RUHR-UNIVERSITÄT BOCHUM

Transcription

1 RUHR-UNIVERSITÄT BOCHUM Horst Görtz Insttute for IT Securty Techncal Report TR-HGI Survey on Securty Requrements and Models for Group Key Exchange Mark Manuls Char for Network and Data Securty Ruhr-Unverstät Bochum TR-HGI Horst Görtz Insttute for IT Securty January 5, 2008 D Bochum, Germany

2 Survey on Securty Requrements and Models for Group Key Exchange Mark Manuls Abstract In ths report we provde an analytcal survey on securty ssues that are relevant for group key exchange (GKE) protocols. We start wth the descrpton of the securty requrements that have been nformally descrbed n the lterature and wdely used to analyze securty of earler GKE protocols. Most of these defntons were orgnally stated for two-party protocols and then adapted to a group settng. These nformal defntons are foundatonal for the later appeared formal securty models for GKE protocols whose development, strengths, and weaknesses are also descrbed and analyzed. Keywords: group key exchange, securty model, survey, analyss 2

3 Contents 1 Group Key Establshment Group Key Transport/Dstrbuton Group Key Exchange/Agreement Sesson Keys Survey on Informal Securty Defntons Semantc Securty and Known-Key Attacks Impersonaton Attacks Key Confrmaton and Mutual Authentcaton (Perfect) Forward Secrecy Key Control and Contrbutveness Analytcal Survey on Formal Securty Models Models by Bellare and Rogaway (BR, BR + ) BR BR Model by Bellare, Canett, and Krawczyk (BCK) Model by Bellare, Pontcheval and Rogaway (BPR) Model by Canett and Krawczyk (CK) Model by Shoup Model by Bresson, Chevassut, Pontcheval, and Qusquater (BCPQ) Models by Bresson, Chevassut, and Pontcheval (BCP, BCP + ) BCP BCP Modfcatons of the BCPQ, BCP, and BCP + Models Modfcaton by Bresson, Chevassut, and Pontcheval Modfcaton by Katz and Yung (KY) Modfcaton by Km, Lee, and Lee Modfcaton by Dutta, Barua, and Sarkar Models by Katz and Shn (KS, UC-KS) KS UC-KS Model by Bohl, Vasco, and Stenwandt (BVS) Models by Bresson, Manuls, and Schwenk (BMS, BM)

4 4 Summary and Dscusson Informal Requrements Strong Corruptons Group Dynamcs Acknowledgements 40 References 40 4

5 1 Group Key Establshment The establshment of group keys s fundamental for a varety of securty mechansms n group applcatons. For example, group keys can be utlzed by symmetrc encrypton schemes for the purpose of confdentalty whch s one of the most frequent securty requrements n group applcatons; also message authentcaton codes requre group keys for the purpose of group authentcaton and ntegrty. Thus, t s mportant to have mechansms that provde group members wth shared secret keys. We classfy possble mechansms based on the followng defntons from [MvOV96, Chapter 12] whch we adopted to a group settng. Defnton 1 (Group Key Establshment) Group key establshment s a process or protocol whereby a shared secret becomes avalable to two or more partes, for subsequent cryptographc use. Ths general defnton can further be shaped n two dfferent classes: group key transport/dstrbuton and group key exchange/agreement. Defnton 2 (Group Key Transport/Dstrbuton) A group key transport/dstrbuton protocol or mechansm s a group key establshment technque where one party creates or otherwse obtans a secret value, and securely transfers t to the other(s). The man characterstc of group key transport protocols s that the group key k s chosen by a sngle party and then securely transferred to all group members. Ths defnton leaves open whether a party whch chooses the group key must be a group member. It s also magnable to have some trusted thrd party (TTP) that chooses group keys on behalf of the group. Also the requrement on secure transfer of group keys forebodes the exstence of secret communcaton channels between the party that chooses group keys and other group members. Defnton 3 (Group Key Exchange/Agreement) A group key exchange/agreement protocol or mechansm s a group key establshment technque n whch a shared secret s derved by two or more partes as a functon of the nformaton contrbuted by, or assocated wth, each of these, (deally) such that no party can predetermne the resultng value. Obvously, n group key exchange protocols all group members have to nteract n order to compute the group key. The man dfference to group key transport technques s that no party s allowed to choose the group key on behalf of the whole group. Also, group key exchange protocols do not requre the exstence of secure channels between partcpants snce no secure transfer takes place. 5

