
Analysis And Design Of Group Key Agreement Protocol

Posted on: 2009-08-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G M Li
Full Text: PDF
GTID: 1118360272478446
Subject: Information security
Abstract/Summary:
As an important research domain of cryptography, key agreement protocols allow two or more parties exchanging information over an adversarially controlled insecure network to agree on a common session key that secures their later communication. Secure key agreement protocols therefore serve as a basic building block for constructing secure, complex, high-level protocols. MQV and HMQV are possibly the most efficient of all known two-party Diffie-Hellman protocols that use public-key authentication, and they have been widely standardized; standards for authenticated group key agreement (AGKA) protocols, by contrast, are still under discussion. Significant research effort is therefore currently devoted to AGKA protocols.

The thesis first gives a number of examples of widely deployed group applications, then describes the state of the art of theoretical research on security requirements and the currently available security models for group key agreement protocols. According to the authentication approach, group key agreement protocols are classified into three categories: certificate-based, ID-based and password-based. The study aims to analyze and improve current AGKA protocols and to design new provably secure AGKA protocols. The contributions are summarized as follows.

For certificate-based AGKA protocols, resistance to disclosure of the secret exponent x corresponding to an ephemeral (session-specific) DH value X = g^x is an important security consideration. This is a prime concern for any Diffie-Hellman protocol, since many applications boost performance by pre-computing ephemeral pairs (x, X = g^x) for later use in the protocol (this applies to low-power devices as well as to high-volume servers). Such stored pairs are more vulnerable to leakage than long-term static secrets: the latter may be kept in a hardware-protected area, whereas the ephemeral pairs are typically stored on disk and hence more exposed to a temporary break-in or to a malicious user of the system. To overcome this weakness of existing AGKA protocols, a novel constant-round AGKA protocol is proposed that combines the dual exponential challenge-response (DCR) signature with the Burmester-Desmedt (BD) structure; it resists the leakage of ephemeral secret DH exponents while retaining the security properties of related AGKA protocols, and is more efficient in both communication and computation. An impersonation attack against an existing protocol compiler shows that two malicious users who hold an entity's previous commitment transcripts can impersonate that entity when agreeing on session keys in a new group; an improvement of the compiler is proposed accordingly.

For ID-based AGKA protocols: according to the asymmetric technique used for authentication, current AGKA protocols fall into certificate-based ones, mainly implemented with modular exponentiation (or elliptic-curve point multiplication), and ID-based ones implemented with pairings. Compared with certificate-based AGKA, ID-based AGKA simplifies the key agreement (management) procedures but is more time-consuming than PKI/CA-based AGKA protocols. To overcome the weaknesses of both kinds, a novel ID-based AGKA protocol is proposed that is implemented with point multiplication only. A more detailed security analysis of an existing ID-based AGKA protocol shows that it does not resist an outsider attack: an adversary can make the group session key inconsistent among the members, and the members cannot detect this. An improvement of that protocol is then given. We further analyze the security of an existing ID-based AGKA protocol in different security domains and show that an adversary can make group members hold different keys while deceiving them into believing that they share a common session key; moreover, an adversary holding the transcripts of this protocol can compute the session key. A further improvement of the protocol is proposed.

Compared with ID-based and PKI/CA-based protocols, password-based protocols require the participants only to remember a shared low-entropy password, and are therefore suitable for many scenarios, especially those in which no device can securely store a high-entropy long-term secret key. We thus design two password-based tripartite key agreement protocols (3-PAKE-1 and 3-PAKE-2) from the Weil pairing. The security of both protocols is provable in the standard model. 3-PAKE-1 and 3-PAKE-2 suit users who have nowhere to store a high-entropy long-term secret key or who have no support from a public key infrastructure.
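The following is an added example, not code from the thesis: a plain Burmester-Desmedt (BD) group key agreement, the "BD structure" the proposed protocol builds on, with the two failure modes the abstract raises shown on the unauthenticated base protocol. It assumes the 1024-bit MODP group of RFC 2409 (group 2) with g = 2; the party count, the message-tampering helper and the HMAC key-confirmation tag are constructed for illustration and are not the thesis's DCR-based or ID-based protocols. One member's leaked ephemeral exponent plus the public transcript yields the session key, and a tampered broadcast leaves members with different keys that nothing in plain BD detects; the confirmation tag shows the kind of check that would catch it.

```python
"""Burmester-Desmedt (BD) group key agreement over a DH group.

Added example for this page, not the thesis's code.  Group: RFC 2409
group 2 (1024-bit MODP), g = 2, subgroup order q = (p-1)/2.  The
tampering helper and the confirmation tag are constructed illustrations.
"""
import hmac
import secrets
from hashlib import sha256

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # p is a safe prime, so G generates a subgroup of order Q


def round1(n):
    """Round 1: member i picks an ephemeral x_i and broadcasts z_i = g^x_i."""
    xs = [2 + secrets.randbelow(Q - 2) for _ in range(n)]
    zs = [pow(G, x, P) for x in xs]
    return xs, zs


def round2(xs, zs):
    """Round 2: member i broadcasts X_i = (z_{i+1} / z_{i-1})^{x_i}, indices mod n."""
    n = len(xs)
    return [
        pow(zs[(i + 1) % n] * pow(zs[(i - 1) % n], -1, P) % P, xs[i], P)
        for i in range(n)
    ]


def member_key(i, x_i, zs, Xs):
    """Key as member i computes it from x_i and the broadcasts it received:
    K_i = z_{i-1}^{n x_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2}^{1}.
    With an untampered transcript every member gets g^{sum x_j x_{j+1}}."""
    n = len(zs)
    k = pow(zs[(i - 1) % n], n * x_i, P)
    for j in range(n - 1):
        k = k * pow(Xs[(i + j) % n], n - 1 - j, P) % P
    return k


def reference_key(xs):
    """g^{x_1 x_2 + x_2 x_3 + ... + x_n x_1}, computed directly for checking."""
    n = len(xs)
    return pow(G, sum(xs[i] * xs[(i + 1) % n] for i in range(n)), P)


def run_bd(n):
    """Honest run: returns exponents, both broadcast rounds and every member's key."""
    xs, zs = round1(n)
    Xs = round2(xs, zs)
    return xs, zs, Xs, [member_key(i, xs[i], zs, Xs) for i in range(n)]


def attacker_key_from_leak(i, leaked_x_i, zs, Xs):
    """Ephemeral-leakage concern: the adversary holds only the public transcript
    (zs, Xs) and one member's ephemeral exponent, e.g. read from a precomputed
    (x, g^x) pair stored on disk, and recovers the session key outright."""
    return member_key(i, leaked_x_i, zs, Xs)


def tamper_X(Xs, k, delta):
    """Constructed man-in-the-middle: the copy of X_k delivered to one member is
    replaced by X_k * g^delta.  Returns that member's view; others see Xs."""
    view = list(Xs)
    view[k] = view[k] * pow(G, delta, P) % P
    return view


def _transcript_bytes(i, zs, Xs):
    return bytes([i]) + b"".join(v.to_bytes(128, "big") for v in zs + Xs)


def confirmation_tag(key, i, zs, Xs):
    """Key confirmation (not part of plain BD): HMAC under the derived key over
    the member index and the transcript as that member saw it."""
    return hmac.new(key.to_bytes(128, "big"), _transcript_bytes(i, zs, Xs), sha256).digest()


def verify_tag(tag, key, i, zs, Xs):
    """A member verifies member i's tag under its own key and its own view; a
    mismatch in either the key or the transcript makes this fail."""
    return hmac.compare_digest(tag, confirmation_tag(key, i, zs, Xs))


if __name__ == "__main__":
    xs, zs, Xs, keys = run_bd(4)
    print("all honest keys equal:", len(set(keys)) == 1 and keys[0] == reference_key(xs))
    print("leak of x_2 gives key:", attacker_key_from_leak(2, xs[2], zs, Xs) == keys[0])
    bad_view = tamper_X(Xs, 1, 1)
    k0 = member_key(0, xs[0], zs, bad_view)
    print("member 0 diverged silently:", k0 != keys[0])
    print("confirmation catches it:", not verify_tag(confirmation_tag(k0, 0, zs, bad_view), keys[1], 0, zs, Xs))
```

Member 0's tampered view multiplies its key by g^(2*delta) for n = 4, so its key differs from everyone else's while the protocol itself raises no error; only the added confirmation step, or the authentication the thesis's protocols provide, surfaces the inconsistency.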
Keywords/Search Tags:Group Key Agreement Protocol, Authentication, Security Model, BD Structure, Public Key Cryptosystem, Digital Signature