Project personnel:
staff - Deb Agarwal, Olivier Chevassut, Karlo Berket, Guillaume Egles, and Abdelilah Essiari



Reporting period - This report covers work completed December, 2003 - February, 2004

This quarter we completed a distributed algorithm (in the form of an I/O automaton), VW_RFIFO_ASYM, that meets the InterGroup asymmetric within-view reliable FIFO specification. We also completed the proof that VW_RFIFO_ASYM fulfills the asymmetric within-view reliable FIFO specification. In order to allow our code to be accessible from multiple languages, we have worked to provide SWIG wrappers for the code. This quarter we designed and implemented an intermediate/internal API in order to tremendously simplify the "swigging" of the system in different languages (Java, Python). We also successfully "swigged" the code to Java. In this work we were careful to recreate a Java API that makes sense in Java. We tested the "Java swig" implementation under FreeBSD. SGL can now be compiled and run successfully on FreeBSD, Linux, Solaris and Windows. We have also been evaluating Emulab/PlanetLab as a wide-area distributed test environment for InterGroup and SGL. We now have accounts on Emulab. We have also started writing a detailed specification of SGLv2.

Publication of research results in leading security and cryptographic conference

"New Security Results on Encrypted Key Exchange", E. Bresson, O. Chevassut, and D. Pointcheval, Proceedings of the International Workshop on Practice and Theory in Public Key Cryptography (PKC), Singapore, March 1-4, 2004. Abstract: Schemes for encrypted key exchange are designed to provide two entities communicating over a public network, and sharing a (short) password only, with a session key to be used to achieve data integrity and/or message confidentiality. An example of a very efficient and "elegant" scheme for encrypted key exchange considered for standardization by the IEEE P1363 Standard working group is AuthA. This scheme was conjectured secure when the symmetric-encryption primitive is instantiated via either a cipher that closely behaves like an "ideal cipher", or a mask generation function that is the product of the message with a hash of the password. While the security of this scheme in the former case has been recently proven, the latter case was still an open problem. For the first time we prove in this paper that this scheme is secure under the assumptions that the hash function closely behaves like a random oracle and that the computational Diffie-Hellman problem is difficult. Furthermore, since Denial-of-Service (DoS) attacks have become a common threat we enhance AuthA with a mechanism to protect against them.
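To make the "mask generation function" variant in the abstract above concrete, here is an added toy illustration in Python. It is not code from the paper or from the SGL project, and it is not the AuthA specification: it only shows the idea of multiplying a Diffie-Hellman flow by a hash of the shared password and unmasking it on the other side. The prime, base, password strings and all function names are constructed for this example.

```python
import hashlib
import secrets

# Constructed toy parameters (illustration only): a 61-bit prime and a base.
# Real deployments use standardised large prime-order groups; these are NOT secure.
P = 2305843009213693951  # 2**61 - 1
G = 3


def password_mask(password: str) -> int:
    """Hypothetical mask generation: hash the password to a non-zero element of Z_p^*."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 1)


def derive_key(shared_secret: int) -> bytes:
    """Hash the raw Diffie-Hellman value into a fixed-length session key."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def client_first_flow(password: str):
    """Client picks x, computes X = g^x and sends the masked value X* = X * H(pw) mod p.
    Returns (x, X*): x stays secret, X* is the message on the wire."""
    x = 1 + secrets.randbelow(P - 2)
    X = pow(G, x, P)
    X_star = (X * password_mask(password)) % P
    return x, X_star


def server_respond(password: str, X_star: int):
    """Server unmasks X* by multiplying with the inverse of its own password mask,
    replies with Y = g^y and derives the session key from X^y."""
    X = (X_star * pow(password_mask(password), -1, P)) % P
    y = 1 + secrets.randbelow(P - 2)
    Y = pow(G, y, P)
    return Y, derive_key(pow(X, y, P))


def client_finish(x: int, Y: int) -> bytes:
    """Client derives the session key from Y^x."""
    return derive_key(pow(Y, x, P))


def run_exchange(client_password: str, server_password: str) -> bool:
    """Run one masked exchange end to end; True iff both sides derive the same key.
    With differing passwords the server unmasks to a different X, so the keys diverge."""
    x, X_star = client_first_flow(client_password)
    Y, server_key = server_respond(server_password, X_star)
    return client_finish(x, Y) == server_key


if __name__ == "__main__":
    print("same password:", run_exchange("correct horse battery", "correct horse battery"))
    print("wrong password:", run_exchange("correct horse battery", "wrong guess"))
```

The direct key comparison in `run_exchange` stands in for the key-confirmation step a real protocol would use; the DoS-protection mechanism the abstract mentions is not modelled here.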


Reporting period - This report covers work completed September, 2003 - November, 2003

This quarter we completed the formal specification of an asymmetric group communication system consisting of I/O automata specifications for:

A focus this quarter has been the major design and implementation of SGL Core. A key part of this effort has been the design and implementation of the Security API for SGL based on an extended study of the Java SSL security API and the differences between SSL and SGL. We have implemented and tested the three main modes of authentication to the group: Anonymous, Password and Certificate-based.

Publication of research results in leading security and cryptographic conference

"Mutual Authentication and Group Key Agreement for Low-Power Mobile Devices", E. Bresson, O. Chevassut, A. Essiari, and D. Pointcheval, Proceedings of the 5th IFIP-TC6 International Conference on Mobile and Wireless Communications Networks, Singapore, October 27-29, 2003, pp 59-62. Abstract: Wireless networking has the power to fit the Internet with wings; however, it will not take off until the security technological hurdles have been overcome. In this paper we propose a very efficient and provably-secure group key agreement well suited for unbalanced networks consisting of devices with strict power consumption restrictions and wireless gateways with less stringent restrictions. Our method meets practicability, simplicity, and strong notions of security.

"Security Results for an Efficient Password-based Key Exchange", E. Bresson, O. Chevassut, and D. Pointcheval, Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, October 27-30, 2003. Abstract: Password-based key exchange schemes are designed to provide entities communicating over a public network, and sharing a (short) password only, with a session key (e.g., the key is used for data integrity and/or confidentiality). The focus of the present paper is on the analysis of very efficient schemes that have been proposed to the IEEE P1363 Standard working group on password-based authenticated key-exchange methods, but whose actual security was an open problem. We analyze the AuthA key exchange scheme and give a complete proof of its security. Our analysis shows that the AuthA protocol and its multiple modes of operation are provably secure under the computational Diffie-Hellman intractability assumption, in both the random-oracle and the ideal-cipher models.


Reporting period - This report covers work completed June, 2003 - August, 2003

Students - Srinivas Kuppa and Kelvin Kwong

This quarter we added a first prototype of password-based authentication to the Secure Group Layer. This implementation assumes that all of the participants will authenticate by proving that they know a shared password. This early prototype is now implemented in skeleton form for the static case. We are using our simple chat application to demonstrate and test this capability. We have also continued to develop and publish additional distributed key agreement results. Our current focus is on enabling low power devices.

The InterGroup work to model the protocols using IO Automata is progressing well. The reliable channel and FIFO mechanisms have been modeled and simulated. We have also completed simulations of these protocols (mapping the protocol to the specification and checking the protocol operation). During this quarter, we have also established ties with the MIT group building the IOA simulators. Through this collaboration we will be able to gain early access to the IOA composition capabilities which are currently under development there. This will allow us to do automated proving of a greater percentage of our protocols than has ever been accomplished before.

We have concentrated significant effort this quarter on the test and release procedures for the code. We have built unit tests for all of the shared library components and have a full nightly build system in place that compiles the current code and runs the unit tests nightly to help ensure that bugs are not introduced by updates to the code.


Reporting period - This report covers work completed March, 2003 - May, 2003

Our Secure Group Layer now contains a working anonymous key agreement implementation for the static case. This implementation includes all the mechanics of the static key agreement but does not yet include the authentication step. The chat demonstration application is working using this implementation. In addition this quarter we have spent time revising the framework and layering scheme within the implementation. As our understanding of the requirements of the system improves, we are able to design a more efficient framework. We also continue to publish papers investigating and defining the security mechanisms required for collaboratory tools and the distributed key agreement protocols required to complete the secure group layer.

Discussions with the Access Grid group have indicated that a Python interface to the reliable and secure group communication is required. We have started work on a SWIG wrapping of the C++ client for this purpose. It is working on Linux but not yet on Windows. This quarter we have also begun efforts to improve the automated testing and code version tracking environment to help ensure the long-term maintainability of the code.

The IO Automata work on the InterGroup theory has begun and we are beginning with modeling and using the automated provers for the first simple reliable channel and FIFO message delivery mechanisms. This quarter has mostly been spent getting familiar with the language and the automated proof tools.


Reporting period - This report covers work completed December, 2002 - February, 2003

Efforts this quarter have focussed on the implementation of the Secure Group Layer. The prototype has been fleshed out to include an initial implementation of the static key agreement protocol and initial implementations of the record layer containing the encryption and decryption algorithms.

A new model for framing the theoretical basis of a group communication protocol and new methods of proving correctness have emerged. This new method is based on framing the group communication mechanisms in terms of automata. The liveness and stability criteria avoid the standard impossibility problems by basing their criteria around situations in which there are no further failures in the system. We have begun efforts to represent the InterGroup protocols in this new model and thus prove the correctness of the InterGroup algorithms. This new model and framework will also require some subtle changes to the InterGroup implementation. We have begun these efforts. Personnel from the project regularly attend the Access Grid town hall meetings to provide information and updates, and to answer questions regarding the InterGroup protocols and the Secure Group Layer. We are also participating in the Advanced Collaborative Environments working group of the Global Grid Forum and helping to draft a document describing the requirements of peer-to-peer ad hoc computing environments such as those supported by the Secure Group Layer. We are working closely with the "A Scalable and Secure Peer-to-Peer Information Sharing Tool" project to help them in the use of the InterGroup protocols.


Reporting period - This report covers work completed September, 2002 - November, 2002

This quarter we are finishing up development of the C++ implementation of the InterGroup client. The Access Grid development team has indicated that they would like to use the C++ interface to InterGroup to implement some of the functionality of the AG 2.0 toolkit, so it is relatively urgent that we finish the interface quickly. Thus, we have made completion of this interface a priority and will be releasing it in mid-December, 2002. Work on the implementation of the shared library for C++ has been progressing and an alpha version of this library is expected to be available next quarter. Concurrent with this work we have updated the protocol used between the InterGroup node and client to reflect a change in how we handle process identifiers.

An initial implementation of the framework of the Secure Group Layer (SGL) has been completed. This implementation contains the framework only and does not yet have implementations of any of the crypto algorithms. Olivier completed, defended, and published his Ph.D. thesis this quarter without problem. Work on SGL this quarter has focused on two activities: password-based authentication and group authorization policy mechanisms. The password-based authentication work is designed to support situations where the participants have a means of disseminating a shared password and would like to use this password to establish a secure communication channel.

Presentations

We have spent significant effort this quarter publicizing the work we are doing on this project. We attended several conferences and meetings. A list of the presentations given this quarter is below. For copies of the presentations and papers from this project, please check our project home page.

References

Workshops


Reporting period - This report covers work completed June, 2002 - August, 2002

This quarter we have concentrated on design and development of the C++ implementation of the InterGroup client. This interface was requested by some of the Access Grid development team for use with an XML-based communication tool. As part of the implementation of the C++ interface we also decided to work on the design of a generic framework for the group communication implementation components. This framework will make it easier to include the Secure Group Layer in the implementation. As part of this effort we began planning the design of the Secure Group Layer to make sure that it fit within the framework we are developing.

In discussions with the Akenti project, we realized that there was a shared need for a C++ library that would provide implementations of modern object-oriented programming abstractions such as smart pointers, sockets, and a thread class. Development of this shared library will allow us to hide most of the platform specific customizations within the library and ease porting of our C++ code to different platforms. This quarter we worked on the design of the shared library and began implementation.

During this quarter we have made improvements to the implementation of the InterGroup membership protocols. As part of this work, we have resumed efforts to write a paper describing the theoretical foundations of the InterGroup protocols. Since these protocols introduce relatively radical changes compared to existing protocols, this effort is expected to last over several more quarters.

We published a paper [1] that is the result of studying the generalization of the Diffie-Hellman problems recently used to construct cryptographic schemes for practical purposes. The Group Computational and the Group Decisional Diffie-Hellman assumptions not only enable one to construct efficient pseudo-random functions but also to naturally extend the Diffie-Hellman protocol to allow more than two parties to agree on a secret key. In this paper we provide results that add to our confidence in the GCDH problem. We reached this aim by showing exact relations among the GCDH, GDDH, CDH and DDH problems.
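The "natural extension" of Diffie-Hellman to more than two parties mentioned above is easiest to see in code. The Python below is an added illustration, not code from the paper [1] or from the InterGroup/SGL software: each party in turn raises every value it receives to its own secret exponent and passes the result along, and the last party broadcasts the values that each lack exactly one exponent. Everything an eavesdropper sees on the wire is a set of powers of g over products of subsets of the exponents, which is exactly the kind of input the Group Computational Diffie-Hellman (GCDH) problem is stated over; the key g^(x1 x2 ... xn) itself is never transmitted. The prime, base, exponents and function names are constructed here; the same unauthenticated primitive underlies the authenticated group key exchange results discussed elsewhere in these reports.

```python
# Constructed toy parameters (illustration only): a 61-bit prime and a base.
# Real deployments use standardised large prime-order groups; these are NOT secure.
P = 2305843009213693951  # 2**61 - 1
G = 3


def upflow_step(exponent: int, partials, full):
    """One party's upflow step: raise every received value to its secret exponent.
    partials[j] = g^(product of all exponents seen so far except party j's);
    full        = g^(product of all exponents seen so far).
    The old `full` becomes the new "missing this party's exponent" entry."""
    new_partials = [pow(v, exponent, P) for v in partials] + [full]
    return new_partials, pow(full, exponent, P)


def group_dh(exponents):
    """Run the upflow chain for n parties (one secret exponent each).
    Returns (keys, wire): the key each party derives, and every value that
    crossed the network in order, i.e. what a passive eavesdropper observes."""
    n = len(exponents)
    # Party 1 starts the chain: the only "missing one exponent" value is g itself.
    partials, full = [G], pow(G, exponents[0], P)
    wire = partials + [full]  # party 1's upflow message
    for i in range(1, n):
        partials, full = upflow_step(exponents[i], partials, full)
        if i < n - 1:
            wire = wire + partials + [full]  # intermediate upflow message
    # The last party keeps `full` as its key and broadcasts only the n
    # "missing one exponent" values; party j completes the key with its own x_j.
    wire = wire + partials
    keys = [pow(partials[j], exponents[j], P) for j in range(n)]
    return keys, wire


def eavesdropper_learns_key(exponents) -> bool:
    """True only if the group key appears verbatim among the transmitted values.
    Recovering it from those values instead is an instance of GCDH."""
    keys, wire = group_dh(exponents)
    return keys[0] in wire


if __name__ == "__main__":
    # Constructed secret exponents for four parties.
    keys, wire = group_dh([5, 7, 11, 13])
    print("all parties agree:", len(set(keys)) == 1)
    print("values on the wire:", len(wire))
    print("key visible on the wire:", eavesdropper_learns_key([5, 7, 11, 13]))
```

The message pattern makes the cost asymmetry visible: party i performs i+1 exponentiations and the last party performs n, which is one reason the later reports look at variants suited to low-power devices.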

Authenticated Diffie-Hellman key exchange allows two principals communicating over a public network, and each holding public/private keys, to agree on a shared secret value. We published a paper [2] studying the natural extension of this cryptographic problem to a group of principals. We began from existing formal security models and refined them to incorporate major missing details (e.g., strong-corruption and concurrent sessions). Within this model we defined the execution of a protocol for authenticated dynamic group Diffie-Hellman and showed that it is provably secure under the decisional Diffie-Hellman assumption. Our security result holds in the standard model and thus provides better security guarantees than previously published results in the random oracle model.

We also published a paper [3] describing our view of how to utilize the existing security mechanisms to build secure applications that are reasonable. The security mechanisms need to provide a variety of means to authenticate and authorize users so that the application users can choose the appropriate mechanisms for use with a particular application.

Presentations

We have spent significant effort this quarter publicizing the work we are doing on this project. We attended several conferences and meetings. A list of the presentations given this quarter is below. For copies of the presentations and papers from this project, please check our project home page.

"Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange", Cryptographic Protocols in Complex Environments, DIMACS Workshop, May 15 - 17, 2002.

"The Group Diffie-Hellman Problems", Proceedings of Selected Areas in Cryptography (SAC'02), St John's, Newfoundland, Canada, August 15 - 16, 2002. Also, LBNL report number LBNL-50775.

"Securing Collaborative Environments," Workshop on Advanced Collaborative Environments, Edinburgh, Scotland, July 26, 2002.

"Group Communication: Changing the Paradigm on the Internet," Invited talk by Deb Agarwal at the Universite Catholique de Louvain, Belgium, July 6, 2002.

References

[1] E. Bresson, O.Chevassut and D. Pointcheval, "The Group Diffie-Hellman Problems", Proceedings of Selected Areas in Cryptography (SAC'02), St John's, Newfoundland, Canada, August 15 - 16, 2002. Also, LBNL report number LBNL-50775.

[2] E. Bresson, O. Chevassut and D. Pointcheval, "Group Diffie-Hellman Key Exchange under Standard Assumptions", Proceedings of Eurocrypt'02, Amsterdam, Netherlands, April 28-May 2, 2002, pp 321-336. Also, LBNL report number LBNL-49087.

[3] D. Agarwal, K. Jackson, M. Thompson, "Securing Collaborative Environments," Accepted for publication in the proceedings of the Workshop on Advanced Collaborative Environments, Edinburgh, Scotland, July 26, 2002.

Workshops


Reporting period - This report covers work completed March, 2002 - May, 2002

InterGroup Reliable Multicast:

This quarter we published a journal article describing the InterGroup protocols [2]. Version 1.0 alpha of the InterGroup protocols was also released this quarter. This release features a redesigned API to provide both an easy to use and powerful interface to the application developer. This release contains the API in Java; a C++ API will be released next quarter. This release also allows the InterGroup protocols to be run as a daemon. Thus, the user API can be run as a separate process that may be located on a machine separate from the daemon. We use TCP for communication between the API and the daemon. In addition, a chat application has been bundled with the release of InterGroup as an example application. We also continue work on the theoretical aspects of the membership protocols.

Authenticated Group Diffie-Hellman Key Exchange:

Group Diffie-Hellman schemes for password-based key exchange are designed to provide a pool of players communicating over a public network, and sharing just a human-memorable password, with a session key (e.g., the key is used for multicast data integrity and confidentiality). The fundamental security goal to achieve in this scenario is security against dictionary attacks. While solutions have been proposed to solve this problem, no formal treatment has ever been suggested. In [1], we have defined a security model and then presented a protocol with its security proof. Our security reduction is of particular interest since it is also the first complete reduction to appear for a two-party password-based key exchange protocol. We are also working on an implementation of the Secure Group Layer.

Presentations

We have spent significant effort this quarter publicizing the work we are doing on this project. We attended several conferences and meetings. A list of the presentations given this quarter is below. For copies of the presentations and papers from this project, please check our project home page.

"Reliable and Secure Group Communication", Presented by D. Agarwal at the CITRIS NorCal Networking Research Meeting, Berkeley, CA, March 1, 2002.

"Efficient and Secure Coordination Channels in the Access Grid", Presented by D. Agarwal at the Access Grid Retreat, San Diego, CA, March 4-5, 2002.

"Group Diffie-Hellman Key Exchange under Standard Assumptions", Presented by O. Chevassut at Eurocrypt'02, Amsterdam, Netherlands, April 28-May 2, 2002.

References

[1] E. Bresson, O. Chevassut and D. Pointcheval, "Group Diffie-Hellman Key Exchange Secure Against Dictionary Attacks", submitted for publication. Also, LBNL report number LBNL-49479.

[2] K. Berket, D. A. Agarwal, O. Chevassut, "A Practical Approach to the InterGroup Protocols," Future Generation Computer Systems, volume 18, number 5 (April 2002), pp. 709-719.

[3] D. Agarwal, K. Jackson, M. Thompson, "Securing Collaborative Environments," Accepted for publication in the proceedings of the Workshop on Advanced Collaborative Environments, Edinburgh, Scotland, July 26, 2002.


Reporting period - This report covers work completed December, 2001 - February, 2002

Work on the reliable and secure group communication project this quarter focused on three primary areas: implementation of the InterGroup reliable multicast protocols, cryptographic foundations for the group security algorithms, and presentations describing the project and progress. We have made significant progress in each of these areas in the last quarter.

InterGroup Reliable Multicast:

We are continuing our work on the design, implementation, testing and debugging of the InterGroup protocols. We have redesigned the API of the InterGroup protocols to provide both an easy to use and powerful interface to the application developer. We have designed this API in C++ and Java. In the design, we have separated the bulk of the InterGroup protocols from the user interface. This allows the InterGroup protocols to be run as a daemon, and the user API can be run as a separate process that may be located on a machine separate from the daemon. We use TCP for communication between these components. We also continued work on the theoretical aspects of the membership protocols and incorporated the updated protocols into the implementation. We are in the process of implementing and testing the InterGroup design changes. We expect to have a release with all these enhancements available in the upcoming quarter. In addition, the example chat application has been tested with the help of users at LBL and UCSB. These tests have led to refinement of the application. This application will be bundled as an example application in the upcoming release of the InterGroup software.

Authenticated Group Diffie-Hellman Key Exchange:

Authenticated Diffie-Hellman key exchange allows two principals communicating over a public network, and each holding public/private keys, to agree on a shared secret value. In [1] we studied the natural extension of this cryptographic problem to a group of principals. We began from existing formal security models [2,3] and refined them to incorporate major missing details (e.g., strong-corruption and concurrent sessions). Within this model we defined the execution of a protocol for authenticated dynamic group Diffie-Hellman and showed that it is provably secure under the decisional Diffie-Hellman assumption. Our security result holds in the standard model and thus provides better security guarantees than our previous results in the random oracle model [2,3].

Presentations

We have spent significant effort this quarter publicizing the work we are doing on this project. We attended several conferences and meetings. A list of the presentations given this quarter is below. For copies of the presentations and papers from this project, please check our project home page.

"Securing Collaborative Environments," Presented by D. Agarwal at the Global Grid Forum Advanced Collaborative Environments Research Group Meeting, Toronto, Canada, February 17-20, 2002.

"Reliable and Secure Group Communication," Presented by D. Agarwal at the Annual Meeting of the DOE National Collaboratories Projects, Reston, VA, January 17, 2002.

"Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case," Presented by Olivier Chevassut at the Asiacrypt Conference, Queensland, Australia, Dec 9-13, 2001.

References

[1] E. Bresson, O. Chevassut and D. Pointcheval, "Group Diffie-Hellman Key Exchange under Standard Assumptions", Proceedings of Eurocrypt'02, Amsterdam, Netherlands, April 28-May 2, 2002, pp ??. Also, LBNL report number LBNL-49087.

[2] E. Bresson, O. Chevassut and D. Pointcheval, "Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case", Proceedings of Asiacrypt'01, Dec 9-13, Gold Coast, Queensland, Australia, pp 290-309. Also, LBNL report number LBNL-48202.

[3] E. Bresson, O. Chevassut, D. Pointcheval and J. J. Quisquater, "Provably Authenticated Group Diffie-Hellman Key Exchange", Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, Nov 6-8, 2001, pp 255-264. Also, LBNL report number LBNL-47585.


Reporting period - This report covers work completed November, 2001

Work on the reliable and secure group communication project this quarter can be broken into three areas: implementation of the InterGroup reliable multicast protocols, building a cryptographic foundation for the group security algorithms, and implementation of the group security capability. We have made significant progress in each of these areas during the last quarter.

InterGroup Reliable Multicast:

During this quarter we have continued our work on the design, implementation, testing and debugging of the InterGroup protocols. Some of the improvements include the enhancement of the control group implementation and the added ability for the application to request its own process name. The current alpha release of the InterGroup protocol implementation is available on the project website. An alpha release of the software was also included on the grid tools CD which was distributed at SC 2001.

We also published a journal article describing the InterGroup protocols. The article, "A Practical Approach to the InterGroup Protocols," will appear in a special issue of the Future Generation Computer Systems journal [2].

In addition, an example application based on the InterGroup protocols was developed. It is a simplistic chat application. This chat application uses the InterGroup protocols for membership and communication, instead of a server. It provides an example of how to use the protocols and the power of the group communication paradigm. This application will be bundled in the next release of the InterGroup software.

Authenticated Group Diffie-Hellman Key Exchange:

Group Diffie-Hellman protocols for authenticated key exchange are designed to provide a pool of players with a shared session key which they later use to achieve multicast message confidentiality and multicast message integrity. Over the years, several protocols have been offered; however, no formal treatment for this cryptographic problem has ever been suggested. In [3,4], we provided the first formal treatment of this protocol problem for a scenario in which the membership is static (members join the group at startup) and a scenario wherein the group membership is dynamic (members can join and leave the group at any time). We also presented a security model and used it to precisely define implicit authentication as the fundamental goal and the entity-authentication goal as well. We defined in this model the execution of an authenticated group Diffie-Hellman protocol and showed that under well-defined intractability assumptions the protocol achieves strong security requirements.

Secure Group Layer:

One challenge in building a multicast protocol for use over a wide-area network is security. When communication is conducted on the global Internet, security is crucial since the messages traverse many links which are prone to attacks. Consequently, it is desirable to construct a comprehensive secure, efficient and reliable group communication system. We published in [1] a description of SGL, a group communication platform that applications can rely on to provide secure and reliable coordination among their components spread across the Internet. We also brought to light a number of challenging issues encountered when designing and implementing a prototype for secure and reliable group communication. The prototype of a Secure Group Layer (SGL) bundles the reliable multicast group communication system (Totem), an authorization server (Akenti), and a group Diffie-Hellman protocol to establish a session key. SGL also encapsulates the standard message security services (i.e., confidentiality, authenticity and integrity).

Standards Efforts:

We have been tracking work by the IETF and IRTF. The IRTF Reliable Multicast Research Group is currently dormant. The IETF Reliable Multicast Transport working group is focused on single-source multicast. We are awaiting the first draft of a TCP-Friendly Multicast Congestion Control protocol specification that will be submitted in that working group soon.

References

[1] "An Integrated Solution for Secure Group Communication in Wide-Area Networks," D. A. Agarwal, O. Chevassut, M. R. Thompson and G. Tsudik, Proceedings of the 6th IEEE Symposium on Computers and Communications, Hammamet, Tunisia, July 3-5, 2001, pp 22-28. Also, LBNL report number LBNL-47158.

[2] "A Practical Approach to the InterGroup Protocols," K. Berket, D. A. Agarwal, O. Chevassut, To appear in Future Generation Computer Systems. Also, LBNL report number LBNL-49126.

[3] "Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case," E. Bresson, O. Chevassut, D. Pointcheval. To appear in the Proceedings of Asiacrypt 2001, Dec 9-13, Gold Coast, Queensland, Australia. Also, LBNL report number LBNL-48202.

[4] "Provably Authenticated Group Diffie-Hellman Key Exchange," E. Bresson, O. Chevassut, D. Pointcheval, and J. J. Quisquater. Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, Nov 6-8, 2001. Also, LBNL report number LBNL-47585.



Page last modified: Wednesday, 03-Mar-2004 18:28:07 PST
Contact: Webmaster <webmaster@george.lbl.gov>
Credits: Secure and Reliable Group Communications research and development is funded by the U.S. Dept. of Energy, Office of Science, Office of Advanced Scientific Computing Research, Mathematical, Information, and Computational Sciences Division.