On the Need for Provably Secure Distance Bounding

Similar documents
Towards Secure Distance Bounding

On the Need for Provably Secure Distance Bounding

A Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol

Optimal Proximity Proofs

arxiv: v1 [cs.cr] 22 May 2014

MAFIA fraud is a man-in-the-middle attack against an

Efficient Public-Key Distance Bounding

On selecting the nonce length in distance-bounding protocols

Breaking and Fixing the HB+DB protocol

The Poulidor Distance-Bounding Protocol

Cryptography and Security Final Exam

CPSC 467b: Cryptography and Computer Security

Introduction to Cryptography Lecture 13

Cryptography and Security Final Exam

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability

Block Ciphers/Pseudorandom Permutations

DRAFT. Distance-Bounding Protocols: Verification without Time and Location. Sjouke Mauw CSC/SnT University of Luxembourg

Notes on Zero Knowledge

On The (In)security Of Fischlin s Paradigm

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

PAPER An Identification Scheme with Tight Reduction

Cryptographical Security in the Quantum Random Oracle Model

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

On The (In)security Of Fischlin s Paradigm

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Improved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider

CPSC 467: Cryptography and Computer Security

Lecture 14: Secure Multiparty Computation

CPA-Security. Definition: A private-key encryption scheme

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Pruning and Extending the HB + Family Tree

1 Number Theory Basics

Winter 2011 Josh Benaloh Brian LaMacchia

Fraud within Asymmetric Multi-Hop Cellular Networks

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Security Protocols and Application Final Exam

A Note on the Cramer-Damgård Identification Scheme

CRYPTANALYSIS OF COMPACT-LWE

Perfectly-Crafted Swiss Army Knives in Theory

Entity Authentication

An Identification Scheme Based on KEA1 Assumption

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Lecture 5, CPA Secure Encryption from PRFs

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

A survey on quantum-secure cryptographic systems

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Lecture 18: Message Authentication Codes & Digital Signa

Secure and Practical Identity-Based Encryption

Lecture Notes, Week 10

CPSC 467: Cryptography and Computer Security

Identity-Based Identification Schemes

Breaking the FF3 Format Preserving Encryption

Lecture 10 - MAC s continued, hash & MAC

Round-Efficient Multi-party Computation with a Dishonest Majority

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

From Secure MPC to Efficient Zero-Knowledge

Statistically Secure Sigma Protocols with Abort

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Interactive Zero-Knowledge with Restricted Random Oracles

Modern symmetric-key Encryption

Lectures 2+3: Provable Security

Exam Security January 19, :30 11:30

Concurrent Non-malleable Commitments from any One-way Function

6.080/6.089 GITCS Apr 15, Lecture 17

Theory of Computation Chapter 12: Cryptography

Uninstantiability of Full-Domain Hash

Distance-Bounding Protocols: Verification without Time and Location

From 5-pass MQ-based identification to MQ-based signatures

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

The odd couple: MQV and HMQV

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

Lecture 11: Key Agreement

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

2 Message authentication codes (MACs)

A Strong Identity Based Key-Insulated Cryptosystem

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Cryptography and Security Final Exam

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Interactive protocols & zero-knowledge

G Advanced Cryptography April 10th, Lecture 11

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Pairing-Based Cryptography An Introduction

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

An Introduction to Probabilistic Encryption

Transcription:

On the Need for Provably Secure Distance Bounding Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39

1 Introduction to Distance-Bounding 2 Some Insecurity Case Studies 3 On Incorrect Use of PRFs 4 Directions for Provable Security SV 2012 distance bounding CIoT 2012 2 / 39

1 Introduction to Distance-Bounding 2 Some Insecurity Case Studies 3 On Incorrect Use of PRFs 4 Directions for Provable Security SV 2012 distance bounding CIoT 2012 3 / 39

Motivation for token-based authentication: thwart man-in-the-middle wireless car locks creditcard payment (or contactless) corporate ID card for access control solution: use a distance-bounding protocol SV 2012 distance bounding CIoT 2012 4 / 39

The Brands-Chaum Protocol Distance-Bounding Protocols [Brands-Chaum EUROCRYPT 1993] Verifier public key: y Prover secret key: x initialization phase Commit(m) pick m pick c i start clock stop clock check timers check responses distance bounding phase for i = 1 to n c i r i ri = m i c i check signature termination phase open commitment Sign x (c,r) Out V SV 2012 distance bounding CIoT 2012 5 / 39

