Document Open Access Logo

Out-Of-Band Authenticated Group Key Exchange: From Strong Authentication to Immediate Key Delivery

Authors Moni Naor, Lior Rotem, Gil Segev

PDF
Thumbnail PDF

File

LIPIcs.ITC.2020.9.pdf
  • Filesize: 0.67 MB
  • 25 pages

Document Identifiers

Author Details

Moni Naor
  • Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel
Lior Rotem
  • School of Computer Science and Engineering, Hebrew University of Jerusalem, Jerusalem 91904, Israel
Gil Segev
  • School of Computer Science and Engineering, Hebrew University of Jerusalem, Jerusalem 91904, Israel

Funding

  • Naor, Moni: Supported in part by a grant from the Israel Science Foundation (no. 950/16). Incumbent of the Judith Kleeman Professorial Chair.
  • Rotem, Lior: Supported by the Adams Fellowship Program of the Israel Academy of Sciences and Humanities and by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253).
  • Segev, Gil: Supported by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253).

Cite AsGet BibTex

Moni Naor, Lior Rotem, and Gil Segev. Out-Of-Band Authenticated Group Key Exchange: From Strong Authentication to Immediate Key Delivery. In 1st Conference on Information-Theoretic Cryptography (ITC 2020). Leibniz International Proceedings in Informatics (LIPIcs), Volume 163, pp. 9:1-9:25, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2020)
https://doi.org/10.4230/LIPIcs.ITC.2020.9

Abstract

Given the inherent ad-hoc nature of popular communication platforms, out-of-band authenticated key-exchange protocols are becoming widely deployed: Key exchange protocols that enable users to detect man-in-the-middle attacks by manually authenticating one short value. In this work we put forward the notion of immediate key delivery for such protocols, requiring that even if some users participate in the protocol but do not complete it (e.g., due to losing data connectivity or to other common synchronicity issues), then the remaining users should still agree on a shared secret. A property of a similar flavor was introduced by Alwen, Coretti and Dodis (EUROCRYPT '19) asking for immediate decryption of messages in user-to-user messaging while assuming that a shared secret has already been established - but the underlying issue is crucial already during the initial key exchange and goes far beyond the context of messaging. Equipped with our immediate key delivery property, we formalize strong notions of security for out-of-band authenticated group key exchange, and demonstrate that the existing protocols either do not satisfy our notions of security or are impractical (these include, in particular, the protocols deployed by Telegram, Signal and WhatsApp). Then, based on the existence of any passively-secure key-exchange protocol (e.g., the Diffie-Hellman protocol), we construct an out-of-band authenticated group key-exchange protocol satisfying our notions of security. Our protocol is inspired by techniques that have been developed in the context of fair string sampling in order to minimize the effect of adversarial aborts, and offers the optimal tradeoff between the length of its out-of-band value and its security.

Subject Classification

ACM Subject Classification
  • Security and privacy → Cryptography
  • Theory of computation → Cryptographic protocols
  • Theory of computation → Cryptographic primitives
Keywords
  • End-to-end encryption
  • out-of-band authentication
  • key exchange

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads
    0
    Metadata Views

