Cryptanalysis of Ateniese–Steiner–Tsudik-Authenticated Group Key Management Protocol

Abstract

We present an active attack that targets Ateniese et al.’s authenticated group key agreement, which, as a particular case, includes the well-known multiparty key exchange protocol CLIQUES that allows a group of users to build a common secret using some private values in a collaborative and distributed way, naturally extending the foundational key exchange introduced by Diffie and Hellman between two communicating parties that motivated the birth of public key cryptography. Ateniese et al.’s protocol adds some authentication information, allowing the parties to trust the exchanged information, but we show that it is possible to surpass this as well. The attack allows a malicious party to agree on a secret with the rest of the legal members of the group without their knowledge, so all the distributed information can be accessed using this secret. In addition, this is shown under a well-known cryptographic model that, in principle, requires absolute control of group communications, but, in fact, it only requires malicious control of the communications of a single arbitrary user and only for the duration of the key exchange. This means that after the attack, the malicious party does not have to take any other actions that could reveal a clue that an attack occurred and that the distributed information is being illegally accessed, contrary to a typical man-in-the-middle attack where the attacker has to continue the activity, meaning this could be detected at some point.

1. Introduction

Internet of Things is becoming more and more widespread with the use of sensor networks and the so-called wearables that allow for the exchange of information in real-time—information that is used on many occasions in order to make decisions or control any system in a remote way. Thus, the prevalence of traditional human-to-human or human-to-machine communications is being progressively substituted by the exponential increase in machine-to-machine communications [1]. Therefore, a conventional security architecture, where there exists an authority in charge of safeguarding and/or generating session keys, does not address all security issues appearing in this paradigm given that it does not take into account patterns where machines communicate directly to machines and distributed computing forms are gaining importance in the communication processes [2]. Due to the open characteristics of these systems, the privacy of the transmitted data is becoming a major concern [3,4]. Therefore, a key to solving this issue is Group Key Management using a distributed solution, i.e., users (that could be machines) collaborate to build a common session key that is used to encrypt communications among members of the group. Examples of this type of protocol can be found in [5,6,7,8] [Chapter 9] and references therein.

Probably one of the best-known protocols for distributed Group Key Management is CLIQUES. This protocol, proposed by Steiner et al. in [9], belongs to the so-called generic Group Diffie–Hellman (GDH) key agreements. In this paper, the authors introduce a series of protocols on an algebraic cyclic group G of order q that the communicating parties ${\mathcal{U}}_1,\dots ,{\mathcal{U}}_n$ agree on, as well as a generator of the group $\alpha$. Each party holds a private element $N_i\in {\mathbb{Z}}_q$, $i=1,\dots ,n$. All these protocols are based on distributively computing a subset of $\left\{{\alpha }^{\Pi \left(S\right)}:S\subset \{N_1,\dots ,N_n\}\right\}$ and each party ${\mathcal{U}}_i$, $i=1,\dots ,n$, from ${\alpha }^{\prod \left(N_p\right|p\in \left[1,n\right]),p\ne i}$ can easily obtain $K={\alpha }^{N_1\cdots N_n}$. In these protocols, one of the members, namely, ${\mathcal{U}}_n$ has a greater computing load and, in order to equalize it for every party, the authors consider a detached protocol where every party has almost the same workload. However, it is precisely the nature of this protocol that allowed Schnyder et al. in [10] to provide an active attack on it based on the well-known man-in-the-middle attack for the case of an attacker that is able to control communications of the users with a special role in the group, namely ${\mathcal{U}}_{n-1}$ and ${\mathcal{U}}_n$ during the set-up phase. The authors show that an attacker can forge ${\mathcal{U}}_{n-1}$ and ${\mathcal{U}}_n$ activity in order to make every party think that they are exchanging the necessary information to build a common key only known by themselves, but that, in fact, it is also known and constructed with the collaboration of their own attacker without knowing the existence of this malicious activity. Thus, the attacker becomes a legal member that is unknown by the other parties of the communication group, and it can obtain all the data transmitted using the common secret they have collaboratively built. They also show that it is possible to use a strategy so that the attacker can leave the group without letting the group members know about the attack.

The traditional method of avoiding an impersonation attack is to use some additional information that provides authentication. Public key infrastructure (PKI) provides the basis of authentication and access control in most networked systems. However, the use of traditional certificates in the situations described above is usually difficult to implement due to the use of very light devices with limited capacities and/or the absence of a central trust entity that builds such certificates, and security has predominantly been based on pre-shared keys, which cannot be revoked and do not provide strong authentication. The prevalence of pre-shared keys in the IoT is due primarily to a lack of lightweight protocols for accessing PKI services. Principal among these services are digital certificate enrollment and revocation, the former of which is addressed in recent research and is being pushed for standardization in IETF. However, no protocol yet exists for retrieving certificate status information on constrained devices, and revocation is not possible unless such a service is available [11].

An example of a protocol for distributed Group Key Management making use of pre-shared keys is introduced in [12]. Here, the authors propose an alternative extension of CLIQUES providing an implicit key authentication, that is, each member ${\mathcal{U}}_i\in \mathcal{U}$ is assured that no party ${\mathcal{U}}_r\notin \mathcal{U}$ can learn the key $K_n$ (unless he is aided by a dishonest ${\mathcal{U}}_j\in \mathcal{U}$). In this protocol, named A-GDH, the last user, ${\mathcal{U}}_n$, shares a distinct secret $K_{i,n}$ with every user ${\mathcal{U}}_i$, for $i=1,\dots ,n-1$. They assert that this protocol provides authentication and shows its fortress in the DDH problem, as the original CLIQUES proposal. It can be observed that CLIQUES is a particular case of this protocol, where $K_{i,n}=1$ for every $i=1,\dots ,n-1$. The starting point is an authenticated version of the Diffie–Hellman key exchange protocol [13], which the reader can find in [12] [Protocol A-DH]:

Let q and $p=2q+1$ be prime integers and G the unique subgroup of order q of the multiplicative group ${\mathbb{Z}}_p^{\ast }$, and let $\alpha$ be a generator of G.

In the first stage, let $x_1$ and $x_2$ be two integers such that $1\le x_1,x_2\le q-1$, let ${\mathcal{U}}_1$ and ${\mathcal{U}}_2$ be two parties wishing to share a key, and let $(x_1,{\alpha }^{x_1}\left(\mathrm{mod}\mathrm{p}\right))$ and $(x_2,{\alpha }^{x_2}\left(\mathrm{mod}\mathrm{p}\right))$ be the secret and public keys of ${\mathcal{U}}_1$ and ${\mathcal{U}}_2$, respectively. Thus, the public values of the system are $(p,q,\alpha ,{\alpha }^{x_1},{\alpha }^{x_2})$. The A-DH protocol is as follows:

• ${\mathcal{U}}_1$ sends ${\alpha }^{r_1}\left(\mathrm{mod}\mathrm{p}\right)$ to ${\mathcal{U}}_2$, for $r_1\in {\mathbb{Z}}_q^{\ast }$.
• ${\mathcal{U}}_2$ selects $r_2\in {\mathbb{Z}}_q^{\ast }$ and computes $K=F\left({\alpha }^{x_1{x}_2}\left(\mathrm{mod}\mathrm{p}\right)\right)$, where $F\left(x\right)$ is given by $x\left(\mathrm{mod}\mathrm{p}\right)$ in case $x\le q$ and $p-x\left(\mathrm{mod}\mathrm{p}\right)$ if $x>q$.
• ${\mathcal{U}}_2$ sends ${\alpha }^{r_{2}K}\left(\mathrm{mod}\mathrm{p}\right)$ to ${\mathcal{U}}_1$.
• ${\mathcal{U}}_1$ computes $K^{-1}\left(\mathrm{mod}\mathrm{q}\right)$ and computes

  $${\left({\alpha }^{r_{2}K}\right)}^{r_1{K}^{-1}}\left(\mathrm{mod}\mathrm{p}\right)={\alpha }^{r_1{r}_2}\left(\mathrm{mod}\mathrm{p}\right)$$

which is the shared key.

