rfid security presentation
Post on 26-Jun-2015
Research Topics
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland
ICB 2014 ICB Middlesex Uni, Feb. 2014 1 / 3
(automatic) verification (of security)
mobile (Android) security
composable security [secure + secure ?= (in)secure]
(provable) RFID security
crypto design
Touch and Pay: making it secure!
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland
February 19, 2014
ICB 2014 distance-bounding (DB) Middlesex Uni, Feb. 2014 1 / 45
1 Relay Attacks
2 Distance-Bounding
3 Provable Distance Bounding Security
4 Distance Bounding Security vs. Efficiency
5 Challenges and Visions in Distance Bounding
Payments, Remote Unlocking, Access-Control ...
• Keeloq for GM, Volkswagen Group, Volvo, Jaguar. ...
• TI DST
Playing against two chess grandmasters
Relaying is real...!
Attacks by Francillon, Danev, Capkun (ETHZ) against passive keyless entry and start systems used in modern cars.
10 systems tested: not one resisted!
Relaying = Stealing (your money) ...!
Idea: Measuring (Idealized) Communication ... (... at the Speed of Light)
10 ns ←→ 2 × 1.5 m (round-trip)
More Ideas: Round-Trip Time to Prevent Relay Attacks
Identification Tokens, or: Solving the Chess Grandmaster Problem [Beth-Desmedt CRYPTO 1990]
basic idea: measure the communication time exactly
the reader should verify that the proving tag is no further than some bound
later solution: use a distance-bounding (DB) protocol
2 Distance-Bounding
  DB Intro
  DB Threats
  DB Protocols (without post-authentication)
Distance-Bounding (DB) Protocols
introduced in [Brands-Chaum EUROCRYPT 1993]
[Reid et al. ASIACCS 2007]

Verifier                                          Prover
secret: x                                         secret: x

                    initialization phase
pick N_V                ---- N_V ---->            pick N_P
a1 = f_x(N_P, N_V)      <---- N_P ----            a1 = f_x(N_P, N_V)
a2 = a1 ⊕ x                                       a2 = a1 ⊕ x

                    distance bounding phase
                    for i = 1 to n
pick c_i ∈ {1,2}
start timer_i           ---- c_i ---->
stop timer_i            <---- r_i ----            r_i = a_{1,i}, if c_i = 1
                                                  r_i = a_{2,i}, if c_i = 2
check responses
check timers            ---- Out_V ---->
DB Threats: Mafia Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
P ←→ A ←→ V   [underbrace: far away]
an adversary A tries to prove that a prover P is close to a verifier V
generalised/strengthened relaying
“DB-specialised” man-in-the-middle attack
DB Threats: Distance Fraud
P∗ ←→ V   [underbrace: far away]
a malicious, far-away prover P∗ tries to prove that he is close to a verifier V
liability and non-repudiation issues
DB Threats: Terrorist Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
P∗ ←→ A ←→ V   [underbrace: far away]
a malicious prover P∗ helps an adversary A to prove that P∗ is close to a verifier V, without giving A another advantage
advantage: leaking the secret key
“gain privileges just once”
the toughest fraud to protect against, especially in presence of noise
The Reid et al. Protocol
Detecting Relay Attacks with Timing-based Protocols [Reid-Nieto-Tang-Senadji ASIACCS 2007]

Verifier                                          Prover
secret: x                                         secret: x

                    initialization phase
pick N_V                ---- N_V ---->            pick N_P
a1 = f_x(N_P, N_V)      <---- N_P ----            a1 = f_x(N_P, N_V)
a2 = a1 ⊕ x                                       a2 = a1 ⊕ x

                    distance bounding phase
                    for i = 1 to n
pick c_i ∈ {1,2}
start timer_i           ---- c_i ---->
stop timer_i            <---- r_i ----            r_i = a_{c_i,i}
check responses
check timers            ---- Out_V ---->

protects against TF
BUT... this and its extensions vulnerable to MF/MiM [Bay, Boureanu et al. INSCRIPT 2012]
The TDB Protocol
How Secret-Sharing can Defeat Terrorist Fraud [Avoine-Lauradoux-Martin ACM WiSec 2011]

Verifier                                          Prover
secret: x                                         secret: x

                    initialization phase
pick N_V                <---- N_P ----            pick N_P
a1∥a2 = f_x(N_P, N_V)   ---- N_V ---->            a1∥a2 = f_x(N_P, N_V)

                    distance bounding phase
                    for i = 1 to n
pick c_i ∈ {1,2,3}
start timer_i           ---- c_i ---->
stop timer_i            <---- r_i ----            r_i = a_{1,i}                  if c_i = 1
                                                  r_i = a_{2,i}                  if c_i = 2
                                                  r_i = x_i ⊕ a_{1,i} ⊕ a_{2,i}  if c_i = 3
check responses
check timers            ---- Out_V ---->
Distance Fraud with a Programmed PRF against the TDB Protocol
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
PRF programming [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

Verifier                                          Malicious Prover
secret: x                                         secret: x

                    initialization phase
                        <---- N_P ----            pick N_P = x
pick N_V                ---- N_V ---->
a1∥a2 = f_x(N_P, N_V)   a1 = a2 = x               a1∥a2 = f_x(N_P, N_V)

                    distance bounding phase
                    for i = 1 to n
pick c_i ∈ {1,2,3}
start timer_i                                     r_i = x_i
                        ---- c_i ---->
                        <---- r_i ----
stop timer_i
check responses
check timers            ---- Out_V ---->
Other Results based on Programmed PRFs
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

protocol                                                         distance fraud   man-in-the-middle attack
TDB Avoine-Lauradoux-Martin [ACM WiSec 2011]                     √                √
Durholz-Fischlin-Kasper-Onete [ISC 2011]                         √                –
Hancke-Kuhn [Securecomm 2005]                                    √                –
Avoine-Tchamkerten [ISC 2009]                                    √                –
Reid-Nieto-Tang-Senadji [ASIACCS 2007]                           √                √
Swiss-Knife Kim-Avoine-Koeune-Standaert-Pereira [ICISC 2008]     –                √
Known Protocols and Security Results (Without Noise)
success probability of best known attacks (θ < 1 constant)
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

                        Success Probability
  Protocol              Distance-Fraud    MiM               Terrorist-Fraud
† Brands & Chaum        (1/2)^n           (1/2)^n           1, negl
† Bussard & Bagga       1                 (1/2)^n           1, negl
† Capkun et al.         (1/2)^n           (1/2)^n           1, negl
† Hancke & Kuhn         (3/4)^n to 1      (3/4)^n           1, negl
† Reid et al.           (3/4)^n to 1      1                 (3/4)^(θn), negl
† Singelee & Preneel    (1/2)^n           (1/2)^n           1, negl
† Tu & Piramuthu        (3/4)^n           1                 (3/4)^(θn), negl
† Munilla & Peinado     (3/4)^n           (3/5)^n           1, negl
! Swiss-Knife           (3/4)^n           (1/2)^n to 1      (3/4)^(θn), negl
† Kim & Avoine          (7/8)^n           (1/2)^n           1, negl
† Nikov & Vauclair      1/k               (1/2)^n           1, negl
! Avoine et al.         (3/4)^n to 1      (2/3)^n to 1      (2/3)^(θn), negl
" SKI                   (3/4)^n           (2/3)^n           γ, γ′
" Fischlin & Onete      (3/4)^n           (3/4)^n           γ = γ′
Known Protocols and Security Results (Noise-Tolerant)
success probability of best known attacks
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

                        Success Probability
  Protocol              Distance-Fraud      MiM                 Terrorist-Fraud
† Brands & Chaum        B(n,τ,1/2)          B(n,τ,1/2)          1, negl
† Bussard & Bagga       1                   B(n,τ,1/2)          1, negl
† Capkun et al.         B(n,τ,1/2)          B(n,τ,1/2)          1, negl
† Hancke & Kuhn         B(n,τ,3/4) to 1     B(n,τ,3/4)          1, negl
† Reid et al.           B(n,τ,3/4) to 1     1                   1, negl
† Singelee & Preneel    B(n,τ,1/2)          B(n,τ,1/2)          1, negl
† Tu & Piramuthu        B(n,τ,3/4)          1                   1, negl
† Munilla & Peinado     B(n,τ,3/4)          B(n,τ,3/5)          1, negl
† Swiss-Knife           B(n,τ,3/4)          B(n,τ,1/2) to 1     1, negl
† Kim & Avoine          B(n,τ,7/8)          B(n,τ,1/2)          1, negl
† Nikov & Vauclair      1/k                 B(n,τ,1/2)          1, negl
† Avoine et al.         B(n,τ,3/4) to 1     B(n,τ,2/3) to 1     1, negl
" SKI                   B(n,τ,3/4)          B(n,τ,2/3)          γ, γ′
" Fischlin & Onete      B(n,τ,3/4)          B(n,τ,3/4)          γ = γ′
3 Provable Distance Bounding Security
  Motivation
  Model
  The SKI Protocol
Why Provable Security?
only security arguments by best attack scenarios
many insecurities recently proven (as shown above)
many “pseudo-proofs” use incorrect arguments (e.g., sufficient PRF-ness, etc.)
DB Formalism [Boureanu-Mitrokotsa-Vaudenay ISC 2013]
formal communication model, integrating time
formal security model and threat model based on interactive proofs
cryptographic assumptions/tools for the design/proofs
  PRF-masking
  circular-keying
  leakage scheme
The SKI Protocol [Boureanu-Mitrokotsa-Vaudenay Lightsec 2013, BMV ISC 2013]

Verifier                                               Prover
secret: x                                              secret: x

                       initialization phase
                           <---- N_P ----              pick N_P
pick a, L_µ, N_V           ---- M, L_µ, N_V ---->
M = a ⊕ f_x(N_P, N_V, L_µ)                             a = M ⊕ f_x(N_P, N_V, L_µ)
x′ = L_µ(x)                                            x′ = L_µ(x)

                       distance bounding phase
                       for i = 1 to n
pick c_i ∈ {1,2,3}
start timer_i              ---- c_i ---->
stop timer_i               <---- r_i ----              r_i = a_{1,i}                   if c_i = 1
                                                       r_i = a_{2,i}                   if c_i = 2
                                                       r_i = x′_i ⊕ a_{1,i} ⊕ a_{2,i}  if c_i = 3
check #{i : r_i and timer_i correct} ≥ τ
                           ---- Out_V ---->

f is a circular-keying secure PRF, L_µ(x) = (µ · x, ..., µ · x)
The SKI Protocol: F-Scheme
secret sharing scheme to prevent from MiM [ALM WISEC 2011]
The SKI Protocol: Leakage Scheme
leak L(x) in the case of a terrorist fraud [BMV, ISC 2013]
The SKI Protocol: PRF Masking
P has no influence on the distribution of a [BMV LATINCRYPT 2012]
The SKI Protocol: Circular-Keying PRF
PRF secure with a reuse of the key [BMV ISC 2013]
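The SKI exchange from the slides above, as an added Python simulation that is not part of the original talk: it runs the initialization phase (PRF masking of a, leakage x′ = L_µ(x)), the timed challenge/response rounds, and the verifier's threshold check against τ. Assumptions: HMAC-SHA256 in counter mode stands in for f_x (the slides require a circular-keying secure PRF, which is not claimed for this stand-in), timing is idealized to propagation delay only, and all function and parameter names (`ski_session`, `noisy_rounds`, ...) are hypothetical.

```python
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond

def rtt_bound_ns(bound_m: float) -> float:
    """Largest round-trip time an idealized prover within bound_m can show."""
    return 2 * bound_m / C_M_PER_NS

def prf_bits(x: bytes, n_p: bytes, n_v: bytes, mu: bytes, nbits: int) -> list:
    """Stand-in for f_x(N_P, N_V, L_mu): HMAC-SHA256 in counter mode (assumption)."""
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        msg = n_p + n_v + mu + ctr.to_bytes(4, "big")
        out += hmac.new(x, msg, hashlib.sha256).digest()
        ctr += 1
    return [(out[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]

def leak(mu: bytes, x: bytes, n: int) -> list:
    """L_mu(x) = (mu.x, ..., mu.x): GF(2) dot product of mu and x, repeated n times."""
    bit = bin(int.from_bytes(mu, "big") & int.from_bytes(x, "big")).count("1") & 1
    return [bit] * n

def response(a1, a2, xp, i, c):
    """Answer r_i to challenge c_i in {1, 2, 3}, as in the SKI response table."""
    if c == 1:
        return a1[i]
    if c == 2:
        return a2[i]
    return xp[i] ^ a1[i] ^ a2[i]

def ski_session(x, n, tau, bound_m, distance_m, noisy_rounds=frozenset()):
    """Run one session; return (accepted, rounds that were correct and on time)."""
    # Initialization phase
    n_p, n_v = secrets.token_bytes(16), secrets.token_bytes(16)
    mu = secrets.token_bytes(len(x))                       # selects L_mu
    a = [secrets.randbits(1) for _ in range(2 * n)]        # verifier picks a = a1 || a2
    mask_v = prf_bits(x, n_p, n_v, mu, 2 * n)
    m = [ai ^ fi for ai, fi in zip(a, mask_v)]             # M = a XOR f_x(...)
    mask_p = prf_bits(x, n_p, n_v, mu, 2 * n)
    a_p = [mi ^ fi for mi, fi in zip(m, mask_p)]           # prover unmasks M
    xp = leak(mu, x, n)                                    # x' = L_mu(x) on both sides
    # Distance-bounding phase (propagation delay only, no processing time)
    rtt_ns = 2 * distance_m / C_M_PER_NS
    good = 0
    for i in range(n):
        c = secrets.choice((1, 2, 3))
        r = response(a_p[:n], a_p[n:], xp, i, c) ^ int(i in noisy_rounds)
        expected = response(a[:n], a[n:], xp, i, c)
        if r == expected and rtt_ns <= rtt_bound_ns(bound_m):
            good += 1
    # Verifier's check: #{i : r_i and timer_i correct} >= tau
    return good >= tau, good
```

A prover whose traffic is relayed from 50 m away answers every round correctly yet fails every timer, so the session is rejected, while a few noisy rounds below n − τ are tolerated.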
SKI Security
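Theorem.
If f is a circular-keying secure PRF,
there is no DF with $\Pr[\text{success}] \ge B(n,\tau,\tfrac{3}{4}) - \mathrm{negl}(s)$
there is no MiM with $\Pr[\text{success}] \ge B(n,\tau,\tfrac{2}{3}) - \mathrm{negl}(s)$
s-soundness for $\Pr[\text{success}] \ge \frac{1}{\mathrm{negl}(s)}\, B(\tfrac{n}{2}, \tau - \tfrac{n}{2}, \tfrac{2}{3})$
where $s$ is the length of $x$ and
$$B(n,\tau,\rho) = \sum_{i=\tau}^{n} \binom{n}{i} \rho^{i} (1-\rho)^{n-i}$$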
Bitlength-Equivalent Security / the Number of Rounds
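An added Python example (not from the slides) that evaluates the binomial tail B(n, τ, ρ) from the SKI theorem exactly and searches for the number of rounds n that pushes the distance-fraud (ρ = 3/4) and man-in-the-middle (ρ = 2/3) bounds below 2^-bits. Assumptions: the negl(s) terms are ignored, the threshold is set as τ = ⌈(1 − noise)·n⌉ for a chosen tolerated noise fraction, and the function names are the example's own.

```python
from fractions import Fraction
from math import ceil, comb, log2

DF_RHO = Fraction(3, 4)   # per-round bound for distance fraud in the SKI theorem
MIM_RHO = Fraction(2, 3)  # per-round bound for man-in-the-middle in the SKI theorem

def B(n: int, tau: int, rho) -> Fraction:
    """Exact binomial tail: sum_{i=tau}^{n} C(n,i) rho^i (1-rho)^(n-i)."""
    rho = Fraction(rho)
    terms = (comb(n, i) * rho**i * (1 - rho)**(n - i) for i in range(tau, n + 1))
    return sum(terms, Fraction(0))

def security_bits(n: int, tau: int, rho) -> float:
    """-log2 of the bound, taken on big integers to avoid float underflow."""
    b = B(n, tau, rho)
    return log2(b.denominator) - log2(b.numerator)

def rounds_needed(bits: int, rho, noise=Fraction(0)):
    """Smallest n with B(n, tau, rho) <= 2^-bits, where tau = ceil((1 - noise) * n).

    `noise` is the fraction of rounds allowed to fail (an assumption of this example).
    """
    rho, noise = Fraction(rho), Fraction(noise)
    if 1 - noise <= rho:
        raise ValueError("threshold fraction must exceed rho or the tail never shrinks")
    target = Fraction(1, 2**bits)
    n = 1
    while True:
        tau = ceil((1 - noise) * n)
        if B(n, tau, rho) <= target:
            return n, tau
        n += 1

def ski_rounds(bits: int, noise=Fraction(0)):
    """(n, tau) such that both the DF and the MiM bound are at most 2^-bits."""
    return max(rounds_needed(bits, DF_RHO, noise), rounds_needed(bits, MIM_RHO, noise))
```

Without noise tolerance τ = n and the bounds reduce to (3/4)^n and (2/3)^n, so 20 bits of security cost 49 rounds against distance fraud and 35 against MiM; tolerating 10% noisy rounds raises the round count well above that.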
5 Challenges and Visions in Distance Bounding
  Partial Conclusions
  Where to?
Some Partial Conclusions
problems with security proofs based on PRF
problems when introducing noise-tolerance
some new, good models for DB protocols
SKI
" provably secure, noise tolerant
! non-binary challenges
! non-standard PRF
Open Problems ... or Commercial DB
make protocols efficient
tight/optimal DB security
build up public-key DB protocols
implement DB
Efficient and Optimal Protocols
make protocols efficient and security-tight
drop, e.g., TF-resistance (and DF)?
consider just MiM?
DB Implementation
one existing wired implementation
propagation delays are much shorter (ns) than processing times (ms)
some promising wireless experiments exist (e.g., ETHZ, CEA Leti, EPFL)
Mifare Plus contains a kind of distance bounding protocol
Conclusions
relays are real...
and ... we still have some way to go beyond the first provably secure DB designs