On the Need for Provably Secure Distance Bounding

Transcription

1 On the Need for Provably Secure Distance Bounding Ioane Boureanu Ecole Polytechnique Fédérale de Lausanne (EPFL) ESC2013

2 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?

3 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?

4 Message Generic Many formal and informal security results on distance-bounding (DB) are flawed. Specific The PRF assumption does NOT protect against distance fraud or MiM! PK-techniques are NOT enough against terrorist fraud! Certain instances of symmetric encryption schemes used inside DB lead to MiM attacks!

5 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?

6 Distance-Bounding Distance-Bounding (DB) Protocols DB Essentials introduced by Brands and Chaum in [2] cryptographically enhanced verification of an upper-bound distance between a prover tag P and a verifier reader V (i.e., attempting to detect delays and other frauds in the prover s responses) implemented versions of DB protocols have only proven to be efficient in preventing relay attacks [3].

7 Distance-Bounding Distance-Bounding (DB) Protocols Why do we care then? see secure remote unlocking (e.g., [5]) distance-bounding protocols should be designed to resist against more generic attacks and formal models and proofs have some shortfalls!

8 Distance-Bounding Distance-Bounding (DB) Protocols Why do we care then? see secure remote unlocking (e.g., [5]) distance-bounding protocols should be designed to resist against more generic attacks and formal models and proofs have some shortfalls!

9 Distance-Bounding Distance-Bounding (DB) Protocols An Idea of Most DB (generalising, e.g., [7, 6]) Verifier V shared secret x Prover P shared secret x Initialisation phase messages V messages P a := f x (messages P, messages V ) Distance-bounding phase for i = 1 to n Start Clock c i r i := F(c i, a i, x i ) Stop Clock r i

10 Distance-Bounding Distance-Bounding (DB) Protocols DB relies on a cryptographic exchange, part of which is timed; the round-trip-time is then used to estimate the distance between P and V DB is not a service for secure location (i.e., the verifier/reader is not assisted by base stations in his decisions) DB should be a secure proximity-identification service, using time-of-flight (ToF) measurements

11 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?

12 Attacks Distance Fraud: P V }{{} far away Distance-Bounding Protocols (Extended Abstract). [Brands and Chaum, EUROCRYPT93] the prover is dishonest and far-away, but tries to convince the verifier that he s close [2]

13 Attacks Mafia Fraud: P A V }{{} far away Major Security Problems with the Unforgeable (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] an intruder exploits an honest prover and an honest verifier to show that the latter is close to the former, when this is not the case;

14 Attacks MiM Attack: P A V }{{} far away MiM intruder, in presence of possibly several provers and several verifiers, tries to mount an attack in which he gains the privileges of one of the provers

15 Attacks Terrorist Fraud P A V }{{} far away Major Security Problems with the Unforgeable (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] a corrupted/coerced prover collaborates with an attacker to prove that the former is close to a far-away verifier the terrorist would not disclose his secret key

16 Other Attacks Distance Highjacking Fraud Distance Hijacking Attacks on Distance Bounding Protocols [Cremers-Rasmussen-Čapkun IEEE S&P 2012] a mixture of distance fraud and terrorist fraud a far-away dishonest prover is abusing several provers who are close to a verifier V in order to prove that he is close to V

17 Other Attacks Distance Highjacking Fraud Distance Hijacking Attacks on Distance Bounding Protocols [Cremers-Rasmussen-Čapkun IEEE S&P 2012] a mixture of distance fraud and terrorist fraud a far-away dishonest prover is abusing several provers who are close to a verifier V in order to prove that he is close to V Impersonation Fraud A Formal Approach to Distance Bounding RFID Protocols [Dürholz-Fischlin-Kasper-Onete ISC 2011] one corrupted prover tries to pass as another prover

18 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?