6 Note that regardless of whch group key establshment technque s used by an applcaton the resultng group key must reman secret from unauthorzed partes n order to guarantee the expected requrements from the utlzed cryptographc mechansms, lke encrypton schemes or message authentcaton codes. Both group key establshment technques can be analyzed n context of ether statc or dynamc groups. Of course t s always possble to establsh the group key for the modfed group by re-startng the protocol. However, ths may be neffcent f groups are large or the protocol s computatonally expensve. Therefore, many group key establshment protocols desgned for dynamc groups provde more effcent operatons for addton and excluson of group members. 1.1 Group Key Transport/Dstrbuton In group key transport/dstrbuton protocols the party whch chooses group keys on behalf of the group s gven enormous power and may, therefore, nfluence the securty of the protocol. Whether a group applcaton allows ths knd of trust relatonshp depends surely on ts goals and the envronment n whch t s executed. However, t seems evdent that group key transport protocols are prmarly used n group applcatons wth centralzed control over the group admsson process. In these scenaros the party actng as group authorty (GA) may also be n charge for the choce of the group key and ts dstrbuton to other members. Obvously, the most challengng task n group key transport protocols s ts protecton durng the protocol executon. The followng general mechansm s usually appled n group key transport protocols, e.g. [BD94, HY98]. After the party whch s responsble for the choce of the group key chooses the key t encrypts t va an approprate encrypton scheme and dstrbutes t to all other group members. Both, symmetrc and publc-key encrypton schemes can be used for ths purpose. In case that the appled scheme s symmetrc the exstence of shared secret keys between ths party and each group member s ndspensable. Ths means, that group members have to exchange secret keys wth that party parwse before t proceeds wth the group key dstrbuton. Another soluton s to apply publc-key encrypton schemes whch do not requre any pre-shared secrets between group members and the central party, e.g. n [MY99]. However, publc-key encrypton s usually less effcent than symmetrc encrypton. Therefore, f group keys are dstrbuted frequently, e.g. due to frequent group membershp changes, then symmetrc cryptography performs better. The core of many group key dstrbuton protocols bulds a mechansm called key herarchy [WGL98, WHA99]. It arranges group members at the leaves of a logcal tree and assgns some secret value to each node of the tree. The secret value at the root of the tree represents 6

7 the group key or a secret materal whch can be used to derve the group key va some addtonal transformatons. The goal of the dstrbuton process n key herarches s to provde each group member wth the nformaton whch t can use to compute all secret values n ts path up to the root, ncludng the group key. Key herarches are popular n dynamc group key dstrbuton protocols for multcast and broadcast encrypton, e.g. [WGL98, WHA99, Br99, WCS + 99, NNL01, SM03], snce they provde varous mechansms based on modfcaton of the logcal tree structure to enhance protocol effcency upon dynamc group changes. 1.2 Group Key Exchange/Agreement The only trust assumpton n group key exchange protocols s that members trust each other not to reveal any nformaton whch can be used to derve the group key to any thrd party whch s not a vald member of the group. Especally, group members do not trust each other durng the computaton of the group key whch should be composed of ndvdual contrbutons of all group members. Thus, n contrast to group key transport protocols the desgn of group key exchange protocols s more challengng due to the dstrbuted computaton process of the group key. Many group key exchange protocols can be seen as modfcatons of the two-party key exchange protocol proposed by Dffe and Hellman n ther semnal paper [DH76]. Ths protocol allows two partes upon exchange of nformaton over a publc channel to compute the shared key usng specfc dscrete mathematcal constructons whch prevent eavesdroppers from learnng the establshed key. 1.3 Sesson Keys Usually, group keys returned by group key establshment protocols are not used drectly n the applcaton. Instead, addtonal transformatons are appled n order to derve further keys, socalled sesson keys, whch are used by dfferent securty mechansms wthn the applcaton. For example, f an applcaton requres confdentalty and group authentcaton then one sesson key s derved for the encrypton scheme and another sesson key s derved for the message authentcaton code. Transformatons whch are used to derve sesson keys are usually one-way,.e., gven the output of the transformaton t s computatonally nfeasble to obtan the nput. Thus, even f a sesson key s leaked t s stll hard to compute the orgnal group key. The use of dfferent sesson keys provdes addtonal securty n terms of ndependence of applcatons and deployed securty mechansms snce leakage of one sesson key does not mply leakage of other sesson keys. Thus for example, f a thrd party learns the 7

8 sesson key used for group authentcaton then t can authentcate tself as a group member but s not able to decrypt encrypted group messages. Furthermore, sesson keys are ephemeral,.e., they are vald for a short perod of tme. For example, dgtal conferences should use a dfferent sesson key for each communcaton sesson. The use of ephemeral keys decreases the chance of cryptanalytc attacks. Also n dynamc groups any change of group membershp should result n new sesson keys. In case that the group s statc but applcaton executon lasts long, e.g., f groupware s used n some long-term project, t s reasonable to refresh sesson keys perodcally. 2 Survey on Informal Securty Defntons Securty propertes of cryptographc schemes are usually defned based on certan assumptons about the adversary whose goal s to break these propertes. In case of cryptographc protocols t s common to dstngush between passve and actve adversares. A passve adversary, usually, only eavesdrops the communcaton channel wthout beng able to modfy or nject messages. An actve adversary s more powerful snce t s assumed to have a complete control over the communcaton channel resultng n ts ablty to alter sent messages or nject own messages durng the executon of the protocol. In partcular, an actve adversary s able to mount so-called man-n-the-mddle attacks. Addtonally, securty of a cryptographc protocol may depend on the behavor of ts partcpants. Obvously, t s more challengng for a protocol to guarantee ts securty propertes n case where legtmate partcpants are malcous, or dshonest, and do not act accordng to the protocol specfcaton. In the followng we consder blocks of related securty notons whch we descrbe followng the chronology of ther appearance n the lterature. We also specfy whch type of the adversary s reasonable to be assumed for each noton. 2.1 Semantc Securty and Known-Key Attacks The noton of key prvacy, also called key confdentalty or key secrecy [DvOW92], was surfaced by Dffe and Hellman [DH76], and descrbed later n the context of group key establshment [SSDW90, BD94]. Accordng to the defnton of Burmester and Desmedt [BD94] a group key establshment protocol guarantees prvacy f t s computatonally nfeasble for a passve adversary to compute the group key k. Obvously, smlar defnton should hold aganst an actve adversary who s not a legtmate protocol partcpant. A stronger defnton of key prvacy requres the ndstngushablty of the computed group key from a random number. Thus, an adversary gven ether a real group key or a random strng sampled from the same space should not be able to dstngush whch value t has been gven. Ths s n 8

