Group Protocol Attacks

Graham Steel


The development of analysis tools for 2/3 party protocols has benefited from a common corpus of protocols to analyse, courtesy of Clark and Jacob. Group protocol analysis, where the number of parties involved in a single round is indeterminate and unbounded, presents new challenges for these tools. A corpus of problems to work on would be a great help. We have started to assemble one here. The total currently stands at 19 attacks on 15 different group key management, group key agreement, and multi-party contract signing protocols. Pointers to further attacks would be greatly appreciated (contributors will be credited in the list).

Where the attack reference is marked with a *, this indicates a previously unknown attack we discovered using the Coral system.

If you use this corpus in your work, a citation would be appreciated (just mention the URL). Last update: September 2006.

NEW! Raúl Monroy and I have written a survey of group protocol attacks that covers most of the attacks in the corpus below. Feedback welcome.


| Protocol | Reference | Attack | Attack Reference | Notes |
|---|---|---|---|---|
| Cliques - A.GDH.2 | [3] | Spy learns the key when a group he is a legitimate member of tries to form a subgroup without him | [17, p.15] | All CLIQUES protocols require Diffie-Hellman exponentiation to be modelled. It has since been shown that this operation is not sufficient to construct secure Cliques protocols [18]. |
| Cliques - A.GDH.2 | [3] | Spy learns a session key if a long-term key is later compromised | [17, p.17] | Spy must send some faked messages in the original set-up of the session key in order to break it later. One agent in the group may be able to detect this. |
| Cliques - A.GDH.2 | [3] | Spy can use one compromised session key to learn the key in a subsequent round | [17, p.20] | Spy must send one faked message in the original round, which one agent in the group may detect. |
| Cliques - A.GDH.2-MA | [3] | Spy can learn a group key when a group of size 3 tries to admit a new member under A.GDH.2-MA | [17, p.22] | |
| Cliques - SA.GDH.2 | [3] | Spy learns the key when a group he is a legitimate member of tries to form a subgroup without him | [17, p.24] | |
| GDOI (early draft) | [1] | Man-in-the-middle/oracle attack by a dishonest group member. Requires type confusion (and the GDOI bit-length pattern would have allowed this) | [12, p.33] | Fixed in recent versions of GDOI |
| Asokan-Ginzboorg | [2] | Disruption by faking key contributions | [21, p.10]* | Designed to be disruption-proof in a wireless environment (so not full Dolev-Yao) - a pretty ambitious goal |
| Asokan-Ginzboorg | [2] | Intruder in the group can force players to accept different keys, all of which he knows | [21, p.11]* | |
| Tanaka-Sato multicast key management | [24] | Group members accept messages from outside the group | [23] | Modelled without an intruder |
| Tanaka-Sato-Taghdiri-Jackson | [23] | Group members accept messages from outside the group | [20]* | With an active intruder, Taghdiri and Jackson's improved protocol has the same flaw as the original |
| Tanaka-Sato-Taghdiri-Jackson | [23] | Group members send messages an outsider can read | [20]* | |
| Iolus | [14] | Group members accept messages from an ex-member and broadcast messages an ex-member can read | [20]* | The Iolus flaw is similar to that of the Tanaka-Sato-Taghdiri-Jackson protocol, although the key management scheme is quite different. |
| GDH.2 | [22] | Honest group members agree on different keys | [13] | No details of the attack in the paper |
| Bull-Otway (early draft) | [7] | Compromise of one key can lead to compromise of all keys | [19] | Requires properties of XOR to be taken into account |
| Bresson-Chevassut-Essiari-Pointcheval Low Power Devices Protocol | [6] | Several attacks, including compromise of perfect forward secrecy, implicit key authentication and a known-key attack | [16] | Published in the Cryptology ePrint Archive (so not peer-reviewed). |
| Boyd-González Nieto Conference Key Agreement Protocol | [5] | Unknown key share attack | [9] | Thanks to Raymond Choo for the pointer |
| Garay-MacKenzie Multi-Party Contract Signing Protocol | [10] | Attack on fairness | [8] | Attack requires n >= 4 players |
| Chadha-Kremer-Scedrov version of the Garay-MacKenzie protocol | [8] | Attack on fairness | [15] | Mukhamedov and Ryan found an attack on the revised protocol for n > 4 players |
| HI-KD | [11] | Attack on the member promotion protocol | [4] | |


Bibliography

[1] GDOI specification. Available via http://www.securemulticast.org.

[2] N. Asokan and P. Ginzboorg. Key-agreement in ad-hoc networks. Computer Communications, 23(17):1627-1637, 2000.

[3] G. Ateniese, M. Steiner, and G. Tsudik. New multiparty authentication services and key agreement protocols. IEEE Journal on Selected Areas in Communications, 18(4):628-639, April 2000.

[4] M. S. Bouassida, N. Chridi, I. Chrisment, O. Festor, and L. Vigneron. Automatic verification of a key management architecture for hierarchical group protocols. In F. Cuppens and H. Debar, editors, 5th Conference on Security and Network Architectures (SAR), pages 381-397, Seignosse, France, June 2006.

