Insider attacks and RFID Privacy models
Ton van Deursen and Saša Radomirović
{ton.vandeursen, sasa.radomirovic}@uni.lu
University of Luxembourg
Financial support received from the Fonds National de la Recherche (Luxembourg)
Ton van Deursen (1/12)

Overview
In an insider attack the adversary uses a tag that is fully under his control. His goal is to break the privacy/security of some other tag.
Insider attacks are relevant in public-key based protocols.

Randomized Schnorr protocol
R (reader): $y, P, xP$
T (tag): $x, P, yP$
T: $a, b \in_R \mathbb{Z}$
T → R: $aP,\ byP$
R: $c \in_R \mathbb{Z}$
R → T: $c$
T → R: $r = a + b + x \cdot c$
R: find $xP$, where $xP = (rP - aP - byP \cdot y^{-1})\, c^{-1}$
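
Man-in-the-middle attack
R (reader): $y, P, xP$
T (tag): $x, P, yP$
E sits between R and T.
T: $a, b \in_R \mathbb{Z}$
T → E: $aP,\ byP$
E → R: $aP + M_a,\ byP + M_b$
R: $c \in_R \mathbb{Z}$
R → E: $c$
E → T: $c$
T → E: $r = a + b + x \cdot c$
E → R: $r + M_r = a + b + x \cdot c + M_r$
R: find $xP$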

Man-in-the-middle attack
Adversarial strategy:
■ Observe two runs of a protocol for tags $x$ and $x'$: $aP, byP, c, r$ and $a'P, b'yP, c', r'$.
■ Compute $M_a$, $M_b$ and $M_r$.
■ Perform man-in-the-middle attack: if the reader accepts the tag, $x = x'$; otherwise $x \neq x'$.
$M_a$, $M_b$ and $M_r$ need to satisfy:
■ $M_a = ca'P + c'aP$
■ $M_b = c'byP + cb'yP$
■ $M_r = c'r - cr' = (c'a - ca') + (c'b - cb') + (xcc' - x'c'c)$

Why does this work?
RFID security requires that the reader accepts a legitimate tag only if the reader and tag have a matching conversation.
The randomized Schnorr protocol does not satisfy security.

Randomized Schnorr protocol (hardened)
R (reader): $y, P, xP$
T (tag): $x, P, yP$
T: $a, b \in_R \mathbb{Z}$
T → R: $aP$
T → R: $byP$
R: $c \in_R \mathbb{Z}$
R → T: $c$
T → R: $r = a + b + x \cdot c$
T → R: $h(aP, byP, c, r, xyP)$
R: find $xP$

Randomized Schnorr protocol (hardened)
The hardened randomized Schnorr protocol satisfies security due to the hash function.
The man-in-the-middle attack is no longer possible since the attacker does not know $xyP$.
An insider can compute the hash and can therefore still perform the attack.
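
The following is an added worked example, not part of the original slides: it runs the protocol, the reader's recovery of xP, and the shifted run of the previous slides against both the plain and the hardened reader. Assumptions: the order-1019 subgroup of Z_2039^* stands in for the elliptic-curve group, SHA-256 stands in for h, and all keys, nonces and function names are constructed for illustration. M_a and M_b are computed as differences, which is what makes them cancel against M_r = c'r - cr'.

```python
import hashlib

# Toy group (assumption): order-Q subgroup of Z_p^*, written additively as on the slides.
PRIME, Q, P = 2039, 1019, 4

def add(X, Y): return X * Y % PRIME                  # X + Y
def sub(X, Y): return X * pow(Y, -1, PRIME) % PRIME  # X - Y
def mul(k, X): return pow(X, k % Q, PRIME)           # kX

def tag_run(x, a, b, c, yP):
    """Tag side of one run: returns aP, byP, c, r = a + b + x*c."""
    return mul(a, P), mul(b, yP), c, (a + b + x * c) % Q

def reader_find(y, A, B, c, r):
    """xP = (rP - aP - byP * y^-1) * c^-1"""
    bP = mul(pow(y, -1, Q), B)
    return mul(pow(c, -1, Q), sub(sub(mul(r, P), A), bP))

def h(A, B, c, r, xyP):
    return hashlib.sha256(repr((A, B, c, r, xyP)).encode()).hexdigest()

def reader_accepts(y, db, A, B, c, r, tag_hash=None):
    """tag_hash=None models the plain protocol; otherwise the hardened check."""
    X = reader_find(y, A, B, c, r)
    if X not in db:
        return False
    return tag_hash is None or tag_hash == h(A, B, c, r, mul(y, X))

def shifted_run_accepted(y, db, run1, run2, live_x, hardened, owns_live_tag=False):
    """Reader's decision on a live run shifted by M_a, M_b, M_r from two observed runs."""
    (A1, B1, c1, r1), (A2, B2, c2, r2) = run1, run2
    Ma = sub(mul(c2, A1), mul(c1, A2))    # differences, so they cancel against M_r
    Mb = sub(mul(c2, B1), mul(c1, B2))
    Mr = (c2 * r1 - c1 * r2) % Q          # M_r = c'r - cr'
    yP = mul(y, P)
    A, B, c, r = tag_run(live_x, 31, 32, 33, yP)     # constructed live run
    A_, B_, r_ = add(A, Ma), add(B, Mb), (r + Mr) % Q
    xyP = mul(live_x, yP)                 # known only to the live tag's owner and the reader
    seen = (A_, B_, c, r_) if owns_live_tag else (A, B, c, r)
    tag_hash = h(*seen, xyP) if hardened else None
    return reader_accepts(y, db, A_, B_, c, r_, tag_hash)

# Constructed sample data: reader key y, three registered tags, three observed runs.
Y_KEY, XS = 123, (101, 202, 303)
DB = {mul(x, P) for x in XS}
RUN_A = tag_run(101, 11, 12, 13, mul(Y_KEY, P))
RUN_B = tag_run(101, 21, 22, 23, mul(Y_KEY, P))   # same tag as RUN_A
RUN_C = tag_run(202, 21, 22, 23, mul(Y_KEY, P))   # different tag
```

The plain reader's decision on the shifted run depends only on whether the two observed runs came from the same tag; the hardened reader rejects the shifted run unless the hash was recomputed by a party that holds xyP for the live tag.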

Implications
Vaudenay's adversary classes:
w-strong ⇒ w-destructive ⇒ w-forward ⇒ w-weak
   ⇓            ⇓              ⇓          ⇓
n-strong ⇒ n-destructive ⇒ n-forward ⇒ n-weak
A wide attacker can observe whether a protocol run ended successfully.

Implications
Vaudenay's lemma (2007) still holds:
■ Narrow-weak privacy + security ⇒ wide-weak.
■ Narrow-forward privacy + security ⇒ wide-forward.
Ng et al.'s theorems (2008) no longer hold:
■ Narrow-destructive privacy + security ⇒ wide-destructive.
■ Narrow-strong privacy + security ⇒ wide-strong.

Conclusions
Conclusions:
■ There exist protocols that are vulnerable to insider attacks.
■ Insider attacks are only relevant for public-key protocols.
Future work:
■ Adapt privacy models for insider attacks.
■ Find minimal conditions for absence of insider attacks.

Thank you!
http://satoss.uni.lu/ton/