9 sprt of the semantc securty requrement proposed by Goldwasser and Mcal [GM84] n the context of dgtal encrypton schemes. Note, however, that ths requrement can only hold under the assumpton that the adversary does not obtan any addtonal nformaton that would allow t to verfy the gven value, e.g., f the adversary obtans a cpher text computed usng the real group key then t can easly dstngush between the real group key and some random value by comparng the correspondng cpher text. The noton of known-key securty [YS90, Bur94], strengthens the above requrements by assumng a stronger adversary who knows the group keys of past sessons. For example, members excluded from the group should not be able to compute or dstngush the updated group keys. The related noton of key freshness [MvOV96] requres that the protocol guarantees that the key s new, that s partcpants compute group keys whch have not been used n the past. Stener et al. [STW98] ntroduced the noton of key ndependence n the context of dynamc group key exchange protocols meanng that prevously used group keys must not be dscovered by joned group members and that former group members must not be able to compute the group keys used n the future. Obvously, ths defnton consders that the adversary was a legtmate protocol partcpant or may become one n the future. Km et al. [KPT00, KPT01] summarzed the above requrements as follows: weak backward secrecy guarantees that prevously used group keys must not be dscovered by new group members; weak forward secrecy guarantees that new keys must reman out of reach of former group members; computatonal group key secrecy guarantees that t s computatonally nfeasble for a passve adversary to dscover any group key; forward secrecy guarantees that a passve adversary who knows a contguous subset of old group keys cannot dscover subsequent group keys; backward secrecy guarantees that a passve adversary who knows a contguous set of group keys cannot dscover any precedng group keys; key ndependence guarantees that a passve adversary who knows any proper subset of group keys cannot dscover any other group key. Note that the last four requrements do not make any assumptons about the group membershp of the adversary. In ther subsequent work, Km et al. [KPT04] ntroduced the decsonal group key secrecy whereby a passve adversary must not be able to dstngush the group key from a random number. Although [KPT00, KPT01] use passve adversares n ther defntons, t s mentoned that the same securty requrements should also hold n the presence of actve adversares. Remark 1 Unfortunately, Km et al. s defntons concernng (weak) forward secrecy are n conflct wth the commonly used meanng of the term forward secrecy (see Secton 2.4 for further detals). 9

10 2.2 Impersonaton Attacks Securty aganst mpersonaton attacks n the context of group key establshment was addressed by Burmester and Desmedt [BD94] and defned as a property of the protocol where an mpersonator together wth actve or passve adversares should be prevented from the computaton of the group key. By an mpersonator [BD94] denotes an adversary whose goal s to replace a legtmate partcpant n the executon of the protocol (thus mpersonator s not consdered to be a malcous partcpant but rather some external party). Further, [Bur94, BD93] extend the noton of known-key attacks by requrng that an actve adversary who knows past sesson keys must not be able to mpersonate one of the protocol partcpants. The noton of entty authentcaton [BR93a], ntroduced by Bellare and Rogaway n the context of two-party authentcaton protocols, specfes a process whereby one party s assured of the dentty of the second party nvolved n the protocol, and of the actual protocol partcpaton of the latter. Ths requrement s equvalent to the requrement on resstance aganst mpersonaton attacks n the context of group key exchange protocols. The related noton called (mplct) key authentcaton [MvOV96] requres that each legtmate protocol partcpant s assured that no other party except for other legtmate partcpants learns the establshed group key. Accordng to ths defnton a group key exchange protocol s authentcated f t provdes (mplct) key authentcaton. Atenese et al. [AST98] proposed a requrement on group ntegrty meanng that each protocol partcpant must be assured of every other party s partcpaton n the protocol. Obvously, ths noton s smlar to the requrement of the entty authentcaton appled to a group settng. All of these mpersonaton/authentcaton requrements consder an adversary that represents some external party and not a legtmate protocol partcpant. Therefore, these requrements are smlar to those of the prevous secton assumng that the adversary s actve,.e., that the ndstngushablty of the real group keys and the random numbers sampled from the same space remans preserved wth respect to the attacks of an actve adversary whch s allowed to modfy and nject messages durng the protocol executon. Another related requrement called unknown key-share reslence surfaced n [DvOW92] means that an actve adversary must not be able to make one protocol partcpant beleve that the key s shared wth one party when t s n fact shared wth another party. Note that n ths attack the adversary may be a malcous partcpant and does not need necessarly to learn the establshed group key [BM03]. Fnally, we menton key-compromse mpersonaton reslence [BWJM97]. Ths securty property prevents the adversary who obtans a long-term key of a user from beng able to mpersonate other users to that one. Note that long-term (a.k.a. long-lved) keys are usually 10

