculate the session key and he will send R 1 = g r c 1 and S 1 = g x c 1 , along with the keying values These values will also be part of the output of the Send oracle.Please note that after receiving this message every user U i , i = 1, can compute the key 1 that will be shared with the adversary A.
Please note that user U 1 , after receiving these last messages, can compute the key 1 which is shared with the adversary A.

5.
With the information received, the users, following the protocol, will compute the subsequent keys: (a) The superseded user U 1 will compute 1 .Therefore, the adversary A has established a shared key Q 1 with the set of parties {U 2 , ..., U n }.On the other hand, both U 1 and the adversary A share the common key K 1 .
Remark 3.While in López-Ramos et al. [15] four different protocols were described, in the previous lines only Protocol 1 was attacked.
In Protocol 2, authors try to share the computational requirements in a more even way among the parties by slightly modifying which values every participant sends to the group controller and the computations that this user has to perform.However, the only private information for every user is the tuple (r i , x i ) as in Protocol 1.Thus, an attack can be built analogously by following the steps described above.
In Protocol 3, authors assume that the group controller has changed.The new group controller, by using two private elements (r c t , x c t ) makes a transformation of the key.The next steps of Protocol 3 follows the description of Protocol 1.Therefore, an attack can be built following the previous description.
In Protocol 4, new users take part in the round with new private elements (r t , x t ).Therefore a new key has to be computed by the group controller using those new elements.Once more, subsequent steps of Protocol 4 follows the description of Protocol 1 and an attack can be constructed analogously.

Forward Secrecy
We will informally describe how a passive adversary who corrupts a participant U i ∈ {U 1 , . . ., U n } involved in a protocol run will be able to compute the shared session key.Therefore, the protocol does not provide forward secrecy.
Let A be a probabilistic polynomial time adversary (modelled as a Turing machine).He may perform an attack by following the next steps: 1.
The attacker A queries Corrupt(U i ), obtaining the private keys r i and x i .2.
Afterwards, he queries, Execute(U 1 , s 1 , . . ., U r , s r ), obtaining a protocol transcript.In particular, he gets the values Y 1,i , R 1 and S 1 .

3.
The adversary now can compute the key as user U i would do according to the protocol description: The adversary now queries Test(U j , s j ) on any user instance involved in the above execution.Since he knows the key established, he wins the game with probability one.
Please note that session s j of user U j remains fresh, since, the adversary has not made any Send or Reveal query, so the attack is legitimate.Remark 4. In Protocols 3 and 4 in López-Ramos et al. [15], it is described how to proceed when participants may join or leave the group.However, when a participant leaves, the only user changing his private and public keys is the new controller.This means that the rest of the users will have the same private and public key used for previous instances.Therefore, when corrupting any user that is not the new controller, one will obtain their private keys and mount the attack described above.Protocol 2, can also be attacked in the same way, just changing the computations to obtain the session key according to the protocol description.Remark 5.As observed in Theorem 2.4 in López-Ramos et al. [15], the keying messages sent to establish the key can be seen as ElGamal-like encryptions of the key K 1 under a different key for each user.In that sense, the protocol can be interpreted as a key transport protocol, which cannot be forward secret.Remark 6. Countermeasures: If a security proof of the protocols in López-Ramos et al. [15] is provided for passive adversaries, and one consider the private keys as random nonces to be used only in one instance of the protocol, one could then apply the compiler in Katz and Yung [8] to avoid active attacks, generating long term keys for each user to compute digital signatures on all the exchanged messages to guarantee authentication.In that case, if the keys are nonces, Corrupt oracle queries would return the signing private keys, thus, corrupted users would not be able to compute the session keys and forward secrecy would also be granted.

Conclusions
As demonstrated above, the protocol proposed by López Ramos et al. [15] does not offer security guarantees.The paper does not provide a rigorous security proof in any standard security model using provable security techniques.The proofs provided are too schematic.If a compiler for authentication is used and the private keys are ephemeral, some attacks could not be applicable.Nevertheless, a security proof should be provided.