Distance Fraud P V }{{} far away a malicious prover P tries to prove that he is close to a verifier V SV 2012 distance bounding CIoT 2012 6 / 39

Mafia Fraud Major Security Problems with the Unforgeable (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] P A V }{{} far away an adversary A tries to prove that a prover P is close to a verifier V SV 2012 distance bounding CIoT 2012 7 / 39

Terrorist Fraud Major Security Problems with the Unforgeable (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] P A V }{{} far away a malicious prover P helps an adversary A to prove that P is close to a verifier V without giving A another advantage SV 2012 distance bounding CIoT 2012 8 / 39

Impersonation Fraud A Formal Approach to Distance Bounding RFID Protocols [Dürholz-Fischlin-Kasper-Onete ISC 2011] A V an adversary A tries to prove that a prover P is close to a verifier V SV 2012 distance bounding CIoT 2012 9 / 39

Distance Hijacking Distance Hijacking Attacks on Distance Bounding Protocols [Cremers-Rasmussen-Čapkun IEEE S&P 2012] P P V }{{} far away a malicious prover P tries to prove that he is close to a verifier V by taking advantage of other provers P SV 2012 distance bounding CIoT 2012 10 / 39

Techniques Verifier secret: x Prover secret: x initialization phase distance bounding phase for i = 1 to n ith challenge start clock ith response stop clock check responses Out V check timers caveat: the rapid bit-exchange is subject to noise, so the verifier may require at least τ correct sessions to accept SV 2012 distance bounding CIoT 2012 11 / 39

1 Introduction to Distance-Bounding 2 Some Insecurity Case Studies 3 On Incorrect Use of PRFs 4 Directions for Provable Security SV 2012 distance bounding CIoT 2012 12 / 39

2 Some Insecurity Case Studies The RC Protocol The Bussard-Bagga Protocol and Children SV 2012 distance bounding CIoT 2012 13 / 39

The RC Protocol Location Privacy of Distance Bounding [Rassmussen-Čapkun ACM CCS 2008] integrate location-privacy based on the exchange of a continuous bitstream SV 2012 distance bounding CIoT 2012 14 / 39

The RC Protocol Verifier secret: K Prover secret: K initialization phase receive N P secure K (N P ) pick M,N V secure K (M,N P ) pick N P receive M, check N P distance-bounding phase stream V = Rand 1 V M N V Rand 2 V stream V parse until M parse until N V N P stream P streamp = Rand 1 P N V N P Rand 2 P check time between N V and N V N P Out V SV 2012 distance bounding CIoT 2012 15 / 39

Attack Principles Mafia Fraud Attack against the RC Distance-Bounding Protocol [Mitrokotsa-Vaudenay IEEE RFID-TA 2012] the adversary intercepts a complete session between P and V the adversary guesses the position of N V in stream V assume the adversary knows the locations of P and V he can deduce the position of N V N P, thus the value of N P the adversary can now impersonate P by replaying secure K (N P ) he replies by stream V (offset N P N P ) if the offset length modulo N V is correct, the verifier accepts success probability: 1 stream V 1 N V SV 2012 distance bounding CIoT 2012 16 / 39

2 Some Insecurity Case Studies The RC Protocol The Bussard-Bagga Protocol and Children SV 2012 distance bounding CIoT 2012 17 / 39

The BB Protocol Distance-Bounding Proof of Knowledge Protocols to Avoid Real-Time Attacks [Bussard-Bagga IFIP SEC 2005] protection against terrorist fraud based on public-key cryptography generic: several DBPK possible instantiations SV 2012 distance bounding CIoT 2012 18 / 39

The Generic DBPK Protocol Verifier public key: y Prover secret key: x pick c i start clock stop clock initialization phase pick k,v,v, e = Enc k (x) z k,i = commit(k i,v i ) z k,z e ze,i = commit(e i,v i ) distance bounding phase for i = 1 to n c i r i ri = { ki if c i = 0 e i if c i = 1 check openable commitments check timers termination phase { γ vi if c γ i = i = 0 v i if c i = 1 PoK(x)... Out V SV 2012 distance bounding CIoT 2012 19 / 39

Proposed Instances one-time pad DBPK: Enc k (x) = x k addition modulo q DBPK-Log: Enc k (x) = x k mod q modular addition with random factor DBPK-Log: Enc k (x;u) = (u,ux k mod q) SV 2012 distance bounding CIoT 2012 20 / 39