11 ether prvate keys used for sgnature generaton or dgtal decrypton, or shared secret (small entropy) passwords that reman unchanged for a long perod of tme. In both cases longlved keys are used prmarly for the purpose of authentcaton rather than for the actual computaton of the group key. Obvously, ths attack concerns only protocols whose goal s to establsh a sesson key whch s then used for the purpose of authentcaton. Therefore, t s arguable (e.g. [KS05]) whether ths requrement s general for all group key exchange protocols. Note that f an adversary obtans long-lved keys of partcpants then t can usually act on behalf of these partcpants n subsequent protocol executons. 2.3 Key Confrmaton and Mutual Authentcaton The requrement called key confrmaton [MvOV96] means that each protocol partcpant must be assured that every other protocol partcpant actually has possesson of the computed group key. Accordng to [MvOV96] key confrmaton n conjuncton wth (mplct) key authentcaton results n explct key authentcaton,.e., each dentfed protocol partcpant s known to actually possess the establshed group key. The same goal states the requrement of mutual authentcaton ntroduced n [BR93b] when consdered for group key exchange protocols. As noted n [AST98] key confrmaton makes a group key exchange protocol a more robust and a more autonomous operaton. Accordng to [BM03] key confrmaton mechansms can be used to provde resstance aganst unknown key-share attacks mentoned n the prevous secton. We stress that the requrements on key confrmaton and mutual authentcaton should also be consdered from the perspectve of the attacks by malcous protocol partcpants who try to prevent honest partcpants from computng dentcal group keys. 2.4 (Perfect) Forward Secrecy The noton of (perfect) forward secrecy (sometmes called break-backward protecton [MvOV96]) was surfaced by Günter [Gün90] and rephrased by Dffe et al. [DvOW92] as a property of an authentcated key agreement protocol requrng that the dsclosure of long-term keyng materal does not compromse the secrecy of the establshed keys from earler protocol sessons. The dea behnd ths noton s to mantan the protecton of the secure traffc n the future. Note that the compromsed long-term keys make future protocol sessons nonetheless susceptble to mpersonaton attacks. A weaker form of (perfect) forward secrecy s partal forward secrecy [BM03] whch consders the case where one (or more but not all) prncpals long-term keys become compromsed. 11

12 2.5 Key Control and Contrbutveness The ssue of key control descrbed by Mtchel et al. [MWW98] n the context of two-party group key exchange protocols consders malcous protocol partcpants who wsh to nfluence the computaton of the group key. Atenese et al. [AST98] ntroduced a noton of contrbutory group key agreement meanng such protocols where each party equally contrbutes to the establshed group key and guarantees ts freshness (see also [Ste02]). Ths noton also subsumes the requrement of unpredctablty of the computed group keys. Ths s also n sprt of the later ntroduced reslence aganst key replcaton attacks [Kra05] by whch the adversary should not be able to enforce the same value of the group key n two dfferent sessons. Note that all these requrements clearly exclude group key dstrbuton protocols (see Secton 1.1) where some trusted party s responsble for the generaton of the group keys. Atenese et al. defned addtonally complete group key authentcaton as a property of a group key exchange protocol whereby all partes compute the same group key only f each of the partes have contrbuted to ts computaton. Ths noton can be seen as a combnaton of contrbutveness and mutual (or explct key) authentcaton. Atenese et al. [AST98] proposed further a more stronger noton of verfable contrbutory group key agreement meanng protocols where each partcpant s assured of every other partcpant s contrbuton to the group key. We stress that these requrements should also hold n the presence of malcous protocol partcpants. Another related requrement that s stated from the perspectve of an adversary that s not a malcous partcpant s key ntegrty [JT93] whch requres that the establshed group key has not been modfed by the adversary, or equvalently only has nputs from legtmate protocol partcpants. Atenese et al. [AST98] extended the defnton of key ntegrty by requrng that the establshed group key s a functon of only the ndvdual contrbutons of legtmate protocol partcpants such that extraneous contrbuton(s) to the group key must not be tolerated even f t does not afford the adversary wth any addtonal knowledge. Obvously, ths can be acheved f the protocol s contrbutory and provdes mutual authentcaton. Stll t s arguable whether key ntegrty or ts stronger defnton s useful snce t would suffce to requre that the key s fresh as long as at least one contrbuton s fresh, ndependent of whether the adversary s able to nject own contrbutons or not. Ths s because we are not dealng wth the secrecy of the key (ths s already done n Sectons 2.1 and 2.2) but wth ts freshness. 12

