RFID security presentation
DESCRIPTION
Smartcard-based protocols represent an increasingly large share of the wireless authentication solutions market, from contactless payments to remote car unlocking. Unfortunately, relay attacks pose a significant threat to this development. However, such attacks could be mitigated through the use of distance-bounding protocols. In this talk, we will discuss the core challenges for distance-bounding, of which some have recently been overcome, whereas others still stand prominently. We will focus mostly on the security of these wireless protocols, from devastating attacks to new, secure designs. We will finish with a vision for the future of these protocols, the possible and advisable paths towards, e.g., securing contactless payments.
TRANSCRIPT
Research Topics
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland
ICB 2014 ICB Middlesex Uni, Feb. 2014 1 / 3
(automatic) verification (of security)
mobile (Android) security
composable security [secure + secure ?= (in)secure]
(provable) RFID security
crypto design
Touch and Pay: making it secure!
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland
February 19, 2014
ICB 2014 distance-bounding (DB) Middlesex Uni, Feb. 2014 1 / 45
1 Relay Attacks
2 Distance-Bounding
3 Provable Distance Bounding Security
4 Distance Bounding Security vs. Efficiency
5 Challenges and Visions in Distance Bounding
Payments, Remote Unlocking, Access-Control ...
• Keeloq for GM, Volkswagen Group, Volvo, Jaguar ...
• TI DST
Playing against two chess grandmasters
Relaying is real...!
Attacks by Francillon, Danev, Capkun (ETHZ) against passive keyless entry and start systems used in modern cars.
10 systems tested: not one resisted!
Relaying = Stealing (your money) ...!
Idea: Measuring (Idealized) Communication ... (... at the Speed of Light)
10 ns ←→ 2 × 1.5 m (round-trip)
More Ideas: Round-Trip Time to Prevent Relay Attacks
Identification Tokens, or: Solving the Chess Grandmaster Problem [Beth-Desmedt CRYPTO 1990]
basic idea: measure the communication time exactly
the reader should verify that the proving tag is no further than some bound
later solution: use a distance-bounding (DB) protocol
2 Distance-Bounding
DB Intro
DB Threats
DB Protocols (without post-authentication)
Distance-Bounding (DB) Protocols
introduced in [Brands-Chaum EUROCRYPT 1993]
[Reid et al. ASIACCS 2007]

Verifier (secret: x)                               Prover (secret: x)

initialization phase
pick N_V                  ------ N_V ----->        pick N_P
a_1 = f_x(N_P, N_V)       <----- N_P ------        a_1 = f_x(N_P, N_V)
a_2 = a_1 ⊕ x                                      a_2 = a_1 ⊕ x

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2}
start timer_i             ------ c_i ----->
stop timer_i              <----- r_i ------        r_i = a_{1,i}, if c_i = 1
                                                   r_i = a_{2,i}, if c_i = 2
check responses
check timers              ------ Out_V --->
DB Threats: Mafia Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
P ←→ A ←→ V (far away)
an adversary A tries to prove that a prover P is close to a verifier V
generalised/strengthened relaying
“DB-specialised” man-in-the-middle attack
DB Threats: Distance Fraud
P∗ ←→ V (far away)
a malicious, far-away prover P∗ tries to prove that he is close to a verifier V
liability and non-repudiation issues
DB Threats: Terrorist Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
P∗ ←→ A ←→ V (far away)
a malicious prover P∗ helps an adversary A to prove that P∗ is close to a verifier V, without giving A another advantage
advantage: leaking the secret key
“gain privileges just once”
the toughest fraud to protect against, especially in presence of noise
The Reid et al. Protocol
Detecting Relay Attacks with Timing-based Protocols
[Reid-Nieto-Tang-Senadji ASIACCS 2007]

Verifier (secret: x)                               Prover (secret: x)

initialization phase
pick N_V                  ------ N_V ----->        pick N_P
a_1 = f_x(N_P, N_V)       <----- N_P ------        a_1 = f_x(N_P, N_V)
a_2 = a_1 ⊕ x                                      a_2 = a_1 ⊕ x

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2}
start timer_i             ------ c_i ----->
stop timer_i              <----- r_i ------        r_i = a_{c_i,i}
check responses
check timers              ------ Out_V --->

protects against TF
BUT ... this and its extensions vulnerable to MF/MiM [Bay, Boureanu et al. INSCRIPT 2012]
The TDB Protocol
How Secret-Sharing can Defeat Terrorist Fraud
[Avoine-Lauradoux-Martin ACM WiSec 2011]

Verifier (secret: x)                               Prover (secret: x)

initialization phase
pick N_V                     <----- N_P ------     pick N_P
a_1 ∥ a_2 = f_x(N_P, N_V)    ------ N_V ----->     a_1 ∥ a_2 = f_x(N_P, N_V)

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2,3}
start timer_i                ------ c_i ----->
stop timer_i                 <----- r_i ------     r_i = a_{1,i}                   if c_i = 1
                                                   r_i = a_{2,i}                   if c_i = 2
                                                   r_i = x_i ⊕ a_{1,i} ⊕ a_{2,i}   if c_i = 3
check responses
check timers                 ------ Out_V --->
Distance Fraud with a Programmed PRF against the TDB Protocol
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
PRF programming [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

Verifier (secret: x)                               Malicious Prover (secret: x)

initialization phase
                             <----- N_P ------     pick N_P = x
pick N_V                     ------ N_V ----->
a_1 ∥ a_2 = f_x(N_P, N_V)    a_1 = a_2 = x         a_1 ∥ a_2 = f_x(N_P, N_V)

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2,3}
start timer_i                                      r_i = x_i
                             ------ c_i ----->
                             <----- r_i ------
stop timer_i
check responses
check timers                 ------ Out_V --->
Other Results based on Programmed PRFs
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
[Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

| protocol | distance fraud | man-in-the-middle attack |
|---|---|---|
| TDB Avoine-Lauradoux-Martin [ACM WiSec 2011] | √ | √ |
| Durholz-Fischlin-Kasper-Onete [ISC 2011] | √ | – |
| Hancke-Kuhn [Securecomm 2005] | √ | – |
| Avoine-Tchamkerten [ISC 2009] | √ | – |
| Reid-Nieto-Tang-Senadji [ASIACCS 2007] | √ | √ |
| Swiss-Knife Kim-Avoine-Koeune-Standaert-Pereira [ICISC 2008] | – | √ |
Known Protocols and Security Results (Without Noise)
success probability of best known attacks (θ < 1 constant)
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

| | Protocol | Distance-Fraud | MiM | Terrorist-Fraud |
|---|---|---|---|---|
| † | Brands & Chaum | (1/2)^n | (1/2)^n | 1, negl |
| † | Bussard & Bagga | 1 | (1/2)^n | 1, negl |
| † | Capkun et al. | (1/2)^n | (1/2)^n | 1, negl |
| † | Hancke & Kuhn | (3/4)^n to 1 | (3/4)^n | 1, negl |
| † | Reid et al. | (3/4)^n to 1 | 1 | (3/4)^{θn}, negl |
| † | Singelee & Preneel | (1/2)^n | (1/2)^n | 1, negl |
| † | Tu & Piramuthu | (3/4)^n | 1 | (3/4)^{θn}, negl |
| † | Munilla & Peinado | (3/4)^n | (3/5)^n | 1, negl |
| ! | Swiss-Knife | (3/4)^n | (1/2)^n to 1 | (3/4)^{θn}, negl |
| † | Kim & Avoine | (7/8)^n | (1/2)^n | 1, negl |
| † | Nikov & Vauclair | 1/k | (1/2)^n | 1, negl |
| ! | Avoine et al. | (3/4)^n to 1 | (2/3)^n to 1 | (2/3)^{θn}, negl |
| " | SKI | (3/4)^n | (2/3)^n | γ, γ′ |
| " | Fischlin & Onete | (3/4)^n | (3/4)^n | γ = γ′ |
Known Protocols and Security Results (Noise-Tolerant)
success probability of best known attacks
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

| | Protocol | Distance-Fraud | MiM | Terrorist-Fraud |
|---|---|---|---|---|
| † | Brands & Chaum | B(n,τ,1/2) | B(n,τ,1/2) | 1, negl |
| † | Bussard & Bagga | 1 | B(n,τ,1/2) | 1, negl |
| † | Capkun et al. | B(n,τ,1/2) | B(n,τ,1/2) | 1, negl |
| † | Hancke & Kuhn | B(n,τ,3/4) to 1 | B(n,τ,3/4) | 1, negl |
| † | Reid et al. | B(n,τ,3/4) to 1 | 1 | 1, negl |
| † | Singelee & Preneel | B(n,τ,1/2) | B(n,τ,1/2) | 1, negl |
| † | Tu & Piramuthu | B(n,τ,3/4) | 1 | 1, negl |
| † | Munilla & Peinado | B(n,τ,3/4) | B(n,τ,3/5) | 1, negl |
| † | Swiss-Knife | B(n,τ,3/4) | B(n,τ,1/2) to 1 | 1, negl |
| † | Kim & Avoine | B(n,τ,7/8) | B(n,τ,1/2) | 1, negl |
| † | Nikov & Vauclair | 1/k | B(n,τ,1/2) | 1, negl |
| † | Avoine et al. | B(n,τ,3/4) to 1 | B(n,τ,2/3) to 1 | 1, negl |
| " | SKI | B(n,τ,3/4) | B(n,τ,2/3) | γ, γ′ |
| " | Fischlin & Onete | B(n,τ,3/4) | B(n,τ,3/4) | γ = γ′ |
3 Provable Distance Bounding Security
Motivation
Model
The SKI Protocol
Why Provable Security?
only security arguments by best attack scenarios
many insecurities recently proven (as shown above)
many “pseudo-proofs” use incorrect arguments (e.g., sufficient PRF-ness, etc.)
DB Formalism
[Boureanu-Mitrokotsa-Vaudenay ISC 2013]
formal communication model, integrating time
formal security model and threat model based on interactive proofs
cryptographic assumptions/tools for the design/proofs
  PRF-masking
  circular-keying
  leakage scheme
The SKI Protocol
[Boureanu-Mitrokotsa-Vaudenay Lightsec 2013, BMV ISC 2013]

Verifier (secret: x)                                     Prover (secret: x)

initialization phase
                               <------ N_P ----------    pick N_P
pick a, L_µ, N_V
M = a ⊕ f_x(N_P, N_V, L_µ)     ---- M, L_µ, N_V ---->    a = M ⊕ f_x(N_P, N_V, L_µ)
x′ = L_µ(x)                                              x′ = L_µ(x)

distance bounding phase, for i = 1 to n
pick c_i ∈ {1,2,3}
start timer_i                  ------- c_i --------->
stop timer_i                   <------ r_i ----------    r_i = a_{1,i}                    if c_i = 1
                                                         r_i = a_{2,i}                    if c_i = 2
                                                         r_i = x′_i ⊕ a_{1,i} ⊕ a_{2,i}   if c_i = 3
check #{i : r_i and timer_i correct} ≥ τ
                               ------- Out_V ------->

f is a circular-keying secure PRF, L_µ(x) = (µ · x, ..., µ · x)
The SKI Protocol: F-Scheme
secret sharing scheme to prevent MiM [ALM WISEC 2011]
The SKI Protocol: Leakage Scheme
leak L(x) in the case of a terrorist fraud [BMV, ISC 2013]
The SKI Protocol: PRF Masking
P has no influence on the distribution of a [BMV LATINCRYPT 2012]
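Why the verifier-chosen mask matters, as an added simulation that is not part of the original slides: it runs the TDB response rule under the trapdoored ("programmed") PRF from the distance-fraud slide, once with a taken directly from f_x(N_P, N_V) and once with SKI-style masking M = a ⊕ f_x(...). HMAC-SHA256 standing in for f, the 64-round size, the zero-latency model for an early reply and all function names are assumptions; SKI's leakage map L_µ is left out.

```python
import hashlib
import hmac
import random

C = 299_792_458.0        # speed of light in m/s
N = 64                   # timed rounds; x is N bits long (constructed parameter)
MAX_RTT = 2 * 1.5 / C    # accept up to 1.5 m, i.e. about 10 ns round trip


def to_bits(data, count):
    return [(b >> (7 - k)) & 1 for b in data for k in range(8)][:count]


def rand_bytes(rng, length):
    return bytes(rng.getrandbits(8) for _ in range(length))


def honest_prf(x, n_p, n_v):
    """a1 || a2 = f_x(N_P, N_V); HMAC-SHA256 stands in for f (assumption)."""
    out = to_bits(hmac.new(x, n_p + n_v, hashlib.sha256).digest(), 2 * N)
    return out[:N], out[N:]


def programmed_prf(x, n_p, n_v):
    """Looks like honest_prf to anyone without x, but f_x(x, .) = x || x."""
    if n_p == x:
        return to_bits(x, N), to_bits(x, N)
    return honest_prf(x, n_p, n_v)


def answers(a1, a2, xb, i):
    """Round-i responses for c_i = 1, 2, 3 (TDB response rule)."""
    return [a1[i], a2[i], xb[i] ^ a1[i] ^ a2[i]]


def run_session(prf, masked, distance_m, cheating_prover, rng):
    """Return True if the verifier accepts (noise-free: all N rounds pass)."""
    x = rand_bytes(rng, N // 8)
    xb = to_bits(x, N)
    # Initialisation: the cheating prover picks N_P = x to hit the trapdoor.
    n_p = x if cheating_prover else rand_bytes(rng, N // 8)
    n_v = rand_bytes(rng, N // 8)
    f1, f2 = prf(x, n_p, n_v)
    if masked:
        # SKI-style masking: the verifier picks a and sends M = a XOR f_x(...).
        v1 = [rng.getrandbits(1) for _ in range(N)]
        v2 = [rng.getrandbits(1) for _ in range(N)]
        m1 = [a ^ f for a, f in zip(v1, f1)]
        m2 = [a ^ f for a, f in zip(v2, f2)]
        p1 = [m ^ f for m, f in zip(m1, f1)]   # prover recovers a = M XOR f
        p2 = [m ^ f for m, f in zip(m2, f2)]
    else:
        v1, v2, p1, p2 = f1, f2, f1, f2        # both sides use a = f_x(...)
    correct = 0
    for i in range(N):
        c = rng.choice((1, 2, 3))
        options = answers(p1, p2, xb, i)
        if cheating_prover:
            # Reply is sent before c_i arrives so that it lands in time
            # (rtt modelled as 0); the best guess is the majority answer.
            reply, rtt = int(sum(options) >= 2), 0.0
        else:
            reply, rtt = options[c - 1], 2 * distance_m / C
        expected = answers(v1, v2, xb, i)[c - 1]
        correct += int(reply == expected and rtt <= MAX_RTT)
    return correct == N


def demo(seed=2014):
    rng = random.Random(seed)
    return {
        "honest prover at 1 m": run_session(honest_prf, False, 1.0, False, rng),
        "honest prover at 100 m": run_session(honest_prf, False, 100.0, False, rng),
        "far cheater, programmed PRF, no mask": run_session(programmed_prf, False, 100.0, True, rng),
        "far cheater, programmed PRF, masked": run_session(programmed_prf, True, 100.0, True, rng),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Without the mask every candidate answer equals x_i, so the early reply is always right; with the mask each round is guessed correctly with probability 3/4, matching the (3/4)^n distance-fraud entry in the tables.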
The SKI Protocol: Circular-Keying PRF
PRF secure with a reuse of the key [BMV ISC 2013]
SKI Security
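Theorem.
If f is a circular-keying secure PRF,
there is no DF with $\Pr[\text{success}] \ge B(n,\tau,\tfrac{3}{4}) - \mathrm{negl}(s)$
there is no MiM with $\Pr[\text{success}] \ge B(n,\tau,\tfrac{2}{3}) - \mathrm{negl}(s)$
s-soundness for $\Pr[\text{success}] \ge \frac{1}{\mathrm{negl}(s)}\, B(\tfrac{n}{2},\ \tau-\tfrac{n}{2},\ \tfrac{2}{3})$
where s is the length of x and
$$B(n,\tau,\rho) = \sum_{i=\tau}^{n} \binom{n}{i}\, \rho^{i} (1-\rho)^{n-i}$$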
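The bounds in the theorem can be evaluated exactly when sizing n and τ. The following added example (not from the slides) computes B(n, τ, ρ) and searches for the smallest number of rounds that pushes the DF bound (ρ = 3/4) or the MiM bound (ρ = 2/3) below 2^-bits. The rule τ = ⌈n(1 − e)⌉ for a tolerated per-round error rate e, and all function names, are assumptions made for illustration.

```python
from fractions import Fraction
from math import comb


def binom_tail(n, tau, rho):
    """B(n, tau, rho) = sum_{i=tau}^{n} C(n, i) rho^i (1 - rho)^(n - i), exact."""
    rho = Fraction(rho)
    return sum(
        (comb(n, i) * rho**i * (1 - rho) ** (n - i)
         for i in range(max(tau, 0), n + 1)),
        Fraction(0),
    )


def threshold(n, tolerated_error):
    """tau = ceil(n * (1 - e)): how many rounds must be correct and on time."""
    need = n * (1 - Fraction(tolerated_error))
    return -(-need.numerator // need.denominator)


def min_rounds(bits, rho, tolerated_error, n_max=1000):
    """First n with B(n, tau(n), rho) <= 2^-bits.

    Because tau is rounded up, the bound is not strictly monotone in n;
    this returns the first n that meets the target.
    """
    target = Fraction(1, 2**bits)
    for n in range(1, n_max + 1):
        if binom_tail(n, threshold(n, tolerated_error), rho) <= target:
            return n
    raise ValueError("target not reached within n_max rounds")


def honest_acceptance(n, tau, p_noise):
    """Probability that an honest, close prover passes when each round is
    independently corrupted by noise with probability p_noise."""
    return binom_tail(n, tau, 1 - Fraction(p_noise))


if __name__ == "__main__":
    DF, MIM = Fraction(3, 4), Fraction(2, 3)   # rho values from the theorem
    for err in (Fraction(0), Fraction(1, 20), Fraction(1, 10)):
        n_df = min_rounds(20, DF, err)
        n_mim = min_rounds(20, MIM, err)
        n = max(n_df, n_mim)
        tau = threshold(n, err)
        ok = float(honest_acceptance(n, tau, Fraction(1, 50)))
        print(f"e={float(err):.2f}: n>={n_df} (DF), n>={n_mim} (MiM); "
              f"with n={n}, tau={tau}: honest pass rate at 2% noise = {ok:.4f}")
```

With e = 0 the tail collapses to ρ^n, which is the noise-free column of the earlier table; raising e makes honest runs more reliable but costs additional rounds for the same security level.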
Bitlength-Equivalent Security / the Number of Rounds
5 Challenges and Visions in Distance Bounding
Partial Conclusions
Where to?
Some Partial Conclusions
problems with security proofs based on PRF
problems when introducing noise-tolerance
some new, good models for DB protocols
SKI
" provably secure, noise tolerant
! non-binary challenges
! non-standard PRF
Open Problems ... or Commercial DB
make protocols efficient
tight/optimal DB security
build up public-key DB protocols
implement DB
Efficient and Optimal Protocols
make protocols efficient and security-tight
drop, e.g., TF-resistance (and DF)?
consider just MiM?
DB Implementation
one existing wired implementation
propagation delays are much shorter (ns) than processing times (ms)
some promising wireless experiments exist (e.g., ETHZ, CEA Leti, EPFL)
Mifare Plus contains a kind of distance bounding protocol
Conclusions
relays are real...
and ... we still have some way to go beyond the first provably secure DB designs