19 DB Instability most of the (in)security results = attack strategies, NOT security proofs in security models some security models [4] contain incorrect proofs/arguments:! replacing a PRF by a random function at a place where the adversary has access to the PRF key or at a place where the PRF key is simultaneously used at other places in the protocol other problems (e.g., PK not enough to deter TF & symm. encryptions used inside may lead to MiM attacks )

20 DB Instability most of the (in)security results = attack strategies, NOT security proofs in security models some security models [4] contain incorrect proofs/arguments:! replacing a PRF by a random function at a place where the adversary has access to the PRF key or at a place where the PRF key is simultaneously used at other places in the protocol other problems (e.g., PK not enough to deter TF & symm. encryptions used inside may lead to MiM attacks )

21 DB Instability most of the (in)security results = attack strategies, NOT security proofs in security models some security models [4] contain incorrect proofs/arguments:! replacing a PRF by a random function at a place where the adversary has access to the PRF key or at a place where the PRF key is simultaneously used at other places in the protocol other problems (e.g., PK not enough to deter TF & symm. encryptions used inside may lead to MiM attacks )

22 PRF (unfortunate) choices Trapdoor PRFs in DB Idea out of a PRF G, construct another PRF F with f (trapdoor)=special_value for f F

23 PRF (unfortunate) choices Trapdoor PRFs in DB Idea to prove the PRF assumption is not enough for DB On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] out of a PRF G, construct another PRF F with f (trapdoor)=special_value for f F

24 PRF (unfortunate) choices Trapdoor PRFs in DB Idea to prove the PRF assumption is not enough for DB On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] out of a PRF G, construct another PRF F with f (trapdoor)=special_value for f F Result distance-frauds exhibited on several DB protocols mafia-frauds exhibited on several DB protocols

25 PRF (unfortunate) choices Trapdoor PRFs in DB Idea to prove the PRF assumption is not enough for DB On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] out of a PRF G, construct another PRF F with f (trapdoor)=special_value for f F Formal Intuition Result f k (x) = { σ(k, x), if x correctpad(k) g k (x), otherwise. distance-frauds exhibited on several DB protocols mafia-frauds exhibited on several DB protocols

26 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks Example: The TDB [1] Protocol Verifier V MiM attack Prover P shared key s G m shared key s G m Initialisation phase N V {0, 1} m N P NP {0, 1} m N V DF attack For j = 1,..., m For j = 1,..., m For i = 1,..., n For j = 1,..., m compute r i,j based on f s(n P, N V ) compute r i,j based on f s(n P, N V ) Distance-bounding phase for i = 1 to m Pick c i [1, n] Start Clock c i r ci,i Stop Clock verify the responses and that t i 2 t max Out V (...)

27 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks Frequent Instance of TDB n = k = 3, G = F 2 the 3 m response-matrix of the form: r 1,1 r 1,m R 1 = r 2,1... r2,m s 1 r 1,1 r 2,1 s m r 1,m r 2,m

28 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks DF Attack on TDB Let g be a PRF from {0, 1} 2m to itself. Take the PRF f as follows: { s s, f s (N P, N V ) = g s (N P, N V ), if N P = s otherwise Let P choose N P =s the R 1 matrix has all its rows equal to s for all c i the response will be the i-th bit of the secret key s P can win a DF!!! the PRF assumption is not enough for the security of the TDB protocols against DF! TDB

29 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks MiM Attack on TDB Let a g s (N P, N V ) = (α, β, γ) be PRF instance. I Let f be as follows: (α, β, γ, β g s(α)), f s(n P, N V ) = s s, if N V is not of the form α (g s(α) lsb m (s)) 2 and (α, β, γ) = g s(n P, N V ) if N V = α (g s(α) lsb m (s)), 2 for some α (cnf. to previous notations, r 1 = (α, β) and r 2 = (γ, β g s (α))) TDB

30 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks MiM Attack on TDB STEP 1: the attacker A impersonates first V to P A sends an arbitrary N V, so P calculates some subsecret vectors (α, β, γ, ψ ) for (α, β, γ, β g s (α)) A sends many challenges equal to 1, c i = 1, e.g., for i {1,..., m 2 } A gets the first half of the first subsecret-vector r 1 =(α, β), i.e., A obtains α A sends P many challenges equal to 3, some c i = 3 responses to the latest challenges are equal to r 1 +r 2 +s = (α, β) (γ, β g s (α)) s = (α γ, g s (α)) s A knows g s (α) lsb m (s) 2 A can form N V = α (g s(α) lsb m (s)) 2 TDB II