13 3 Analytcal Survey on Formal Securty Models As already noted n the ntroducton provable securty of cryptographc protocols can be acheved usng an approprate securty model that consders protocol partcpants, ther trust relatonshp, communcaton envronment, and further relevant aspects, and contans defntons of requred securty goals. Unfortunately, there exst no common goodness crtera for the evaluaton of such securty models. In our opnon a securty model should be abstract meanng that t should not depend on any mplementaton-specfc defntons or assumptons. Further, a model should be self-contaned,.e., there should be no parameters whose specfcaton s not defned wthn the model or depends on certan assumptons beyond t. Ths property allows desgn of autonomous protocols. A model should be precse,.e., t should dsallow any ambguous nterpretatons for ts defntons and requrements. A securty model should be modular,.e., allow securty proofs for protocols that provde only a subset of specfed securty goals. Ths property allows desgn of protocols wth respect to ther practcal deployment n applcatons that do not requre the full range of securty; on the other hand t allows constructon of generc solutons. Another advantage of modular securty models s a possble ntegraton of addtonal securty defntons whch may become essental n the future. In the followng we provde an analytcal survey of securty models proposed for group key exchange protocols. In addton to the descrpton we specfy whch of the most mportant nformal securty requrements have been consdered by the defntons of a model, thereby focusng on semantc securty or ndstngushablty of the computed group keys from random numbers consderng known-key attacks and actve adversares, key confrmaton and mutual authentcaton wth respect to malcous protocol partcpants, (perfect) forward secrecy, and the ssues related to key control and contrbutveness. Addtonally, we judge each model wth respect to the specfed goodness crtera. Some of the models descrbed n ths secton were proposed n the context of two- or three-party key exchange protocols. However, they provde some nterestng defntons and constructons that became foundatonal for a varety of the later appeared securty models desgned for the group settng. 3.1 Models by Bellare and Rogaway (BR, BR + ) BR Bellare and Rogaway [BR93a] proposed the frst computatonal securty model for authentcaton and securty goals of two-party key exchange protocols whch we refer to as the BR model. Ths model allows reductonst proofs of securty. Each protocol partcpant s assumed to have an dentty and a long-lved key. The adversary can ntate dfferent sessons 13

14 between the same partcpants. It has an nfnte collecton of oracles Π s,j such that each oracle represents partcpant tryng to authentcate partcpant j n sesson s. The adversary communcates wth the oracles va queres whch contan sender and recever denttes, the sesson d, and the actual message. Hence, the adversary s consdered to be actve. However, the model assumes a bengn adversary whch fathfully forwards all message flows between the oracles, and s, therefore, not allowed to modfy the messages. It can nvoke any oracle to start the protocol executon. A varable κ s,j keeps track of the conversaton between and j n sesson s. The securty goal of mutual authentcaton s defned based on the noton of matchng conversatons between the partcpants. Roughly, ths means that all messages sent by one partcpant have been subsequently delvered to another partcpant wthout modfcaton, and vce versa. Accordng to the BR model a protocol provdes mutual authentcaton f for any polynomal tme adversary the oracles Π s,j and Πs j, have matchng conversatons and f one of the oracles, say Π s,j, accepts (does not fal) then there s always another oracle Π s j, wth the engaged matchng conversaton. Note that from ths defnton mutual authentcaton also results n key confrmaton snce the exchanged message flows, and thus computed keys, must be equal. The authors also show the unqueness of matchng partners. Addtonally, the adversary s allowed to ask Reveal queres to obtan sesson keys computed by Π s,j. In order to model known-key attacks the BR model specfes the noton of fresh oracles,.e., an oracle Π s,j s fresh f t has accepted (computed the sesson key) and no Reveal query was asked to Π s,j or to ts matchng partner Πs j,. Further, the adversary s allowed to ask exactly one Test query to any oracle whch s fresh. In response to ths query t receves ether the real sesson key computed by the oracle or a random number of the same range and has to decde whch value t has receved. The BR model calls an authentcated key exchange protocol secure f n the presence of the bengn adversary both oracles, Π s,j and Πs j,, accept wth the equal sesson keys whch are randomly dstrbuted over the key space, and the success probablty of the adversary to decde correctly n response to the value obtaned from ts Test query s non-neglgbly greater that 1/2. The man weakness of the BR model s that t dsallows the adversary to modfy messages, or to corrupt partcpants obtanng ther long-lved keys. Hence, the model does not consder the noton of (perfect) forward secrecy. Further, the model does not deal wth attacks of malcous partcpants. Thus, defnton of mutual authentcaton s defned only for honest protocol partcpants, and no defntons concernng ssues related to key control and contrbutveness are avalable n the BR model. 14

