An Active Attack on a Multiparty Key Exchange Protocol

The multiparty key exchange introduced in Steiner et al. and presented in more general form by the authors is known to be secure against passive attacks. In this paper, an active attack is presented assuming malicious control of the communications of the last two users for the duration of only the key exchange.


Introduction
The increased use of light and mobile devices has led to the study of the so-called mobile ad hoc networks. These are created, operated and managed by the nodes themselves and therefore are solely dependent upon the cooperative and trusting nature of the nodes. The ad hoc property of these mobile networks implies that the network is formed in an unplanned manner to meet an immediate demand and specific goal, and that nodes are continuously joining or leaving the network. Thus, key management in this type of network is a very important issue and has been the aim of numerous works (see [1] or [5] and their references).
One of the most widely known such schemes is due to Steiner et al. and is known as Cliques (cf. [4]). Cliques is a multiparty key exchange protocol generalizing the Diffie-Hellman key exchange based on the discrete logarithm problem. It is composed of an initial key agreement (IKA) to set up a first common key and an auxiliary key agreement (AKA) in order to refresh the key at any later stage.
In [3], the authors propose a systematic way for analyzing protocol suites which extend the Diffie-Hellman key-exchange scheme to a group setting. They find interesting attacks which exploit algebraic properties of Diffie-Hellman exponentiation. However, our attack uses a different approach that exploits a weakness of a specific protocol and allows for prolonged eavesdropping.
We will consider in particular one of the proposed initial key agreements referred to (in [4]) as IKA.2. The authors generalize these schemes in [2], considering a general action on a semigroup, and this is how IKA.2 is presented below.
We will then show an active attack on this protocol that requires control of the communications of two particular parties for only the duration of the key exchange. That is, unlike in a regular man-in-the-middle attack, it is not necessary for the attacker to control the communications after the key exchange in order to translate messages, since all users are made to agree on the same key.
Although it is not possible for the attacker to keep a copy of the key after the users initiate AKA operations, we will show how she can avoid being noticed at that point.

An Initial Key Agreement protocol
The protocol below gives n users the possibility to share an initial common key built using their private keys. A proof of its correctness and security against passive attacks can be found in [2,4], assuming the Diffie-Hellman problem is hard for the given group action.
Suppose we have $n$ users $U_1, \ldots, U_n$ who wish to agree upon a common key. Let $G$ be an abelian group, written multiplicatively. Let $S$ be a set, and suppose we have a group action $\Phi : G \times S \to S$; we write $g \cdot x$ for $\Phi(g, x)$. The users publicly agree on a common element $C_0 = s \in S$, and for each $i = 1, \ldots, n$, the user $U_i$ selects a secret group element $g_i \in G$.
The protocol proceeds as follows:
(1) For $i = 1, \ldots, n-2$, $U_i$ sends to $U_{i+1}$ the message $C_i = g_i \cdot C_{i-1}$.
(2) $U_{n-1}$ broadcasts $C_{n-1} = g_{n-1} \cdot C_{n-2}$ to all users.
(3) $U_n$ computes the shared key $K = g_n \cdot C_{n-1}$.
(4) For $i = 1, \ldots, n-1$, $U_i$ sends to $U_n$ the value $g_i^{-1} \cdot C_{n-1}$.
(5) $U_n$ broadcasts the message $\{g_n g_1^{-1} \cdot C_{n-1}, \ldots, g_n g_{n-1}^{-1} \cdot C_{n-1}, C_{n-1}\}$, and each $U_i$, $i = 1, \ldots, n-1$, recovers $K = g_i \cdot (g_n g_i^{-1} \cdot C_{n-1})$.
It is easy to see that for $i = 1, \ldots, n-1$, we have that $C_i = \prod_{j=1}^{i} g_j \cdot s$, and finally $K = \prod_{j=1}^{n} g_j \cdot s$. From the above, we can also observe that $C_{n-1}$ is not needed by any user to recover the session key $K$. However, this information is disclosed for future rekeying purposes, as we will see later.
Example 1. Let $\mathbb{F}_q$ be a finite field. Let us consider an element $g$ of prime order $p$, generating the subgroup $S \subset \mathbb{F}_q^*$. Then the action $\Phi : \mathbb{Z}_p^* \times S \to S$ defined by $\Phi(x, h) = h^x$ gives the original protocol IKA.2 of [4].
Example 2. Let us denote by $\mathcal{E}$ the group of points of an elliptic curve of prime order $p$. Then the action $\Phi : \mathbb{Z}_p^* \times \mathcal{E} \to \mathcal{E}$ defined by $\Phi(x, P) = xP$ gives an elliptic curve version of IKA.2 cited above.

An active attack on the Initial Key Agreement
We describe an active attack on the protocol of the preceding section. Suppose that the attacker $M$ wants the users $U_1, \ldots, U_n$ to agree on a shared key as usual, except that she is in possession of the key as well.
In order to carry out our attack, $M$ needs to have full control over the communication of the users $U_{n-1}$ and $U_n$ for the duration of the key exchange. However, unlike in a regular man-in-the-middle attack, she does not need to maintain this control after the key exchange is completed.
In the beginning, $M$ chooses her own secret group element $\hat g \in G$. She then proceeds as follows:
(a) Step (1) is carried out as usual.
(b) $M$ intercepts the broadcast of $U_{n-1}$ during step (2) and remembers the value $C_{n-1}$. At this point, all users except for $U_{n-1}$ are sitting in step (2), waiting for the broadcast that was halted.
(c) $U_{n-1}$ proceeds to step (4), where he sends $g_{n-1}^{-1} \cdot C_{n-1} = C_{n-2}$ to $U_n$. This is also intercepted by $M$. $U_{n-1}$ is now waiting in step (5).
(d) $M$ now makes $U_n$ believe that he received the broadcast of step (2), but actually sends him $\hat g \cdot C_{n-1}$. At this point, $U_n$ computes the shared key $K = g_n \hat g \cdot C_{n-1}$ and waits in step (4).
(e) $M$ now sends to $U_n$ the values $\{m_1, \ldots, m_{n-3}, C_{n-2}, C_{n-1}\}$, pretending that they were sent by the other users in step (4). The $m_i$ are random elements of the orbit $G \cdot s$.
(f) In step (5), $U_n$ sends back, among others, the values $g_n \cdot C_{n-2}$ and $g_n \cdot C_{n-1}$, which $M$ intercepts. The user $U_n$ is now finished, and $M$ can compute the shared key $K = \hat g g_n \cdot C_{n-1}$.
(g) Until now, $U_1, \ldots, U_{n-2}$ have been waiting for the broadcast in step (2), which $M$ now provides in the form of $g_n \cdot C_{n-1}$.
(h) Each $U_i$, $i = 1, \ldots, n-2$, proceeds to step (4) and sends $g_i^{-1} g_n \cdot C_{n-1}$ to $U_n$; these transmissions are intercepted by $M$.
(i) In step (5), $M$ broadcasts to $U_i$, $i = 1, \ldots, n-2$, the message $\{\hat g g_1^{-1} g_n \cdot C_{n-1}, \ldots, \hat g g_{n-2}^{-1} g_n \cdot C_{n-1}, \hat g g_n \cdot C_{n-2}, g_n \cdot C_{n-1}\}$. User $U_{n-1}$ is sent the same message, but the last element, $g_n \cdot C_{n-1}$, is substituted by $C_{n-1}$.
(j) The users $U_1, \ldots, U_{n-2}$ now all compute the shared secret $K = g_i \hat g g_i^{-1} g_n \cdot C_{n-1}$.
Let us make some comments on the attack introduced above. First, we can observe that at the end of this procedure, all users as well as the attacker share the same key $K = \prod_{j=1}^{n} g_j \cdot (\hat g \cdot s)$.
Any passive observer will still be unable to determine the key, for the same reason that the original protocol is secure against passive attacks, cf. [4, Theorem 2.1], whose proof also applies to the general setting given in Section 2 whenever the action is transitive and the Diffie-Hellman problem is hard.
The attacker's secret $\hat g$ is not strictly required for the attack to work, but without it, the users may notice that something is amiss. Namely, in step (e), if we leave out $\hat g$, the user $U_n$ may notice that $M$ sent the same value $C_{n-1}$ as in step (d). Similarly, in step (i), the other users could notice that the attacker just returned their transmission from (h). Using $\hat g$, however, the users should be unable to tell the difference between a regular execution of the protocol and the attack, again as a consequence of [4, Theorem 2.1].
As in the Initial Key Agreement (IKA) protocol introduced in Section 2, the broadcast element $g_n \cdot C_{n-1}$ is added at the end of the message in (i) in view of future rekeying operations and is not needed by any of the users $U_1, \ldots, U_{n-2}$ to recover the shared key. Note that users $U_i$, $i = 1, \ldots, n-2$, expect that the last element of the message sent in step (i) is the one broadcast in step (2) of the protocol, which the attacker substitutes precisely by $g_n \cdot C_{n-1}$. In the case of user $U_{n-1}$, who is also expecting the element sent in step (2) of the protocol, the element that $M$ sends in step (b) is $C_{n-1}$. If this is not satisfied, the users might notice that something is wrong.
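The following is an added Python model, not code from the paper, of IKA.2 in the setting of Example 1 together with a replay of steps (a)-(j) above, so that the key identities of Sections 2 and 3 can be checked concretely. It assumes the constructed toy parameters $q = 2039$, $p = 1019$ and the generator $4$ of order $p$ (far too small for real use), and omits the random elements $m_i$ of step (e), which do not enter any key.

```python
Q, P, GEN = 2039, 1019, 4      # constructed toy values: q = 2p + 1, GEN of order p in F_q^*
assert pow(GEN, P, Q) == 1     # GEN generates the subgroup S of prime order p

def act(x, h):                 # group action Phi(x, h) = h^x, x in G = Z_p^*, h in S
    return pow(h, x, Q)

def inv(x):                    # inverse in the abelian group G = Z_p^* (exponents live mod p)
    return pow(x, -1, P)

def closed_form_key(g):        # prod_j g_j . s, the value K of Section 2
    k = GEN
    for gj in g:
        k = act(gj, k)
    return k

def chain(g):                  # step (1): C_0 = s, C_i = g_i . C_{i-1} for i <= n-1
    C = [GEN]
    for gi in g[:-1]:
        C.append(act(gi, C[-1]))
    return C                   # C[n-1] is what U_{n-1} broadcasts in step (2)

def ika2_honest(g):
    """Keys derived by U_1..U_n and the step (5) broadcast {E_1, ..., E_n}."""
    n, C = len(g), chain(g)
    key_n = act(g[-1], C[n - 1])                                      # step (3)
    E = [act(g[-1], act(inv(g[i]), C[n - 1])) for i in range(n - 1)]  # steps (4), (5)
    E.append(C[n - 1])                                                # kept for rekeying
    return [act(g[i], E[i]) for i in range(n - 1)] + [key_n], E

def ika2_attacked(g, g_hat):
    """Keys derived by U_1..U_n and by M when M runs steps (a)-(j) with secret g_hat."""
    n, C = len(g), chain(g)
    c_nm1, c_nm2 = C[n - 1], C[n - 2]                 # (b), (c): M intercepts C_{n-1}, C_{n-2}
    key_n = act(g[-1], act(g_hat, c_nm1))             # (d): U_n receives g_hat . C_{n-1}
    gn_c_nm2 = act(g[-1], c_nm2)                      # (e), (f): U_n returns g_n applied to
    gn_c_nm1 = act(g[-1], c_nm1)                      #   the values M fed it (m_i omitted)
    attacker_key = act(g_hat, gn_c_nm1)
    # (g), (h): U_i, i <= n-2, take g_n . C_{n-1} as the step (2) broadcast and send
    # g_i^{-1} g_n . C_{n-1}; (i), (j): M returns g_hat applied to each transmission
    keys = [act(g[i], act(g_hat, act(inv(g[i]), gn_c_nm1))) for i in range(n - 2)]
    keys.append(act(g[n - 2], act(g_hat, gn_c_nm2)))  # U_{n-1} receives g_hat g_n . C_{n-2}
    keys.append(key_n)
    # position n of what U_1..U_{n-2} remember is g_n . C_{n-1}, not g_hat . C_{n-1}:
    # this is the inconsistent rekeying state that Section 4 has to repair
    inconsistent = gn_c_nm1 != act(g_hat, c_nm1)
    return keys, attacker_key, inconsistent
```

Because $G$ is abelian and the exponents live modulo $p$, the order in which the $g_i$, $g_i^{-1}$ and $\hat g$ are applied does not matter, which is exactly what makes every user end up with $\hat g g_n \cdot C_{n-1}$.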

An exit strategy
After the attack of Section 3, the attacker $M$ shares the key with the users $U_1, \ldots, U_n$ and can listen in on their conversation without any further active measures. However, at some point after that, the users may wish to execute an AKA operation, which is to say a key refreshment, the addition of a new member to the group, etc., as described in [4, Section 5]. After this point, the attacker can certainly no longer listen to the conversation. Even worse, the values the users remember from step (5) of the protocol are substantially different from normal, and any key refresh operation will thus fail completely, alerting the users about the attack.
In what follows, we will describe how the attacker can avoid being noticed by forging key refresh operations herself, assuming that any user may initiate a key refreshment at any time.
First, we recall the key refresh operation after a regular execution of IKA.2, adapted from [4, Section 5.6]. Suppose user $U_c$ wishes to initiate a key refreshment. He remembers from step (5) of the key agreement protocol the values $\{E_1, \ldots, E_n\}$, where $E_k = \prod_{j=1, j \neq k}^{n} g_j \cdot s$, $k = 1, \ldots, n$. He picks a new secret $g'_c \in G$ and broadcasts $\{g'_c \cdot E_1, \ldots, g'_c \cdot E_{c-1}, E_c, g'_c \cdot E_{c+1}, \ldots, g'_c \cdot E_n\}$. Now, all users can compute the new key $g'_c \cdot C_n = g'_c \cdot \prod_{j=1}^{n} g_j \cdot s$. User $U_c$ also replaces his own secret with $g'_c g_c$, and everyone replaces the information remembered from step (5) with this new broadcast.
Remark 4.1. One important detail to note is that when $U_c$ initiates the key refreshment, the value $E_c$ he sends in position $c$ is unchanged and already known to the other users. Hence, if $M$ wishes to forge a key refreshment coming from $U_c$, she has to make sure that each user receives in position $c$ the value he previously held there. Otherwise, the attack could be discovered.
Evidently, if some user tries to initiate a key refreshment with these values, the operation will fail. However, $M$ can bring the users into a consistent state by forging two key refresh operations herself. For this, she needs to still have control over the communications of $U_{n-1}$ and $U_n$, as in the original attack.
After this, the users will agree on the shared key $\hat h \hat g \cdot C_n$, which is also known to $M$. As remarked above, if a user is made to believe that he received a key refreshment from $U_c$, he must receive in position $c$ the value he already held there. Now, the values held by the users are still inconsistent, so $M$ has to forge a second key refreshment:
• To $U_i$, $i = 1, \ldots, n-2$, she sends $\{\hat f \hat h \hat g \cdot E_1, \ldots, \hat f \hat h \hat g \cdot E_n\}$, pretending it came from $U_n$.
• To $U_{n-1}$ and $U_n$, she sends $\{\hat f \hat h \hat g \cdot E_1, \ldots, \hat f \hat h \hat g \cdot E_n\}$, pretending it came from $U_1$.
Now, all users and the attacker agree on the shared key $\hat f \hat h \hat g \cdot C_n$. Furthermore, all users remember the same consistent values for key refreshment. If in the future any user initiates a key refreshment or other AKA operation, the attacker will lose access to the key, but the operation itself will work out without problem and without the users noticing anything wrong.
Remark 4.2. An alternative course of action for $M$ is to convert the attack into a regular man-in-the-middle attack on $U_n$ at the time of the first key refreshment. For this, note that given the values each user remembers, a key refreshment initiated by $U_c$, $c \leq n-2$, works well for all users but $U_n$. The attacker can then intercept the broadcast arriving at $U_n$ and replace it with random values, except that at position $n$ she sends $\hat h \cdot E_n$ for some random $\hat h \in G$, and at position $c$ she sends $g_n \cdot m_c$, which she knows from step (f) of the attack. Then, $M$ will have the key $\hat g g'_c \cdot C_n$ in common with $U_i$, $i \leq n-1$, as well as $\hat h \cdot C_n$ with $U_n$. From then on, she can run a regular man-in-the-middle attack. A similar attack can be carried out if $U_n$ initiates a key refreshment, but not if $U_{n-1}$ does so. In this case, the attacker can intercept and apply $\hat g$ to the message for $U_n$ so that all users agree on a common key without noticing the previous attack.