On the Need for Provably Secure Distance Bounding
Serge Vaudenay
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
http://lasec.epfl.ch/
SV 2012 distance bounding CIoT 2012 1 / 39
Outline
1 Introduction to Distance-Bounding
2 Some Insecurity Case Studies
3 On Incorrect Use of PRFs
4 Directions for Provable Security

1 Introduction to Distance-Bounding
Motivation
token-based authentication must thwart man-in-the-middle (relay) attacks, e.g. on
- wireless car locks
- credit-card payment (contactless or not)
- corporate ID cards for access control
solution: use a distance-bounding protocol
The Brands-Chaum Protocol
Distance-Bounding Protocols [Brands-Chaum EUROCRYPT 1993]

Verifier (public key y)                              Prover (secret key x)
initialization phase
                         <---- Commit(m) ----        pick m
distance bounding phase
for i = 1 to n:
  pick c_i, start clock  ---- c_i ---->
                         <---- r_i ----              r_i = m_i xor c_i
  stop clock
check timers
termination phase
                         <---- open commitment ----
check responses
                         <---- Sign_x(c, r) ----
check signature
Out_V ---->
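As an added illustration (not code from the slides or from Brands and Chaum), the following Python simulation runs the three phases above and lets a far-away prover attempt a distance fraud. Assumptions made here: time is counted in abstract ticks (a message takes `distance` ticks one way and the verifier's timer accepts a round trip of at most `RTT_BOUND` ticks), the commitment is a SHA-256 hash commitment with a random opening, and Sign_x(c, r) is stood in for by an HMAC over a key shared for the demo, whereas the paper uses a public-key signature.

```python
"""Simulation of the Brands-Chaum distance-bounding protocol and of a
distance-fraud attempt against it (added example, assumptions in comments)."""
import hashlib
import hmac
import os
import random

N_ROUNDS = 32   # n rapid challenge/response rounds
RTT_BOUND = 2   # largest round-trip time (ticks) the verifier's timer accepts


def commit(bits, opening):
    """Commit(m): hash commitment over a random opening and the bits (assumption)."""
    return hashlib.sha256(opening + bytes(bits)).digest()


def sign(key, cs, rs):
    """Stands in for Sign_x(c, r): HMAC over the transcript (assumption)."""
    return hmac.new(key, bytes(cs) + bytes(rs), hashlib.sha256).digest()


class Prover:
    """Honest prover: commits to m, answers r_i = m_i xor c_i after seeing c_i."""

    def __init__(self, key, rng):
        self.key, self.rng = key, rng

    def initialization(self):
        self.m = [self.rng.getrandbits(1) for _ in range(N_ROUNDS)]
        self.opening = os.urandom(16)
        return commit(self.m, self.opening)

    def response(self, i, c_i):
        return self.m[i] ^ c_i

    def termination(self, cs, rs):
        return self.m, self.opening, sign(self.key, cs, rs)


class DistanceFraudProver(Prover):
    """Far-away prover P*: to beat the timer it must send r_i before c_i arrives,
    so it can only guess c_i; each round then succeeds with probability 1/2."""

    def early_response(self, i):
        return self.m[i] ^ self.rng.getrandbits(1)


def verifier(prover, key, distance, rng, early=False):
    """Run one session and return True iff V accepts.

    distance: the prover's one-way delay in ticks.
    early:    the prover sends each r_i ahead of c_i (distance-fraud strategy),
              timed so that it arrives just within the bound.
    """
    com = prover.initialization()
    cs, rs, timing_ok = [], [], True
    for i in range(N_ROUNDS):
        c_i = rng.getrandbits(1)
        clock = 0                          # start clock when c_i is sent
        if early:
            r_i = prover.early_response(i)
            clock = RTT_BOUND              # guessed reply arrives within the bound
        else:
            clock += distance              # c_i reaches the prover
            r_i = prover.response(i, c_i)
            clock += distance              # r_i travels back
        timing_ok = timing_ok and clock <= RTT_BOUND   # stop clock, check timer
        cs.append(c_i)
        rs.append(r_i)
    m, opening, sig = prover.termination(cs, rs)
    commitment_ok = commit(m, opening) == com
    responses_ok = all(r == mi ^ c for r, mi, c in zip(rs, m, cs))
    signature_ok = hmac.compare_digest(sig, sign(key, cs, rs))
    return timing_ok and commitment_ok and responses_ok and signature_ok


def distance_fraud_bound(n=N_ROUNDS):
    """Probability that P* guesses all n challenges: 2^-n."""
    return 2.0 ** -n


if __name__ == "__main__":
    rng = random.Random(2012)
    key = os.urandom(16)
    print("close honest prover accepted:", verifier(Prover(key, rng), key, 1, rng))
    print("far honest prover accepted:  ", verifier(Prover(key, rng), key, 3, rng))
    fraud = DistanceFraudProver(key, rng)
    wins = sum(verifier(fraud, key, 3, rng, early=True) for _ in range(1000))
    print("distance fraud wins in 1000 sessions:", wins,
          "(expected about", 1000 * distance_fraud_bound(), ")")
```

The far honest prover fails only on the timers, which is also what defeats a plain relay (mafia fraud) since the relay adds delay; the far cheating prover passes the timers but must guess every c_i, so n rounds bound its success by 2^-n.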
Distance Fraud
  P* <----- far away -----> V
a malicious prover P* tries to prove that he is close to a verifier V
Mafia Fraud
Major Security Problems with the "Unforgeable" (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
  P <----- far away -----> A <---> V
an adversary A tries to prove that a (far-away, honest) prover P is close to a verifier V
Terrorist Fraud
Major Security Problems with the "Unforgeable" (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988]
  P* <----- far away -----> A <---> V
a malicious prover P* helps an adversary A to prove that P* is close to a verifier V, without giving A any other advantage (in particular, without leaking his secret)
Impersonation Fraud
A Formal Approach to Distance Bounding RFID Protocols [Dürholz-Fischlin-Kasper-Onete ISC 2011]
  A <---> V
an adversary A, with no prover participating, tries to prove that a prover P is close to a verifier V
Distance Hijacking
Distance Hijacking Attacks on Distance Bounding Protocols [Cremers-Rasmussen-Čapkun IEEE S&P 2012]
  P* <----- far away -----> P' <---> V
a malicious prover P* tries to prove that he is close to a verifier V by taking advantage of other (honest) provers P'
Techniques

Verifier (secret x)                                Prover (secret x)
initialization phase
                         ---- ... ---->
                         <---- ... ----
distance bounding phase
for i = 1 to n:
  start clock            ---- i-th challenge ---->
                         <---- i-th response ----
  stop clock
check responses
check timers
Out_V ---->

caveat: the rapid bit-exchange is subject to noise, so the verifier may only require at least τ correct responses (out of the n rounds) to accept
2 Some Insecurity Case Studies
- The RC Protocol
- The Bussard-Bagga Protocol and Children
The RC Protocol
Location Privacy of Distance Bounding [Rasmussen-Čapkun ACM CCS 2008]
integrates location privacy into distance bounding, based on the exchange of a continuous bitstream rather than discrete challenge/response bits
The RC Protocol

Verifier (secret K)                                      Prover (secret K)
initialization phase
                            <---- secure_K(N_P) ----     pick N_P
receive N_P
pick M, N_V                 ---- secure_K(M, N_P) ---->  receive M, check N_P
distance-bounding phase
stream_V = Rand1_V || M || N_V || Rand2_V
                            ---- stream_V ---->          parse until M
                            <---- stream_P ----          stream_P = Rand1_P || (N_V xor N_P) || Rand2_P
parse until N_V xor N_P
check time between N_V and N_V xor N_P
Out_V ---->
Attack Principles
Mafia Fraud Attack against the RC Distance-Bounding Protocol [Mitrokotsa-Vaudenay IEEE RFID-TA 2012]
- the adversary intercepts a complete session between P and V
- the adversary guesses the position of N_V in stream_V
- assuming the adversary knows the locations of P and V (hence the propagation delay), he can deduce the position of N_V xor N_P in stream_P, thus the value of N_P
- the adversary can now impersonate P by replaying secure_K(N_P)
- in the distance-bounding phase he replies with stream_V xor (offset || N_P || ... || N_P)
- if the offset length modulo |N_V| is correct, the verifier accepts
- success probability: 1/|stream_V| × 1/|N_V|
The Bussard-Bagga Protocol and Children
The BB Protocol
Distance-Bounding Proof of Knowledge Protocols to Avoid Real-Time Attacks [Bussard-Bagga IFIP SEC 2005]
protection against terrorist fraud, based on public-key cryptography
generic: several possible instantiations of the DBPK (distance-bounding proof of knowledge) protocol
The Generic DBPK Protocol

Verifier (public key y)                              Prover (secret key x)
initialization phase
                                                     pick k, v, v', e = Enc_k(x)
                                                     z_{k,i} = commit(k_i, v_i)
                                                     z_{e,i} = commit(e_i, v'_i)
                         <---- z_k, z_e ----
distance bounding phase
for i = 1 to n:
  pick c_i, start clock  ---- c_i ---->
                         <---- r_i ----              r_i = k_i if c_i = 0, e_i if c_i = 1
  stop clock
termination phase
                         <---- gamma ----            gamma_i = v_i if c_i = 0, v'_i if c_i = 1
check openable commitments
check timers
                         <---- PoK(x) ... ---->      (proof of knowledge of x)
Out_V ---->
Proposed Instances
- one-time pad DBPK: Enc_k(x) = x xor k
- addition modulo q, DBPK-Log: Enc_k(x) = x - k mod q
- modular addition with random factor, DBPK-Log: Enc_k(x; u) = (u, ux - k mod q)
The Reid et al. Protocol
Detecting Relay Attacks with Timing-based Protocols [Reid-Nieto-Tang-Senadji ASIACCS 2007]

Verifier (secret x)                                  Prover (secret x)
initialization phase
pick N_V                 ---- V, N_V ---->
                         <---- P, N_P ----           pick N_P
k = f_x(P || V || N_V || N_P)                        k = f_x(P || V || N_V || N_P)
e = Enc_k(x)                                         e = Enc_k(x)
distance bounding phase
for i = 1 to n:
  pick c_i, start clock  ---- c_i ---->
                         <---- r_i ----              r_i = k_i if c_i = 0, e_i if c_i = 1
  stop clock
check responses
check timers
Out_V ---->
Attack Principles for the Reid et al. Protocol
The Swiss-Knife RFID Distance Bounding Protocol [Kim-Avoine-Koeune-Standaert-Pereira ICISC 2008]
- select i
- let a protocol run between P and V, except replace c_i by 1 - c_i (towards P) and r_i by a random bit (towards V)
- observation 1: the response to 1 - c_i is r_i (given by P)
- observation 2: if V does not accept, the correct response to c_i is bit xor 1 (if V accepts, it is bit)
- the adversary deduces k_i and e_i, thus x_i = k_i xor e_i
- iterate with another i (the nonces change k and e, not x) and reconstruct the secret x
- the adversary can impersonate P to V!
Attack Principles for One-Time Pad DBPK
The Bussard-Bagga and Other Distance-Bounding Protocols under Man-in-the-Middle Attacks [Bay-Boureanu-Mitrokotsa-Spulber-Vaudenay Inscrypt 2012]
- select i
- let a protocol run between P and V, except replace c_i by 1 - c_i (towards P) and r_i by a random bit r*_i (towards V)
- !! the PoK and the commitments make this trickier (the adversary has to guess c_i in advance)
- observation 1: the response to 1 - c_i is r_i (given by P)
- observation 2: if V does not accept, the correct response to c_i is r*_i xor 1
- the adversary deduces k_i and e_i, thus x_i = k_i xor e_i
- iterate with another i and reconstruct the secret x
- the adversary can impersonate P to V!
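As an added example (not code from the slides or from the cited papers), the following Python simulation carries out the bit-leak attack of the two preceding slides against the Reid et al. rapid phase; the one-time-pad DBPK case works the same way on the rapid phase, minus the commitment and PoK complications noted above. Assumptions: f_x is HMAC-SHA256 keyed with x (the slides only write f_x), Enc_k(x) = x xor k with |x| = n = 128 bits, the adversary observes Out_V, and timing is not modelled because the adversary sits between an honest P and a V that are both in range.

```python
"""MitM recovery of x in the Reid et al. protocol, one bit per session
(added example; f_x = HMAC-SHA256 and |x| = 128 are assumptions)."""
import hashlib
import hmac
import os
import random

N = 128  # n rapid rounds = |x| in bits


def to_bits(data):
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


def to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def derive(x, P, V, nv, np_):
    """k = f_x(P || V || N_V || N_P), e = Enc_k(x) = x xor k."""
    k = to_bits(hmac.new(x, P + V + nv + np_, hashlib.sha256).digest())[:N]
    e = [ki ^ xi for ki, xi in zip(k, to_bits(x))]
    return k, e


class Prover:
    def __init__(self, x):
        self.x = x

    def init(self, V, nv):
        self.np = os.urandom(8)
        self.k, self.e = derive(self.x, b"P", V, nv, self.np)
        return b"P", self.np

    def challenge(self, i, c_i):
        return self.k[i] if c_i == 0 else self.e[i]


class Verifier:
    def __init__(self, x, rng):
        self.x, self.rng = x, rng

    def run(self, channel):
        """One session over `channel` (the prover itself, or an adversary in front of it)."""
        nv = os.urandom(8)
        P, np_ = channel.init(b"V", nv)
        k, e = derive(self.x, P, b"V", nv, np_)
        ok = True
        for i in range(N):
            c_i = self.rng.getrandbits(1)
            r_i = channel.challenge(i, c_i)
            ok = ok and r_i == (k[i] if c_i == 0 else e[i])
        return ok                          # Out_V, visible to the adversary


class MitM:
    """Relays an honest session untouched except for round j."""

    def __init__(self, prover, j, rng):
        self.prover, self.j, self.rng = prover, j, rng

    def init(self, V, nv):
        return self.prover.init(V, nv)

    def challenge(self, i, c_i):
        if i != self.j:
            return self.prover.challenge(i, c_i)
        self.c = c_i
        self.r_flipped = self.prover.challenge(i, 1 - c_i)   # observation 1
        self.bit = self.rng.getrandbits(1)                   # random reply to V
        return self.bit

    def learn(self, out_v):
        """Observation 2: V's verdict reveals the correct response to c_j."""
        r_c = self.bit if out_v else self.bit ^ 1
        k_j, e_j = (r_c, self.r_flipped) if self.c == 0 else (self.r_flipped, r_c)
        return k_j ^ e_j                   # x_j = k_j xor e_j


def recover_secret(prover, verifier, rng):
    """One session per bit index j: fresh nonces change k and e, never x."""
    x_bits = []
    for j in range(N):
        adv = MitM(prover, j, rng)
        x_bits.append(adv.learn(verifier.run(adv)))
    return to_bytes(x_bits)


if __name__ == "__main__":
    rng = random.Random(2012)
    x = os.urandom(16)
    verifier = Verifier(x, rng)
    x_rec = recover_secret(Prover(x), verifier, rng)
    print("secret recovered:", x_rec == x)
    print("impersonation accepted:", verifier.run(Prover(x_rec)))
```

Half of the tampered sessions are even accepted by V, so the leak costs the attacker nothing beyond n observed sessions; once x is known, the adversary computes k and e himself and passes every later session as P.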