However, it is easily observable that this protocol does not avoid a classical man-in-the-middle attack that allows an attacker to share two keys with ${\mathcal{U}}_1$ and ${\mathcal{U}}_2$.

Our aim in this work is to show that the authenticated Group Key Management protocol that extends the preceding A-DH protocol fails against an active attack and allows an adversary to share a common key with all the group members, without letting them know about the attack. In [10], the attack is developed under the assumption that the attacker controls the communications of the users ${\mathcal{U}}_{n-1}$ and ${\mathcal{U}}_n$. Now, we introduce a general attack where the attacker requires communications control of a single member of the group, which extends the attack introduced in [10] on CLIQUES. Moreover, the attack given in that paper is only described from an algebraic point of view by giving the operations and actions that the attacker should follow. Now, in this paper, we are providing a proof using a widely-known cryptographic model that better describes the algebraic computations and the algorithms or oracles that the attacker has to access.

Moreover, very recently, in [14] [Section 1.1], NIST warns of the vulnerability of cryptographic protocols whose security lies on algebraic problems based on integer factorization or the discrete logarithm problem against an adversary in possession of a large-scale fault-tolerant quantum computer. The protocol introduced in [12] bases its security precisely on the difficulty of the discrete logarithm problem in the chosen group. However, in [15], the authors introduce a new algebraic setting to extend all these key management protocols, as is later shown in [16] for the case of the protocols introduced in [9], and there is no known algorithm that solves the underlying algebraic problem even with the use of a quantum computer. Using similar developments to those in [16], we could also use the protocols introduced in [12] for the new algebraic setting, but, as we will show, our attack proves the vulnerability of the authenticated Group Key Management given that it uses the nature of its own protocol and not the algebraic setting.

The structure of the paper is as follows. In Section 2 , we provide all the methods and terminology that are used throughout the paper. We start by recalling the authenticated initial group key agreement, as it is introduced in [12], where the underlying security is based on the so-called decisional DDH. Then, we establish the security model that will be followed to cryptanalyze the protocol and recall a well-known and widespread setting to use this protocol, i.e., the case of elliptic curves, which allows us to analyze a case study. In Section 3, the reader can find a detailed explanation of the active attack, which shows that Ateniese et al.’s proposal for GDH2 [12] (denoted by A-GDH2) fails against it, and, as a particular case, Steiner et al.’s original CLIQUES IKA.2 implementation introduced in [9]. In Section 4, we provide a case study using elliptic curves and propose strategies in the auxiliary key agreement, i.e., in the rekeying protocol, in order to take total control of the group or the possibility for the attacker to leave the group without letting the users know that the attacker was listening to all communications for a period of time. We conclude the paper with some final considerations.

2. Material and Methods

Throughout this section, we will review all the cryptographic notions and methods that we have used in our research. Firstly, we will recall the general group key agreement that was introduced in [12]. This protocol describes a way for a group of users to agree on a common secret that allows the building of a common session key in a distributed way, i.e., all users contribute to obtaining such a secret by means of some private personal information that everyone holds and that allow the recovery of such a secret from a broadcast message. This particular method is a natural extension of the foundational work by Diffie and Hellman [13], and it is a generalization of the proposal [9] that uses a pre-distributed set of secrets that allow the participants to authenticate the key that is recovered after the protocol.

The second part of this section describes the security model that is used in order to analyze the security of the protocol. We introduce the notation and the oracles used by an adversary that successfully attacks the protocol and can join the group, without letting the participants know it, as another illegal member of the communication group that also contributes to building the common key.

Finally, in the last subsection, we will recall the mathematical concepts related to elliptic curves that allow for applying these structures to cryptography and, in particular, to the cryptanalyzed protocol. The use of elliptic curves is nowadays very extended given the light storage and computing requirements, which make them very appropriate for physically limited devices as is the case of those used in the Internet of Things and the high level of security offered. In the discussion section, we will give an example of how an adversary can access the system that uses the cryptanalyzed protocol in the case of elliptic curves.

2.1. The Group Key Agreement

The following protocol describes the A-GDH2 Key Agreement protocol introduced in [12]. When the keys $K_{i,n}$ shared by ${\mathcal{U}}_i$ and ${\mathcal{U}}_n$ equal 1, then we obtain the Initial Key Agreement of CLIQUES, named IKA.2 in [9].

Suppose we have n users ${\mathcal{U}}_1,\dots ,{\mathcal{U}}_n$ who wish to agree upon a common key. Let p be a prime and q a prime divisor of $p-1$. Let G be the unique cyclic subgroup of ${\mathbb{Z}}_p^{\ast }$ of order q and let $\alpha$ be a generator of G. Then, for each $i=1,\dots ,n$, the user ${\mathcal{U}}_i$ selects a secret element $r_i\in {\mathbb{Z}}_q^{\ast }$. Let $K_{i,n}\in {\mathbb{Z}}_q^{\ast }$ be a common key shared in advanced by $U_i$ and $U_n$ for every $i=1,\dots n$.

The protocol proceeds as follows:

• For $i=1,\dots ,n-2,{\mathcal{U}}_i$ sends to ${\mathcal{U}}_{i+1}$ the message $C_i=C_{i-1}^{r_i}$, where $C_0=\alpha$.
• ${\mathcal{U}}_{n-1}$ broadcasts $C_{n-1}=C_{n-2}^{r_{n-1}}$ to the other users ${\mathcal{U}}_1,\dots ,{\mathcal{U}}_{n-2},{\mathcal{U}}_n$.
• ${\mathcal{U}}_n$ computes the shared key $K=C_{n-1}^{r_n}$.
• For $i=1,\dots ,n-1$, ${\mathcal{U}}_i$ sends $D_i=C_{n-1}^{r_i^{-1}}$ to ${\mathcal{U}}_n$.
• ${\mathcal{U}}_n$ broadcasts $\{D_1^{r_n·K_{1,n}},D_2^{r_n·K_{2,n}},\dots ,D_{n-1}^{r_n·K_{n-1,n}},C_{n-1}\}$ to ${\mathcal{U}}_i$, $i=1,\dots ,n-1$.
• For $i=1,\dots ,n-1$, ${\mathcal{U}}_i$ computes the shared key $K=D_i^{r_n·K_{i,n}·r_i·K_{i,n}^{-1}}$.

2.2. The Security Model

We will use the security model of [17], developed from [18] in order to formalize the cryptanalysis that we are introducing in the next section. These models are widely known and used to show the security of a group key exchange. To this end, we fix the notation and definitions necessary to such a formalization.

