Modeling and detecting attacks against key agreement protocols

Abstract

Key agreement protocols establish a shared secret key between two or more communicating parties willing to exchange data over insecure channels using symmetric key cryptography. Based on the number of members involved in the communication these protocols can be classied as a two party or group key agreement protocols. Various formal methods are available in the literature to analyze the security of such protocols. This helps in establishing the validity of any attacks, if found, or to prove the security of the protocols under given adversarial assumptions. In this thesis we analyze the security of several existing two party and group key agreement protocols. We used provable security models like eCK'08 and enhanced eCK and the DS model given as an algebraic approach by Delicata and Schneider to analyze a class of DH based key agreement protocols. The distinguishing feature of key agreement protocols from key transport protocols is that the former aims to ensure the contribution of all the honest participants so that no one can predetermine the key. In a poorly designed protocol, an insider adversary can control the key in different forms as dened by Pieprzyk and Wang. This type of attack is termed as key control. We also dene ephemeral key control w.r.t. dishonest insider where it is assumed that the adversary also knows the ephemeral secret of the victim honest participants. This assumption is based on several advanced attributes that assume ephemeral leakage. We analyze this attack on MTI protocols using DS model. We have shown weakness in some provably secure two party implicitly authenticated protocols and modeled the attacks in provable security model. We also analyzed key control in some group key agreement protocols. We have used the DS model to formally derive an attack shown by Pieprzyk on Burmester-Desmedt protocol and have also proposed attacks on static version of the group key agreement protocol proposed by Dutta and Barua.