Modelling and Security Analysis of Authenticated Group Key Agreement Protocols

Authenticated Group Key Agreement Protocols are protocols allowing a group of principals to contributively generate a key by the exchange of messages on a network possibly controlled by an attacker. Furthermore, their execution also guarantees all group members that the key they obtained can only be known by the other intended protocol participants. These protocols can be exploited in many applications such as audio or videoconferencing, replicated servers (such as database, web, time servers), chat or network games for instance.

AGKAP's present several particularities that make them interesting case studies for research in the theory of security. At first, the consideration of the number of protocol participants as a parameter raises several complexity problems that are not present in the classical two or three-party frameworks. Furthermore, up to now, the security properties of group protocols have roughly been considered as direct extensions of two-party properties, what does not capture several plausible attack scenarios. A second interesting aspect of the analysis of AGKAP's is the consideration of Diffie-Hellman-type primitives, that present properties out of the scope of most classical models.

We started our study with the construction of a simple model for the analysis of a classical family of protocols: the Cliques AGKAP's. This allowed us to discover several attacks and define different flavors of group security properties. We then tried to fix these protocols, what led us to extend our model in order to prove that it is in fact impossible to build a secure AGKAP based on the same design assumptions as the Cliques protocols. Finally, we designed a new AGKAP based on different cryptographic primitives (signature and hash functions) for which we proved authentication, freshness and secrecy properties. A comparison with a similar AGKAP developed in parallel to ours is also proposed.