The (potential) participants in the protocol are modeled as probabilistic polynomial time (ppt) Turing machines (basically, a model of computation consisting of a finite state machine controller, a read-write head, and an unbounded sequential tape. Depending on the current state and symbol read on the tape, the machine can change its state and move the head to the left or right. This is said to be probabilistic when transitions are random choices among a finite number of alternatives. cf. [19]) in the finite set $\mathcal{U}=\{{\mathcal{U}}_1,\dots ,{\mathcal{U}}_n\}$ and every participant ${\mathcal{U}}_i$, $i=1,\dots ,n$ in the set $\mathcal{U}$ can run a polynomial amount of protocol instances in parallel.

The instance $s_i$ of participant ${\mathcal{U}}_i$ will be denoted as ${\Pi }_i^{s_i}$, and we assign it the following variables:

• ${\mathrm{pid}}_i^{s_i}$: stores the identities of the party users ${\mathcal{U}}_i$ (including ${\mathcal{U}}_i$) and aims at establishing a session key with variables assigned.
• ${\mathrm{sk}}_i^{s_i}$: is a variable that is initialized with a distinguished NULL value and will store the session key.
• ${\mathrm{sid}}_i^{s_i}$: is a variable that stores a non-secret session identifier to the session key stored in ${\mathrm{sk}}_i^{s_i}$.
• ${\mathrm{acc}}_i^{s_i}$: is a variable that indicates whether the session key in ${\mathrm{sk}}_i^{s_i}$ was accepted or not.
• ${\mathrm{term}}_i^{s_i}$: is a variable that indicates whether the protocol execution has finished.
• ${\mathrm{used}}_i^{s_i}$: is a variable that indicates whether this instance is taking part in a protocol run.

Concerning the communication network and the adversarial capabilities, we fix the following conditions. We will assume that there exist arbitrary point-to-point connections among users and that the network is non-private, fully asynchronous and that the adversary $\mathcal{A}$ has absolute control. This can eavesdrop, delay, delete, modify or insert messages. Thus the adversary’s capabilities are given by the following oracles (basically, a system that can be viewed in terms of its inputs and outputs, without any knowledge of its internal functioning and that produces a solution for any instance of a given computational problem. cf [19]).

• Send(${\mathcal{U}}_i,s_i,M$): by querying this oracle, the message M is sent to instance ${\Pi }_i^{s_i}$ of user ${\mathcal{U}}_i$ of $\mathcal{U}$. The output will be the protocol message that the instance outputs after receiving message M. The adversary $\mathcal{A}$ can use this protocol to initialize a protocol execution by using the special message $M=\{{\mathcal{U}}_{i1},\dots ,{\mathcal{U}}_{ik}\}$ to an unused instance ${\Pi }_i^{s_i}$. This oracle initializes a protocol run among users $\{{\mathcal{U}}_{i1},\dots ,{\mathcal{U}}_{ir}\}\subseteq \mathcal{U}$. After such a query, ${\Pi }_i^{s_i}$ sets ${\mathrm{pid}}_i^{s_i}:=\{{\mathcal{U}}_{i1},\dots ,{\mathcal{U}}_{ik}\}$, ${\mathrm{uses}}_i^{s_i}$:=TRUE, and processes the first step of the protocol.
• Execute(${\mathcal{U}}_1,s_1,\dots ,{\mathcal{U}}_k,s_k$): in case the instances $s_1,\dots ,s_r$ have not yet been used, this oracle will return a transcript of complete execution of the protocol among the specified instances.
• Reveal(${\mathcal{U}}_i,s_i$): this oracle returns the session key stored in ${\mathrm{sk}}_i^{s_i}$ if ${\mathrm{acc}}_i^{s_i}$ =TRUE and, otherwise, a NULL value.
• Corrupt(${\mathcal{U}}_i$): this query returns ${\mathcal{U}}_i$’s long-term secret key.

If the adversary $\mathcal{A}$ can access all of the preceding oracles, then it is called an active adversary and, in the case that $\mathcal{A}$ is not granted access to any of the Send oracles, it is referred to as a passive adversary. Thus, the attack we are introducing through this work is developed by an active adversary.

2.3. Elliptic Curves

As previously noted, we are going to show an example of how the attack is developed in a specific and very extended case through cryptography on elliptic curves. Thus, let us briefly reiterate some mathematical and cryptographic topics regarding elliptic curves. The reader is referred to [20] for an extended study on the structure and cryptographic applications of this important mathematical concept.

Let $\mathbb{F}$ be a field. Let us consider the set of points $(x,y)\in {\mathbb{F}}^2$, verifying the equation with coefficients in $\mathbb{F}$

$$y^2+a_{1}xy+a_{3}y=x^3+a_2{x}^2+a_{4}x+a_6$$

that when the characteristic of the field, Char($\mathbb{F}$)$\ne 2,3$, then it can be simplified to

$$y^2=x^3+ax+b,a,b\in \mathbb{F}$$

which is the classical formula widely extended. In this case, we say that $y^2=x^3+ax+b$ defines an elliptic curve if and only if $4a^3+27b^2\ne 0$.

The set of points of an elliptic curve over $\mathbb{F}$, $E\left(\mathbb{F}\right)$ can be endowed with an internal operation, usually known as point addition and, given a point $P(x,y)$ of an elliptic curve, we denote the multiple $kP$ as the point that is the result of adding P with itself k times.

In [21,22], the authors suggested that the group of points of an elliptic curve is suitable for developing secure cryptographic methods. The so-called Elliptic Logarithm Problem or Elliptic Curve Discrete Logarithm Problem is of such complexity that we could reduce the requirements on the key length significantly, offering high levels of security. This problem is defined in the following way. Given two points P and Q of an elliptic curve and such that $Q=xP$, the problem is finding the integer x. Therefore, it is necessary to immediately define a Diffie–Hellman key exchange using this problem as support:

• Two users ${\mathcal{U}}_1$ and ${\mathcal{U}}_2$ agree on a point of an elliptic curve with n points, say G.
• Both users choose, respectively, $x_1$ and $x_2$ as private integer values in the rank $[2,n-1]$.
• They both exchange the values $P_1=x_{1}G$ and $P_2=x_{2}G$.
• ${\mathcal{U}}_1$ recovers $x_1{P}_2$ while ${\mathcal{U}}_2$ computes $x_2{P}_1$, and both values result in the same point $x_1{x}_{2}G$.

This is exactly a special case of the protocol introduced in [12] and described in Section 2.1 for the case of the group of points of an elliptic curve, with only two users, ${\mathcal{U}}_1$ and ${\mathcal{U}}_2$ and where $K_{1,2}=1$.

3. Results

The aim of the attack that we are introducing in this section is that the adversary, $\mathcal{A}$, and the users ${\mathcal{U}}_1,\dots ,{\mathcal{U}}_n$ agree on a shared key, as it is obtained after running the protocol, but $\mathcal{A}$ will know the key as well and can listen and send messages using that common key, exactly the same as another group member. However, ${\mathcal{U}}_i$, $i=1,\dots ,n$ will not know anything about the existence of $\mathcal{A}$. Contrary to other attacks of this type, the adversary does not share a specific key with the attacked group member in order to decrypt the information sent among the other group members and then, using this second special key, encrypt the information for the hacked group member and vice versa when it wants to send a message to the rest of the group members.