31 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks MiM Attack on TDB STEP 2: the attacker A impersonates again V to P A makes this new session N V equal to N V above injecting any challenges to the prover, A knows (due to the built-in PRF) that P s responses are the bits of s A will eventually learn the whole of the secret key and he will be subsequently able to impersonate this prover in any circumstance.!! the PRF assumption is not enough for the security of the TDB protocols against MiM! III TDB

32 PRF (unfortunate) choices Other Results based on Programmed PRFs On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] protocol distance fraud man-in-the-middle attack TDB Avoine-Lauradoux-Martin [ACM WiSec 2011] Dürholz-Fischlin-Kasper-Onete [ISC 2011] Hancke-Kuhn [Securecomm 2005] Avoine-Tchamkerten [ISC 2009] Reid-Nieto-Tang-Senadji [ASIACCS 2007] Swiss-Knife Kim-Avoine-Koeune- Standaert-Pereira [ICISC 2008]

33 Unnecessary PK & Unfortunate Encryption Choices The Bussard-Bagga (BB) Protocols [Bussard-Bagga IFIP SEC 2005] Verifier public key: y Prover secret key: x z k,ze initialization phase pick k, v, v, e = Enc k (x), e = (ux k) mod p 1 z k,i = commit(k i, v i ) z e,i = commit(e i, v i ) where commit(b, v) = g b h v mod p with g, h of Z p and z = comm((k + e) mod (p 1), v); z = i (z k,i z e,i ) 2i 1, v = i (v i + v i )2i 1 pick c i start clock stop clock check openable commitments check timers c i r i ri = distance bounding phase for i = 1 to n { ki if c i = 0 e i if c i = 1 termination { phase γ vi if c γ i = i = 0 v i if c i = 1 PoK(x)... Out V

34 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above

35 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above

36 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above

37 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above

38 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above

39 Unnecessary PK & Unfortunate Encryption Choices A Terrorist-Fraud Attack on BB [BBMSV, Inscrypt 2012] Verifier V Adversary A Prover P Initialization phase A guesses the future value c 1 and compute the commitments: set z k,i := commit(k i, v i ), z e,i := commit(e i, v i ) for all i > 1 set z k,1 := commit(k 1, v i ) if c 1 = 0 (z e,1 is a free variable) set z e,1 := commit(e 1, v i ) if c 1 = 1 (z k,1 is a free variable) solve z = i (z k,i z e,i ) 2i 1 in the remaining free variable for i = 1 to m z := i (z k,i z e,i ) 2i 1 z k,i,z e,i Distance-bounding phase for i = 1 to m c if i i = 1 and c1 incorrect, abort { r i k ri := i if c i = 0 e i if c i = 1 Commitment opening phase for { i = 1 to m γ i γi := v i if c i = 0 v i if c i = 1 z z = g ux h v mod p Proof of knowledge phase PoK verify z prove x, v for z

40 Unnecessary PK & Unfortunate Encryption Choices TF on BB (Cont d) it succeeds with prob. 1 2 (or even 1 if the verifier allows an error in the first round) the proof-of-knowledge is zero-knowledge and x is not used anywhere else the adversary learns no information about x it is a valid terrorist fraud it can be transformed in a DF P can take k i = e i, i = 2,..., m if x is even, P can select k = e = x 2 and u = 1 and we have r i = k i = e i for every i. if x is odd, P can select k = x 1 2, e = x+1 2, and u = 1 so that r i = k i = e i for i 2.

41 Unnecessary PK & Unfortunate Encryption Choices MiM Attacks on Bussard-Bagga s Children The Bussard-Bagga and Other Distance-Bounding Protocols under Man-in-the-Middle Attacks [Bay-Boureanu-Mitrokotsa-Spulber-Vaudenay Inscrypt 2012] MiM attacks, exploiting the different instantiations of the symmetric encryption inside Bussard-Bagga s followers, e.g., in Reid et al. later

42 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?

