RFID security presentation

Post on 26-Jun-2015


DESCRIPTION

Smartcard-based protocols represent an increasingly large share of the wireless authentication solutions market, from contactless payments to remote car unlocking. Unfortunately, relay attacks pose a significant threat to this development. However, such attacks could be mitigated through the use of distance-bounding protocols. In this talk, we will discuss the core challenges for distance-bounding, some of which have recently been overcome, whereas others still stand prominently. We will focus mostly on the security of these wireless protocols, from devastating attacks to new, secure designs. We will finish with a vision for the future of these protocols and the possible and advisable paths towards, e.g., securing contactless payments.

TRANSCRIPT

Research Topics

Ioana Boureanu

Univ. of Applied Sciences Western Switzerland

ICB 2014 ICB Middlesex Uni, Feb. 2014 1 / 3


(automatic) verification (of security)

mobile (Android) security

composable security [secure + secure ?= (in)secure]

(provable) RFID security

crypto design


Touch and Pay: making it secure!

Ioana Boureanu

Univ. of Applied Sciences Western Switzerland

February 19, 2014

ICB 2014 distance-bounding (DB) Middlesex Uni, Feb. 2014 1 / 45

1 Relay Attacks

2 Distance-Bounding

3 Provable Distance Bounding Security

4 Distance Bounding Security vs. Efficiency

5 Challenges and Visions in Distance Bounding


Payments, Remote Unlocking, Access-Control ...

• Keeloq for GM, Volkswagen Group, Volvo, Jaguar. ...

• TI DST


Playing against two chess grandmasters


Relaying is real...!

Attacks by Francillon, Danev, Capkun (ETHZ) against passive keyless entry and start systems used in modern cars.

10 systems tested: not one resisted!


Relaying = Stealing (your money) ...!


Idea: Measuring (Idealized) Communication ... (... at the Speed of Light)

10 ns ←→ 2 × 1.5 m (round-trip)


More Ideas: Round-Trip Time to Prevent Relay Attacks

Identification Tokens, or: Solving the Chess Grandmaster Problem [Beth-Desmedt CRYPTO 1990]

basic idea: measure the communication time exactly

the reader should verify that the proving tag is no further than some bound

later solution: use a distance-bounding (DB) protocol


2 Distance-Bounding

DB Intro

DB Threats

DB Protocols (without post-authentication)

Distance-Bounding (DB) Protocols
introduced in [Brands-Chaum EUROCRYPT 1993]
[Reid et al. ASIACCS 2007]

Verifier (secret: x)                              Prover (secret: x)

initialization phase
pick N_V              ------- N_V ------->        pick N_P
a_1 = f_x(N_P, N_V)   <------ N_P --------        a_1 = f_x(N_P, N_V)
a_2 = a_1 ⊕ x                                     a_2 = a_1 ⊕ x

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2}
start timer_i         ------- c_i ------->
stop timer_i          <------ r_i --------        r_i = a_{1,i}, if c_i = 1
                                                  r_i = a_{2,i}, if c_i = 2
check responses
check timers          ------- Out_V ----->


DB Threats: Mafia Fraud

Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]

P ←→ A ←→ V   (far away)

an adversary A tries to prove that a prover P is close to a verifier V

generalised/strengthened relaying

“DB-specialised” man-in-the-middle attack


DB Threats: Distance Fraud

P∗ ←→ V   (far away)

a malicious, far-away prover P∗ tries to prove that he is close to a verifier V

liability and non-repudiation issues


DB Threats: Terrorist Fraud

Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]

P∗ ←→ A ←→ V   (far away)

a malicious prover P∗ helps an adversary A to prove that P∗ is close to a verifier V, without giving A another advantage

advantage: leaking the secret key

“gain privileges just once”

the toughest fraud to protect against, especially in presence of noise


The Reid et al. Protocol
Detecting Relay Attacks with Timing-based Protocols
[Reid-Nieto-Tang-Senadji ASIACCS 2007]

Verifier (secret: x)                              Prover (secret: x)

initialization phase
pick N_V              ------- N_V ------->        pick N_P
a_1 = f_x(N_P, N_V)   <------ N_P --------        a_1 = f_x(N_P, N_V)
a_2 = a_1 ⊕ x                                     a_2 = a_1 ⊕ x

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2}
start timer_i         ------- c_i ------->
stop timer_i          <------ r_i --------        r_i = a_{c_i,i}
check responses
check timers          ------- Out_V ----->

protects against TF

BUT... this and its extensions vulnerable to MF/MiM [Bay, Boureanu et al. Inscrypt 2012]


The TDB Protocol
How Secret-Sharing can Defeat Terrorist Fraud
[Avoine-Lauradoux-Martin ACM WiSec 2011]

Verifier (secret: x)                              Prover (secret: x)

initialization phase
pick N_V                  <------ N_P --------    pick N_P
a_1∥a_2 = f_x(N_P, N_V)   ------- N_V ------->    a_1∥a_2 = f_x(N_P, N_V)

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2,3}
start timer_i             ------- c_i ------->
stop timer_i              <------ r_i --------    r_i = a_{1,i}                 if c_i = 1
                                                  r_i = a_{2,i}                 if c_i = 2
                                                  r_i = x_i ⊕ a_{1,i} ⊕ a_{2,i}  if c_i = 3
check responses
check timers              ------- Out_V ----->

Distance Fraud with a Programmed PRF against the TDB Protocol
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
PRF programming [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

Verifier (secret: x)                              Malicious Prover (secret: x)

initialization phase
                          <------ N_P --------    pick N_P = x
pick N_V                  ------- N_V ------->
a_1∥a_2 = f_x(N_P, N_V)      a_1 = a_2 = x        a_1∥a_2 = f_x(N_P, N_V)

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2,3}
start timer_i                                     r_i = x_i
                          ------- c_i ------->
                          <------ r_i --------
stop timer_i
check responses
check timers              ------- Out_V ----->

Other Results based on Programmed PRFs
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
[Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

protocol                                                        distance fraud   man-in-the-middle attack
TDB Avoine-Lauradoux-Martin [ACM WiSec 2011]                    √                √
Durholz-Fischlin-Kasper-Onete [ISC 2011]                        √                –
Hancke-Kuhn [Securecomm 2005]                                   √                –
Avoine-Tchamkerten [ISC 2009]                                   √                –
Reid-Nieto-Tang-Senadji [ASIACCS 2007]                          √                √
Swiss-Knife Kim-Avoine-Koeune-Standaert-Pereira [ICISC 2008]    –                √

Known Protocols and Security Results (Without Noise)
success probability of best known attacks (θ < 1 constant)
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

  Protocol              Distance-Fraud    MiM               Terrorist-Fraud
† Brands & Chaum        (1/2)^n           (1/2)^n           1, negl
† Bussard & Bagga       1                 (1/2)^n           1, negl
† Capkun et al.         (1/2)^n           (1/2)^n           1, negl
† Hancke & Kuhn         (3/4)^n to 1      (3/4)^n           1, negl
† Reid et al.           (3/4)^n to 1      1                 (3/4)^(θn), negl
† Singelee & Preneel    (1/2)^n           (1/2)^n           1, negl
† Tu & Piramuthu        (3/4)^n           1                 (3/4)^(θn), negl
† Munilla & Peinado     (3/4)^n           (3/5)^n           1, negl
! Swiss-Knife           (3/4)^n           (1/2)^n to 1      (3/4)^(θn), negl
† Kim & Avoine          (7/8)^n           (1/2)^n           1, negl
† Nikov & Vauclair      1/k               (1/2)^n           1, negl
! Avoine et al.         (3/4)^n to 1      (2/3)^n to 1      (2/3)^(θn), negl
" SKI                   (3/4)^n           (2/3)^n           γ, γ′
" Fischlin & Onete      (3/4)^n           (3/4)^n           γ = γ′

Known Protocols and Security Results (Noise-Tolerant)
success probability of best known attacks
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

  Protocol              Distance-Fraud       MiM                  Terrorist-Fraud
† Brands & Chaum        B(n,τ,1/2)           B(n,τ,1/2)           1, negl
† Bussard & Bagga       1                    B(n,τ,1/2)           1, negl
† Capkun et al.         B(n,τ,1/2)           B(n,τ,1/2)           1, negl
† Hancke & Kuhn         B(n,τ,3/4) to 1      B(n,τ,3/4)           1, negl
† Reid et al.           B(n,τ,3/4) to 1      1                    1, negl
† Singelee & Preneel    B(n,τ,1/2)           B(n,τ,1/2)           1, negl
† Tu & Piramuthu        B(n,τ,3/4)           1                    1, negl
† Munilla & Peinado     B(n,τ,3/4)           B(n,τ,3/5)           1, negl
† Swiss-Knife           B(n,τ,3/4)           B(n,τ,1/2) to 1      1, negl
† Kim & Avoine          B(n,τ,7/8)           B(n,τ,1/2)           1, negl
† Nikov & Vauclair      1/k                  B(n,τ,1/2)           1, negl
† Avoine et al.         B(n,τ,3/4) to 1      B(n,τ,2/3) to 1      1, negl
" SKI                   B(n,τ,3/4)           B(n,τ,2/3)           γ, γ′
" Fischlin & Onete      B(n,τ,3/4)           B(n,τ,3/4)           γ = γ′


3 Provable Distance Bounding Security

Motivation

Model

The SKI Protocol

Why Provable Security?

only security arguments by best attack scenarios

many insecurities recently proven (as shown above)

many “pseudo-proofs” use incorrect arguments (e.g., sufficient PRF-ness, etc.)


DB Formalism [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

formal communication model, integrating time

formal security model and threat model based on interactive proofs

cryptographic assumptions/tools for the design/proofs

PRF-masking

circular-keying

leakage scheme


The SKI Protocol
[Boureanu-Mitrokotsa-Vaudenay Lightsec 2013, BMV ISC 2013]

Verifier (secret: x)                                   Prover (secret: x)

initialization phase
                              <------ N_P ----------   pick N_P
pick a, L_μ, N_V              --- M, L_μ, N_V ----->
M = a ⊕ f_x(N_P, N_V, L_μ)                             a = M ⊕ f_x(N_P, N_V, L_μ)
x′ = L_μ(x)                                            x′ = L_μ(x)

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2,3}
start timer_i                 ------- c_i --------->
stop timer_i                  <------ r_i ----------   r_i = a_{1,i}                  if c_i = 1
                                                       r_i = a_{2,i}                  if c_i = 2
                                                       r_i = x′_i ⊕ a_{1,i} ⊕ a_{2,i}  if c_i = 3
check #{i : r_i and timer_i correct} ≥ τ
                              ------- Out_V ------->

f is a circular-keying secure PRF, L_μ(x) = (μ · x, ..., μ · x)

The SKI Protocol: F-Scheme

secret sharing scheme to prevent MiM [ALM WiSec 2011]

The SKI Protocol: Leakage Scheme

leak L(x) in the case of a terrorist fraud [BMV ISC 2013]

The SKI Protocol: PRF Masking

P has no influence on the distribution of a [BMV Latincrypt 2012]

The SKI Protocol: Circular-Keying PRF

PRF secure with a reuse of the key [BMV ISC 2013]
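Added example (not the authors' code): a simulation of the SKI exchange shown on the slides above, with both sides' computations and the verifier's count of rounds that have a correct reply and a correct timer. HMAC-SHA256 stands in for f_x for illustration only (it is not claimed to be circular-keying secure), the timer models propagation delay only, and all function and parameter names are assumptions.

```python
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond

def prf_bits(key, data, nbits):
    """Stand-in for f_x: HMAC-SHA256 in counter mode, expanded to nbits bits (assumption)."""
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, data + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return [(out[i // 8] >> (i % 8)) & 1 for i in range(nbits)]

def leak(mu, x, n):
    """L_mu(x) = (mu.x, ..., mu.x): GF(2) inner product of mu and x, repeated n times."""
    dot = bin(int.from_bytes(mu, "big") & int.from_bytes(x, "big")).count("1") & 1
    return [dot] * n

def reply(a1, a2, xp, i, c):
    """r_i for challenge c in {1, 2, 3}: a1_i, a2_i, or x'_i xor a1_i xor a2_i."""
    return (a1[i], a2[i], xp[i] ^ a1[i] ^ a2[i])[c - 1]

def run_ski(x_verifier, x_prover, n, tau, bound_m, distance_m, relay_delay_ns=0.0):
    """Simulate one SKI session; return (Out_V, rounds with correct reply and timer)."""
    rng = secrets.SystemRandom()
    # Initialization phase: P sends N_P; V picks a, mu, N_V and sends M, mu, N_V.
    n_p, n_v = secrets.token_bytes(16), secrets.token_bytes(16)
    mu = secrets.token_bytes(len(x_verifier))
    a = [rng.randrange(2) for _ in range(2 * n)]                 # a = a1 || a2
    m = [s ^ f for s, f in zip(a, prf_bits(x_verifier, n_p + n_v + mu, 2 * n))]
    # Prover unmasks M with its own key and derives x' = L_mu(x).
    a_p = [s ^ f for s, f in zip(m, prf_bits(x_prover, n_p + n_v + mu, 2 * n))]
    xp_p, xp_v = leak(mu, x_prover, n), leak(mu, x_verifier, n)
    # Distance-bounding phase: idealized timer = propagation time plus relay delay.
    max_rtt_ns = 2 * bound_m / C_M_PER_NS
    rtt_ns = 2 * distance_m / C_M_PER_NS + relay_delay_ns
    good = 0
    for i in range(n):
        c = rng.randrange(1, 4)                                  # c_i in {1, 2, 3}
        r = reply(a_p[:n], a_p[n:], xp_p, i, c)                  # prover's answer
        expected = reply(a[:n], a[n:], xp_v, i, c)               # verifier's own value
        if r == expected and rtt_ns <= max_rtt_ns:
            good += 1
    return good >= tau, good

if __name__ == "__main__":
    key = secrets.token_bytes(16)  # constructed sample key
    print("honest, 1 m away:   ", run_ski(key, key, 64, 60, 1.5, 1.0))
    print("relayed, 30 m away: ", run_ski(key, key, 64, 60, 1.5, 30.0, relay_delay_ns=50))
    print("wrong key, 1 m away:", run_ski(key, secrets.token_bytes(16), 64, 60, 1.5, 1.0))
```

With a 1.5 m bound the accepted round-trip time is about 10 ns, matching the figure on the speed-of-light slide; a session relayed over 30 m fails every timer even though every reply is correct.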

SKI Security

Theorem. If f is a circular-keying secure PRF,

there is no DF with $\Pr[\text{success}] \ge B(n,\tau,\tfrac{3}{4}) - \mathrm{negl}(s)$

there is no MiM with $\Pr[\text{success}] \ge B(n,\tau,\tfrac{2}{3}) - \mathrm{negl}(s)$

s-soundness for $\Pr[\text{success}] \ge \frac{1}{\mathrm{negl}(s)}\, B(\tfrac{n}{2}, \tau - \tfrac{n}{2}, \tfrac{2}{3})$

where s is the length of x and

$$B(n,\tau,\rho) = \sum_{i=\tau}^{n} \binom{n}{i} \rho^{i} (1-\rho)^{n-i}$$

4 Distance Bounding Security vs. Efficiency

Bitlength-Equivalent Security / the Number of Rounds
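Added example (not from the talk): an exact computation of the binomial tail B(n,τ,ρ) from the SKI theorem, the resulting DF and MiM bounds expressed as bits of security, and a search for the smallest number of rounds n that reaches a target. The per-round noise model, the 99% completeness target and all function names are assumptions of this sketch; the negl(s) terms are dropped.

```python
from fractions import Fraction
from math import comb, log2

def B(n, tau, rho):
    """Binomial tail B(n, tau, rho) = sum_{i=tau}^{n} C(n,i) rho^i (1-rho)^(n-i), exact."""
    rho = Fraction(rho)
    return sum(comb(n, i) * rho**i * (1 - rho)**(n - i)
               for i in range(max(tau, 0), n + 1))

def ski_bounds(n, tau):
    """DF and MiM success bounds from the SKI theorem, negl(s) terms dropped."""
    return {"DF": B(n, tau, Fraction(3, 4)), "MiM": B(n, tau, Fraction(2, 3))}

def security_bits(p):
    """Bitlength-equivalent security of a success probability p."""
    return float("inf") if p == 0 else -log2(p)

def largest_tau(n, noise, completeness):
    """Largest tau an honest prover still meets with probability >= completeness,
    when each round independently fails with probability `noise` (assumed model)."""
    good, tail = 1 - Fraction(noise), Fraction(0)
    for tau in range(n, -1, -1):
        tail += comb(n, tau) * good**tau * (1 - good)**(n - tau)
        if tail >= completeness:
            return tau
    return 0

def min_rounds(target_bits, noise, completeness=Fraction(99, 100), n_max=400):
    """Smallest n, with its tau, keeping both bounds <= 2^-target_bits.
    Returns (n, tau), or None if n_max rounds are not enough."""
    limit = Fraction(1, 2**target_bits)
    for n in range(1, n_max + 1):
        tau = largest_tau(n, noise, completeness)
        if max(ski_bounds(n, tau).values()) <= limit:
            return n, tau
    return None

if __name__ == "__main__":
    for noise in (0, Fraction(1, 20)):
        n, tau = min_rounds(10, noise)
        bounds = ski_bounds(n, tau)
        print(f"noise={float(noise):.2f}: n={n}, tau={tau}, "
              f"DF={security_bits(bounds['DF']):.1f} bits, "
              f"MiM={security_bits(bounds['MiM']):.1f} bits")
```

Without noise the threshold is τ = n and the DF bound is (3/4)^n, so 10 bits of security already take 25 rounds; tolerating noise forces τ below n and raises the round count further.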


5 Challenges and Visions in Distance Bounding

Partial Conclusions

Where to?

Some Partial Conclusions

problems with security proofs based on PRF

problems when introducing noise-tolerance

some new, good models for DB protocols

SKI

" provably secure, noise tolerant

! non-binary challenges

! non-standard PRF


Open Problems ... or Commercial DB

make protocols efficient

tight/optimal DB security

build up public-key DB protocols

implement DB


Efficient and Optimal Protocols

make protocols efficient and security-tight

drop, e.g., TF-resistance (and DF)?

consider just MiM?


DB Implementation

one existing wired implementation

propagation delays are much shorter (ns) than processing times (ms)

some promising wireless experiments exist (e.g., ETHZ, CEA Leti, EPFL)

Mifare Plus contains a kind of distance bounding protocol


Conclusions

relays are real...

and ... we still have some way to go beyond the first provably secure DB designs