As assumed in the security model [17], $\mathcal{A}$ has absolute control of the whole group’s communications. However, in practice, $\mathcal{A}$ needs to have full control over the communication of a single user ${\mathcal{U}}_i$, $i\in \{1,\dots ,n\}$ only during the pre-setup stage, when this user exchanges a key with ${\mathcal{U}}_n$, $K_{i,n}$, and during the key exchange protocol, i.e., the cryptographic model is more restrictive than is actually necessary to develop the attack in a real situation. Moreover, unlike in a regular man-in-the-middle attack, $\mathcal{A}$ does not need to maintain this control after the key exchange is completed. We are assuming that $i<n-1$. The case where $\mathcal{A}$ controls the communications of ${\mathcal{U}}_{n-1}$ or ${\mathcal{U}}_n$ will be followed in an analogous way as is given in [10], as we will explain later. As we can observe below, unlike what it is assumed in that case, the attacker just needs to execute control over the communications of a single user and not necessarily these two detached users simultaneously.

Given that the protocol requires that both users ${\mathcal{U}}_i$ and ${\mathcal{U}}_n$ to have shared a key previously, let us assume that the attack starts by executing a typical man-in-the-middle attack on the key exchange among ${\mathcal{U}}_i$ and ${\mathcal{U}}_n$ by means of a query Send(${\mathcal{U}}_i,s_i,{\mathcal{U}}_n,s_n$), which provokes the Diffie–Hellman key-exchange among these two users, and then both users’ public keys are obtained and used by $\mathcal{A}$ to share a common key with ${\mathcal{U}}_i$, say $K_{x,i}$ and a second common key with ${\mathcal{U}}_n$, say $K_{x,n}$. After that, the authenticated group key exchange $A-GDH2$ starts. In our security model, we are assuming that the adversary has access to the oracles Reveal and Corrupt, so we can even consider the case where this previous exchange among ${\mathcal{U}}_i$ and ${\mathcal{U}}_n$ is made through a secure channel that avoids the man-in-the-middle attack. In those cases, an instance Reveal(${\mathcal{U}}_i,s_{i-1}$), where $s_{i-1}$ denotes the previous session to the session $s_i$ where the group key is to be built by all users, outputs the session key agreed by ${\mathcal{U}}_i$ and ${\mathcal{U}}_n$, and even Corrupt(${\mathcal{U}}_i$) would reveal the secret key used by $U_i$, which simplifies clearly the attack.

Thus, let us start explaining the attack once $\mathcal{A}$ shares two keys with both ${\mathcal{U}}_i$ and ${\mathcal{U}}_n$: $K_{x,i}$ and $K_{x,n}$.

In the beginning, $\mathcal{A}$ chooses a secret group element $r_{\mathcal{A}}\in {\mathbb{Z}}_q^{\ast }$. Then, $\mathcal{A}$ proceeds as follows:

a

The adversary $\mathcal{A}$ queries Send(${\mathcal{U}}_1,s_1,\dots ,{\mathcal{U}}_n,s_n$) to initiate a protocol instance. After this query, the first step of the protocol is executed.

b

Step (1) is carried out as usual until ${\mathcal{U}}_i$ sends $C_i=C_{i-1}^{r_i}$ to ${\mathcal{U}}_{i+1}$. At this point, ${\mathcal{U}}_i$ is sitting in step (1) waiting for the broadcast of ${\mathcal{U}}_{n-1}$.

c

$\mathcal{A}$ stops this message, deletes $C_i$ and queries Send(${\mathcal{U}}_{i+1},s_{i+1},C_i^{\prime }=C_{i-1}^{r_{\mathcal{A}}})$.

d

${\mathcal{U}}_{n-1}$ broadcasts $C_{n-1}=C_{n-2}^{r_{n-1}}$ to the other users ${\mathcal{U}}_1,\dots ,{\mathcal{U}}_{n-2},{\mathcal{U}}_n$. At this point ${\mathcal{U}}_n$ computes the key $K=C_{n-1}^{r_n}$.

e

$\mathcal{A}$ stops this message for ${\mathcal{U}}_i$ and queries Send(${\mathcal{U}}_n,s_n,D_i=C_{n-1}^{r_{\mathcal{A}}^{-1}}$).

f

${\mathcal{U}}_n$ broadcasts

$$\{D_1^{r_n·K_{1,n}},D_2^{r_n·K_{2,n}},\dots ,D_i^{r_n·K_{x,n}},\dots ,D_{n-1}^{r_n·K_{n-1,n}},C_{n-1}\}$$

to ${\mathcal{U}}_i$, $i=1,\dots ,n-1$. $\mathcal{A}$ stops this message for ${\mathcal{U}}_i$.

g

$\mathcal{A}$ computes $K=D_i^{r_n·K_{x,n}·r_{\mathcal{A}}·K_{x,n}^{-1}}$, which is the common key computed by all the remaining users.

h

$\mathcal{A}$ chooses $b\in {\mathbb{Z}}_q^{\ast }$ and queries Send(${\mathcal{U}}_i,s_i,K^b$) as if it was the message that ${\mathcal{U}}_{n-1}$ broadcasts in (2).

i

${\mathcal{U}}_i$ sends $K^{b·r_i^{-1}}$ to ${\mathcal{U}}_n$.

j

$\mathcal{A}$ stops this message, deletes it and computes $K^{r_i^{-1}}$ using $b^{-1}$. Then $\mathcal{A}$ queries

$$\mathrm{Send}({\mathcal{U}}_{\mathrm{i}},{\mathrm{s}}_{\mathrm{i}},\{{\mathrm{D}}_1^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{1,\mathrm{n}}},{\mathrm{D}}_2^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{2,\mathrm{n}}},\dots ,{\mathrm{K}}^{{\mathrm{r}}_{\mathrm{i}}^{-1}·{\mathrm{K}}_{\mathrm{x},\mathrm{i}}},\dots ,{\mathrm{D}}_{\mathrm{n}-1}^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{\mathrm{n}-1,\mathrm{n}}},{\mathrm{C}}_{\mathrm{n}-1}\})$$

k

${\mathcal{U}}_i$ recovers $K^{r_i^{-1}·K_{x,i}·r_i·K_{x,i}^{-1}}=K$.

The remaining case, i.e., $\mathcal{A}$ controls communications of ${\mathcal{U}}_{n-1}$ and ${\mathcal{U}}_n$, will require that $\mathcal{A}$ exchanges private $n-1$ values $K_{x,i}$ with each ${\mathcal{U}}_i$, for $i=1,\dots n-1$ and $n-1$ values $D_j$, $j=1,\dots ,n-1$ with user ${\mathcal{U}}_n$.