15 3.1.2 BR + In ther subsequent work, Bellare and Rogaway [BR95] extended the BR model to deal wth key dstrbuton scenaros n a three-party settng whch nvolves two partcpants wshng to establsh a shared key and a key dstrbuton center (key server). Nonetheless, ths model, denoted BR +, s of partcular nterest for us snce t provdes some nterestng defntons whch are also relevant for the models dealng wth key exchange protocols. The actons of the adversary are specfed by a number of queres whch t may ask to the nstances of partes partcpatng n the protocol. Each party may have a multple number of nstances and so partcpate n dfferent sessons of the protocol. Usng a SendPlayer or a SendS query the adversary can send messages to one of the partcpants or to the key dstrbuton center, respectvely, that reply accordng to the protocol specfcaton or do not reply f the receved message s unexpected. So the adversary s actve. Wth a Reveal query to a specfed nstance the adversary may obtan the fnal key computed by that nstance. Addtonally, the adversary s allowed to ask Corrupt queres whch return the complete nternal state of the nstance to the adversary together wth the long-lved key of the party and allows the adversary to replace ths long-lved key wth any value of ts choce. Note that ths knd of corruptons became later known as strong corruptons. After an adversary asks a Corrupt query for some party all nstances of ths party use the changed value for the long-lved key n all subsequent protocol executons. Although the adversary s allowed to corrupt partes and reveal ther sesson keys the securty of the protocol may also depend on nstances of other partes who partcpate n the same sesson. To consder all protocol partcpants the BR + model specfes an abstractly defned partner functon whch roughly speakng means that two nstances are partnered f they partcpate n the same sesson and compute the shared key. Further, at the end of ts executon the adversary asks a Test query to an nstance whch holds a fresh sesson key,.e., a key computed durng the sesson such that no Reveal or Corrupt queres have been prevously asked to the nstance or any of ts partners. The adversary receves ether the sesson key computed by that nstance or a random number of the same range, and smlar to the BR model must decde whch value t has receved. Ths securty defnton subsumes the nformal requrement on ndstngushablty of computed group keys from random numbers whle also consderng actve adversares. The BR + model has some weaknesses descrbed n the followng. Although the adversary s allowed to reveal long-lved keys of partcpants through Corrupt queres t s allowed to ask ts Test query only at the end of ts executon. Obvously, the adversary may not use the knowledge of corrupted long-term keys to make ts guess because of the freshness requrement. Therefore, the model does not capture the requrement of (perfect) forward 15

16 secrecy. Second, the BR + model does not deal wth the attacks concernng key confrmaton or mutual authentcaton, nether wth respect to honest partcpants nor to malcous. Ths observaton has also been mentoned n [CBH05a, CBH05b]. Thrd, the BR + model does not consder attacks related to the ssue of key control. Ths, however, s reasonable snce the model has been proposed for key dstrbuton protocols for whch such requrements are not relevant because of the trust assumpton concernng the key server. The partnerng functon n the BR + model s not concretely specfed. Ths contradcts to our goodness crtera for the securty models. 3.2 Model by Bellare, Canett, and Krawczyk (BCK) Bellare, Canett, and Krawczyk [BCK98] proposed a computatonal securty model for authentcaton and key exchange, whch we denote as the BCK model. Ths model allows securty proofs based on the smulatablty approach. The BCK model supports modular constructons and deals wth message-drven protocols,.e., after beng nvoked by a party the protocol wats for an actvaton whch may ether be caused by the arrval of a certan message or by an external request (whch may come from other processes executed by the party). The authors essentally defne two dfferent adversaral models: authentcated-lnks model (AM) and unauthentcated-lnks model (UM). The AM model consders a passve adversary who has a full control over the communcaton channel but s assumed to delver messages fathfully wthout modfyng any of them, however, s allowed to change ther delvery order. Further the adversary s allowed to actvate any party usng external requests, but not own protocol messages. The UM model assumes that the adversary s actve,.e., can actvate partes wth arbtrary ncomng messages. Further, the BCK model specfes the noton of emulaton of protocols n UM usng a so-called authentcator whch s consdered to be a compler translatng the executon of a protocol n AM nto UM whle preservng ts securty requrements. Smlar to the BR + model the BCK model consders several executons of the protocols, and calls each executon a sesson. In order to dstngush dfferent sessons the model uses sesson ds whch should be unque for the sender and the recever (recall that the model was defned for two partes). The adversary n the AM and UM models s allowed to corrupt sessons such that t learns the nternal state assocated wth a partcular sesson dentfed va unque sesson IDs for whch the model does not provde any concrete constructon. Although the BCK model was proposed n the context of two-party key exchange protocols, the authors tred to provde defntons whch also hold n a mult-party settng. They defned the noton of the deal key exchange and the deal adversary. The deal adversary s allowed to nvoke any party to establsh the sesson key wth any other party such that the adversary learns the transcrpt of the exchanged protocol messages and the sesson 16