The Reid et al. Protocol Detecting Relay Attacks with Timing-based Protocols [Reid-Nieto-Tang-Senadji ASIACCS 2007] Verifier secret: x pick N V k = f x (P V N V N P ) e = Enc k (x) Prover secret: x initialization phase V,N V pick N P P,N P k = fx (P V N V N P ) e = Enc k (x) pick c i start clock stop clock check responses check timers distance bounding phase for i = 1 to n c i r i ri = Out V { ki if c i = 0 e i if c i = 1 SV 2012 distance bounding CIoT 2012 21 / 39

Attack Principles for the Reid et al. Protocol The Swiss-Knife RFID Distance Bounding Protocol [Kim-Avoine-Koeune-Standaert-Pereira ICISC 2008] select i let a protocol run between P and V except replace c i by 1 c i and r i by bit U {0,1} observation 1: the response to 1 c i is r i (given by P) observation 2: the response to c i is bit 1 V does not accept the adversary deduces k i and e i, thus x i = k i e i iterate with another i and reconstruct the secret x the adversary can impersonate P to V! SV 2012 distance bounding CIoT 2012 22 / 39

Attack Principles for One-Time Pad DBPK The Bussard-Bagga and Other Distance-Bounding Protocols under Man-in-the-Middle Attacks [Bay-Boureanu-Mitrokotsa-Spulber-Vaudenay Inscrypt 2012] select i let a protocol run between P and V except replace c i by 1 c i and r i by r i U {0,1}!! tricky things with PoK and commitments (requires to guess c i ) observation 1: the response to 1 c i is r i (given by P) observation 2: the response to c i is r i 1 V does not accept the adversary deduces k i and e i, thus x i = k i e i iterate with another i and reconstruct the secret x the adversary can impersonate P to V! SV 2012 distance bounding CIoT 2012 23 / 39

Attack Principles for Other Instances The Bussard-Bagga and Other Distance-Bounding Protocols under Man-in-the-Middle Attacks [Bay-Boureanu-Mitrokotsa-Spulber-Vaudenay Inscrypt 2012] for addition modulo q DBPK-Log: guess the most significant bit x n of x set c n = 0, get r n from P and deduce k n if x n = k n, start again until x n k n since e = x k + k n q, we deduce some relations B x i = B i (e i k i,e mod 2 i 1,k mod 2 i 1 ) apply the previous attack with i = 1,2,... for addition with random factor DBPK-Log: more complicated (involves lattice reduction techniques) SV 2012 distance bounding CIoT 2012 24 / 39

Terrorist Fraud Attacks for Stronger Encryption Distance-Bounding for RFID: Effectiveness of Terrorist Fraud in the Presence of Bit Errors [Hancke IEEE RFID-TA 2012] P helps A for the initialization phase P provides A with all (k i,e i ) pairs with n τ of them flipped A answers to challenges using these pairs P helps A for the termination phase since there are τ correct responses, V accepts A cannot reconstruct x based on the noisy (k i,e i ) pairs caveat: previous argument does not apply to simple encryptions such as one-time-pad and other variants SV 2012 distance bounding CIoT 2012 25 / 39

1 Introduction to Distance-Bounding 2 Some Insecurity Case Studies 3 On Incorrect Use of PRFs 4 Directions for Provable Security SV 2012 distance bounding CIoT 2012 26 / 39

Security Proofs Based on PRF if the adversary can break the scheme with a PRF, then he can break an idealized scheme with the PRF replaced by a truly random function this argument is valid when both these conditions are met: 1 the adversary does not have access to the PRF key 2 the PRF key is only used by the PRF as far as distance fraud is concerned, condition 1 is not met! for most of terrorist fraud protections, condition 2 is not met! SV 2012 distance bounding CIoT 2012 27 / 39

The TDB Protocol How Secret-Sharing can Defeat Terrorist Fraud [Avoine-Lauradoux-Martin ACM WiSec 2011] Verifier secret: x Prover secret: x initialization phase N P pick NP N V pick N V a 1 a 2 = f x (N P,N V ) a 1 a 2 = f x (N P,N V ) distance bounding phase for i = 1 to n pick c i {1,2,3} c i start clock r i stop clock ri = check responses check timers Out V a 1,i if c i = 1 a 2,i if c i = 2 x i a 1,i a 2,i if c i = 3 SV 2012 distance bounding CIoT 2012 28 / 39