Analogously to the previous case, in the beginning, $\mathcal{A}$ is a secret group element, and $r_{\mathcal{A}}\in {\mathbb{Z}}_q^{\ast }$. Then, $\mathcal{A}$ proceeds as follows:

a

Step (1) is carried out as usual.

b

$\mathcal{A}$ intercepts the broadcast of ${\mathcal{U}}_{n-1}$ during step (2) and remembers the value $C_{n-1}$. At this point, all users except for ${\mathcal{U}}_{n-1}$ are sitting in step (2), waiting for the broadcast that was halted.

c

${\mathcal{U}}_{n-1}$ proceeds to step (4), where he sends $C_{n-1}^{r_{n-1}^{-1}}=C_{n-2}$ to ${\mathcal{U}}_n$. This is also intercepted by $\mathcal{A}$. ${\mathcal{U}}_{n-1}$ is now waiting in step (5).

d

$\mathcal{A}$ makes ${\mathcal{U}}_n$ believe that he received the broadcast of step (2), but $\mathcal{A}$ actually queries Send(${\mathcal{U}}_n,s_n,C_{n-1}^{r_{\mathcal{A}}}$). At this point, ${\mathcal{U}}_n$ computes the shared key $K=C_{n-1}^{r_{\mathcal{A}}·r_n}$ and waits in step (4).

e

$\mathcal{A}$ now queries Send(${\mathcal{U}}_n,s_n,D_i$) for $i=1,\cdots ,n-1$, superseding the others users in step (4). The $D_i$ are random elements of the subgroup generated by $\alpha$ for $i=1,\dots ,n-3$, whereas $D_{n-2}=C_{n-2}$ and $D_{n-1}=C_{n-1}^{r_{\mathcal{A}}}$.

f

In step (5), ${\mathcal{U}}_n$ broadcasts, among others, the value $C_{n-1}^{r_{\mathcal{A}}·r_n·K_{x,n}}$, which $\mathcal{A}$ intercepts. The user ${\mathcal{U}}_n$ is now finished, and $\mathcal{A}$ can compute the shared key $K=C_{n-1}^{r_{\mathcal{A}}·r_n}$.

g

Until now, ${\mathcal{U}}_1,\dots ,{\mathcal{U}}_{n-2}$ have been waiting for the broadcast in step (2), which $\mathcal{A}$ now provides by making the queries Send(${\mathcal{U}}_i,s_i,C_{n-1}^{r_n}$), $i=1,\dots ,n-2$.

h

${\mathcal{U}}_i$, $i=1,\dots ,n-2$, go to step (4) and sends back $C_{n-1}^{r_n·r_i^{-1}}$, which $\mathcal{A}$ intercepts.

i

In step (5), $\mathcal{A}$ queries Send(${\mathcal{U}}_1,s_1,\dots ,{\mathcal{U}}_{n-2},s_{n-2},M$), being

$$M=\left\{C_{n-1}^{r_n·r_1^{-1}·K_{x,1}·r_{\mathcal{A}}},C_{n-1}^{r_n·r_2^{-1}·K_{x,2}·r_{\mathcal{A}}},\dots ,C_{n-1}^{r_n·r_{n-1}^{-1}·K_{x,n-1}·r_{\mathcal{A}}},C_{n-1}^{r_n}\right\}.$$

(1)

j

$\mathcal{A}$ queries Send(${\mathcal{U}}_{n-1},s_{n-1},M^{\prime }$) with

$$M^{\prime }=\left\{C_{n-1}^{r_n·r_1^{-1}·K_{x,1}·r_{\mathcal{A}}},C_{n-1}^{r_n·r_2^{-1}·K_{x,2}·r_{\mathcal{A}}},\dots ,C_{n-1}^{r_n·r_{n-1}^{-1}·K_{x,n-1}·r_{\mathcal{A}}},C_{n-1}\right\}.$$

(2)

k

The users ${\mathcal{U}}_1,\dots ,{\mathcal{U}}_{n-1}$ now all compute the shared key $K=C_{n-1}^{r_n·r_i^{-1}·K_{x,i}·r_{\mathcal{A}}·r_i·K_{x,i}^{-1}}$.

We also note that the case $K_{x,n}=K_{x,i}=1$ and $K_{j,n}=1$ as well for every $j=1,\dots ,n-1$, $j\ne i$ is exactly the CLIQUES protocol in the case of IKA.2 introduced in [9]. Thus, the preceding attack covers all the cases that were not considered in [10].

4. Discussion

We now give a detailed explanation in a particular case on how the attack can be developed. As we previously pointed out, cryptography on elliptic curves is highly recommended for group key management, especially in those cases where the communication system is composed of light devices with limited computing and storage capabilities. Although actual recommendations suggest the use of elliptic curves over a field whose elements have a 256-bit length, we will use much shorter elements in order to make the explanation easy to read. At the end of this section, we will make some considerations concerning aspects that are not considered in the original work on the rekeying process.

Let us start by recreating the group key exchange without any external intervention. Therefore, let $\mathcal{U}=\{{\mathcal{U}}_1,{\mathcal{U}}_2,{\mathcal{U}}_3,{\mathcal{U}}_4\}$, and assume that every user has made a secure exchange with ${\mathcal{U}}_4$, so the shared keys used for authentication are $K_{1,4}=3$, $K_{2,4}=38$ and $K_{3,4}=11$, and that they agree on the curve $y^2=x^3+46x+78$ over ${\mathbb{Z}}_{97}$, which is a curve that contains exactly 103 points, and on $\alpha =(21,35)$, a point of this curve.

Now, every user chooses a private key in the rank $\{2,102\}$, so let $r_1=23$, $r_2=71$, $r_3=89$ and $r_4=59$. They start a protocol execution and thus:

1.

${\mathcal{U}}_1$ computes $C_1=r_1·\alpha =23·(31,35)=(29,75)$ and sends it to ${\mathcal{U}}_2$. After receiving $C_1$, ${\mathcal{U}}_2$ computes $C_2=r_2·C_1=71·(29,75)=(39,88)$, which is sent to ${\mathcal{U}}_3$. Then, ${\mathcal{U}}_3$ computes $C_3=r_3·C_2=89·(39,88)=(71,30)$.

2.

${\mathcal{U}}_3$ broadcasts the point $C_3=(71,30)$.

3.

Now ${\mathcal{U}}_4$ is able to compute what will be the group-shared secret $K=r_4·C_3=59·(71,30)=(83,52)$ and from which the group-shared key might be derived somehow, for instance, considering the result of applying some pre-agreed function to the coordinates of the shared point.

4.

Every user computes $D_i=\left(r_i^{-1}mod103\right)·C_3$, $i=1,2,3$, which is sent to ${\mathcal{U}}_4$. Thus, ${\mathcal{U}}_1$, ${\mathcal{U}}_2$ and ${\mathcal{U}}_3$ send, respectively, $D_1=9·(71,30)=(56,88)$, $D_2=74·(71,30)=(6,52)$ and $D_3=22·(71,30)=(39,88)$ to ${\mathcal{U}}_4$.

5.

After receiving these messages, ${\mathcal{U}}_4$ makes use of the private information $r_4$ and the corresponding shared keys with the other users $K_{i,4}$, $i=1,2,3$ to broadcast the following message:

$$\{r_4·K_{1,4}·D_1,r_4·K_{2,4}·D_2,r_4·K_{3,4}·D_3,C_3\}=$$

$$\{59·3·(56,88),59·38·(6,52),59·11·(39,88),(71,30\left)\right\}=$$

$$\left\{\right(33,73),(81,75),(57,2),(71,30\left)\right\}$$

6.

