Algebraic Attacks on linear RFID Authentication Protocols

Size: px

Start display at page:

Download "Algebraic Attacks on linear RFID Authentication Protocols"

Clarence Perkins
5 years ago
Views:

1 Algebraic Attacks on linear RFID Authentication Protocols 1/14 Algebraic Attacks on linear RFID Authentication Protocols Matthias Krause and Dirk Stegemann University of Mannheim (Germany) 10th GI-Kryptotag March 20, 2009 Technische Universität Berlin, Germany

2 Algebraic Attacks on linear RFID Authentication Protocols 2/14 Challenge-Response Authentication Protocols Verifier Alice RFID reader accept if proof valid challenge response Prover Bob RFID tag compute proof A passive attacker collects a set O of observed challenge/response pairs cannot manipulate the communication tries to forge valid responses

3 Algebraic Attacks on linear RFID Authentication Protocols 3/14 Idea of Linear Authentication Protocols Prover and Verifier agree on L linear n-dim. subspaces of {0, 1} m. Verifier Alice RFID reader challenge Prover Bob RFID tag choose l R [L] accept if l {1,..., L} with w V l w R V l Problems: V V L too small responses w efficiently distinguishable from random values V V L too large Pr[successful faugery] too high

4 Algebraic Attacks on linear RFID Authentication Protocols 4/14 Linear (n, k, L) Authentication Protocols Prover and Verifier agree on L lin. n-dim. subspaces of {0, 1} n+k. Observation: Any linear subspace V l {0, 1} n+k can be represented by a linear mapping f l : {0, 1} n {0, 1} k and a permutation σ l S n+k such that V l = {σ l (v f l (v)), v {0, 1} n }.

5 Algebraic Attacks on linear RFID Authentication Protocols 4/14 Linear (n, k, L) Authentication Protocols Prover and Verifier agree on L lin. n-dim. subspaces of {0, 1} n+k. Observation: Any linear subspace V l {0, 1} n+k can be represented by a linear mapping f l : {0, 1} n {0, 1} k and a permutation σ l S n+k such that V l = {σ l (v f l (v)), v {0, 1} n }. Verifier Alice RFID reader challenge w := σ l (v f l (v)) for i := 1 to L (x y) := σ 1 l (w) if (y = f l (x)) accept reject Prover Bob RFID tag choose l R [L], v R {0, 1} n

6 Algebraic Attacks on linear RFID Authentication Protocols 5/14 Special Case: The CKK 2 Protocol proposed by Cichoń, Klonowski and Kuty lowski at Pervasive 2008 CKK 2 is a linear (n + k, k, 2) protocol with f 1 = f 2 = f f depends only on the first n inputs. σ 1 exchanges the last two k-bit blocks. σ 2 = id Verifier Alice RFID reader challenge w := σl(v fl(v)) for i := 1 to L (x y) := σ 1 l (w) if (y = fl(x)) accept reject Prover Bob RFID tag choose l R [L], v R {0, 1} n

7 Algebraic Attacks on linear RFID Authentication Protocols 5/14 Special Case: The CKK 2 Protocol proposed by Cichoń, Klonowski and Kuty lowski at Pervasive 2008 CKK 2 is a linear (n + k, k, 2) protocol with f 1 = f 2 = f f depends only on the first n inputs. σ 1 exchanges the last two k-bit blocks. σ 2 = id Verifier Alice RFID reader challenge w := σl(v fl(v)) for i := 1 to L (x y) := σ 1 l (w) if (y = fl(x)) accept reject Implications: V 1 = {(v a b) v {0, 1} n, a = f (v), b {0, 1} k } V 2 = {(v a b) v {0, 1} n, a {0, 1} k, b = f (v)} f (v) can be written as f (v) = c a (1 c) b with c {0, 1} = c(a b) b Prover Bob RFID tag choose l R [L], v R {0, 1} n

8 Algebraic Attacks on linear RFID Authentication Protocols 6/14 A polynomial Time Attack on CKK 2 Basic Idea Collect a set of responses O = {(v 1 a 1 b 1 ),..., (v m a m b m )}. Observations: Already for m slightly larger than n, {v 1,..., v m } contains a basis of {0, 1} n with high probability. With a basis {v 1,..., v n } of {0, 1} n, any v {0, 1} n can be written as v = d D v d with D {1,..., n}, and

9 Algebraic Attacks on linear RFID Authentication Protocols 6/14 A polynomial Time Attack on CKK 2 Basic Idea Collect a set of responses O = {(v 1 a 1 b 1 ),..., (v m a m b m )}. Observations: Already for m slightly larger than n, {v 1,..., v m } contains a basis of {0, 1} n with high probability. With a basis {v 1,..., v n } of {0, 1} n, any v {0, 1} n can be written as v = d D v d with D {1,..., n}, and d D f (v) = c(a b) b f (v d ) = c(a b) b d D (c d (a d b d ) b d )) = c(a b) b d D (c d (a d b d )) c(a b) = d D b d b yields k equations in the unknowns c 1,..., c n, c.

10 Algebraic Attacks on linear RFID Authentication Protocols 7/14 A polynomial Time Attack on CKK 2 repeat Obtain a response (v a b). until a basis {v 1,..., v n } of {0, 1} n is found. Initialize a system of linear equations LES in c 1, c 2,...