43 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)

44 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)

45 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)

46 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)

47 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)

48 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)

49 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack

50 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack

51 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack

52 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack

53 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack

54 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack

55 Problem 3: Crypto Assumptions to Make Proofs Correct PRF masking: a bitstring a is chosen by the verifier and sent encrypted using the PRF [M = a PRF x ( )] circular keying: if A makes a query (y i, a i, b i ), the oracle answers (a i x ) + (b i f x (y i )) A cannot distinguish if x = x or x and x are independent caveat: for all c 1,..., c q s.t. c 1 b c q b q = 0, we must have c 1 a c q a q = 0

56 Problem 3: Crypto Assumptions to Make Proofs Correct PRF masking: a bitstring a is chosen by the verifier and sent encrypted using the PRF [M = a PRF x ( )] circular keying: if A makes a query (y i, a i, b i ), the oracle answers (a i x ) + (b i f x (y i )) A cannot distinguish if x = x or x and x are independent caveat: for all c 1,..., c q s.t. c 1 b c q b q = 0, we must have c 1 a c q a q = 0

57 The SKI Protocol Verifier secret: x Prover secret: x initialization phase N P pick NP M,N pick M, N V V a 1 a 2 = M f x (N P, N V ) a 1 a 2 = M f x (N P, N V ) pick c i {1, 2, 3} start clock stop clock check τ responses check timers f is a circular-keying secure PRF distance bounding phase for i = 1 to n c i r i ri = Out V a 1,i if c i = 1 a 2,i if c i = 2 x i a 1,i a 2,i if c i = 3

58 SKI Security Theorem If f is a circular-keying secure PRF and V requires at least τ correct rounds, there is no DF with Pr[success] B(n, τ, 3 4 ) there is no MiM with Pr[success] B(n, τ, 2 3 ) for all CF such that Pr[CF succeeds] p there is an assosiated MiM such that p Pr[MiM(View A ) succeeds CF succeeds] B(n, τ, ρ) = n ( n i i=τ ) ρ i (1 ρ) n i ( 1+ 1 p ) 2

59 SKI Security Theorem If f is a circular-keying secure PRF and V requires at least τ correct rounds, there is no DF with Pr[success] B(n, τ, 3 4 ) there is no MiM with Pr[success] B(n, τ, 2 3 ) for all CF such that Pr[CF succeeds] p there is an assosiated MiM such that p Pr[MiM(View A ) succeeds CF succeeds] B(n, τ, ρ) = n ( n i i=τ ) ρ i (1 ρ) n i ( 1+ 1 p ) 2

60 SKI Security Theorem If f is a circular-keying secure PRF and V requires at least τ correct rounds, there is no DF with Pr[success] B(n, τ, 3 4 ) there is no MiM with Pr[success] B(n, τ, 2 3 ) for all CF such that Pr[CF succeeds] p there is an assosiated MiM such that p Pr[MiM(View A ) succeeds CF succeeds] B(n, τ, ρ) = n ( n i i=τ ) ρ i (1 ρ) n i ( 1+ 1 p ) 2

61 Conclusion several proposed protocols from the literature are insecure several security proofs from the literature are incorrect SKI offers provable security

62 Conclusion several proposed protocols from the literature are insecure several security proofs from the literature are incorrect SKI offers provable security

63 Conclusion several proposed protocols from the literature are insecure several security proofs from the literature are incorrect SKI offers provable security

64 Thank you!

65 A Generic MiM Attack [7, 6] Non-Narrow DB Attacker Verifier V Adversary A Prover P shared key x Initialisation phase shared key x flaws V and P establish the session key a a := f x(c, N V, N P ) a := f x(c, N V, N P ) Distance bounding phase for i = 1 to m I Pick c i U {0, 1} Start Clock Stop Clock verify responses, check t i 2 t max i i,..., m c i r i to c i Out V (...) c i =c i δ i r i to c i Out V (...)

66 A Generic MiM Attack [7, 6] Non-Narrow DB Attacker this non-narrow attacker A can find the jth bit of the key x, i.e., : x j = r j r j Out V II depending on the protocol, this A can be more or less succesful

67 A Generic MiM Attack [7, 6] Reid et al. Encryption Failure DBPK enc Reid s. consider E k (x) = x k mod n in Reid et al., with x Z n, k U Z n, n fixed with m bits (i.e., e = x k mod n) e = x k + cn, (1) where c = 1 k>x For e 0 = lsb(e), we have { x 0 k 0, if x k, e 0 = x 0 k 0 n 0, if x < k. or, e 0 = x 0 k 0 c n 0.