[5] Colin Boyd and Juan Manuel González Nieto. Round-optimal contributory conference key agreement. In Yvo Desmedt, editor, Public Key Cryptography - PKC 2003, volume 2567 of Lecture Notes in Computer Science, pages 161-174. Springer-Verlag, 2003.

[6] E. Bresson, O. Chevassut, A. Essiari, and D. Pointcheval. Mutual authentication and group key agreement for low-power mobile devices. Journal of Computer Communications, 27(17):1730-1737, July 2004. Special Issue on Security and Performance in Wireless and Mobile Networks, Elsevier Science.

[7] J. Bull and D. Otway. The authentication protocol. Technical Report DRA/CIS3/PROJ/CORBA/SC/1/CSM/436-04/0.5b, DERA, Malvern, UK, 1997.

[8] R. Chadha, S. Kremer, and A. Scedrov. Formal analysis of multi-party fair exchange protocols. In R. Focardi, editor, 17th IEEE Computer Security Foundations Workshop, pages 266-279, Asilomar, CA, USA, 2004. IEEE Computer Society Press.

[9] Kim-Kwang Raymond Choo, Colin Boyd, and Yvonne Hitchcock. Errors in computational complexity proofs for protocols. In Bimal Roy, editor, Advances in Cryptology - Asiacrypt 2005, volume 3788 of Lecture Notes in Computer Science, pages 624-643. Springer-Verlag, 2005. Also available from http://eprint.iacr.org/2005/351.

[10] J. Garay and P. MacKenzie. Abuse-free multi-party contract signing. In P. Jayanti, editor, International Symposium on Distributed Computing, number 1693 in LNCS, pages 151-165. Springer-Verlag, September 1999.

[11] H. Hassan, A. Bouabdallah, H. Bettahar, and Y. Challal. HI-KD: Hash-based hierarchical key distribution for group communication. Poster at IEEE INFOCOM '05, 2005.

[12] C. Meadows and P. Syverson. Formal specification and analysis of the Group Domain of Interpretation protocol using NPATRL and the NRL Protocol Analyzer. Journal of Computer Security, 2003. To appear.

[13] J. Millen and G. Denker. MuCAPSL. In DISCEX III, DARPA Information Survivability Conference and Exposition, pages 238-249. IEEE Computer Society, 2003.

[14] S. Mittra. Iolus: A framework for scalable secure multicasting. In Proceedings of the ACM SIGCOMM '97 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pages 277-288, Cannes, France, September 1997.

[15] A. Mukhamedov and M. Ryan. Resolve-impossibility for a contract-signing protocol. In J. Guttman, editor, 19th IEEE Computer Security Foundations Workshop, pages 167-173. IEEE Computer Society Press, July 2006.

[16] Junghyun Nam, Seungjoo Kim, and Dongho Won. Attacks on Bresson-Chevassut-Essiari-Pointcheval's group key agreement scheme for low-power mobile devices. Cryptology ePrint Archive, Report 2004/251, 2004. http://eprint.iacr.org/.

[17] O. Pereira and J.-J. Quisquater. Some attacks upon authenticated group key agreement protocols. Journal of Computer Security, 11(4):555-580, 2003. Special Issue: 14th Computer Security Foundations Workshop (CSFW14).

[18] Olivier Pereira and Jean-Jacques Quisquater. Generic insecurity of Cliques-type authenticated group key agreement protocols. In Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW-17), pages 16-29. IEEE Computer Society Press, 2004.

[19] P. Ryan and S. Schneider. An attack on a recursive authentication protocol: A cautionary tale. Information Processing Letters, 65:7-10, 1998.

[20] G. Steel and A. Bundy. Attacking group multicast key management protocols using CORAL. Electronic Notes in Theoretical Computer Science (ENTCS), 125(1):125-144, 2004. Also available as Informatics Research Report EDI-INF-RR-0241. Presented at the ARSPA workshop 2004.

[21] G. Steel, A. Bundy, and M. Maidl. Attacking a protocol for group key agreement by refuting incorrect inductive conjectures. In D. Basin and M. Rusinowitch, editors, Proceedings of the International Joint Conference on Automated Reasoning, number 3097 in Lecture Notes in Artificial Intelligence, pages 137-151, Cork, Ireland, July 2004. Springer-Verlag, Heidelberg.

[22] M. Steiner, G. Tsudik, and M. Waidner. Diffie-Hellman key distribution extended to group communication. In Proc. 3rd ACM Conference on Computer and Communications Security (CCS '96), pages 31-37, 1996.

[23] M. Taghdiri and D. Jackson. A lightweight formal analysis of a multicast key management scheme. In Proceedings of Formal Techniques of Networked and Distributed Systems - FORTE 2003, LNCS, pages 240-256, Berlin, 2003. Springer.

[24] S. Tanaka and F. Sato. A key distribution and rekeying framework with totally ordered multicast protocols. In Proceedings of the 15th International Conference on Information Networking, pages 831-838, 2001.

Standard 2/3 party corpora:

  • SPORE at ENS-Cachan - Clark-Jacob and a few others
  • CAPSL library - The Clark-Jacob corpus
  • The original Clark-Jacob corpus
  • Alex Yasinac's transcription of the Clark-Jacob corpus to Needham-Schroeder notation
  • The Provably-Secure Key Establishment and Mutual Authentication Protocols Lounge