17 d value, but not the establshed key. Further, f the deal adversary corrupts a sesson usng the correspondng sesson d then t obtans the establshed key for ths sesson, and f the adversary corrupts a party then t obtans all keys (ncludng long-lved key) known to ths party. Corrupted partes may contnue partcpatng n the protocol. However, n ths case the model allows the adversary to choose the establshed keys. Therefore, no securty defntons related to the requrement on (perfect) forward secrecy are consdered. For the same reason, the BCK model does not provde any securty defntons for the case n whch honest partcpants nteractng wth the adversary represented as a (subset of) malcous partcpant(s) try to contrbute to the resultng group key. Hence, the BCK model does not consder attacks concernng key control and unpredctablty. Also, the BCK model does not capture possble attacks of malcous partcpants aganst key confrmaton and mutual authentcaton. Note that the corrupt query reveals nternal state nformaton together wth the long-lved key of a party. Ths, however, dsallows consderaton of scenaros where long-lved keys are revealed wthout revealng the nternal state nformaton (note that long-lved keys may have a dfferent protecton mechansm). In order to defne securty goals the BCK model specfes the noton of a global output of the protocol executon n the presence of the adversary. It conssts of cumulatve concatenatons of the outputs (sent messages) of all partes and ther random nputs, together wth the output of the adversary whch s a functon of ts random nput and all nformaton seen by the adversary throughout ts executon. A key exchange protocol s called secure n the BCK model f the global output of the deal protocol executon s ndstngushable from the global output of the protocol executon n ether the AM or UM model. Note that ths s the typcal approach for securty models that allow securty proofs based on smulatablty/ndstngushablty. Interestng about the BCK model s that ts modular constructon allows to prove protocol securty n the AM model and then apply the descrbed authentcator to obtan a protocol whch s secure n the UM model. 3.3 Model by Bellare, Pontcheval and Rogaway (BPR) The followng model proposed by Bellare, Pontcheval, and Rogaway n [BPR00], whch we denote BPR, s based on the prevously descrbed BR + model, and consders two-party key exchange protocols. The BPR model s descrbed w.r.t. the communcaton between a clent and a server. Smlar to the BR + model each partcpant may have dfferent nstances, called oracles. In addton to the queres Reveal and Test whch return the computed key of the nstance respectvely the computed sesson key or a random number of the same range (n contrast to the BR + model the adversary n the BPR model may ask the Test query at any tme durng ts executon and not only at the end), the BPR model specfes Execute and 17

18 Send queres. Execute queres can be used by the adversary to nvoke an honest executon of the protocol and obtan a transcrpt of exchanged messages. The Send query allows the adversary to send messages to the nstances,.e., behave actvely. Send queres can also be used to acheve honest executon (as Execute queres) smply by nvokng the protocol executon at nstances of adversary s choce and then forwardng messages between these nstances wthout any modfcaton. However, Execute query allows on the one hand a better handlng of dctonary attacks n case where long-lved keys are shared passwords, because the adversary can be granted access to plenty of honest executons, and on the other hand t allows to treat passve adversares separately though the BPR model does not take use of ths second advantage. Addtonally, the BPR model allows the adversary to ask Oracle queres n order to deal wth non-standard models, lke the Random Oracle Model (ROM) [BR93b] or the Ideal Cpher Model (ICM) [Sha49, Bla05]. In case when the protocol s desgned to acheve securty n the standard model the Oracle query can be omtted. The BPR model specfes two forms of a Corrupt query (unlke the prevously descrbed models): a strong form (called strong corrupton model) means that the adversary obtans the long-lved key of the party and ts nternal state (excludng the sesson key), and a weak form (called weak corrupton model) means that the adversary obtans only the long-lved key of the party. The model assumes the exstence of unque sesson ds and specfes partner ds. The partner d of an nstance s a publc value and conssts of the denttes of all partes wth whch the oracle beleves t has just exchanged the sesson key wth. Accordng to the BPR model two oracles are partnered f they compute (accept wth) equal sesson keys, equal sesson ds, have each other s dentty as part of the computed partner ds, and there s no other oracle who accepts wth the same partner d. The BPR model defnes two flavors of sesson key freshness: a sesson key s fresh f there have been no Reveal queres to the oracle or any of ts partners, and no Corrupt queres at all; a sesson key s fs-fresh (fs for forward secrecy) f there have been no Reveal queres to the oracle or any of ts partners, and f there have been no Corrupt queres pror to the Test query such that further Send queres have been asked to the tested oracle. The latter means that the adversary can corrupt partcpants before the test sesson but s then not allowed to send any messages to the oracle whose key (or a random value nstead) t later receves n response to ts Test query. Based on these two flavors the model provdes two defntons of securty aganst known-key attacks: (1) securty wthout forward-secrecy meanng that the adversary asks a Test query to an oracle whch holds a fresh sesson key, and (2) securty wth forward-secrecy meanng that the adversary asks a Test query to an oracle whch holds a fs-fresh sesson key. Smlar to the BR and BR + models the goal of the adversary s to dstngush whether t obtans a sesson key or a random number. Obvously, ths securty defnton subsumes the nformal requrements 18

