prof. gildas avoine universit e catholique de louvain ... · universit e catholique de louvain,...
TRANSCRIPT
Relay Attacks and Distance Bounding Protocolsin RFID Environments
Prof. Gildas Avoine
Universite catholique de Louvain, Belgium
Information Security Group
SUMMARY
RFID Background
Relay Attacks
Distance Bounding Protocols
Conclusion
RFID BACKGROUND
RFID Background
Relay Attacks
Distance Bounding Protocols
Conclusion
Definition and Architecture
Definition (RFID (Recommandation U.E. 2009))
[RFID] means the use of electromagnetic radiating waves orreactive field coupling in the radio frequency portion of thespectrum to communicate to or from a tag through a variety ofmodulation and encoding schemes to uniquely read the identity ofa radio frequency tag or other data stored on it.
Reader
Tag
Reader
TagTag
TagBack-endSystem
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 4/27
Basic RFID
www.aeroid.co.uk
www.rfid-library.com
www.flickr.com
www.safetzone.com
Supply chain tracking.
◦ Track boxes, palettes, etc.
Libraries.
◦ Improve book borrowing and inventories.
Pet identification.
◦ Replace tattoos by electronic ones.◦ ISO11784, ISO11785.
Localisation.
◦ Children in amusement parks, Elderly people.◦ Counting cattle.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 5/27
Evolved RFID
Credit: G. Avoine Credit: G. Avoine
www.carthiefstoppers.com
www.brusselnieuws.be
blogs.e-rockford.com
Building access control.
◦ Eg. UCL, MIT.
Automobile ignition key.
◦ Eg. TI DST, Keeloq.
Public transportation.
◦ Eg. Brussels, Boston, Paris, ..., Thalys.
Payment.
◦ Eg. Visa, Baja Beach Club.
Electronic documents.
◦ Eg. ePassports.
Loyalty cards.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 6/27
Tag Characteristics
cost
power frequency
communication
standard
calculation
storage
active
passiveLF
HF
UHF
metersdm
cm
UID 1 KB 40 KB
nopwd
sym cryptoasym cryptoEPC
ISO14443
ISO15693
10 cents
50 cents
euros
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 7/27
Tag Characteristics
cost
power frequency
communication
standard
calculation
storage
Access control
active
passiveLF
HF
UHF
metersdm
cm
UID 1 KB 40 KB
nopwd
sym cryptoasym cryptoEPC
ISO14443
ISO15693
10 cents
50 cents
euros
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 7/27
Tag Characteristics
cost
power frequency
communication
standard
calculation
storage
Access controlLogistics
active
passiveLF
HF
UHF
metersdm
cm
UID 1 KB 40 KB
nopwd
sym cryptoasym cryptoEPC
ISO14443
ISO15693
10 cents
50 cents
euros
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 7/27
RELAY ATTACKS
RFID Background
Relay Attacks
Distance Bounding Protocols
Conclusion
Variant of ISO 9798-2 Protocol 3
Verifier (secret k) Prover (secret k)
Pick NaNa−−−−−−−−−→
Ek (Na,Nb)←−−−−−−−− Pick Nb
Protocol secure under common assumptions on E , k , Na, and Nb.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 9/27
Relay Attack
VerifierProver
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 10/27
Relay Attack
VerifierProver
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 10/27
Relay Attack
VerifierProver
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 10/27
Relay Attack
VerifierProver
AdversaryAdversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 10/27
Relay Attack
VerifierProver
AdversaryAdversary10000 km
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 10/27
Relay Attack
VerifierProver
AdversaryAdversary10000 km
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 10/27
Relay AttackDefinition and Do-Ability
Definition (Relay Attack)
A relay attack is a form of man-in-the-middle where the adversarymanipulates the communication by only relaying the verbatimmessages between two parties.
Reader starts a timer when sending a message.
◦ To avoid semi-open connections.
◦ The timer is not tight.
Example: ISO 14443 “Proximity Cards”.
◦ Used in most secure applications.
◦ Standard on the low-layers (physical, collision-avoidance).
◦ Default timer is around 5 ms.
◦ Prover can require more time, up to 4949 ms.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 11/27
Relay AttackDefinition and Do-Ability
Definition (Relay Attack)
A relay attack is a form of man-in-the-middle where the adversarymanipulates the communication by only relaying the verbatimmessages between two parties.