Related Versions

References

  1. Michel Abdalla, Pierre-Alain Fouque, and David Pointcheval. Password-based authenticated key exchange in the three-party setting. In Proceedings of the 8th International Conference on Practice and Theory in Public-Key Cryptography, pages 65-84, 2005. Google Scholar
  2. Joël Alwen, Sandro Coretti, and Yevgeniy Dodis. The double ratchet: Security notions, proofs, and modularization for the signal protocol. In Advances in Cryptology - EUROCRYPT '19, pages 129-158, 2019. Google Scholar
  3. Hagit Attiya and Jennifer Welch. Distributed computing: fundamentals, simulations, and advanced topics. John Wiley & Sons, 2004. Google Scholar
  4. Baruch Awerbuch, Manuel Blum, Benny Chor, Shafi Goldwasser, and Silvio Micali. How to implement Bracha’s O(log n) byzantine agreement algorithm. Unpublished manuscript, 1985. Google Scholar
  5. Richard Barnes, Jon Millican, Emad Omara, Katriel Cohn-Gordon, and Raphael Robert. The messaging layer security protocol, 2019. Available at https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/ (accessed 11-Dec-2019). URL: https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/.
  6. Mihir Bellare, Ran Canetti, and Hugo Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols. In Proceedings of the 30th annual ACM Symposium on Theory of Computing, pages 419-428, 1998. Google Scholar
  7. Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated key exchange secure against dictionary attacks. In Advances in Cryptology - EUROCRYPT '00, pages 139-155, 2000. Google Scholar
  8. Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Advances in Cryptology - CRYPTO '93, pages 232-249, 1993. Google Scholar
  9. Mihir Bellare and Phillip Rogaway. Provably secure session key distribution: the three party case. In Proceedings of the 27th annual ACM Symposium on Theory of Computing, pages 57-66, 1995. Google Scholar
  10. Mihir Bellare, Asha Camper Singh, Joseph Jaeger, Maya Nyayapati, and Igors Stepanovs. Ratcheted encryption and key exchange: The security of messaging. In Advances in Cryptology - CRYPTO '17, pages 619-650, 2017. Google Scholar
  11. Bluetooth Special Interest Group. Bluetooth core specification v. 5.1, 2019. Available at https://www.bluetooth.com/specifications/bluetooth-core-specification/ (accessed 11-Dec-2019). URL: https://www.bluetooth.com/specifications/bluetooth-core-specification/.
  12. Victor Boyko, Philip MacKenzie, and Sarvar Patel. Provably secure password-authenticated key exchange using Diffie-Hellman. In Advances in Cryptology - EUROCRYPT '00, pages 156-171, 2000. Google Scholar
  13. Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. Provably authenticated group Diffie-Hellman key exchange - the dynamic case. In Advances in Cryptology - ASIACRYPT '01, pages 290-309, 2001. Google Scholar
  14. Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. Dynamic group Diffie-Hellman key exchange under standard assumptions. In Advances in Cryptology - EUROCRYPT '02, pages 321-336, 2002. Google Scholar
  15. Emmanuel Bresson, Olivier Chevassut, David Pointcheval, and Jean Jacques Quisquater. Provably authenticated group Diffie-Hellman key exchange. In Proceedings of the 8th ACM conference on Computer and Communications Security, pages 255-264, 2001. Google Scholar
  16. Ran Canetti and Hugo Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In Advances in Cryptology - EUROCRYPT '01, pages 453-474, 2001. Google Scholar
  17. Michele Ciampi, Rafail Ostrovsky, Luisa Siniscalchi, and Ivan Visconti. Four-round concurrent non-malleable commitments from one-way functions. In Advances in Cryptology - CRYPTO '17, pages 127-157, 2017. Google Scholar
  18. Richard Cleve. Limits on the security of coin flips when half the processors are faulty. In Proceedings of the 18th Annual ACM Symposium on Theory of Computing, pages 364-369, 1986. Google Scholar
  19. Katriel Cohn-Gordon, Cas Cremers, Luke Garratt, Jon Millican, and Kevin Milner. On ends-to-ends encryption: Asynchronous group messaging with strong security guarantees. In Proceedings of the 25th ACM conference on Computer and Communications Security, pages 1802-1819, 2018. Google Scholar
