A Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol

Size: px

Start display at page:

Download "A Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol"

Laura Thomas
5 years ago
Views:

1 A Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol Xavier Bultel 1 Sébastien Gambs 2 David Gerault 1 Pascal Lafourcade 1 Cristina Onete 3 Jean-Marc Robert 4 1 University Clermont Auvergne, 2 UQAM, Montréal, 3 INSA/IRISA Rennes, 4 ÉTS, Montréal 1 / 1

2 The Future : Convergence Security Privacy What features do we want? 2 / 1

3 Security : Relay Attacks (Mafia Fraud) A B 3/1

4 Security : Relay Attacks (Mafia Fraud) A B A A B B 3/1

5 Security : Relay Attacks (Mafia Fraud) A B A A B B Solution : distance bounding (Brands and Chaum, 1991) 3/1

6 Outline 4 / 1

7 Threats against honest provers Mafia Fraud (MF) A P V 5/1

8 Threats against honest provers Mafia Fraud (MF) A P V User tracking P V 5/1

9 Threats : malicious Provers Distance Fraud (DF) P V 6/1

10 Threats : malicious Provers Distance Fraud (DF) P Terrorist Fraud(TF) V T0 P V T1 V 6/1

11 Motivation TF resistance : classical trick (Bussard and Bagga, 2004) Shared secret : x Agree on a bit string a ci ci {0, 1} ri0 = ai rici ri1 = ai xi ri0 ri1 = xi Hard to prove 7/1

12 Motivation TF resistance : classical trick (Bussard and Bagga, 2004) Shared secret : x Agree on a bit string a ci ci {0, 1} ri0 = ai rici ri1 = ai xi ri0 ri1 = xi Hard to prove Swiss Knife (Kim, Avoine, Koeune, Standaert, Pereira, 2008) No security proofs! GOR (Gambs, Onete, Robert, 2014), PrivDB (Vaudenay, 2015) No TF resistance! 7/1

13 Motivation TF resistance : classical trick (Bussard and Bagga, 2004) Shared secret : x Agree on a bit string a ci ci {0, 1} ri0 = ai rici ri1 = ai xi ri0 ri1 = xi Hard to prove Swiss Knife (Kim, Avoine, Koeune, Standaert, Pereira, 2008) No security proofs! GOR (Gambs, Onete, Robert, 2014), PrivDB (Vaudenay, 2015) No TF resistance! Both at the same time? PDB (Ahmadi and Safavi-Naini, 2014) No revocation! 7/1

14 Contribution SPADE Secure Prover Anonymous Distance-bounding Exchange Prover anonymous with revocability New approach for TF resistance Provably secure 8 / 1

15 Outline 9 / 1

16 SPADE : The intuition If P exposes his secret key, then V can identify him! What can he expose then? The prover picks a random, one time session key N P Authentication by group signature σ p on this key The prover sends {N P,σ p } pkv He exposes N P during the protocol 10 / 1

17 SPADE, building blocks A public key encryption scheme PKE IND-CCA2 A pseudorandom function PRF Unforgeable In the ROM, PRF sk (M) H(sk,M) A revocable group signature scheme PKE Anonymous signature on behalf of the group 11 / 1

18 SPADE pkv, sskp skv, svk 12 / 1

19 SPADE pkv, sskp skv, svk Initialisation NP {0, 1}n, σp = G.sigsskP (NP ) {NP,σp }pk V m,n V NV {0, 1}n m {0, 1}n 12 / 1

20 SPADE pkv, sskp skv, svk Initialisation NP {0, 1}n, σp = G.sigsskP (NP ) {NP,σp }pk V m,n V NV {0, 1}n m {0, 1}n a = PRFNP (NV ) 12 / 1

21 SPADE pkv, sskp skv, svk Initialisation NP {0, 1}n, σp = G.sigsskP (NP ) {NP,σp }pk V m,n V NV {0, 1}n m {0, 1}n a = PRFNP (NV ) Distance Bounding for i = 1 to n ri = ai ai NP i mi if ci = 0 if ci = 1 c i r i Pick ci {0, 1} Start clock Stop clock 12 / 1

ri = ai ai NP i mi if ci = 0 if ci = 1 c i r i Pick ci {0, 1} Start clock Stop clock Verification T =

22 SPADE pkv, sskp skv, svk Initialisation NP {0, 1}n, σp = G.sigsskP (NP ) {NP,σp }pk V m,n V NV {0, 1}n m {0, 1}n a = PRFNP (NV ) Distance Bounding for i = 1 to n ri = ai ai NP i mi if ci = 0 if ci = 1 c i r i Pick ci {0, 1} Start clock Stop clock Verification T = PRFNP (transcript) T Check timers ti Check that T = PRFNP (transcript) If #{i : ri and ti correct} = n then Out V OutV := 1 ; else OutV := 0 12 / 1

23 Outline 13 / 1

24 Security : Main Theorem Theorem If (i) PKE is IND-CCA2 secure, (ii) G-SIG is unforgeable, unlinkable and revocable and (iii) the challenges are random and independent then SPADE is MF, DF and TF resistant, as well as anonymous and revocable, in the random oracle model. 14 / 1

25 User tracking P pkv, sskp V skv, svk Initialisation NP {0, 1}n, σp = G.sigsskP (NP ) {NP,σp }pk V m,n V NV {0, 1}n m {0, 1}n a = PRFNP (NV ) If V can track users, then he can break the unlinkability of the group signature scheme 15 / 1

26 Security : TF T0 P V T1 V NP {0, 1}n {NP,σp }pk V m,nv NV {0, 1}n m {0, 1}n a = PRFNP (NV ) for i = 1 to n ri = ai ai NP i mi if ci = 0 if ci = 1 c i r i Pick ci {0, 1} Start clock Stop clock The accomplice can replay {NP, σp }pkv later : he knows NP 16 / 1

27 The Backdoor The backdoor helps the accomplice recover the missing bits {N P,σ p } pkv,n P if d H (N P,N P ) > t then abort N P Trick for the proof Slightly lowers MF resistance Can adjust t 17 / 1

28 Security : MF A P V for i = 1 to n ri = ai ai NP i mi if ci = 0 if ci = 1 c i r i Pick ci {0, 1} Start clock Stop clock Check timers ti Verification T = PRFNP (transcript) T Check that T = PRFNP (transcript) A wrong challenge guess is detected! 18 / 1

29 Security : DF P V Initialisation NP {0, 1}n {NP,σp }pk V m,n V NV {0, 1}n m {0, 1}n a = PRFNP (NV ) Distance Bounding for i = 1 to n ri = ai ai NP i mi if ci = 0 if ci = 1 c i r i Pick ci {0, 1} Start clock Stop clock The mask m ensures that ri0 6= ri1 for half the rounds 19 / 1

30 Conclusion Anonymity is compatible with TF resistance Leaking a session key instead of a long term key is a promising direction! Getting rid of the backdoor? Multiple/Malicious Verifiers? Privacy/security tradeoff? 20 / 1

31 Thank you for your attention! 21 / 1

On the Need for Provably Secure Distance Bounding

On the Need for Provably Secure Distance Bounding Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 1 Introduction to Distance-Bounding