Authors:
(1) Moritz Jasper, Barkhausen Institut gGmbH, Wurzburger Straße 46, Dresden, Germany (moritz.jasperl@barkhauseninstitut.org);
(2) Stefan Kopsell, Barkhausen Institut gGmbH, Wurzburger Straße 46, Dresden, Germany (stefan.koepsell@barkhauseninstitut.org).
Table of Links
Attacker Model and Security Goals
APPENDIX
A. Two attacks on the Dutta-Barua group key agreement
Zhang et al. present two attacks on the DBGKA protocol [23]. To fully understand them and this section, some understanding of the Dutta-Barua protocol [17] is required. While a full review of the protocol is out of scope for this work, for the purposes of this section, the most important thing is to understand that each KeyAgree() and Join() operation is associated with an instance id d. This instance id is incremented for each of those operations and can never be reused. Note that d can be regarded as a nonce: while it is not random, it is never reused. Another example of a protocol that uses non-random nonces is Wireguard [24].
Both attacks described by Zhang et al. are carried out by one or multiple malicious users who are part of the Dutta-Barua group, that is they have successfully participated in the DuttaBarua key agreement in the past. In this sense, the premise of the DBGKA is already violated: The DBGKA protocol provides no security against malicious insiders. Nevertheless, one should take this form of attack seriously: An honest user - representing, for instance, an IoT device - might at some point be compromised and become dishonest. Alternatively, he might have been dishonest all along, but his certificate is only revoked at a later stage. We will therefore discuss both attacks and show why they pose no threat to the LCMsec protocol.
1) First Attack: The first attack is carried out by a malicious leaving user who has been part of a previous successful DuttaBarua KeyAgreement() operation during which he has made some preparation for the attack by storing some of the protocol messages. When the Leave() operation is executed to expel this user from the group, Zhang et. al. show that the attacker can compute the new session key using the values he stored earlier.
However, as we understand the DBGKA, the purpose of the Leave() operation is not to expel dishonest users, but as a way for honest users to leave. When an honest user leaves in this way, it is possible for the remaining users to efficiently agree on a new key. If an honest user, on the other hand, does not execute the Leave() operation, a new KeyAgreement() operation has to performed, which is a lot less efficient for large groups. To expel a malicious user, the remaining users instead execute the KeyAgree() operation amongst themselves – this way, the attack is bypassed entirely.
Note that in the current version of LCMsec, we do not include a mechanism for certificate revocation or expelling users from the group and make no use of the Leave() operation, so this attack does not concern us. Still, the ability to add such a feature in the future is important. As we discussed, this can be done safely by using the KeyAgree() operation whenever a certificate is revoked.
REFERENCES
[1] P. T. Eugster, P. A. Felber, R. Guerraoui, and A.-M. Kermarrec, “The many faces of publish/subscribe,” ACM Computing Surveys, vol. 35, no. 2, pp. 114–131, Jun. 2003.
[2] A. S. Huang, E. Olson, and D. C. Moore, “LCM: Lightweight Communications and Marshalling,” in 2010 IEEE/RSJ International Conference on Intelligent Robots and Systems, pp. 4057–4062.
[3] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, “Multicast security: A taxonomy and some efficient constructions,” in IEEE INFOCOM ’99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future Is Now (Cat. No.99CH36320), pp. 708–716 vol.2.
[4] “Message Queuing Telemetry Transport.” [Online]. Available: https: //mqtt.org/
[5] G. Pardo-Castellote, “OMG Data-Distribution Service: Architectural overview,” in 23rd International Conference on Distributed Computing Systems Workshops, 2003. Proceedings., May 2003, pp. 200–206.
[6] S. E. Deering, “Host extensions for IP multicasting,” Internet Engineering Task Force, Request for Comments RFC 1112, Aug. 1989.
[7] E. Onica, P. Felber, H. Mercier, and E. Riviere, “Towards Scalable ` and Dependable Privacy-Preserving Publish/Subscribe Services,” in Fast Abstract in the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, M. Roy, J. A. Lopez, and A. Casimiro, Eds., Toulouse, France, Jun. 2016.