Reader starts a timer when sending a message.
◦ To avoid semi-open connections.
◦ The timer is not tight.
Example: ISO 14443 “Proximity Cards”.
◦ Used in most secure applications.
◦ Standard on the low-layers (physical, collision-avoidance).
◦ Default timer is around 5 ms.
◦ Prover can require more time, up to 4949 ms.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 11/27
Relay AttackDefinition and Do-Ability
Definition (Relay Attack)
A relay attack is a form of man-in-the-middle where the adversarymanipulates the communication by only relaying the verbatimmessages between two parties.
Reader starts a timer when sending a message.
◦ To avoid semi-open connections.
◦ The timer is not tight.
Example: ISO 14443 “Proximity Cards”.
◦ Used in most secure applications.
◦ Standard on the low-layers (physical, collision-avoidance).
◦ Default timer is around 5 ms.
◦ Prover can require more time, up to 4949 ms.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 11/27
Relay AttackDefinition and Do-Ability
Definition (Relay Attack)
A relay attack is a form of man-in-the-middle where the adversarymanipulates the communication by only relaying the verbatimmessages between two parties.
Reader starts a timer when sending a message.
◦ To avoid semi-open connections.
◦ The timer is not tight.
Example: ISO 14443 “Proximity Cards”.
◦ Used in most secure applications.
◦ Standard on the low-layers (physical, collision-avoidance).
◦ Default timer is around 5 ms.
◦ Prover can require more time, up to 4949 ms.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 11/27
PracticabilityExamples
Radio link over 50 meters (G. Hancke 05).
With some ACR122 (A. Laurie 09).
With NFC cell phones or over Internet (libNFC).
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 12/27
PracticabilityExamples
Radio link over 50 meters (G. Hancke 05).
With some ACR122 (A. Laurie 09).
With NFC cell phones or over Internet (libNFC).
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 12/27
PracticabilityExamples
Attacks by Francillon, Danev, Capkun (ETHZ) against passivekeyless entry and start systems used in modern cars.
◦ 10 systems tested: no one resisted!
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 13/27
DISTANCE BOUNDING PROTOCOLS
RFID Background
Relay Attacks
Distance Bounding Protocols
Conclusion
Protocol Aims in General Framework
Definition (Distance Checking)
A distance bounding is a process whereby one party is assured:
1 Of the identity of a second party,
2 That the latter is present in the neighborhood of the verifyingparty, at some point in the protocol.
Reader
Tag
Distance bounding does not avoid relay attacks.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 15/27
Protocol Aims in General Framework
Definition (Distance Checking)
A distance bounding is a process whereby one party is assured:
1 Of the identity of a second party,
2 That the latter is present in the neighborhood of the verifyingparty, at some point in the protocol.
Reader
Tag
Distance bounding does not avoid relay attacks.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 15/27
Protocol Aims in General Framework
Definition (Distance Checking)
A distance bounding is a process whereby one party is assured:
1 Of the identity of a second party,
2 That the latter is present in the neighborhood of the verifyingparty, at some point in the protocol.
Reader
Tag
Distance bounding does not avoid relay attacks.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 15/27
No Fraud
Adversary
Reader
Tag
Reader
Tag
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 16/27
No Fraud
Adversary
Reader
Tag
Reader
Tag
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 16/27
Fraud
Adversary
Reader
Adversary
Tag
Reader
Tag
Reader
Reader
Adversary Tag
Reader
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 17/27
Fraud
Adversary
Reader
Adversary
Tag
Reader
Tag
Reader
Reader
Adversary Tag
Reader
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 17/27
Fraud
Adversary
Reader
Adversary
Tag
Reader
Tag
Reader
Reader
Adversary Tag
Reader
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 17/27
Fraud
Adversary
Reader
Adversary
Tag
Reader
Tag
Reader
Reader
Adversary Tag
Reader
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 17/27
Fraud
Adversary
Reader
Adversary
Tag
Reader
Tag
Reader
Reader
Adversary
Tag
Reader
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 17/27
Fraud
Adversary
Reader
Adversary
Tag
Reader
Tag
Reader
Reader
Adversary Tag
Reader
Adversary
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 17/27
Distance Bounding Based on the Speed of Light
Measure the round-trip-time (RTT) of a given message.
◦ Provide a bound on the distance.
◦ Idea introduced by Beth and Desmedt [Crypto90].