Finally, every user recovers the shared secret by computing $r_i·K_{i,4}^{-1}·(r_4·K_{i,4}{D}_i)$$i=1,2,3$. Thus, ${\mathcal{U}}_1$ computes $r_1·\left(K_{1,4}^{-1}mod103\right)·(33,73)=23·69·(33,73)=(83,52)$. Analogously, ${\mathcal{U}}_2$ computes $r_2·\left(K_{2,4}^{-1}mod103\right)·(81,75)=71·19·(81,75)=(83,52)$ and ${\mathcal{U}}_3$ recovers $r_3·\left(K_{3,4}^{-1}mod103\right)·(57,2)=89·75·(57,2)=(83,52)$.

Let us now observe how an adversary $\mathcal{A}$ with the capabilities described in Section 2.2 affects the result of the protocol and the consequences. We are going to show an example where the attacked participant is ${\mathcal{U}}_2$. Therefore, the first task that $\mathcal{A}$ has to carry out is to share a secret with this user as if $\mathcal{A}$ was ${\mathcal{U}}_4$ in order to properly run the attack we are introducing. Therefore, we will start by showing a classical man-in-the-middle attack during a classical Diffie–Hellman key exchange, as depicted in Section 2.3 among users ${\mathcal{U}}_2$ and ${\mathcal{U}}_4$ through an insecure channel in order to establish a secret shared value $K_{2,4}$. At this point, we again note that even if this exchange is developed through a secure channel, we are considering that $\mathcal{A}$ has access to the oracle Reveal, which would provide $\mathcal{A}$ with this secret value, and the attack can be developed in the same way.

1.

Let us assume, without loss of generality, that both users ${\mathcal{U}}_2$ and ${\mathcal{U}}_4$ are using the same elliptic curve and the same point $\alpha =(31,35)$.

2.

Then ${\mathcal{U}}_2$ and ${\mathcal{U}}_4$ choose $r_2^{\prime }=16$ and $r_4^{\prime }=47$ as private values.

3.

Both users exchange $P_2=16·(31,35)=(80,3)$ and $P_4=47·(31,35)=(54,59)$. At this point, $\mathcal{A}$ stops these messages and accesses the exchanged values by means of the oracle $Send$ and substitutes them by the message $P_{\mathcal{A}}=75·(31,35)=(58,50)$.

4.

Finally, ${\mathcal{U}}_1$ recovers $16·P_{\mathcal{A}}=16·(58,50)=(56,9)$ and ${\mathcal{U}}_4$ computes $47·P_{\mathcal{A}}=47·(58,50)=(29,75)$, obtaining what they think is a point from they can derive $K_{2,4}$, but they are, in fact, two points that will give them, respectively, $K_{x,2}$ and $K_{x,4}$.

5.

On the other hand $\mathcal{A}$ computes $r_{\mathcal{A}}·P_2=75·(80,3)=(56,9)$ and $r_{\mathcal{A}}·P_4=75·(54,49)=(29,75)$

If we assume, for simplicity, that the function used on a point to derive a secret value is the projection on the first coordinate, we thus obtain that $K_{x,2}=56$ and $K_{x,4}=29$.

Therefore, let us start with the attack on the group key agreement protocol. At this point, we have to recall that the secret keys of every user ${\mathcal{U}}_i$, i=1,2,3,4, are, respectively, $r_1=23$, $r_2=71$, $r_3=89$ and $r_4=59$. On his side, $\mathcal{A}$ chooses $r_{\mathcal{A}}=39$. Let us recall as well that ${\mathcal{U}}_1$ and ${\mathcal{U}}_3$ could successfully exchange a secret with ${\mathcal{U}}_4$, namely, $K_{1,4}=3$ and $K_{3,4}=11$. Then, we have the following steps:

a

${\mathcal{U}}_1$ sends $C_1=23·\alpha =23·(31,35)=(29,75)$ to ${\mathcal{U}}_2$, who computes $C_2=71·C_1=(39,88)$.

b

$\mathcal{A}$ stops $C_2$ when this is sent to ${\mathcal{U}}_3$

c

$\mathcal{A}$ replaces $C_2$ by $C_2^{\prime }=r_{\mathcal{A}}·C_1=39·(29,75)=(83,45)$.

d

${\mathcal{U}}_3$ computes $C_3=r_3·C_2^{\prime }=89·(83,45)=(53,49)$, which is broadcasted to every participant, and ${\mathcal{U}}_4$ computes the point $K=r_4·C_3=59·(53,49)=(4,36)$.

e

Now $\mathcal{A}$ stops the broadcasted message for ${\mathcal{U}}_2$ and gives ${\mathcal{U}}_4$, $D_2=\left(r_{\mathcal{A}}^{-1}mod103\right)·C_3=37·(53,49)=(6,52)$. In the meantime, ${\mathcal{U}}_4$ receives the points $D_1=\left(r_1^{-1}mod103\right)·C_3=9·(53,49)=(64,29)$ and $D_3=\left(r_3^{-1}mod103\right)·C_3=22·(53,49)=(83,45)$ from the other users.

f

Thus, ${\mathcal{U}}_4$ broadcasts the message

$$\{r_4·K_{1,4}·D_1,r_4·K_{x,4}·K,r_4·K_{3,4}·D_3,C_3\}=$$

$$=\{59·3·(64,29),37·29·(60,54),59·11·(83,45),(53,49\left)\right\}=$$

$$=\left\{\right(58,50),(26,41),(81,22),(53,49\left)\right\}$$

g

$\mathcal{A}$ computes $K=r_{\mathcal{A}}·\left(K_{x,4}^{-1}mod103\right)·r_4·K_{x,4}·D_2=39·\left({29}^{-1}mod103\right)·59·29·(6,52)=(4,36)$, which results in the same point computed by ${\mathcal{U}}_4$ in step d.

At this step, ${\mathcal{U}}_1$ computes $K=r_1·\left(K_{1,4}^{-1}mod103\right)·(58,50)=23·\left(3^{-1}mod103\right)·(58,50)=23·69·(58,50)=(4,36)$, which is the same point previously computed by ${\mathcal{U}}_4$ and $\mathcal{A}$. In the same way, ${\mathcal{U}}_3$ computes $K=r_3·\left(K_{3,4}^{-1}mod103\right)·(81,22)=89·\left({11}^{-1}mod103\right)·(81,22)=89·75·(81,22)=(4,36)$, which also coincides with the previously computed points, and thus, ${\mathcal{U}}_1$, ${\mathcal{U}}_3$, ${\mathcal{U}}_4$ and $\mathcal{A}$ are sharing the same point, so $\mathcal{A}$ needs to provide the corresponding information to ${\mathcal{U}}_2$ in so that this participant also obtains the same value.

h

$\mathcal{A}$ chooses $b=8$ and provides ${\mathcal{U}}_2$, $b·K=8·(4,36)=(37,76)$, which was the message that ${\mathcal{U}}_3$ broadcasted in step d.

i

${\mathcal{U}}_2$ sends ${\mathcal{U}}_4$$\left(r_2^{-1}mod103\right)·(37,76)=\left({71}^{-1}mod103\right)·(37,76)=74·(37,76)=(39,88)$.

j

$\mathcal{A}$ stops this message and computes $\left(b^{-1}mod103\right)·(39,88)=(96,15)$ and forges the message that was broadcasted by ${\mathcal{U}}_4$ in step f, but only ${\mathcal{U}}_2$ receives this message:

$$\{(58,50),K_{x,2}·(96,15),(81,22),(53,49)\}=\{(58,50),(17,70),(81,22),(53,49)\}$$

k

Finally, to recover the common point, ${\mathcal{U}}_2$ computes $r_2·\left(K_{x,2}^{-1}mod103\right)·(17,70)=71·\left({56}^{-1}mod103\right)·(17,70)=(4,36)$.