  20. Katriel Cohn-Gordon, Cas J.~F. Cremers, Benjamin Dowling, Luke Garratt, and Douglas Stebila. A formal security analysis of the Signal messaging protocol. In Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P), pages 451-466, 2017. Google Scholar
  21. Danny Dolev, Cynthia Dwork, and Moni Naor. Non-malleable cryptography. SIAM Journal on Computing, 30(2):391-437, 2000. Google Scholar
  22. Alexis Duque. Deep dive into Bluetooth LE security. Medium. Available at https://medium.com/rtone-iot-security/deep-dive-into-bluetooth-le-security-d2301d640bfc, 2018. URL: https://medium.com/rtone-iot-security/deep-dive-into-bluetooth-le-security-d2301d640bfc.
  23. F. Betül Durak and Serge Vaudenay. Bidirectional asynchronous ratcheted key agreement without key-update primitives. In Advances in Information and Computer Security - IWSEC '19, pages 343-362, 2019. Google Scholar
  24. Dario Fiore, Maria Isabel Gonzalez Vasco, and Claudio Soriente. Partitioned group password-based authenticated key exchange. The Computer Journal, 60(12):1912-1922, 2017. Google Scholar
  25. Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jörg Schwenk, and Thorsten Holz. How secure is TextSecure? In Proceedings of the 1st IEEE European Symposium on Security and Privacy (EuroS&P), pages 457-472, 2016. Google Scholar
  26. Rosario Gennaro and Yehuda Lindell. A framework for password-based authenticated key exchange. In Advances in Cryptology - EUROCRYPT '03, pages 524-543, 2003. Google Scholar
  27. Michael T. Goodrich, Michael Sirivianos, John Solis, Gene Tsudik, and Ersin Uzun. Loud and clear: Human-verifiable authentication based on audio. In 26th IEEE International Conference on Distributed Computing Systems, page 10, 2006. Google Scholar
  28. Vipul Goyal. Constant round non-malleable protocols using one way functions. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 695-704, 2011. Google Scholar
  29. David Jablon. Strong password-only authenticated key exchange. ACM SIGCOMM Computer Communication Review, 26(5):5-26, 1996. Google Scholar
  30. Joseph Jaeger and Igors Stepanovs. Optimal channel security against fine-grained state compromise: The safety of messaging. In Advances in Cryptology - CRYPTO '18, pages 33-62, 2018. Google Scholar
  31. Daniel Jost, Ueli Maurer, and Marta Mularczyk. Efficient ratcheting: Almost-optimal guarantees for secure messaging. In Advances in Cryptology - EUROCRYPT '19, pages 159-188, 2019. Google Scholar
  32. Ronald Kainda, Ivan Flechais, and AW Roscoe. Usability and security of out-of-band channels in secure device pairing protocols. In Symposium on usable privacy and security (SOUPS), pages 11:1-11:12, 2009. Google Scholar
  33. Jonathan Katz, Rafail Ostrovsky, and Moti Yung. Efficient password-authenticated key exchange using human-memorable passwords. In Advances in Cryptology - EUROCRYPT '01, pages 475-494, 2001. Google Scholar
  34. Jonathan Katz and Moti Yung. Scalable protocols for authenticated group key exchange. In Advances in Cryptology - CRYPTO '03, pages 110-125, 2003. Google Scholar
  35. Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet. Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach. In Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P), pages 435-450, 2017. Google Scholar
  36. Brian LaMacchia, Kristin Lauter, and Anton Mityagin. Stronger security of authenticated key exchange. In International Conference on Provable Security '07, pages 1-16, 2007. Google Scholar
  37. Sampsa Latvala, Mohit Sethi, and Tuomas Aura. Evaluation of out-of-band channels for IoT security. SN Computer Science, 1(1):1-18, 2019. Google Scholar
  38. Sven Laur and Kaisa Nyberg. Efficient mutual data authentication using manually authenticated strings. In International Conference on Cryptology and Network Security, pages 90-107, 2006. Google Scholar
  39. Huijia Lin and Rafael Pass. Constant-round non-malleable commitments from any one-way function. In Proceedings of the 43rd annual ACM symposium on Theory of computing, pages 705-714, 2011. Google Scholar
  40. Yehuda Lindell. Comparison-based key exchange and the security of the numeric comparison mode in bluetooth v2.1. In CT-RSA '09, pages 66-83, 2009. Google Scholar
  41. Nancy A. Lynch. Distributed algorithms. Elsevier, 1996. Google Scholar