TagReader
Neighborhood
Computation Msg must be authenticated
Auth. is time-consuming
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 18/27
Distance Bounding Based on the Speed of Light
Measure the round-trip-time (RTT) of a given message.
◦ Provide a bound on the distance.
◦ Idea introduced by Beth and Desmedt [Crypto90].
Reader
Neighborhood
computation
Accelerated
Tag
Msg must be authenticated
Auth. is time-consuming
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 18/27
Hancke and Kuhn’s ProtocolDescription
Reader Tag(secret K ) (secret K )
Pick a random Na Pick a random NbNa−−−−−−−→Nb←−−−−−−−
h(K ,Na,Nb) =
{v0 = 1 1 0 1 1 0 0 0 1 0
v1 = 0 1 1 1 1 0 0 1 0 0
Start of fast bit exchangefor i = 1 to n
Pick Ci ∈R {0, 1}Start Clock
Ci−−−−−−−→
Ri =
{v0i , if Ci = 0
v1i , if Ci = 1
Stop ClockRi←−−−−−−−
Check: 4ti ≤ tmax
Check: correctness of Ri
End of fast bit exchange
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 19/27
Mafia Fraud
Definition (Mafia Fraud)
A mafia fraud is an attack where an adversary defeats a distancebounding protocol using a man-in-the-middle (MITM) between thereader and an honest tag located outside the neighborhood.
Mafia fraud: Desmedt, Goutier, Bengio [Crypto87].
Shamir about Fiat-Shamir protocol [Crypto86]: “I can go to aMafia-owned store a million successive times and they still willnot be able to misrepresent themselves as me.” (The NY Times,February 17, 1987, James Gleick).
A.k.a., relay attack, chess grandmaster, wormhole problem,passive man-in-the-middle, middleman attack...
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 20/27
Mafia Fraud
Definition (Mafia Fraud)
A mafia fraud is an attack where an adversary defeats a distancebounding protocol using a man-in-the-middle (MITM) between thereader and an honest tag located outside the neighborhood.
Mafia fraud: Desmedt, Goutier, Bengio [Crypto87].
Shamir about Fiat-Shamir protocol [Crypto86]: “I can go to aMafia-owned store a million successive times and they still willnot be able to misrepresent themselves as me.” (The NY Times,February 17, 1987, James Gleick).
A.k.a., relay attack, chess grandmaster, wormhole problem,passive man-in-the-middle, middleman attack...
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 20/27
Fraud (variants)
Definition (Distance Fraud)
Given a distance bounding protocol, a distance fraud is an attackwhere a dishonest and lonely prover purports to be in theneighborhood of the verifier.
Definition (Terrorist Fraud)
A terrorist fraud is an attack where an adversary defeats a distancebounding protocol using a man-in-the-middle (MITM) between thereader and a dishonest tag located outside of the neighborhood,such that the latter actively helps the adversary to maximize herattack success probability, without giving to her any advantage forfuture attacks.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 21/27
Fraud (variants)
Definition (Distance Fraud)
Given a distance bounding protocol, a distance fraud is an attackwhere a dishonest and lonely prover purports to be in theneighborhood of the verifier.
Definition (Terrorist Fraud)
A terrorist fraud is an attack where an adversary defeats a distancebounding protocol using a man-in-the-middle (MITM) between thereader and a dishonest tag located outside of the neighborhood,such that the latter actively helps the adversary to maximize herattack success probability, without giving to her any advantage forfuture attacks.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 21/27
Hancke and Kuhn’s ProtocolDescription
Reader Tag(secret K ) (secret K )
Pick a random Na Pick a random NbNa−−−−−−−→Nb←−−−−−−−
h(K ,Na,Nb) =
{v0 = 1 1 0 1 1 0 0 0 1 0
v1 = 0 1 1 1 1 0 0 1 0 0
Start of fast bit exchangefor i = 1 to n
Pick Ci ∈R {0, 1}Start Clock
Ci−−−−−−−→
Ri =
{v0i , if Ci = 0
v1i , if Ci = 1
Stop ClockRi←−−−−−−−
Check: 4ti ≤ tmax
Check: correctness of Ri
End of fast bit exchange
Question
1 Mafia fraud:
(34
)n
2 Terrorist fraud:
1
3 Distance fraud:
(34
)n
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 22/27
Hancke and Kuhn’s ProtocolDescription
Reader Tag(secret K ) (secret K )
Pick a random Na Pick a random NbNa−−−−−−−→Nb←−−−−−−−
h(K ,Na,Nb) =
{v0 = 1 1 0 1 1 0 0 0 1 0
v1 = 0 1 1 1 1 0 0 1 0 0
Start of fast bit exchangefor i = 1 to n
Pick Ci ∈R {0, 1}Start Clock
Ci−−−−−−−→
Ri =
{v0i , if Ci = 0
v1i , if Ci = 1
Stop ClockRi←−−−−−−−
Check: 4ti ≤ tmax
Check: correctness of Ri
End of fast bit exchange
Question
1 Mafia fraud:(34
)n2 Terrorist fraud: 1
3 Distance fraud:(34
)nGildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 22/27
Current Research Activities
Analysis framework.