19 related to the ndstngushablty of group keys from random numbers wth respect to actve adversares. Furthermore, securty proofs n whch the Test query s asked to an oracle holds a fs-fresh sesson key consder attacks related to (perfect) forward secrecy. Addtonally, the BPR model gves a defnton of server-to-clent and clent-to-server authentcaton whch are volated n case where a server respectvely a clent accepts wth a sesson key but does not have any partner. Mutual authentcaton s, therefore, volated f ether a server-to-clent or clent-to-server authentcaton s volated (recall that the BPR model was proposed for the two-party key exchange protocols). In the BPR model partnerng s defned usng sesson ds. However, the authors do not provde further detals wthn the model concernng the constructon of the unque sesson ds. In the proposed protocol, however, they are constructed as a concatenaton of all flows exchanged between both partcpants. Note that ths s an approprate method n case of two partes, however, cannot be generally appled to the mult-party case where partcpants do not generally need to send each message to every other partcpant. Smlar to the BR + model the BPR model does not consder attacks related to the ssues of key control and contrbutveness. 3.4 Model by Canett and Krawczyk (CK) Canett and Krawczyk [CK01] proposed a formal model, whch we refer to as CK, based on the methodology of the BR and BCK models. Smlar to the BCK model the CK model deals wth message-drven protocols that nvolve only two partes. Dfferent executons of a protocol are called sessons whch are dentfed by unque sesson ds. The CK model descrbes the noton of matchng sessons (related to the matchng conversatons n the BR model), and treats partcpants of matchng sessons as partners. As the BCK model the CK model specfes an unauthentcated-lnks (UM) and an authentcatedlnks (AM) adversaral models. In the UM model the adversary passes messages from one partcpant to another, but has control over ther schedulng (ncludng ntaton of the protocol), and s allowed to ask Reveal queres to obtan the computed sesson keys and Corrupt queres to obtan all the nternal memory of the party ncludng ts long-lved key and specfc sesson-nternal nformaton (such as nternal state of ncomplete sessons and sesson-keys of already completed sessons). From the moment a party s corrupted t s fully controlled by the adversary. Ths models attacks aganst (perfect) forward secrecy. Addtonally, n the CK model the adversary s allowed to reveal nternal state of a party for an ncomplete sesson wthout necessarly corruptng that party (we call ths RevealState queres). In the CK model a sesson becomes locally exposed f any of these three queres (Reveal, RevealState, or Corrupt) have been asked to a party durng that sesson, and the sesson becomes exposed 19

20 f t or any of ts matchng sessons are locally exposed. Further, the CK model specfes sesson expraton whch can be performed by a party causng the erasure of that sesson key and any sesson-specfc nformaton from the party s memory, and used n the model for the defnton of securty wthout (perfect) forward secrecy. In the AM model the adversary has the same capabltes as n the UM model, but s requred to pass messages between the partes truly,.e., wthout modfyng them (ths s comparable to a passve adversary who only eavesdrops the communcaton). The UM and AM models are lnked together over the emulaton paradgm based on authentcators as n the BCK model. The CK model ntroduces the noton of sesson-key securty as a securty goal for the key exchange protocols. The defnton n the UM model allows the adversary to ask a Test query (wth smlar response as n the BR, BR +, and BPR models) to a party durng the sesson whch s completed, unexpred and unexposed at that tme. Havng asked ths Test query the adversary s allowed to contnue wth regular actons accordng to the UM model but s not allowed to expose the test-sesson. At the end of ts executon the adversary has to output a guess concernng the response of the Test query. A protocol s called sesson-key secure f for any UM-adversary holds that f any two partes complete matchng sessons then they compute the same sesson key, and that the probablty of the adversary s correct guess s no more than 1/2 plus a neglgble fracton. Ths defnton also captures nformal requrements on ndstngushablty notons consderng known-key attacks and actve adversares. Addtonally, the CK model provdes a weaker defnton of securty for protocols n whch no (perfect) forward secrecy s avalable or desrable. For ths purpose the model dsallows sesson expratons. A protocol s called sesson-key secure wthout (perfect) forward secrecy f t s sesson-key secure and the UM-adversary s not allowed to corrupt any partner from the test-sesson,.e., the securty of the sesson key can be no more guaranteed f any partner who computes ths key gets corrupted. The authors menton that smlar defntons are applcable for the AM model. Compared to the BCK and BR models, the CK model provdes a stronger adversaral settng snce t allows RevealState queres. Interestng s that sesson-key securty n the CK model mples the known-key securty of the protocol n the BR + and BPR models. For the proof of ths fact and further analyss of the relatons between the securty defntons n the BR, BR +, BPR and CK models we refer to the work of Choo, Boyd and Htchcock [CBH05b]. Note that one drawback of the CK model n the context of key exchange s that t leaves the constructon of the sesson ds open, and ths mght have an mpact on the securty of the protocols desgned based on ths model. Also the CK model does not deal wth the ssues of key confrmaton and mutual authentcaton as well as key control and contrbutveness. 20