rfid security presentation
DESCRIPTION
Smartcard-based protocols represent an increasingly large share of the wireless authentication solutions market, from contactless payments to remote car unlocking. Unfortunately, relay attacks pose a significant threat to this development. However, such attacks could be mitigated through the use of distance-bounding protocols. In this talk, we will discuss the core challenges for distance-bounding, of which some have recently been overcome, whereas others still stand prominently. We will focus mostly on the security of these wireless protocols, from devastating attacks to new, secure designs. We will finish with a vision for the future of these protocols, the possible and advisable paths towards, e.g., securing contactless payments.
TRANSCRIPT
Research Topics
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland
ICB 2014 ICB Middlesex Uni, Feb. 2014 1 / 3
(automatic) verification (of security)
mobile (Android) security
composable security [secure + secure ?= (in)secure]
(provable) RFID security
crypto design
Touch and Pay: making it secure!
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland
February 19, 2014
ICB 2014 distance-bounding (DB) Middlesex Uni, Feb. 2014 1 / 45
1. Relay Attacks
2. Distance-Bounding
3. Provable Distance Bounding Security
4. Distance Bounding Security vs. Efficiency
5. Challenges and Visions in Distance Bounding
Payments, Remote Unlocking, Access-Control ...
• Keeloq for GM, Volkswagen Group, Volvo, Jaguar. ...
• TI DST
Playing against two chess grandmasters
Relaying is real...!
Attacks by Francillon, Danev, Capkun (ETHZ) against passive keyless entry and start systems used in modern cars.
10 systems tested: not one resisted!
Relaying = Stealing (your money) ...!
Idea: Measuring (Idealized) Communication ... (... at the Speed of Light)
10 ns ←→ 2 × 1.5 m (round-trip)
More Ideas: Round-Trip Time to Prevent Relay Attacks
Identification Tokens, or: Solving the Chess Grandmaster Problem [Beth-Desmedt CRYPTO 1990]
basic idea: measure the communication time exactly
the reader should verify that the proving tag is no further than some bound
later solution: use a distance-bounding (DB) protocol
2. Distance-Bounding
  DB Intro
  DB Threats
  DB Protocols (without post-authentication)
Distance-Bounding (DB) Protocols
introduced in [Brands-Chaum EUROCRYPT 1993]
[Reid et al. ASIACCS 2007]

Verifier (secret: x)                       Prover (secret: x)

initialization phase
pick NV                 --- NV --->        pick NP
a1 = fx(NP, NV)         <--- NP ---        a1 = fx(NP, NV)
a2 = a1 ⊕ x                                a2 = a1 ⊕ x

distance bounding phase, for i = 1 to n
pick ci ∈ {1,2}
start timer_i           --- ci --->
stop timer_i            <--- ri ---        ri = a1,i, if ci = 1
                                           ri = a2,i, if ci = 2
check responses
check timers            --- OutV --->
DB Threats: Mafia Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
P ←→ A ←→ V (far away)
an adversary A tries to prove that a prover P is close to a verifier V
generalised/strengthened relaying
“DB-specialised” man-in-the-middle attack
DB Threats: Distance Fraud
P∗ ←→ V (far away)
a malicious, far-away prover P∗ tries to prove that he is close to a verifier V
liability and non-repudiation issues
DB Threats: Terrorist Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
P∗ ←→ A ←→ V (far away)
a malicious prover P∗ helps an adversary A to prove that P∗ is close to a verifier V, without giving A another advantage
advantage: leaking the secret key
“gain privileges just once”
the toughest fraud to protect against, especially in presence of noise
The Reid et al. Protocol
Detecting Relay Attacks with Timing-based Protocols [Reid-Nieto-Tang-Senadji ASIACCS 2007]

Verifier (secret: x)                       Prover (secret: x)

initialization phase
pick NV                 --- NV --->        pick NP
a1 = fx(NP, NV)         <--- NP ---        a1 = fx(NP, NV)
a2 = a1 ⊕ x                                a2 = a1 ⊕ x

distance bounding phase, for i = 1 to n
pick ci ∈ {1,2}
start timer_i           --- ci --->
stop timer_i            <--- ri ---        ri = a(ci),i
check responses
check timers            --- OutV --->

protects against TF
BUT... this and its extensions vulnerable to MF/MiM [Bay, Boureanu et al. INSCRYPT 2012]
The TDB Protocol
How Secret-Sharing can Defeat Terrorist Fraud [Avoine-Lauradoux-Martin ACM WiSec 2011]

Verifier (secret: x)                       Prover (secret: x)

initialization phase
pick NV                 <--- NP ---        pick NP
a1∥a2 = fx(NP, NV)      --- NV --->        a1∥a2 = fx(NP, NV)

distance bounding phase, for i = 1 to n
pick ci ∈ {1,2,3}
start timer_i           --- ci --->
stop timer_i            <--- ri ---        ri = a1,i              if ci = 1
                                           ri = a2,i              if ci = 2
                                           ri = xi ⊕ a1,i ⊕ a2,i  if ci = 3
check responses
check timers            --- OutV --->
Distance Fraud with a Programmed PRF against the TDB Protocol
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
PRF programming [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

Verifier (secret: x)                       Malicious Prover (secret: x)

initialization phase
                        <--- NP ---        pick NP = x
pick NV                 --- NV --->
a1∥a2 = fx(NP, NV)                         a1∥a2 = fx(NP, NV)
                        a1 = a2 = x

distance bounding phase, for i = 1 to n
pick ci ∈ {1,2,3}
start timer_i           --- ci --->        ri = xi
stop timer_i            <--- ri ---
check responses
check timers            --- OutV --->
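Why the programmed PRF breaks TDB, and why letting the verifier choose a (the PRF masking used by SKI later in the talk) removes the problem, as an added example that is not code from the talk. The HMAC-based `prf`, the 16-bit toy key, the sample values and all function names are assumptions, and the masking step is simplified (SKI's PRF also takes Lµ as input).

```python
import hashlib
import hmac

N = 16  # rounds; the toy key x has N bits so that x_i exists for every round

def prf(key_bits, np_bits, nv):
    """HMAC-SHA256 truncated to 2N bits: an ordinary PRF (stand-in)."""
    d = hmac.new(bytes(key_bits), bytes(np_bits) + nv, hashlib.sha256).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(2 * N)]

def programmed_prf(key_bits, np_bits, nv):
    """Same PRF with a programmed input: on NP = x it outputs x || x.
    Only someone who already holds the key can trigger this branch."""
    if np_bits == key_bits:
        return key_bits + key_bits
    return prf(key_bits, np_bits, nv)

def tdb_answers(a, x, i):
    """TDB answers in round i for the challenges c = 1, 2, 3."""
    a1, a2 = a[i], a[N + i]
    return (a1, a2, x[i] ^ a1 ^ a2)

def predictable_rounds(a, x):
    """Rounds whose answer is identical for every challenge, i.e. rounds a
    far-away prover can answer before the challenge reaches it."""
    return sum(len(set(tdb_answers(a, x, i))) == 1 for i in range(N))

def tdb_a(f, x, np_bits, nv):
    """TDB initialization: a1 || a2 = f_x(NP, NV), with NP chosen by the prover."""
    return f(x, np_bits, nv)

def masked_a(f, x, np_bits, nv, a_verifier):
    """PRF masking: the verifier picks a and sends M = a xor f_x(...);
    the prover recovers a = M xor f_x(...)."""
    fx = f(x, np_bits, nv)
    m = [ai ^ fi for ai, fi in zip(a_verifier, fx)]   # sent by the verifier
    return [mi ^ fi for mi, fi in zip(m, fx)]         # recovered by the prover

# Constructed sample values (not from the talk).
X = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0]
HONEST_NP = [0, 1] * 8
NV = b"constructed-NV"
A_VERIFIER = [0] * N + [1] * N

if __name__ == "__main__":
    print("TDB, NP = x      :", predictable_rounds(tdb_a(programmed_prf, X, X, NV), X))
    print("TDB, honest NP   :", predictable_rounds(tdb_a(programmed_prf, X, HONEST_NP, NV), X))
    print("masked a, NP = x :", predictable_rounds(masked_a(programmed_prf, X, X, NV, A_VERIFIER), X))
```

With NP = x every round is predictable, which is the distance fraud on the slide; with masking, a is whatever the verifier picked, whatever f does.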
Other Results based on Programmed PRFs
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

protocol                                                     | distance fraud | man-in-the-middle attack
TDB Avoine-Lauradoux-Martin [ACM WiSec 2011]                 | √              | √
Durholz-Fischlin-Kasper-Onete [ISC 2011]                     | √              | -
Hancke-Kuhn [Securecomm 2005]                                | √              | -
Avoine-Tchamkerten [ISC 2009]                                | √              | -
Reid-Nieto-Tang-Senadji [ASIACCS 2007]                       | √              | √
Swiss-Knife Kim-Avoine-Koeune-Standaert-Pereira [ICISC 2008] | -              | √
Known Protocols and Security Results (Without Noise)
success probability of best known attacks (θ < 1 constant)
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

  Protocol           | Distance-Fraud | MiM            | Terrorist-Fraud
† Brands & Chaum     | (1/2)^n        | (1/2)^n        | 1, negl
† Bussard & Bagga    | 1              | (1/2)^n        | 1, negl
† Capkun et al.      | (1/2)^n        | (1/2)^n        | 1, negl
† Hancke & Kuhn      | (3/4)^n to 1   | (3/4)^n        | 1, negl
† Reid et al.        | (3/4)^n to 1   | 1              | (3/4)^(θn), negl
† Singelee & Preneel | (1/2)^n        | (1/2)^n        | 1, negl
† Tu & Piramuthu     | (3/4)^n        | 1              | (3/4)^(θn), negl
† Munilla & Peinado  | (3/4)^n        | (3/5)^n        | 1, negl
! Swiss-Knife        | (3/4)^n        | (1/2)^n to 1   | (3/4)^(θn), negl
† Kim & Avoine       | (7/8)^n        | (1/2)^n        | 1, negl
† Nikov & Vauclair   | 1/k            | (1/2)^n        | 1, negl
! Avoine et al.      | (3/4)^n to 1   | (2/3)^n to 1   | (2/3)^(θn), negl
" SKI                | (3/4)^n        | (2/3)^n        | γ, γ′
" Fischlin & Onete   | (3/4)^n        | (3/4)^n        | γ = γ′
Known Protocols and Security Results (Noise-Tolerant)
success probability of best known attacks
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]

  Protocol           | Distance-Fraud     | MiM                | Terrorist-Fraud
† Brands & Chaum     | B(n,τ,1/2)         | B(n,τ,1/2)         | 1, negl
† Bussard & Bagga    | 1                  | B(n,τ,1/2)         | 1, negl
† Capkun et al.      | B(n,τ,1/2)         | B(n,τ,1/2)         | 1, negl
† Hancke & Kuhn      | B(n,τ,3/4) to 1    | B(n,τ,3/4)         | 1, negl
† Reid et al.        | B(n,τ,3/4) to 1    | 1                  | 1, negl
† Singelee & Preneel | B(n,τ,1/2)         | B(n,τ,1/2)         | 1, negl
† Tu & Piramuthu     | B(n,τ,3/4)         | 1                  | 1, negl
† Munilla & Peinado  | B(n,τ,3/4)         | B(n,τ,3/5)         | 1, negl
† Swiss-Knife        | B(n,τ,3/4)         | B(n,τ,1/2) to 1    | 1, negl
† Kim & Avoine       | B(n,τ,7/8)         | B(n,τ,1/2)         | 1, negl
† Nikov & Vauclair   | 1/k                | B(n,τ,1/2)         | 1, negl
† Avoine et al.      | B(n,τ,3/4) to 1    | B(n,τ,2/3) to 1    | 1, negl
" SKI                | B(n,τ,3/4)         | B(n,τ,2/3)         | γ, γ′
" Fischlin & Onete   | B(n,τ,3/4)         | B(n,τ,3/4)         | γ = γ′
3. Provable Distance Bounding Security
  Motivation
  Model
  The SKI Protocol
Why Provable Security?
only security arguments by best attack scenarios
many insecurities recently proven (as shown above)
many “pseudo-proofs” use incorrect arguments (e.g., sufficient PRF-ness, etc.)
DB Formalism [Boureanu-Mitrokotsa-Vaudenay ISC 2013]
formal communication model, integrating time
formal security model and threat model based on interactive proofs
cryptographic assumptions/tools for the design/proofs
  PRF-masking
  circular-keying
  leakage scheme
The SKI Protocol [Boureanu-Mitrokotsa-Vaudenay Lightsec 2013, BMV ISC 2013]

Verifier (secret: x)                            Prover (secret: x)

initialization phase
                          <--- NP ---           pick NP
pick a, Lµ, NV            --- M, Lµ, NV --->
M = a ⊕ fx(NP, NV, Lµ)                          a = M ⊕ fx(NP, NV, Lµ)
x′ = Lµ(x)                                      x′ = Lµ(x)

distance bounding phase, for i = 1 to n
pick ci ∈ {1,2,3}
start timer_i             --- ci --->
stop timer_i              <--- ri ---           ri = a1,i               if ci = 1
                                                ri = a2,i               if ci = 2
                                                ri = x′i ⊕ a1,i ⊕ a2,i  if ci = 3
check #{i : ri and timer_i correct} ≥ τ
                          --- OutV --->

f is a circular-keying secure PRF, Lµ(x) = (µ · x, ..., µ · x)
The SKI Protocol: F-Scheme
secret sharing scheme to prevent MiM [ALM WISEC 2011]
The SKI Protocol: Leakage Scheme
leak L(x) in the case of a terrorist fraud [BMV, ISC 2013]
The SKI Protocol: PRF Masking
P has no influence on the distribution of a [BMV LATINCRYPT 2012]
The SKI Protocol: Circular-Keying PRF
PRF secure with a reuse of the key [BMV ISC 2013]
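One SKI session with both sides' messages and the verifier's final check, as an added example that is not code from the talk or from the SKI authors. HMAC-SHA512 stands in for the circular-keying secure PRF f, the values n = 128, τ = 112 and s = 128, the layout a = a1∥a2, the idealised timing model (zero processing time, extra signal path standing for a relay) and all names are assumptions.

```python
import hashlib
import hmac
import random
import secrets

N, TAU, S = 128, 112, 128   # rounds n, threshold tau, key bits s (assumed values)
C_M_PER_NS = 0.2998         # speed of light in metres per nanosecond
MAX_RTT_NS = 10.0           # slide: 10 ns <-> 2 x 1.5 m round trip

def prf(key: bytes, *parts: bytes) -> list:
    """HMAC-SHA512 truncated to 2n bits: a stand-in for f_x (assumption)."""
    d = hmac.new(key, b"|".join(parts), hashlib.sha512).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(2 * N)]

def leak_bit(mu: int, x: int) -> int:
    """mu . x over GF(2); L_mu(x) repeats this bit n times."""
    return bin(mu & x).count("1") & 1

def response(c: int, a1: int, a2: int, xp: int) -> int:
    """F-scheme: a1 if c = 1, a2 if c = 2, x' xor a1 xor a2 if c = 3."""
    return a1 if c == 1 else a2 if c == 2 else xp ^ a1 ^ a2

def to_bytes(v: int) -> bytes:
    return v.to_bytes(S // 8, "big")

class Prover:
    def __init__(self, x: int):
        self.x = x

    def start(self) -> bytes:
        self.np = secrets.token_bytes(16)              # N_P
        return self.np

    def setup(self, m, mu, nv):
        f = prf(to_bytes(self.x), self.np, nv, to_bytes(mu))
        self.a = [mi ^ fi for mi, fi in zip(m, f)]     # a = M xor f_x(NP, NV, L_mu)
        self.xp = leak_bit(mu, self.x)                 # x'_i, the same for all i

    def answer(self, i: int, c: int) -> int:
        return response(c, self.a[i], self.a[N + i], self.xp)

def verify(x: int, prover: Prover, distance_m: float, noise: float = 0.0) -> bool:
    """Run one session; distance_m is the one-way signal path, relay hop included."""
    np_ = prover.start()
    a = [secrets.randbits(1) for _ in range(2 * N)]
    mu, nv = secrets.randbits(S), secrets.token_bytes(16)
    f = prf(to_bytes(x), np_, nv, to_bytes(mu))
    prover.setup([ai ^ fi for ai, fi in zip(a, f)], mu, nv)   # send M, L_mu, NV
    xp = leak_bit(mu, x)
    rtt_ns = 2 * distance_m / C_M_PER_NS       # idealised: zero processing time
    good = 0
    for i in range(N):
        c = secrets.choice((1, 2, 3))
        r = prover.answer(i, c)
        if random.random() < noise:            # the channel flips the response bit
            r ^= 1
        if r == response(c, a[i], a[N + i], xp) and rtt_ns <= MAX_RTT_NS:
            good += 1
    return good >= TAU                         # Out_V

if __name__ == "__main__":
    key = secrets.randbits(S)
    print("near, noisy :", verify(key, Prover(key), 1.0, noise=0.02))
    print("relayed 30 m:", verify(key, Prover(key), 30.0))
```

The honest nearby prover passes despite a few flipped bits because the verifier only requires τ good rounds; the relayed session has correct bits in every round but fails every timer.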
SKI Security
Theorem.
If f is a circular-keying secure PRF,
there is no DF with Pr[success] ≥ B(n, τ, 3/4) − negl(s)
there is no MiM with Pr[success] ≥ B(n, τ, 2/3) − negl(s)
s-soundness for Pr[success] ≥ (1/negl(s)) · B(n/2, τ − n/2, 2/3)
where s is the length of x and
$B(n,\tau,\rho) = \sum_{i=\tau}^{n} \binom{n}{i} \rho^{i} (1-\rho)^{n-i}$
Bitlength-Equivalent Security / the Number of Rounds
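The B(n, τ, ρ) bounds of the SKI Security theorem turned into a round count, as an added example that is not from the talk. It ignores the negl(s) terms, and the noise rate, false-reject target and function names are assumptions chosen for illustration.

```python
from math import comb

def B(n: int, tau: int, rho: float) -> float:
    """B(n, tau, rho): probability of at least tau successes in n independent
    rounds that each succeed with probability rho."""
    return sum(comb(n, i) * rho**i * (1 - rho)**(n - i) for i in range(tau, n + 1))

def largest_tau(n: int, p_noise: float, max_false_reject: float) -> int:
    """Largest threshold that an honest prover, whose rounds are each corrupted
    with probability p_noise, misses with probability <= max_false_reject."""
    for tau in range(n, 0, -1):
        if 1 - B(n, tau, 1 - p_noise) <= max_false_reject:
            return tau
    return 0

def min_rounds(sec_bits: int, p_noise: float, max_false_reject: float, n_max: int = 512):
    """Smallest n, with its threshold tau, for which both SKI bounds
    B(n, tau, 3/4) (distance fraud) and B(n, tau, 2/3) (MiM) are <= 2^-sec_bits."""
    target = 2.0 ** -sec_bits
    for n in range(1, n_max + 1):
        tau = largest_tau(n, p_noise, max_false_reject)
        if max(B(n, tau, 3 / 4), B(n, tau, 2 / 3)) <= target:
            return n, tau
    return None

if __name__ == "__main__":
    # Noiseless channel: tau = n, and the bound is simply (3/4)^n.
    print("20-bit security, no noise :", min_rounds(20, 0.0, 0.01))
    # 5% bit errors, honest prover rejected at most 1% of the time (assumed targets).
    print("20-bit security, 5% noise :", min_rounds(20, 0.05, 0.01))
```

Noise tolerance is paid for in rounds: lowering τ so that honest provers pass also raises the adversary's B(n, τ, ρ), so n has to grow to compensate.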
5. Challenges and Visions in Distance Bounding
  Partial Conclusions
  Where to?
Some Partial Conclusions
problems with security proofs based on PRF
problems when introducing noise-tolerance
some new, good models for DB protocols
SKI
  " provably secure, noise tolerant
  ! non-binary challenges
  ! non-standard PRF
Open Problems ... or Commercial DB
make protocols efficient
tight/optimal DB security
build up public-key DB protocols
implement DB
Efficient and Optimal Protocols
make protocols efficient and security-tight
drop, e.g., TF-resistance (and DF)?
consider just MiM?
DB Implementation
one existing wired implementation
propagation delays are much shorter (ns) than processing times (ms)
some promising wireless experiments exist (e.g., ETHZ, CEA Leti, EPFL)
Mifare Plus contains a kind of distance bounding protocol
Conclusions
relays are real...
and ... we still have some way to go beyond the first provably secure DB designs