68 A Generic MiM Attack [7, 6] Ex.: n odd, lsb(x) I n 0 = 1 (2) e 0 = x 0 k 0 c where c = 1 k>x MiM attack (x + 1) p = Pr[c = 1] = Pr[k > x] = 1 n x > n/2 most of c s are 0 x 0 is the majority of the obtained e 0 k 0 A tries N sessions, i.e.,: Bit i = e 0 k 0 = x 0 c i, i {1,..., N}, A uses a majority function to find x 0 such as { x 0, if x > n Majority(Bit 1,..., Bit N ) 2, n

69 A Generic MiM Attack [7, 6] Ex.: n odd, lsb(x) II MiM attack so, Pr[Bit i = x 0 1 x<n/2 ] = 1/2 + p 1/2. so, by the Chernoff bound bound, Pr [ Maj(Bit 1,..., Bit N ) = x 0 1 x<n/2 ] 1 e 2N(p 1/2) 2. take N (1/2 (x + 1)/n) 2 to deduce x 0 by the guess 1 x<n/2.

70 A Generic MiM Attack [7, 6] MiM Attacks on DB Cont d the other cases for the attack for other encryption functions are similar! other protocols can be attacked in this fashion MiM attack!! secure encryption functions may not be enough for the security of the DB protocols against MiM!

71 The Reid et al. Protocol MiM attack Verifier secret: x pick N V k = f x (P V N V N P ) e = Enc k (x) Prover secret: x initialization phase V,N V pick NP P,N P k = fx (P V N V N P ) e = Enc k (x) pick c i start clock stop clock check responses check timers distance bounding phase for i = 1 to n c i r i ri = Out V { ki if c i = 0 e i if c i = 1

72 PRFs D O : Black-Box Oracle Queries to Distinguish Let F be a family of functions from D R, b be a bit. 1: Parameters: sec. param. s; poly; a ppt. alg. D; l := l(s), L := L(s), l, L > 1; D = {0, 1} l, R = {0, 1} L ; 2: view D := 3: while (no special end-query) 4: x D(view D ; r D ); x D 5: y O(x); y R 6: view D := view D {y} 7: end while trapdoor PRFs

73 PRFs The PRF Game PRF b F,D 1: Parameters: sec. param. s; l := l(s), L := L(s), l, L > 1; D = {0, 1} l, R = {0, 1} L ; a family F := F(s) of fct. in D R ; a ppt. alg. D, a bit b. 2: f 0 U [D R] // pick a random function from D to R 3: f 1 U F //sample a function from the family 4: b D O f b 5: return b trapdoor PRFs

74 PRFs The PRF assumption Consider the parameters before. We say that the family F is a PRF or that the family F respects the PRF assumption if for any ppt. algorithm D, Pr[Out(PRF F,D 0 ) = 1] Pr[Out(PRF F,D) 1 = 1] < negl(s), where negl is a function over natural numbers eventually lower than the inverse of any polynomial and the probability is taken over the random coins of D. trapdoor PRFs

75 G. Avoine, C. Lauradoux, and B. Martin. How Secret-sharing can Defeat Terrorist Fraud. In Proceedings of the 4th ACM Conference on Wireless Network Security WiSec 11, Hamburg, Germany, June ACM, ACM Press. S. Brands and D. Chaum. Distance-Bounding Protocols (Extended Abstract). In Proceedings of EUROCRYPT 93, pages , Lofthus, Norway, May S. Drimer and S. J. Murdoch. Keep your enemies close: distance bounding against smartcard relay attacks. In Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, pages 7:1 7:16, Berkeley, CA, USA, USENIX Association. U. Dürholz, M. Fischlin, M. Kasper, and C. Onete.

76 A Formal Approach to Distance Bounding RFID Protocols. In Proceedings of the 14 th Information Security Conference ISC 2011, LNCS, pages SPRINGER, Ford. Safe and Secure SecuriCode TM Keyless Entry J. Reid, J. M. Gonzalez Nieto, T. Tang, and B. Senadji. Detecting Relay Attacks with Timing-based Protocols. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS 07, pages ACM, Y.-J. Tu and S. Piramuthu. RFID Distance Bounding Protocols. In Proceedings of the First International EURASIP Workshop on RFID Technology, 2007.