On The Logical Verification of a Group Key Agreement Protocol for Resource Constrained Mobile Devices

Yue Li
Department of Electronic and Computer Engineering
University of Limerick, Limerick, Ireland.
Yue.Li@ul.ie

Thomas Newe
Department of Electronic and Computer Engineering
University of Limerick, Limerick, Ireland.
Thomas.Newe@ul.ie

Abstract— Due to the rapid growth of mobile networks, many advanced applications have been deployed. However, security of data will be an important factor for their full adoption. Most of these applications will be utilized on resource constrained devices, which makes security protocols currently used in wired networks not fully applicable to mobile networks. Recently, a number of key agreement protocols have been proposed for use with wireless networks involving resource-limited devices. These include the DDH-based group key agreement protocol [1], the protocol proposed by Bresson et al. [2] and Tseng’s protocol [3]. In order to provide assurance that these protocols are verifiably secure and trustworthy, it is necessary to perform a formal verification on their design specifications. In this paper Tseng’s protocol is discussed and a formal verification is performed using the Coffey-Saidha-Newe (CSN) modal logic [4]. As a result of this verification some potential problems with the protocol are presented.

Keywords: network security, group key agreement, formal method, modal logic, wireless communication.

I. INTRODUCTION

In recent years, mobile applications such as wireless internet services, mobile access services and mobile e-commerce have gained in popularity. Most of those mobile applications carry important, highly private data, so building a secure communication system for them is essential. However, it is difficult to provide strong protection for wireless communications in a mobile application where devices are resource constrained.
Although mobile computing technology has become more powerful and accessible than ever before, mobile devices are still typically characterized by low processing capability and limited power supply. Considering the low-power computing capability of mobile devices, the design of security protocols well suited for wireless mobile networks is a significant challenge because most cryptographic algorithms require many expensive computations.

The design of secure group key agreement protocols is one of many important security issues. A group key establishment protocol allows participants to construct a group key that is used to encrypt/decrypt transmitted messages among the participants over an open channel. Recently, Bresson et al. [2] and Tseng [3] proposed two group key agreement protocols suitable for asymmetric wireless networks, which consist of a high-performance stationary computer with no power constraint and a cluster of low-performance mobile devices with battery power. However, the security of these protocols has not yet been formally verified. To provide this formal verification the Coffey-Saidha-Newe (CSN) modal logic [4] is used.

In this paper, Tseng’s group key agreement protocol is discussed. The Coffey-Saidha-Newe (CSN) logic is then presented and a formal analysis of Tseng’s protocol is given. As a result of this formal verification a weakness in the protocol is suggested.

II. TSENG’S AUTHENTICATED KEY AGREEMENT PROTOCOL

A group key agreement protocol relies on shared long-term keys between participants and servers in order to allow participants to construct a group key. This means that once a shared group session key is established among the group, symmetric encryption algorithms can be used to encrypt/decrypt the mission-critical messages and control information [5]. Symmetric key algorithms are generally used due to the computational limitations of current mobile devices. Recently, Bresson et al.
proposed an authenticated key agreement protocol [2] for resource-limited wireless nodes. The protocol suits such nodes because it employs an online/offline signature scheme [6] and shifts much of the total amount of computation to the high-performance server. Bresson et al. claimed that their authenticated protocol offers partial forward secrecy and is secure against some attacks. However, Nam et al. [7] pointed out that the Bresson key agreement protocol had security flaws. Tseng [3] proposed another authenticated key agreement protocol aimed at providing implicit key authentication and forward secrecy. This protocol is discussed in this section and will be formally verified in section 4.

2007 Australasian Telecommunication Networks and Applications Conference, December 2nd – 5th 2007, Christchurch, New Zealand