  42. Rene Mayrhofer and Hans Gellersen. Shake well before use: Authentication based on accelerometer data. In International Conference on Pervasive Computing, pages 144-161, 2007. Google Scholar
  43. Jonathan M. McCune, Adrian Perrig, and Michael K. Reiter. Seeing-is-believing: using camera phones for human-verifiable authentication. In IEEE Symposium on Security and Privacy, pages 110-124, 2005. Google Scholar
  44. Moni Naor, Lior Rotem, and Gil Segev. The security of lazy users in out-of-band authentication. In Proceedings of the 16th Theory of Cryptography Conference, pages 575-599, 2018. Google Scholar
  45. Moni Naor, Lior Rotem, and Gil Segev. Out-of-band authenticated group key exchange: From strong authentication to immediate key delivery. Cryptology ePrint Archive, Report 2019/1458, 2019. Google Scholar
  46. Moni Naor, Gil Segev, and Adam Smith. Tight bounds for unconditional authentication protocols in the manual channel and shared key models. In Advances in Cryptology - CRYPTO'06, pages 214-231, 2006. Google Scholar
  47. Moni Naor, Gil Segev, and Adam D. Smith. Tight bounds for unconditional authentication protocols in the manual channel and shared key models. IEEE Transactions on Information Theory, 54(6):2408-2425, 2008. Google Scholar
  48. Sylvain Pasini and Serge Vaudenay. An optimal non-interactive message authentication protocol. In CT-RSA '06, pages 280-294, 2006. Google Scholar
  49. Sylvain Pasini and Serge Vaudenay. SAS-based authenticated key agreement. In Proceedings on the 9th International Conference on Theory and Practice of Public-Key Cryptography, pages 395-409, 2006. Google Scholar
  50. Trevor Perrin and Moxie Marlinspike. The double ratchet algorithm, 2016. Available at https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf (accessed 11-Dec-2019). URL: https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf.
  51. Bertram Poettering and Paul Rösler. Towards bidirectional ratcheted key exchange. In Advances in Cryptology - CRYPTO '18, pages 3-32, 2018. Google Scholar
  52. Bertram Poettering and Paul Rösler. Asynchronous ratcheted key exchange. Cryptology ePrint Archive, Report 2018/296, 2018. Google Scholar
  53. Ronald L. Rivest and Adi Shamir. How to expose an eavesdropper. Communications of the ACM, 27(4):393-395, 1984. Google Scholar
  54. Lior Rotem and Gil Segev. Out-of-band authentication in group messaging: Computational, statistical, optimal. In Advances in Cryptology - CRYPTO '18, pages 63-89, 2018. Google Scholar
  55. Lior Rotem and Gil Segev. Out-of-band authentication in group messaging: Computational, statistical, optimal. Cryptology ePrint Archive, Report 2018/493, 2018. Google Scholar
  56. Nitesh Saxena, Jan-Erik Ekberg, Kari Kostiainen, and N. Asokan. Secure device pairing based on a visual channel. In IEEE Symposium on Security and Privacy, pages 306-313, 2006. Google Scholar
  57. Michael Schliep and Nicholas Hopper. End-to-end secure mobile group messaging with conversation integrity and deniability. In Proceedings of the 18th ACM Workshop on Privacy in the Electronic Society, pages 55-73, 2019. Google Scholar
  58. Victor Shoup. On formal models for secure key exchange. Theory of Cryptography Library (available at https://www.shoup.net/papers/skey.pdf), 1999. URL: https://www.shoup.net/papers/skey.pdf.
  59. Telegram. End-to-end encrypted voice calls - key verification. Available at https://core.telegram.org/api/end-to-end/voice-calls#key-verification (accessed 11-Dec-2019). URL: https://core.telegram.org/api/end-to-end/voice-calls#key-verification.
  60. Telegram. End-to-end encryption. Available at https://core.telegram.org/api/end-to-end (accessed 11-Dec-2019). URL: https://core.telegram.org/api/end-to-end.
  61. Serge Vaudenay. Secure communications over insecure channels based on short authenticated strings. In Advances in Cryptology - CRYPTO '05, pages 309-326, 2005. Google Scholar
  62. Viber encryption overview. Available at URL: https://www.viber.com/app/uploads/Viber-Encryption-Overview.pdf.
  63. WhatsApp encryption overview. Available at URL: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf.
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail
© 2023-2024 Schloss Dagstuhl – LZI GmbH Imprint Privacy Contact