Extensive (fair) survey.
White−box model
Terrorist fraud Terrorist fraud
Mafia fraud Mafia fraud
Distance fraudDistance fraud
Black−box model
1e-16
1e-14
1e-12
1e-10
1e-08
1e-06
0.0001
0.01
1
1 10 100 1000 10000 100000 1e+06
Adv
ersa
ry s
ucce
ss p
roba
bilit
y
p: Number of runs
Register length: n=20n=40n=60n=80
n=128
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 23/27
Current Research Activities
Analysis framework.
Extensive (fair) survey.
White−box model
Terrorist fraud Terrorist fraud
Mafia fraud Mafia fraud
Distance fraudDistance fraud
Black−box model
1e-16
1e-14
1e-12
1e-10
1e-08
1e-06
0.0001
0.01
1
1 10 100 1000 10000 100000 1e+06
Adv
ersa
ry s
ucce
ss p
roba
bilit
y
p: Number of runs
Register length: n=20n=40n=60n=80
n=128
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 23/27
Current Research Activities
Analysis framework.
Extensive (fair) survey.
White−box model
Terrorist fraud Terrorist fraud
Mafia fraud Mafia fraud
Distance fraudDistance fraud
Black−box model
1e-16
1e-14
1e-12
1e-10
1e-08
1e-06
0.0001
0.01
1
1 10 100 1000 10000 100000 1e+06
Adv
ersa
ry s
ucce
ss p
roba
bilit
y
p: Number of runs
Register length: n=20n=40n=60n=80
n=128
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 23/27
Current Research Activities
Analysis framework.
Extensive (fair) survey.
White−box model
Terrorist fraud Terrorist fraud
Mafia fraud Mafia fraud
Distance fraudDistance fraud
Black−box model
1e-16
1e-14
1e-12
1e-10
1e-08
1e-06
0.0001
0.01
1
1 10 100 1000 10000 100000 1e+06
Adv
ersa
ry s
ucce
ss p
roba
bilit
y
p: Number of runs
Register length: n=20n=40n=60n=80
n=128
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 23/27
CONCLUSION
RFID Background
Relay Attacks
Distance Bounding Protocols
Conclusion
Conclusion
Theory is mature.
◦ First protocols analyzed with a pedestrian approach.
◦ Models nowadays exist.
Practice is still young.
◦ Propagation delays are much shorter than processing times.
◦ Considered time are nanoseconds.
◦ Some experiments succeeded (eg. ETHZ, CEA Leti).
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 25/27
Conclusion
Relay attacks are practicable.
Mifare Plus contains a kind of distance bounding protocol.
Mitigating the problem is perhaps enough.
◦ Adversary also induces some delays.
◦ Thwarting adversaries using commercial readers.
◦ Avoiding long-distance attacks.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 26/27
Further Reading
Y. Desmedt, C. Goutier, and S. Bengio. Special Uses andAbuses of the Fiat-Shamir Passport Protocol. In CRYPTO’87,vol. 293 of LNCS, pp 21–39, Aug. 1988. Springer.
S. Brands and D. Chaum. Distance-Bounding Protocols. InEUROCRYPT’93, vol. 765 of LNCS, pp 344–359, May 1993.Springer.
G. Hancke and M. Kuhn. An RFID Distance Bounding Protocol.In SecureComm 2005, Sep. 2005. IEEE.
G. Avoine, M. Bingol, S. Kardas, C. Lauradoux, and B. Martin.A Framework for Analyzing RFID Distance Bounding Protocols.Journal of Computer Security, 2010.
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 27/27