an optimal distance bounding protocol
play

An optimal distance-bounding protocol Rolando Trujillo-Rasua - PowerPoint PPT Presentation

Dec 24, 2023 •244 likes •926 views

An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint work with Sjouke Mauw and Jorge Toro-Pozo) Euro S&P and RFIDSec, 2016 Distance Bounding protocols 1 Beating a grand master: is this a relay

  1. An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint work with Sjouke Mauw and Jorge Toro-Pozo) Euro S&P and RFIDSec, 2016 Distance Bounding protocols 1

  2. Beating a grand master: is this a relay attack? Distance Bounding protocols 2

  3. Relay attack: is this a relay attack? Distance Bounding protocols 3

  4. Chip & Pin relay attack (Murdoch & Drimer 2007) Distance Bounding protocols 4

  5. Chip & Pin relay attack (Murdoch & Drimer 2007) Many more practical attacks, e.g. ◮ Passive keyless entry and start systems used in modern cars (Francillon 2012) ◮ Google Wallet Relay Attack (Roland 2013) Distance Bounding protocols 4

  6. Solution: distance bounding ◮ Reader sends a challenge. ◮ Tag provides correct response. ◮ Reader measures the round-trip-time and accepts if this is “fast enough”. Distance Bounding protocols 5

  7. Solution: distance bounding ◮ Reader sends a challenge. ◮ Tag provides correct response. ◮ Reader measures the round-trip-time and accepts if this is “fast enough”. ◮ RF communication at the speed of light. ◮ Need very short processing time at the tag (otherwise the adversary could overclock the tag). Distance Bounding protocols 5

  8. Solution: distance bounding ◮ Reader sends a challenge. ◮ Tag provides correct response. ◮ Reader measures the round-trip-time and accepts if this is “fast enough”. ◮ RF communication at the speed of light. ◮ Need very short processing time at the tag (otherwise the adversary could overclock the tag). ◮ Slow phase: generation of random values, exchange of parameters, preparation of data structures. ◮ Fast phase: 1-bit messages, tag performs at most lookup/and/xor/. . . ; repeat this n times. Distance Bounding protocols 5

  9. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x Distance Bounding protocols 6

  10. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase fast phase Distance Bounding protocols 6

  11. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase fast phase Distance Bounding protocols 6

  12. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V fast phase Distance Bounding protocols 6

  13. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − fast phase Distance Bounding protocols 6

  14. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) fast phase Distance Bounding protocols 6

  15. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase Distance Bounding protocols 6

  16. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase Distance Bounding protocols 6

  17. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : Distance Bounding protocols 6

  18. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i Distance Bounding protocols 6

  19. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i starts timer Distance Bounding protocols 6

  20. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i c i ← − − − − − − − − − − − − − − − − starts timer Distance Bounding protocols 6

  21. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i c i ← − − − − − − − − − − − − − − − − starts timer r i = R c i i Distance Bounding protocols 6

  22. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i c i ← − − − − − − − − − − − − − − − − starts timer r i r i = R c i − − − − − − − − − − − − − − − − → i Distance Bounding protocols 6

  23. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i c i ← − − − − − − − − − − − − − − − − starts timer r i r i = R c i − − − − − − − − − − − − − − − − → stops timer i Distance Bounding protocols 6

  24. Avoine and Tchamkerten’s protocol (2009) V Fast phase P r 0 r 0 0 0 0 1 0 1 r 0 r 1 r 0 r 1 1 1 1 1 0 1 0 1 0 1 0 1 r 0 r 1 r 2 r 3 r 0 r 1 r 2 r 3 2 2 2 2 2 2 2 2 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 r 0 r 1 3 r 2 r 3 3 r 4 r 5 3 r 6 r 7 r 0 r 1 3 r 2 r 3 3 r 4 r 5 3 r 6 r 7 3 3 3 3 3 3 3 3 3 3 Distance Bounding protocols 7

  25. Avoine and Tchamkerten’s protocol (2009) V P Fast phase 0 r 0 r 0 0 0 0 1 0 1 r 0 r 1 r 0 r 1 1 1 1 1 0 1 0 1 0 1 0 1 r 0 r 1 r 2 r 3 r 0 r 1 r 2 r 3 2 2 2 2 2 2 2 2 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 r 0 r 1 3 r 2 r 3 3 r 4 r 5 3 r 6 r 7 r 0 r 1 3 r 2 r 3 3 r 4 r 5 3 r 6 r 7 3 3 3 3 3 3 3 3 3 3 Distance Bounding protocols 7

Recommend

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement Gildas Avoine 1 and Aslan Tchamkerten 2 1 Universit e catholique de Louvain, Louvain-la-Neuve, Belgium 2 Telecom ParisTech,

335 views • 31 slides
On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 Introduction to Distance-Bounding 1 Some Insecurity Case

600 views • 39 slides
Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE

Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE

Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2013 distance bounding FSE 2013 1 / 48 1 Why Distance-Bounding? Towards a Secure

663 views • 48 slides
Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium

Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium

Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY Relay Attacks Distance Bounding Protocols Discussion RELAY ATTACKS Relay Attacks Distance Bounding Protocols

330 views • 28 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Distance Bounding Protocols Conclusion

666 views • 53 slides
Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain, Belgium Workshop on Cryptography for the Internet of Things November 20 21, 2012, Antwerp, Belgium SUMMARY Relay Attacks Distance Bounding

349 views • 21 slides
Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work with: Joint work with: Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Distance Bounding 2

370 views • 16 slides
Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT

Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT

Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT LIMOS, Universit dAuvergne, France September 17th 2015 BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding

704 views • 42 slides
A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of

A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of

Introduction Lookup-based protocols Properties and security analysis Conclusions A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of Luxembourg (joint work with Sjouke Mauw and Rolando Trujillo-Rasua,

685 views • 54 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Countermeasures and Evolved Frauds

633 views • 40 slides
The Least Spanning Area of a Knot and the Optimal Bounding Chain Problem Nathan M. Dunfield

The Least Spanning Area of a Knot and the Optimal Bounding Chain Problem Nathan M. Dunfield

The Least Spanning Area of a Knot and the Optimal Bounding Chain Problem Nathan M. Dunfield University of Illinois, Mathematics Anil N. Hirani University of Illinois, Computer Science SoCG 2011, Paris Knot in R 3 : Smooth embedding of S 1 in R

585 views • 13 slides
Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2014 distance-bounding SDTA 14 1 / 42 Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols

1.02k views • 42 slides
Design and Evaluation of a new MAC Protocol for Long- Distance 802.11 Mesh Networks by

Design and Evaluation of a new MAC Protocol for Long- Distance 802.11 Mesh Networks by

Design and Evaluation of a new MAC Protocol for Long- Distance 802.11 Mesh Networks by Bhaskaran Raman & Kameswari Chebrolu ACM Mobicom 2005 Reviewed by Anupama Guha Thakurta CS525M - Mobile and Ubiquitous Computing Seminar, Spring

863 views • 41 slides
UC UC b Overview Leader Election Protocol Dynamic Voltage Scaling Optimal

UC UC b Overview Leader Election Protocol Dynamic Voltage Scaling Optimal

APPLICATIONS UC UC b Overview Leader Election Protocol Dynamic Voltage Scaling Optimal Reconfiguration of FPGA Memory Interface UC UCb Leader Election Protocol UC UC b Leader Election 2 1 0 3 Protocol by Leslie

917 views • 62 slides
Markov Chains and Coupling In this class we will consider the problem of bounding the time taken

Markov Chains and Coupling In this class we will consider the problem of bounding the time taken

Markov Chains and Coupling In this class we will consider the problem of bounding the time taken by a Markov chain to reach the stationary distribution. We will do so using the coupling technique , which helps bound the distance between two

315 views • 4 slides
On the construction of minimax-distance (sub-)optimal designs Luc Pronzato Universit Cte

On the construction of minimax-distance (sub-)optimal designs Luc Pronzato Universit Cte

On the construction of minimax-distance (sub-)optimal designs Luc Pronzato Universit Cte dAzur, CNRS, I3S, France 1) Introduction 1) Introduction & motivation Objective: Approximation/interpolation of a function f : x X R d

1.14k views • 87 slides
Lightweight Ad hoc On-Demand Next Genera7on (LOADng) distance

Lightweight Ad hoc On-Demand Next Genera7on (LOADng) distance

Lightweight Ad hoc On-Demand Next Genera7on (LOADng) distance vector rou7ng protocol A reac7ve rou7ng protocol intended for use in MANETs Large and

304 views • 7 slides
Optimal mass transport as a distance measure between images Axel Ringh 1 1 Department of

Optimal mass transport as a distance measure between images Axel Ringh 1 1 Department of

Optimal mass transport as a distance measure between images Axel Ringh 1 1 Department of Mathematics, KTH Royal Institute of Technology, Stockholm, Sweden. 21 st of June 2018 INRIA, Sophia-Antipolis, France Acknowledgements This is based on joint

648 views • 63 slides
The 2-distance coloring of the Cartesian product of cycles using optimal Lee codes Jon-Lark Kim

The 2-distance coloring of the Cartesian product of cycles using optimal Lee codes Jon-Lark Kim

The 2-distance coloring of the Cartesian product of cycles using optimal Lee codes Jon-Lark Kim Department of Mathematics University of Louisville Joint work with Seog-Jin Kim Konkuk University, Korea 24th Cumberland Conference on

430 views • 25 slides
Optimal arrangements of unit vectors in Hilbert spaces I: New constructions of few-distance sets

Optimal arrangements of unit vectors in Hilbert spaces I: New constructions of few-distance sets

Optimal arrangements of unit vectors in Hilbert spaces I: New constructions of few-distance sets and biangular lines Ferenc Szll osi szoferi@gmail.com This research has been carried out while the speaker was with the Department of

689 views • 34 slides
Hierarchical Bounding Volume October 11, 2005 () Hierarchical Bounding Volume October 11, 2005

Hierarchical Bounding Volume October 11, 2005 () Hierarchical Bounding Volume October 11, 2005

Hierarchical Bounding Volume October 11, 2005 () Hierarchical Bounding Volume October 11, 2005 1 / 15 Outline Introduction to hierarchical bounding volume (HBV) Tree generation Other optimization issues () Hierarchical Bounding Volume

350 views • 16 slides
An application Protocol for Fast Long Distance Network Katsushi Kobayashi ikob@ni.aist.go.jp

An application Protocol for Fast Long Distance Network Katsushi Kobayashi ikob@ni.aist.go.jp

An application Protocol for Fast Long Distance Network Katsushi Kobayashi ikob@ni.aist.go.jp National Institute of Advanced Industrial Science and Technology Off topic In 1st day panel, Injong Rhee presented high-speed TCP variant issue

504 views • 9 slides
Computer Graphics MTAT.03.015 Raimond Tunnel The Road So Far... Bounding Box With bounding

Computer Graphics MTAT.03.015 Raimond Tunnel The Road So Far... Bounding Box With bounding

Computer Graphics MTAT.03.015 Raimond Tunnel The Road So Far... Bounding Box With bounding boxes you can detect collisions between boxes. Our hangar just happens to be a box. The chopper is not a box, but the collision

718 views • 25 slides

More recommend