[8] S. Bernard, M. G. Potop-Butucaru, and S. Tixeuil, “A Framework for Secure and Private P2P Publish/Subscribe,” in Stabilization, Safety, and Security of Distributed Systems, ser. Lecture Notes in Computer Science, S. Dolev, J. Cobb, M. Fischer, and M. Yung, Eds., pp. 531–545.
[9] L. Malina, G. Srivastava, P. Dzurenda, J. Hajny, and R. Fujdiak, “A Secure Publish/Subscribe Protocol for Internet of Things,” in Proceedings of the 14th International Conference on Availability, Reliability and Security, ser. ARES ’19, pp. 1–10.
[10] M. Ion, G. Russello, and B. Crispo, “Supporting Publication and Subscription Confidentiality in Pub/Sub Networks,” in Security and Privacy in Communication Networks, ser. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, S. Jajodia and J. Zhou, Eds., pp. 272–289.
[11] M. Hamad, E. Regnath, J. Lauinger, V. Prevelakis, and S. Steinhorst, “SPPS: Secure Policy-based Publish/Subscribe System for V2C Communication,” in 2021 Design, Automation & Test in Europe Conference & Exhibition (DATE), Feb. 2021, pp. 529–534.
[12] M. Dahlmanns, J. Pennekamp, I. B. Fink, B. Schoolmann, K. Wehrle, and M. Henze, “Transparent End-to-End Security for Publish/Subscribe Communication in Cyber-Physical Systems,” in Proceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems, ser. SAT-CPS ’21, pp. 78–87.
[13] iMatix Corporation, “ZeroMQ Broker vs . Brokerless Messaging - Whitepaper.” [Online]. Available: http://wiki.zeromq.org/whitepapers: brokerless
[14] iMatix Corporation, “CurveZMQ - a protocol for secure messaging across the Internet,” Jan. 2023. [Online]. Available: http://rfc.zeromq. org/spec/26/
[15] Object Management Group, “DDS Security Specification,” Jun. 2018. [Online]. Available: https://www.omg.org/spec/DDS-SECURITY/1.1/ PDF
[16] J. Kim, J. M. Smereka, C. Cheung, S. Nepal, and M. Grobler, “Security and Performance Considerations in ROS 2: A Balancing Act,” Sep. 2018. [Online]. Available: http://arxiv.org/abs/1809.09566
[17] R. Dutta and R. Barua, “Provably Secure Constant Round Contributory Group Key Agreement in Dynamic Setting,” IEEE Transactions on Information Theory, vol. 54, no. 5, pp. 2007–2025, May 2008.
[18] D. Ongaro and J. Ousterhout, “In search of an understandable consensus algorithm,” in Proceedings of the 2014 USENIX Conference on USENIX Annual Technical Conference, ser. USENIX ATC’14, pp. 305–320.
[19] M. J. Dworkin, “Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC,” NIST, Nov. 2007.
[20] R. Atkinson and S. Kent, “Security Architecture for the Internet Protocol,” Internet Engineering Task Force, Request for Comments RFC 2401, Nov. 1998.
[21] T. T. T. ZOU) and X. Zhang, “IPsec Anti-Replay Algorithm without Bit Shifting,” Internet Engineering Task Force, Request for Comments RFC 6479, Jan. 2012.
[22] S. Boeyen, S. Santesson, T. Polk, R. Housley, S. Farrell, and D. Cooper, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” Internet Engineering Task Force, Request for Comments RFC 5280, May 2008.
[23] H. Zhang, C. Xu, C. Li, and A. R. Sangi, “Two Attacks on Dutta’s Dynamic Group Key Agreement Protocol,” in Wireless Communications and Applications, ser. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, P. Senac, M. Ott, and A. Seneviratne, Eds., pp. 419–425. ´
[24] J. A. Donenfeld, “WireGuard: Next Generation Kernel Network Tunnel,” in Proceedings 2017 Network and Distributed System Security Symposium.
This paper is available on arxiv under CC BY 4.0 DEED license.