Research Topics
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland
ICB 2014 ICB Middlesex Uni, Feb. 2014 1 / 3
(automatic) verification (of security)
mobile (Android) security
composable security [secure + secure ?= (in)secure]
(provable) RFID security
crypto design
Touch and Pay: making it secure!
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland
February 19, 2014
ICB 2014 distance-bounding (DB) Middlesex Uni, Feb. 2014 1 / 45
1 Relay Attacks
2 Distance-Bounding
3 Provable Distance Bounding Security
4 Distance Bounding Security vs. Efficiency
5 Challenges and Visions in Distance Bounding
Payments, Remote Unlocking, Access-Control ...
• Keeloq for GM, Volkswagen Group, Volvo, Jaguar, ...
• TI DST
Playing against two chess grandmasters
Relaying is real...!
Attacks by Francillon, Danev, Capkun (ETHZ) against passive keyless entry and start systems used in modern cars.
10 systems tested: not one resisted!
Relaying = Stealing (your money) ...!
Idea: Measuring (Idealized) Communication ... (... at the Speed of Light)
10 ns ←→ 2 × 1.5 m (round-trip)
More Ideas: Round-Trip Time to Prevent Relay Attacks
Identification Tokens, or: Solving the Chess Grandmaster Problem [Beth-Desmedt CRYPTO 1990]
basic idea: measure the communication time exactly
the reader should verify that the proving tag is no further than some bound
later solution: use a distance-bounding (DB) protocol
2 Distance-Bounding
DB Intro
DB Threats
DB Protocols (without post-authentication)
Distance-Bounding (DB) Protocols
introduced in [Brands-Chaum EUROCRYPT 1993]
[Reid et al. ASIACCS 2007]

| Verifier (secret: $x$) | | Prover (secret: $x$) |
|---|:---:|---|
| *initialization phase* | | |
| pick $N_V$ | $\xrightarrow{\;N_V\;}$ | pick $N_P$ |
| $a_1 = f_x(N_P, N_V)$ | $\xleftarrow{\;N_P\;}$ | $a_1 = f_x(N_P, N_V)$ |
| $a_2 = a_1 \oplus x$ | | $a_2 = a_1 \oplus x$ |
| *distance bounding phase, for $i = 1$ to $n$* | | |
| pick $c_i \in \{1,2\}$, start timer$_i$ | $\xrightarrow{\;c_i\;}$ | |
| stop timer$_i$ | $\xleftarrow{\;r_i\;}$ | $r_i = a_{1,i}$ if $c_i = 1$; $r_i = a_{2,i}$ if $c_i = 2$ |
| check responses, check timers | $\xrightarrow{\;\mathrm{Out}_V\;}$ | |
DB Threats: Mafia Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
P ←→ A ←→ V (far away)
an adversary A tries to prove that a prover P is close to a verifier V
generalised/strengthened relaying
“DB-specialised” man-in-the-middle attack
DB Threats: Distance Fraud
P∗ ←→ V (far away)
a malicious, far-away prover P∗ tries to prove that he is close to a verifier V
liability and non-repudiation issues
DB Threats: Terrorist Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
P∗ ←→ A ←→ V (far away)
a malicious prover P∗ helps an adversary A to prove that P∗ is close to a verifier V, without giving A another advantage
advantage: leaking the secret key
“gain privileges just once”
the toughest fraud to protect against, especially in presence of noise
The Reid et al. Protocol
Detecting Relay Attacks with Timing-based Protocols [Reid-Nieto-Tang-Senadji ASIACCS 2007]

| Verifier (secret: $x$) | | Prover (secret: $x$) |
|---|:---:|---|
| *initialization phase* | | |
| pick $N_V$ | $\xrightarrow{\;N_V\;}$ | pick $N_P$ |
| $a_1 = f_x(N_P, N_V)$ | $\xleftarrow{\;N_P\;}$ | $a_1 = f_x(N_P, N_V)$ |
| $a_2 = a_1 \oplus x$ | | $a_2 = a_1 \oplus x$ |
| *distance bounding phase, for $i = 1$ to $n$* | | |
| pick $c_i \in \{1,2\}$, start timer$_i$ | $\xrightarrow{\;c_i\;}$ | |
| stop timer$_i$ | $\xleftarrow{\;r_i\;}$ | $r_i = a_{c_i,i}$ |
| check responses, check timers | $\xrightarrow{\;\mathrm{Out}_V\;}$ | |

protects against TF
BUT... this and its extensions vulnerable to MF/MiM [Bay, Boureanu et al. INSCRIPT 2012]
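The TDB Protocol
How Secret-Sharing can Defeat Terrorist Fraud [Avoine-Lauradoux-Martin ACM WiSec 2011]

| Verifier (secret: $x$) | | Prover (secret: $x$) |
|---|:---:|---|
| *initialization phase* | | |
| pick $N_V$ | $\xleftarrow{\;N_P\;}$ | pick $N_P$ |
| $a_1 \Vert a_2 = f_x(N_P, N_V)$ | $\xrightarrow{\;N_V\;}$ | $a_1 \Vert a_2 = f_x(N_P, N_V)$ |
| *distance bounding phase, for $i = 1$ to $n$* | | |
| pick $c_i \in \{1,2,3\}$, start timer$_i$ | $\xrightarrow{\;c_i\;}$ | |
| stop timer$_i$ | $\xleftarrow{\;r_i\;}$ | $r_i = a_{1,i}$ if $c_i = 1$; $r_i = a_{2,i}$ if $c_i = 2$; $r_i = x_i \oplus a_{1,i} \oplus a_{2,i}$ if $c_i = 3$ |
| check responses, check timers | $\xrightarrow{\;\mathrm{Out}_V\;}$ | |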
Distance Fraud with a Programmed PRF against the TDB Protocol
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
PRF programming [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

| Verifier (secret: $x$) | | Malicious Prover (secret: $x$) |
|---|:---:|---|
| *initialization phase* | | |
| | $\xleftarrow{\;N_P\;}$ | pick $N_P = x$ |
| pick $N_V$ | $\xrightarrow{\;N_V\;}$ | |
| $a_1 \Vert a_2 = f_x(N_P, N_V)$ | $a_1 = a_2 = x$ | $a_1 \Vert a_2 = f_x(N_P, N_V)$ |
| *distance bounding phase, for $i = 1$ to $n$* | | |
| pick $c_i \in \{1,2,3\}$, start timer$_i$ | $\xrightarrow{\;c_i\;}$ | $r_i = x_i$ |
| stop timer$_i$ | $\xleftarrow{\;r_i\;}$ | |
| check responses, check timers | $\xrightarrow{\;\mathrm{Out}_V\;}$ | |
Other Results based on Programmed PRFs
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

| protocol | distance fraud | man-in-the-middle attack |
|---|:---:|:---:|
| TDB Avoine-Lauradoux-Martin [ACM WiSec 2011] | √ | √ |
| Durholz-Fischlin-Kasper-Onete [ISC 2011] | √ | – |
| Hancke-Kuhn [Securecomm 2005] | √ | – |
| Avoine-Tchamkerten [ISC 2009] | √ | – |
| Reid-Nieto-Tang-Senadji [ASIACCS 2007] | √ | √ |
| Swiss-Knife Kim-Avoine-Koeune-Standaert-Pereira [ICISC 2008] | – | √ |
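Known Protocols and Security Results (Without Noise)
success probability of best known attacks ($\theta < 1$ constant)
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

| | Protocol | Success probability: Distance-Fraud | MiM | Terrorist-Fraud |
|---|---|---|---|---|
| † | Brands & Chaum | $(1/2)^n$ | $(1/2)^n$ | $1$, negl |
| † | Bussard & Bagga | $1$ | $(1/2)^n$ | $1$, negl |
| † | Capkun et al. | $(1/2)^n$ | $(1/2)^n$ | $1$, negl |
| † | Hancke & Kuhn | $(3/4)^n$ to $1$ | $(3/4)^n$ | $1$, negl |
| † | Reid et al. | $(3/4)^n$ to $1$ | $1$ | $(3/4)^{\theta n}$, negl |
| † | Singelee & Preneel | $(1/2)^n$ | $(1/2)^n$ | $1$, negl |
| † | Tu & Piramuthu | $(3/4)^n$ | $1$ | $(3/4)^{\theta n}$, negl |
| † | Munilla & Peinado | $(3/4)^n$ | $(3/5)^n$ | $1$, negl |
| ! | Swiss-Knife | $(3/4)^n$ | $(1/2)^n$ to $1$ | $(3/4)^{\theta n}$, negl |
| † | Kim & Avoine | $(7/8)^n$ | $(1/2)^n$ | $1$, negl |
| † | Nikov & Vauclair | $1/k$ | $(1/2)^n$ | $1$, negl |
| ! | Avoine et al. | $(3/4)^n$ to $1$ | $(2/3)^n$ to $1$ | $(2/3)^{\theta n}$, negl |
| " | SKI | $(3/4)^n$ | $(2/3)^n$ | $\gamma, \gamma'$ |
| " | Fischlin & Onete | $(3/4)^n$ | $(3/4)^n$ | $\gamma = \gamma'$ |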
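Known Protocols and Security Results (Noise-Tolerant)
success probability of best known attacks
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

| | Protocol | Success probability: Distance-Fraud | MiM | Terrorist-Fraud |
|---|---|---|---|---|
| † | Brands & Chaum | $B(n,\tau,1/2)$ | $B(n,\tau,1/2)$ | $1$, negl |
| † | Bussard & Bagga | $1$ | $B(n,\tau,1/2)$ | $1$, negl |
| † | Capkun et al. | $B(n,\tau,1/2)$ | $B(n,\tau,1/2)$ | $1$, negl |
| † | Hancke & Kuhn | $B(n,\tau,3/4)$ to $1$ | $B(n,\tau,3/4)$ | $1$, negl |
| † | Reid et al. | $B(n,\tau,3/4)$ to $1$ | $1$ | $1$, negl |
| † | Singelee & Preneel | $B(n,\tau,1/2)$ | $B(n,\tau,1/2)$ | $1$, negl |
| † | Tu & Piramuthu | $B(n,\tau,3/4)$ | $1$ | $1$, negl |
| † | Munilla & Peinado | $B(n,\tau,3/4)$ | $B(n,\tau,3/5)$ | $1$, negl |
| † | Swiss-Knife | $B(n,\tau,3/4)$ | $B(n,\tau,1/2)$ to $1$ | $1$, negl |
| † | Kim & Avoine | $B(n,\tau,7/8)$ | $B(n,\tau,1/2)$ | $1$, negl |
| † | Nikov & Vauclair | $1/k$ | $B(n,\tau,1/2)$ | $1$, negl |
| † | Avoine et al. | $B(n,\tau,3/4)$ to $1$ | $B(n,\tau,2/3)$ to $1$ | $1$, negl |
| " | SKI | $B(n,\tau,3/4)$ | $B(n,\tau,2/3)$ | $\gamma, \gamma'$ |
| " | Fischlin & Onete | $B(n,\tau,3/4)$ | $B(n,\tau,3/4)$ | $\gamma = \gamma'$ |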
3 Provable Distance Bounding Security
Motivation
Model
The SKI Protocol
Why Provable Security?
only security arguments by best attack scenarios
many insecurities recently proven (as shown above)
many “pseudo-proofs” use incorrect arguments (e.g., sufficient PRF-ness, etc.)
DB Formalism
[Boureanu-Mitrokotsa-Vaudenay ISC 2013]
formal communication model, integrating time
formal security model and threat model based on interactive proofs
cryptographic assumptions/tools for the design/proofs
• PRF-masking
• circular-keying
• leakage scheme
The SKI Protocol
[Boureanu-Mitrokotsa-Vaudenay Lightsec 2013, BMV ISC 2013]

| Verifier (secret: $x$) | | Prover (secret: $x$) |
|---|:---:|---|
| *initialization phase* | | |
| | $\xleftarrow{\;N_P\;}$ | pick $N_P$ |
| pick $a, L_\mu, N_V$ | $\xrightarrow{\;M,\,L_\mu,\,N_V\;}$ | |
| $M = a \oplus f_x(N_P, N_V, L_\mu)$ | | $a = M \oplus f_x(N_P, N_V, L_\mu)$ |
| $x' = L_\mu(x)$ | | $x' = L_\mu(x)$ |
| *distance bounding phase, for $i = 1$ to $n$* | | |
| pick $c_i \in \{1,2,3\}$, start timer$_i$ | $\xrightarrow{\;c_i\;}$ | |
| stop timer$_i$ | $\xleftarrow{\;r_i\;}$ | $r_i = a_{1,i}$ if $c_i = 1$; $r_i = a_{2,i}$ if $c_i = 2$; $r_i = x'_i \oplus a_{1,i} \oplus a_{2,i}$ if $c_i = 3$ |
| check $\#\{i : r_i \text{ and timer}_i \text{ correct}\} \ge \tau$ | $\xrightarrow{\;\mathrm{Out}_V\;}$ | |

$f$ is a circular-keying secure PRF, $L_\mu(x) = (\mu \cdot x, \ldots, \mu \cdot x)$
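The SKI message flow above, run end to end with an honest prover, as an added sketch that is not part of the original slides. Assumptions: HMAC-SHA256 stands in for $f$ (the slides only require a circular-keying secure PRF), the prover's processing time is idealized to zero, and the timer is modelled from distance at the speed of light; all function and parameter names are hypothetical.

```python
import hashlib
import hmac
import secrets

LIGHT_M_PER_NS = 0.299792458  # metres light travels in one nanosecond


def f(x, n_p, n_v, mu, nbits):
    """Stand-in for f_x(N_P, N_V, L_mu), returned as a list of bits.

    ASSUMPTION: HMAC-SHA256 with a counter is used only to make the sketch
    run; the slides require a circular-keying secure PRF and name none.
    Nonces and mu have fixed lengths here, so concatenation is unambiguous.
    """
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(x, bytes([ctr]) + n_p + n_v + mu, hashlib.sha256).digest()
        ctr += 1
    return [(out[i // 8] >> (i % 8)) & 1 for i in range(nbits)]


def leak_bit(mu, x):
    """mu . x over GF(2). L_mu(x) = (mu.x, ..., mu.x), so every x'_i is this bit."""
    return bin(int.from_bytes(mu, "big") & int.from_bytes(x, "big")).count("1") & 1


def xor_bits(a, b):
    return [p ^ q for p, q in zip(a, b)]


def response(a1, a2, x_prime, i, c):
    """r_i as defined on the slide for a challenge c in {1, 2, 3}."""
    if c == 1:
        return a1[i]
    if c == 2:
        return a2[i]
    return x_prime ^ a1[i] ^ a2[i]


def run_session(x, n, tau, distance_m, max_distance_m,
                extra_delay_ns=0.0, flip_rounds=()):
    """Run one SKI session with an honest prover; return (accepted, good_rounds).

    distance_m      where the responses physically come from
    max_distance_m  distance bound enforced by the verifier
    extra_delay_ns  latency added to every round (processing, forwarding)
    flip_rounds     round indices whose response bit is hit by channel noise
    """
    # --- initialization phase ---
    n_p = secrets.token_bytes(16)                     # prover -> verifier
    a = [secrets.randbits(1) for _ in range(2 * n)]   # verifier picks a
    mu = secrets.token_bytes(len(x))                  # selects L_mu
    n_v = secrets.token_bytes(16)
    m = xor_bits(a, f(x, n_p, n_v, mu, 2 * n))        # M = a XOR f_x(...)

    # prover side: unmask a and derive x' (the prover never chooses a itself)
    a_p = xor_bits(m, f(x, n_p, n_v, mu, 2 * n))
    p_a1, p_a2, p_xp = a_p[:n], a_p[n:], leak_bit(mu, x)

    # verifier side
    v_a1, v_a2, v_xp = a[:n], a[n:], leak_bit(mu, x)
    bound_ns = 2 * max_distance_m / LIGHT_M_PER_NS

    # --- distance bounding phase ---
    good = 0
    for i in range(n):
        c = secrets.choice((1, 2, 3))
        r = response(p_a1, p_a2, p_xp, i, c) ^ int(i in flip_rounds)
        rtt_ns = 2 * distance_m / LIGHT_M_PER_NS + extra_delay_ns
        on_time = rtt_ns <= bound_ns
        correct = r == response(v_a1, v_a2, v_xp, i, c)
        good += int(on_time and correct)

    # check #{i : r_i and timer_i correct} >= tau
    return good >= tau, good
```

With a 1.5 m bound the timer budget is about 10 ns per round, so any added per-round latency well above that fails every round regardless of how correct the response bits are.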
The SKI Protocol: F-Scheme
secret sharing scheme to prevent from MiM [ALM WISEC 2011]
The SKI Protocol: Leakage Scheme
leak L(x) in the case of a terrorist fraud [BMV, ISC 2013]
The SKI Protocol: PRF Masking
P has no influence on the distribution of a [BMV LATINCRYPT 2012]
The SKI Protocol: Circular-Keying PRF
PRF secure with a reuse of the key [BMV ISC 2013]
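SKI Security
Theorem. If $f$ is a circular-keying secure PRF,
there is no DF with $\Pr[\text{success}] \ge B(n,\tau,\tfrac{3}{4}) - \mathrm{negl}(s)$
there is no MiM with $\Pr[\text{success}] \ge B(n,\tau,\tfrac{2}{3}) - \mathrm{negl}(s)$
$s$-soundness for $\Pr[\text{success}] \ge \frac{1}{\mathrm{negl}(s)}\, B(\tfrac{n}{2}, \tau - \tfrac{n}{2}, \tfrac{2}{3})$
where $s$ is the length of $x$ and
$$B(n,\tau,\rho) = \sum_{i=\tau}^{n} \binom{n}{i} \rho^{i} (1-\rho)^{n-i}$$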
Bitlength-Equivalent Security / the Number of Rounds
5 Challenges and Visions in Distance Bounding
Partial Conclusions
Where to?
Some Partial Conclusions
problems with security proofs based on PRF
problems when introducing noise-tolerance
some new, good models for DB protocols
SKI
" provably secure, noise tolerant
! non-binary challenges
! non-standard PRF
Open Problems ... or Commercial DB
make protocols efficient
tight/optimal DB security
build up public-key DB protocols
implement DB
Efficient and Optimal Protocols
make protocols efficient and security-tight
drop, e.g., TF-resistance (and DF)?
consider just MiM?
DB Implementation
one existing wired implementation
propagation delays are much shorter (ns) than processing times (ms)
some promising wireless experiments exist (e.g., ETHZ, CEA Leti, EPFL)
Mifare Plus contains a kind of distance bounding protocol
Conclusions
relays are real...
and ... we still have some way to go beyond the first provably secure DB designs