We remark that in the classical man-in-the-middle attack of the Diffie–Hellman key exchange for two participants, $\mathcal{A}$ shares two different keys for both users, and when some information is sent from one of them to the other one, $\mathcal{A}$ has to decrypt it using one of these keys and then, if the attacker decides to allow the information to reach the destination, then $\mathcal{A}$ has to encrypt the information with the corresponding second key before sending it. In this case, the adversary $\mathcal{A}$ forms part of the communication group as a legal participant and shares the same key with the rest of the participants, so $\mathcal{A}$ can forge a message from one party to another without the intermediate encryption–decryption process mentioned above in the classical case.

We end this section by introducing a strategy for $\mathcal{A}$ to leave the group without the attack being noticed. We first point out that there is not any explanation on how rekeying operations are developed using the key authentication mode in [12]. Let us suppose that any member of the group can send a rekeying message similarly to in the CLIQUES protocol [9]. We can distinguish two different cases:

Case 1.

The private values $K_{j,n}$ are not used in the rekeying messages. In this case, ${\mathcal{U}}_n$ does not obtain authentication of any rekeying message. ${\mathcal{U}}_j$ for any $j=1,\dots ,n$ chooses $r_j^{\prime }$ and computes a new key $K^{r_j^{\prime }}$ and queries

$$\mathrm{Send}({\mathcal{U}}_{\mathrm{i}},{\mathrm{s}}_{\mathrm{i}}^{\prime },\{{\mathrm{D}}_1^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{1,\mathrm{n}}·{\mathrm{r}}_{\mathrm{j}}^{\prime }},\dots ,{\mathrm{D}}_{\mathrm{j}}^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{\mathrm{j},\mathrm{n}}},\dots ,{\mathrm{D}}_{\mathrm{n}-1}^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{\mathrm{n}-1,\mathrm{n}}·{\mathrm{r}}_{\mathrm{j}}^{\prime }},{\mathrm{C}}_{\mathrm{n}-1}^{{\mathrm{r}}_{\mathrm{j}}^{\prime }}\})\mathrm{i}=1,\cdots \mathrm{n}$$

In this situation, $\mathcal{A}$, after carrying out the attack on ${\mathcal{U}}_i$, can choose $r_{\mathcal{A}}^{\prime }$ and compute a new key $K^{r_{\mathcal{A}}^{\prime }}$. Then, $\mathcal{A}$ will query

$$\mathrm{Send}({\mathcal{U}}_{\mathrm{i}},{\mathrm{s}}_{\mathrm{i}}^{″},\{{\mathrm{D}}_1^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{1,\mathrm{n}}·{\mathrm{r}}_{\mathcal{A}}^{\prime }},\dots ,{\mathrm{K}}^{{\mathrm{r}}_{\mathrm{i}}^{-1}·{\mathrm{K}}_{\mathrm{x},\mathrm{i}}·{\mathrm{r}}_{\mathcal{A}}^{\prime }},\dots ,{\mathrm{D}}_{\mathrm{n}-1}^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{\mathrm{n}-1,\mathrm{n}}·{\mathrm{r}}_{\mathcal{A}}^{\prime }},{\mathrm{C}}_{\mathrm{n}-1}^{{\mathrm{r}}_{\mathcal{A}}^{\prime }}\})\mathrm{i}=1,\dots \mathrm{n}$$

Thus, $\mathcal{A}$ could repeat this as long as desired, taking control of the group, and leave it at any time without letting the users notice the attack.

Case 2.

The private values $K_{j,n}$ are used in the rekeying messages. In this case, ${\mathcal{U}}_n$ can use these values to obtain authentication as in [12] for the initial key agreement. Then, ${\mathcal{U}}_j$ for any $j=1,\dots ,n-1$ chooses $r_j^{\prime }$ and computes a new key $K^{r_j^{\prime }}$ and queries

$$\mathrm{Send}({\mathcal{U}}_{\mathrm{i}},{\mathrm{s}}_{\mathrm{i}}^{\prime },\{{\mathrm{D}}_1^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{1,\mathrm{n}}·{\mathrm{r}}_{\mathrm{j}}^{\prime }},\dots ,{\mathrm{D}}_{\mathrm{j}}^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{\mathrm{j},\mathrm{n}}},\dots ,{\mathrm{D}}_{\mathrm{n}-1}^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{\mathrm{n}-1,\mathrm{n}}·{\mathrm{r}}_{\mathrm{j}}^{\prime }},{\mathrm{C}}_{\mathrm{n}-1}^{{\mathrm{K}}_{\mathrm{j},\mathrm{n}}·{\mathrm{r}}_{\mathrm{j}}^{\prime }}\})\mathrm{i}=1,\dots \mathrm{n}$$

In this situation $\mathcal{A}$, after carrying out the attack on ${\mathcal{U}}_i$, can choose $r_{\mathcal{A}}^{\prime }$ and compute a new key $K^{r_{\mathcal{A}}^{\prime }}$. Then, $\mathcal{A}$ will query

$$\mathrm{Send}({\mathcal{U}}_{\mathrm{i}},{\mathrm{s}}_{\mathrm{i}}^{\prime },\{{\mathrm{D}}_1^{{\mathrm{r}}_{\mathrm{n}}·{\mathrm{K}}_{1,\mathrm{n}}·{\mathrm{r}}_{\mathcal{A}}^{\prime }},\dots ,{\mathrm{K}}^{{\mathrm{r}}_{\mathrm{i}}^{-1}·{\mathrm{K}}_{\mathrm{x},\mathrm{i}}·{\mathrm{r}}_{\mathcal{A}}^{\prime }},\dots ,{\mathrm{C}}_{\mathrm{n}-1}^{{\mathrm{K}}_{\mathrm{x},\mathrm{n}}·{\mathrm{r}}_{\mathcal{A}}^{\prime }}\})\mathrm{i}=1,\dots \mathrm{n}$$

$\mathcal{A}$ can repeat this strategy, taking control of the group as previously done or stay as another group member until any other user ${\mathcal{U}}_j$, $j\ne i,n$ rekeys the group. In that case, the attack will not be discovered until either ${\mathcal{U}}_i$ or ${\mathcal{U}}_n$ send a rekeying message, since they will use $K_{x,i}$ or $K_{x,n}$, respectively, which are not shared by ${\mathcal{U}}_i$ and ${\mathcal{U}}_n$.

Remark 1.

In the case of CLIQUES, as was noted above, the values $K_{i,n}=1$ for every $i=1,\dots ,n-1$, and there is no possibility of discovering the attack since only Case 1 is applied.

Remark 2.

In [12], a strongly authenticated protocol, SA-GDH is proposed too. In this case, any two users ${\mathcal{U}}_i$ and ${\mathcal{U}}_j$ share a private value $K_{i,j}$. Then, the above arguments are also applicable for attacking the SA-GDH protocol in the previously considered case of GDH2 ([9]).

Remark 3.