11 Algebraic Attacks on linear RFID Authentication Protocols 7/14 A polynomial Time Attack on CKK 2 repeat Obtain a response (v a b). until a basis {v 1,..., v n } of {0, 1} n is found. Initialize a system of linear equations LES in c 1, c 2,... repeat Obtain a response (v a b) with v {v 1,..., v n }. Add the k equations given by (c d (a d b d )) c(a b) = b d b d D d D to LES. until LES has full rank.

12 Algebraic Attacks on linear RFID Authentication Protocols 7/14 A polynomial Time Attack on CKK 2 repeat Obtain a response (v a b). until a basis {v 1,..., v n } of {0, 1} n is found. Initialize a system of linear equations LES in c 1, c 2,... repeat Obtain a response (v a b) with v {v 1,..., v n }. Add the k equations given by (c d (a d b d )) c(a b) = b d b d D d D to LES. until LES has full rank. Compute the images of the basis vectors as f (v i ) = c i (a i b i ) b i for i {1,..., n}. Recover f w.r.t. the standard basis of {0, 1} n.

13 Algebraic Attacks on linear RFID Authentication Protocols 8/14 Another polynomial Time Attack on CKK 2 Let f be defined by the component functions f r : {0, 1} n {0, 1}, r {1,..., k}, i.e., f (v) = (f 1 (v),..., f k (v)). Observation: If a response (v (a 1,..., a k ) (b 1,..., b k )) satisfies a r = b r for some r, then we know that f r (v) = a r = b r.

14 Algebraic Attacks on linear RFID Authentication Protocols 8/14 Another polynomial Time Attack on CKK 2 Let f be defined by the component functions f r : {0, 1} n {0, 1}, r {1,..., k}, i.e., f (v) = (f 1 (v),..., f k (v)). Observation: If a response (v (a 1,..., a k ) (b 1,..., b k )) satisfies a r = b r for some r, then we know that f r (v) = a r = b r. Idea: Recover the component functions separately. for r {1,..., k} do repeat Obtain a response (v (a 1,..., a k ) (b 1,..., b k )) with a r = b r until a basis of {0, 1} n is found. Recover f r w.r.t. the standard basis. end for

15 Algebraic Attacks on linear RFID Authentication Protocols 9/14 Performance of the CKK 2 Attacks Main observations: The most costly operations are Gaussian eliminations. Rather few responses are needed to recover the secret function f A straightforward Magma implementation shows (n, k) #responses attack time first attack (128, 30) s (1024, 256) s second attack (128, 30) s (1024, 256) s (n, k) = (128, 30) was suggested for practical application. Don t use CKK 2 in practice.

16 Algebraic Attacks on linear RFID Authentication Protocols 10/14 Attacks on general (n, k, 2) Protocols Verifier Alice RFID reader challenge w := σ l (v f l (v)) for i := 1 to L (x y) := σ 1 l (w) if (y = f l (x)) accept reject Prover Bob RFID tag choose l R [L], v R {0, 1} n Problems of the general (n, k, 2) case: A single response σ 1 (v f 1 (v)) does not say anything about σ 2 (v f 2 (v)) and vice versa. The positions of dependent bits (=bits that belong to v) and independent bits (=bits that belong to f (v)) in a single response are unknown.

17 Algebraic Attacks on linear RFID Authentication Protocols 11/14 First Step: Attack on linear (n, 1, 2) Protocols Assume that σ 1 = σ 2 = id and consider a set of responses O = {(v 1 w 1 ),..., (v m w m )} with w i {0, 1}. For x i := f 1 (v i ) and y i := f 2 (v i ) it holds that (w i x i )(w i y i ) = 0 for all i {1,..., n}, which leads to quadratic equations in the unknowns x i, y i.

18 Algebraic Attacks on linear RFID Authentication Protocols 11/14 First Step: Attack on linear (n, 1, 2) Protocols Assume that σ 1 = σ 2 = id and consider a set of responses O = {(v 1 w 1 ),..., (v m w m )} with w i {0, 1}. For x i := f 1 (v i ) and y i := f 2 (v i ) it holds that (w i x i )(w i y i ) = 0 for all i {1,..., n}, which leads to quadratic equations in the unknowns x i, y i. Observation: A symmetry-avoiding linearization allows to recover the secret functions f 1 and f 2 efficiently. Performance for n = 128: Approx responses and 4 minutes of computation

19 Algebraic Attacks on linear RFID Authentication Protocols 12/14 Extension to linear (n, k, 2) Protocols Basic ideas: repeat Guess a dependent position w.r.t. V 1 and V 2 and apply the (n + k 1, 1, 2) attack. until (n + k 1, 1, 2) attack successful Use the result to distinguish responses from V 1 and V 2. Recover specifications for V 1 and V 2 from the respective responses. More details in M. Krause and D. Stegemann: Algebraic Attacks against Linear RFID Authentication Protocols, Workshop Record of the Dagstuhl Seminar on Symmetric Cryptogaphy, 2009.

20 Algebraic Attacks on linear RFID Authentication Protocols 13/14 Future Work How to extend the attack ideas to efficient attacks for L > 2? What about active attacks against linear (n, k, L) protocols? How do linear (n, k, L) protocols (and their security properties) relate to the HB family of authentication protocols?...

21 Algebraic Attacks on linear RFID Authentication Protocols 14/14 The End.

Performance Evaluation of an Advanced Man-in-the-Middle Attack Against Certain HB Authentication Protocols

Performance Evaluation of an Advanced Man-in-the-Middle Attack Against Certain HB Authentication Protocols Miodrag Mihaljević, Siniša Tomović and Milica Knežević Mathematical Institute of Serbian Academy