Distance Fraud with a Programmed PRF On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] given a PRF g, let { x x if NP = x f x (N P,N V ) = g x (N P,N V ) otherwise f is a PRF! a malicious prover selects N P = x to make a 1 = a 2 = x whatever c i, we have r i = x i the malicious prover can send r i before receiving c i! SV 2012 distance bounding CIoT 2012 29 / 39

Man-in-the-Middle Attack with a Programmed PRF On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] given a PRF g: trapdoor x (ᾱ t) t = g x (ᾱ) right half(x), (a 1 = α β, a 2 = γ β g x (α)) if trapdoor x (N V ) f x (N P,N V ) = where (α,β,γ) = g x (N P,N V ) a 1 = a 2 = x otherwise f is a PRF! the adversary plays with P and sends c = (1,...,1,3,...,3) to obtain from the responses left half(a 1 ) = ᾱ and right half(x a 1 a 2 ) = g x (ᾱ) right half(x) = t so, he can form N V = ᾱ t satisfying trapdoor x (N V ) the adversary plays with P again with the lastly constructed N V and gets r = x the adversary can now impersonate P to V! SV 2012 distance bounding CIoT 2012 30 / 39

Other Results based on Programmed PRFs On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] protocol distance fraud man-in-the-middle attack TDB Avoine-Lauradoux-Martin [ACM WiSec 2011] Dürholz-Fischlin-Kasper-Onete [ISC 2011] Hancke-Kuhn [Securecomm 2005] Avoine-Tchamkerten [ISC 2009] Reid-Nieto-Tang-Senadji [ASIACCS 2007] Swiss-Knife Kim-Avoine-Koeune-Standaert- Pereira [ICISC 2008] SV 2012 distance bounding CIoT 2012 31 / 39

1 Introduction to Distance-Bounding 2 Some Insecurity Case Studies 3 On Incorrect Use of PRFs 4 Directions for Provable Security SV 2012 distance bounding CIoT 2012 32 / 39

Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction) SV 2012 distance bounding CIoT 2012 33 / 39

Lemma > bound B A V c View A View B w 2 bound 3 r 3 If the B-V distance is larger than bound but the response r to c is received within at most 2.bound time, then r is a function of View A, c, and w, where w is a function from View B, independent from c. SV 2012 distance bounding CIoT 2012 34 / 39

Problem 2: Find a General Threat Model distance fraud: P(x) far from all V(x) s want to make one V(x) accept (interaction with other P(x ) and V(x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V(x) s, A interacts with them and possible P(x ) s and V(x ) s A wants to make one V(x) accept also captures impersonation collusion fraud: P(x) far from all V(x) s interacts with A and makes one V(x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack SV 2012 distance bounding CIoT 2012 35 / 39

Problem 3: Crypto Assumptions to Make Proofs Correct PRF masking: a string is chosen by the verifier and sent encrypted using the PRF a = M PRF x ( ) circular keying: if A makes a query (y i,a i,b i ), the oracle answers (a i x ) + (b i f x (y i )) A cannot distinguish if x = x or x and x are independent caveat: for all c 1,...,c q s.t. c 1 b 1 + + c q b q = 0, we must have c 1 a 1 + + c q a q = 0 SV 2012 distance bounding CIoT 2012 36 / 39

The SKI Protocol [Serge-Katerina-Ioana] Verifier secret: x Prover secret: x initialization phase N P pick NP M,N V pick M,N V a 1 a 2 = M f x (N P,N V ) a 1 a 2 = M f x (N P,N V ) distance bounding phase for i = 1 to n pick c i {1,2,3} c i start clock r i stop clock ri = check τ responses check timers f is a circular-keying secure PRF many variants possible Out V a 1,i if c i = 1 a 2,i if c i = 2 x i a 1,i a 2,i if c i = 3 SV 2012 distance bounding CIoT 2012 37 / 39

SKI Security Theorem If f is a circular-keying secure PRF and V requires at least τ correct rounds, there is no DF with Pr[success] B(n,τ, 3 4 ) there is no MiM with Pr[success] B(n,τ, 2 3 ) for all CF such that Pr[CF succeeds] p there is an assosiated MiM such that p Pr[MiM(View A ) succeeds CF succeeds] (1+ 1 p) 2 n n B(n,τ,ρ) = i=τ( i ) ρ i (1 ρ) n i SV 2012 distance bounding CIoT 2012 38 / 39

Conclusion several proposed protocols from the literature are insecure several security proofs from the literature are incorrect SKI offers provable security SV 2012 distance bounding CIoT 2012 39 / 39

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback