
Distance Bounding for RFID, Prof. Gildas Avoine, Université - PowerPoint PPT Presentation



  1. Distance Bounding for RFID. Prof. Gildas Avoine, Université catholique de Louvain, Belgium, Information Security Group

  2. SUMMARY: Relay Attacks, Distance Bounding Protocols, Discussion

  3. RELAY ATTACKS (outline: Relay Attacks, Distance Bounding Protocols, Discussion)

  4. Variant of ISO 9798-2 Protocol 3

      Verifier (secret k), Prover (secret k)
      ◦ Verifier picks N_a.
      ◦ Verifier → Prover: N_a
      ◦ Prover picks N_b.
      ◦ Prover → Verifier: E_k(N_a, N_b)

      Protocol secure under common assumptions on E, k, N_a, and N_b. Gildas Avoine Distance Bounding for RFID 4

  5. Relay Attack. Definition (Relay Attack): A relay attack is a form of man-in-the-middle where the adversary manipulates the communication by only relaying the verbatim messages between two parties.

  6. Practicability: Examples. Radio link over 50 meters (G. Hancke [4]). Implementation included in libNFC (PN53x readers).

  7. Practicability: Examples. Attacks by Francillon, Danev, Čapkun (ETHZ) against passive keyless entry and start systems used in modern cars [6]. ◦ 10 systems tested: none resisted!

  8. DISTANCE BOUNDING PROTOCOLS (outline: Relay Attacks, Distance Bounding Protocols, Discussion)

  9. Protocol Aims in General Framework [5]

      Definition (Distance Bounding): A distance bounding is a process whereby one party is assured:
      1. Of the identity of a second party,
      2. That the latter is present in the neighborhood of the verifying party, at some point in the protocol.

      [Figure labels: Reader, Tag; Reader, Adversary, Tag]

      Distance bounding does not avoid relay attacks.

  10. Distance Bounding Based on the Speed of Light

      Measure the round-trip-time (RTT) of a given message.
      ◦ Provide a bound on the distance.
      ◦ Idea introduced by Beth and Desmedt [2].

      [Figure: Reader, Tag, Neighborhood. Annotations: Msg must be authenticated; Auth. is time-consuming; Accelerated computation]

  11. Hancke and Kuhn's Protocol [3]: First RFID-focused Distance Bounding Protocol

      Reader (secret K), Tag (secret K)
      ◦ Reader picks a random N_a; Tag picks a random N_b.
      ◦ Reader → Tag: N_a
      ◦ Tag → Reader: N_b
      ◦ h(K, N_a, N_b) gives two registers, for example v^0 = 1 1 0 1 1 0 0 0 1 0 and v^1 = 0 1 1 1 1 0 0 1 0 0.
      ◦ Start of fast bit exchange. For i = 1 to n:
          ◦ Reader picks C_i ∈_R {0, 1}, starts the clock, and sends C_i.
          ◦ Tag replies with R_i = v^0_i if C_i = 0, or R_i = v^1_i if C_i = 1.
          ◦ Reader stops the clock on receiving R_i.
          ◦ Check: Δt_i ≤ t_max
          ◦ Check: correctness of R_i
      ◦ End of fast bit exchange.

  12. Mafia and Distance Frauds

      Definition (Mafia Fraud): A mafia fraud [1] is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and an honest tag located outside the neighborhood.

      Definition (Distance Fraud): Given a distance bounding protocol, a distance fraud is an attack where a dishonest and lonely prover purports to be in the neighborhood of the verifier.

      [Figure labels: Reader, Adversary, Tag; Reader, Tag]

  13. Terrorist Fraud

      Definition (Terrorist Fraud): A terrorist fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and a dishonest tag located outside of the neighborhood, such that the latter actively helps the adversary to maximize her attack success probability, without giving her any advantage for future attacks.

      [Figure labels: Reader, Adversary, Tag]

  14. Hancke and Kuhn's Protocol

      Reader (secret K), Tag (secret K)
      ◦ Reader picks a random N_a; Tag picks a random N_b.
      ◦ Reader → Tag: N_a
      ◦ Tag → Reader: N_b
      ◦ h(K, N_a, N_b) gives two registers, for example v^0 = 1 1 0 1 1 0 0 0 1 0 and v^1 = 0 1 1 1 1 0 0 1 0 0.
      ◦ Start of fast bit exchange. For i = 1 to n:
          ◦ Reader picks C_i ∈_R {0, 1}, starts the clock, and sends C_i.
          ◦ Tag replies with R_i = v^0_i if C_i = 0, or R_i = v^1_i if C_i = 1.
          ◦ Reader stops the clock on receiving R_i.
          ◦ Check: Δt_i ≤ t_max
          ◦ Check: correctness of R_i
      ◦ End of fast bit exchange.

      Question (adversary success probability):
      1. Mafia fraud: (3/4)^n
      2. Terrorist fraud: 1
      3. Distance fraud: (3/4)^n

  15. DISCUSSION (outline: Relay Attacks, Distance Bounding Protocols, Discussion)

  16. An Active Research Field in RFID? Is distance bounding an active research field in RFID?

  17. Relay in Other Domains? Are relay attacks only meaningful in the RFID context? ◦ No! But RFID increases the risk. Chess grand master problem (Conway 1976).

  18. Relay Attacks in Chess (Chess Olympiad 2010). French player Sébastien Feller during the Olympiad in Russia.

  19. Distance Bounding too RFID-oriented

      Is research on distance bounding too RFID-oriented?
      ◦ Probably yes.

      No cryptographic operation performed during the fast phase.
      Restrictive assumption: 1-bit challenges and responses.
      Avoid a final signature.
      Which is the best protocol without the 2 last assumptions?

  20. Current Research Activities

      Are there existing models/frameworks?

      Definition: In a white-box model, the prover has full access to the implementation of the algorithm and a complete control over the execution environment.

      Definition: In a black-box model, the prover cannot observe or tamper with the execution of the algorithm.

      Definition (Pre-ask strategy): The adversary relays the first slow phase. She then executes the fast phase with the prover before the verifier starts the fast phase. Afterward, she performs the fast phase with the legitimate verifier.
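Added example (not from the slides): a Python model of the Hancke and Kuhn exchange from slides 11 and 14, meant for choosing the number of rounds n. It assumes HMAC-SHA256 as h and takes round-trip times as supplied values; `preask_success` enumerates the pre-ask strategy defined above to reproduce the (3/4)^n mafia-fraud figure, and `distance_bound` converts t_max into meters as on slide 10. All function names are illustrative.

```python
import hashlib, hmac, math, secrets
from fractions import Fraction
from itertools import product

C = 299_792_458  # speed of light in m/s

def registers(key, na, nb, n):
    """Slow phase: split h(K, Na, Nb) into v0 and v1 (n <= 128 bits each).
    HMAC-SHA256 stands in for h (assumption; the slides do not fix one)."""
    digest = hmac.new(key, na + nb, hashlib.sha256).digest()
    bits = [(b >> s) & 1 for b in digest for s in range(7, -1, -1)]
    return bits[:n], bits[n:2 * n]

def tag_response(v0, v1, i, c):
    """Fast phase, tag side: R_i = v0_i if C_i = 0, v1_i if C_i = 1."""
    return v1[i] if c else v0[i]

def verify(v0, v1, challenges, responses, rtts, t_max):
    """Reader side: every R_i correct and every delta t_i <= t_max."""
    return all(r == tag_response(v0, v1, i, c) and dt <= t_max
               for i, (c, r, dt) in enumerate(zip(challenges, responses, rtts)))

def distance_bound(t_max, t_proc=0.0):
    """Upper bound (meters) on tag distance for a round trip of t_max seconds;
    t_proc is an assumed fixed tag processing delay."""
    return C * (t_max - t_proc) / 2

def preask_success(n):
    """Exact acceptance probability of a pre-ask relay over n rounds, found by
    enumerating all registers, guessed challenges and real challenges."""
    wins = total = 0
    for v0, v1, guess, real in product(product((0, 1), repeat=n), repeat=4):
        learned = [tag_response(v0, v1, i, g) for i, g in enumerate(guess)]
        wins += verify(v0, v1, real, learned, [0] * n, 0)
        total += 1
    return Fraction(wins, total)

def rounds_needed(target):
    """Smallest n with (3/4)^n <= target."""
    return math.ceil(math.log(target) / math.log(0.75))

if __name__ == "__main__":
    key, na, nb = (secrets.token_bytes(16) for _ in range(3))  # constructed values
    v0, v1 = registers(key, na, nb, 32)
    cs = [secrets.randbelow(2) for _ in range(32)]
    rs = [tag_response(v0, v1, i, c) for i, c in enumerate(cs)]
    print(verify(v0, v1, cs, rs, [1e-9] * 32, t_max=2e-9))  # honest nearby tag
    print(preask_success(3), rounds_needed(2 ** -20), distance_bound(2e-9))
```

Keep `preask_success` to small n (the enumeration grows as 2^(4n)); use `rounds_needed` for real parameter choices.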

  21. Theoretical model. Are there some other attack scenarios?

  22. Prover Model: Computing Capabilities of the Prover

      In the white-box model, restricting the computation capabilities of the prover within one protocol execution is required.

      [Figure: adversary success probability (log scale, 1 down to 1e-16) versus p, the number of runs (1 to 1e+06), for register lengths n = 20, 40, 60, 80, 128]

  23. Hancke and Kuhn's Protocol

      Reader (secret K), Tag (secret K)
      ◦ Reader picks a random N_a; Tag picks a random N_b.
      ◦ Reader → Tag: N_a
      ◦ Tag → Reader: N_b
      ◦ h(K, N_a, N_b) gives two registers, for example v^0 = 1 1 0 1 1 0 0 0 1 0 and v^1 = 0 1 1 1 1 0 0 1 0 0.
      ◦ Start of fast bit exchange. For i = 1 to n:
          ◦ Reader picks C_i ∈_R {0, 1}, starts the clock, and sends C_i.
          ◦ Tag replies with R_i = v^0_i if C_i = 0, or R_i = v^1_i if C_i = 1.
          ◦ Reader stops the clock on receiving R_i.
          ◦ Check: Δt_i ≤ t_max
          ◦ Check: correctness of R_i
      ◦ End of fast bit exchange.

      Question (adversary success probability):
      1. Mafia fraud: (3/4)^n
      2. Terrorist fraud: 1
      3. Distance fraud: (3/4)^n

  24. Prover Model – Circle Analysis: Distance Between Verifier and Prover

      In some distance bounding protocols, each response bit depends on some previous challenges during the fast phase. Receiving the previous challenges depends on how far the prover is away from the verifier.

  25. Pretty Poor Proofs. Proofs are “given an attack scenario”.

  26. Assumptions realistic

      Are there other questionable assumptions?
      ◦ Propagation delays are much shorter than processing times.
      ◦ Adversary also induces some delays.
      ◦ Thwarting adversaries using commercial readers.
      ◦ Consider a new distance?

  27. Suggested Directions

      ◦ Theory is not mature yet.
      ◦ Do not introduce tons of new protocols.
      ◦ Be less RFID-focused.
      ◦ Provide less scenario-oriented proofs.
      ◦ Think about a new distance.

  28. Further Reading

      [1] Y. Desmedt, C. Goutier, and S. Bengio. Special Uses and Abuses of the Fiat-Shamir Passport Protocol. CRYPTO '87.
      [2] T. Beth and Y. Desmedt. Identification Tokens - or: Solving the Chess Grandmaster Problem. CRYPTO '90.
      [3] G. Hancke and M. Kuhn. An RFID Distance Bounding Protocol. SecureComm 2005.
      [4] G. Hancke. Practical Attacks on Proximity Identification Systems. IEEE Symposium on Security and Privacy, 2006.
      [5] G. Avoine, M. Bingöl, S. Kardas, C. Lauradoux, and B. Martin. A Framework for Analyzing RFID Distance Bounding Protocols. Journal of Computer Security, 2010.
      [6] A. Francillon, B. Danev, and S. Čapkun. Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. Network and Distributed System Security Symposium, 2011.