In [15], the authors introduced a Diffie–Hellman key exchange in a more general setting, i.e., using semigroup actions on an arbitrary set, and later, López-Ramos et al. extended the protocol from two users to an arbitrary finite group of users [16], following the ideas of [9]. Ateniese et al.’s protocol [12] can also be extended to this setting, but instead of using semigroups, given that we need the existence of inverses, these actions have to be defined by groups. In [12], we have a group acting on a second group, so the setting considered by Maze et al. is much more general. However, under the same cryptographic model, the same attack runs as well, so this could be used only in an authenticated links mode, i.e., there must exist some kind of public key infrastructure or any other method to allow participants to authenticate both information and the source of such information.

Let us now explain some implications of this attack in a real situation. When this attack is developed on a traditional model of human-to-human or human-to-machine communication, the essential implication is the lack of confidentiality, which in some cases, is a crucial point. In the case of a multiconference among humans in a group, the attacker could stay in the meeting, receiving the transmitted information at the exact same time as the legal group members, and if the attacker, as assumed in the cryptographic model, has control ove the communications not only during the key exchange, then this could send false information to some (or perhaps the rest of the group members), possibly causing misunderstandings in the communication. If the communication is human-to-machines, the consequences can be even worse. Let us assume that, in a medical situation, several machines are sending the vital signs of one or more patients to a medical doctor who has to control the values and decide the appropriate treatment. Firstly, this information must be kept confidential by law, but the real serious situation is when the attacker can, as before, manipulate the transmitted data and cause the doctor to make wrong decisions that could seriously affect the patient’s health condition.

Therefore, this absence of privacy affects the confidentiality and integrity of the transmitted data. However, in a machine-to-machine communication case, as is the case of an IoT network, there is another important property that can be affected: availability.

Let us consider a basic IoT network that is formed by a server, a channel, and a set of devices that send petitions and receive orders. A very common attack is the so-called Denial of Service (DoS), which consists of the impossibility, for instance, of the server to process and attend to the devices’ requests. Given that the communication in this case is among machines, every determined request is given by a different code. Thus, the device encrypts the corresponding code by determining its request and sends it to the server. Then, the server decrypts the received message, and if the code is correct, the request is attended. Otherwise, the message is simply discarded in order to maintain efficiency. Thus, knowing the appropriate session key is crucial in order to correctly encrypt and decrypt the information. In the case of an IoT network, launching a DoS attack from a single malicious device is very difficult due to the very low capacity of the devices and the high quantity of energy that this attack would use. However, in this setting, what is more common are the so-called DDoS attacks, where a set of devices sends this malicious traffic. It is very often that these devices are part of a botnet, i.e., a set of devices that have been infected with malware and that can be controlled by a specific attacker. Thus, if the attacker knows the session key of an IoT network, then it is possible to create a botnet and make them send false requests, which are encrypted properly with the corresponding code and make the server collapse due to the impossibility of meeting so many requests.

However, we can also attack the devices from the infected server in the following manner, producing a different type of attack. The server often sends commands to make the devices in its network execute some code. Then, the attacker could make the servers execute, for instance, ransomware that hijacks the information stored in the devices, making it impossible to access it when this ransomware, or any other type of malware that produces a harmful effect on the devices, is sent to the server.

Other consequences of a lack of privacy in IoT environments can be found in [3] or [4] and references therein.

One of the key issues nowadays in cybersecurity is authentication, which is the underlying problem in the protocol we are introducing in this paper. If there is a system that makes it possible to authenticate the source of the received messages, then an attacker will fail in this aim given that, when the incoming messages cannot be certified to be received from a trusted source, then they are simply discarded and so, this attack cannot be developed. In a network where the actors dispose of devices with enough computing and storage resources, the natural solution is to use the standard protocols for authentication. This means deploying a PKI in our network that uses certificates issued by a trusted entity that allows the receiver of any message to authenticate its source. Thus, the source will add some additional authenticating information to the message that can be verified by using the certificate issued by the trusted entity. However, this is not the case for environments such as an IoT network. As we have previously noted, these are composed mostly of light devices with very limited capabilities and that may even be powered by a battery [1]. Regarding computational capabilities, public key cryptography algorithms consume a lot of resources, and thus, this constitutes a challenge for this type of network [23]. Concerning storage capabilities, authentication protocols also require storing a list of revoked certificates and this is, again, a challenge given that the RAM is often in the order of tens of kilobytes in these light devices [11]. Alternatives to classical public key cryptography in IoT can be found in [4,23,24], both from a technology and algorithmic point of view. Thus, the use of the cryptanalyzed protocol would require a joint deployment of one of these emerging technologies (or others) in order to obtain authentication. Another alternative is the use of other group Key Management Protocols that have been shown to be secure in this cryptographic model, cf. [8].

From the cryptographic point of view, it has been noted previously in this paper that the emergence of quantum computers represents a major challenge for most cryptographic algorithms that nowadays are mainly based on mathematical problems that are difficult to solve from a computational point of view. However, this new generation of computers increases the computational power exponentially and represents one of the major challenges in cybersecurity, given that they overcome all these mathematical problems that underlie the security of the most-used cryptographic algorithms. To address this challenge, in 2017, the NIST called for a contest to select new cryptographic primitives that allowed to obtain secure algorithms against the attack of a quantum computer. In 2023, four algorithms were selected, one for key encapsulation and three others for digital signature. Very recently, two digital signatures and a key encapsulation method were officially standardized [14]. These algorithms address, on the one hand, the problem of authentication and, on the other hand, the problem of sending a secret through an insecure channel, but as of yet, there is no algorithm showing an alternative to quantum computers that allows establishing a secret collaboratively among two or more parties through such insecure channels. This does not mean, in principle, that Diffie–Hellman [13] or Group Key Management protocols, such as [5] or [9], will be obsolete in the next few years. The problem is finding algebraic structures that can offer a mathematical problem that is difficult to solve even for quantum computers. In [15,16], it is shown that we can extend these protocols to more general mathematical settings, so one current challenge is finding a suitable mathematical environment to apply these Group Key Exchange protocols. At the same time, it is also crucial to continue studying methods that test the security of these protocols in determined cryptographic models in order to know the requirements that have to be fulfilled and to keep using them in a secure manner. The discussion in this paper is proof of that.

5. Conclusions

In [12], the authors introduced a group key management protocol that allows the participants to exchange a common secret through an insecure channel that could later let them communicate confidentially. We have provided a protocol that allows an active adversary with certain capabilities to become a legal member of the group without the knowledge of the rest of the participants in the communication group of n members. The adversary can share a common key with the group members, being the real number of participants $n+1$, whereas the group members think that they are simply n entities communicating. We have also provided a real case of study using elliptic curves, a widespread setting for these types of communications, especially in the Internet of Things environment, where the light capabilities of the devices make this setting very appropriate, offering a high level of security against passive attacks. We also show how possible strategies for the rekeying protocol not cited in the original work also fail against our proposal, and even an extension of the group key exchange protocol to a more general algebraic setting is also vulnerable to the attack we are introducing. We conclude this paper by pointing out the necessity of continuous research not only to find new mathematical settings that will allow us to adapt to new challenges arising from the advances in quantum computing but also to test existing protocols in different cryptographic models in order to continue using them in mathematical environments that can resist attacks from this new generation of computers.