Security Analysis of Distance Bounding Protocols Agnes BRELURUT, - PowerPoint PPT Presentation

Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT LIMOS, Université d’Auvergne, France September 17th 2015 BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 1 / 25

Context BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 2 / 25

Relay Attacks a a ← − − − − − − − − − ← − − − − − − − − − b b − − − − − − − − − → − − − − − − − − − → c c ← − − − − − − − − − ← − − − − − − − − − Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars, A. Francillon, 2011 BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 3 / 25

Counter measure : RTT check Far away prover Close prover Verifier Prover Verifier Prover Ci Ci ∆ ∆ (t) (t) treshold Ri Ri ∆ ∆ (t) < treshold => Accept (t) > treshold => Reject BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 4 / 25

Brands & Chaum : Protocol Verifier V Prover P public key : y secret key : x Initialisation phase commit(m) m $ − { 0 , 1 } n ← − − − − − − − − − − − − − − − − − − − − − ← Distance Bounding phase for i = 1 to n Pick c i ∈ { 0 , 1 } c i Start clock − − − − − − − − − − − − − − − − − − − − − → r i Stop clock ← − − − − − − − − − − − − − − − − − − − − − r i := m i ⊕ c i Check timers ∆ t i Verification phase open commitment Check responses ← − − − − − − − − − − − − − − − − − − − − − Sign x ( S ) Check signature ← − − − − − − − − − − − − − − − − − − − − − S := c 1 || r 1 || ... || c n || r n Out V − − − − − − − − − − − − − − − − − − − − − → BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 5 / 25

Distance Bounding Protocol Verifier V Prover P shared key : x shared key : x Initialisation phase Messages V − − − − − − − − − − − − − − − − − − − − − − − − − − → Messages P ← − − − − − − − − − − − − − − − − − − − − − − − − − − a = f x ( Messages V , Messages P ) Distance Bounding phase for i = 1 to n c i Start clock − − − − − − − − − − − − − − − − − − − − − − − − − − → r i Stop clock ← − − − − − − − − − − − − − − − − − − − − − − − − − − r i = F ( c i , a i , x i ) Verification phase S Check ∆ t i , r i and S ← − − − − − − − − − − − − − − − − − − − − − − − − − − S = sign x ( transcript ) BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 6 / 25

Honest Prover Mafia Fraud (MF) : an adversary A tries to prove that a prover P is close to a verifier V . P ↔ A ↔ V � �� � far away BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 7 / 25

Honest Prover Mafia Fraud (MF) : an adversary A tries to prove that a prover P is close to a verifier V . P ↔ A ↔ V � �� � far away Impersonation Fraud (IF) : an adversary tries to im- personate the prover to the verifier. A ↔ V BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 7 / 25

Dishonest Prover Distance Fraud : a far-away prover P ∗ tries to prove that he is close to a verifier V . P ∗ ↔ V BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 8 / 25

Dishonest Prover Distance Fraud : a far-away prover P ∗ tries to prove that he is close to a verifier V . P ∗ ↔ V Distance Hijacking (DH) : a far-away prover P ∗ tries to prove that he is close to a verifier V by taking ad- vantage of others provers P 1 ,.., P n . P ∗ ↔ P 1 ,.., P n ↔ V BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 8 / 25

Dishonest Prover Distance Fraud : a far-away prover P ∗ tries to prove that he is close to a verifier V . P ∗ ↔ V Distance Hijacking (DH) : a far-away prover P ∗ tries to prove that he is close to a verifier V by taking ad- vantage of others provers P 1 ,.., P n . P ∗ ↔ P 1 ,.., P n ↔ V Terrorist Fraud (TF) : a far-away prover P ∗ helps an adversary A to prove that P ∗ is close to a verifier V without giving A another advantage. P ∗ ↔ A ↔ V BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 8 / 25

Motivations No exhaustive list of DB protocols. No compared or classified. No relationship between threat models. BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 9 / 25

Plan Relations between Model of Threat 1 Attack and defence strategies 2 Conclusion and Perspective 3 BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 10 / 25

Plan Relations between Model of Threat 1 Attack and defence strategies 2 Conclusion and Perspective 3 BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 11 / 25

The BMV Model(2013) Distance Fraud (DF) : P ∗ ( x ) ↔ ( P 1 ( x ′ ) ,..., P ′ m ( x ′ ) ↔ V 1 ( y ′ ) ,..., V m ( y ′ ) ↔ ) V ( y ; r V ) Man-In-the-Middle (MiM) : P 1 ( x ) ,..., P m ( x ) ↔ A 1 ↔ V 1 ( y ) ,..., V z ( y ) P m +1 ( x ) ,..., P l ( x ) ↔ A 2 ( View A 1 ) ↔ V ( y ) Collusion Fraud (CF) : P ∗ ( x ) ↔ A CF ↔ V 0 ( y ) X → Y denotes that if the property X is satisfied then Y is also satisfied, an attack on the property Y implies an attack on the property X . DF MiM DH CF TF MF IF BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 12 / 25

The BMV Model(2013) Distance Fraud (DF) : P ∗ ( x ) ↔ ( P 1 ( x ′ ) ,..., P ′ m ( x ′ ) ↔ V 1 ( y ′ ) ,..., V m ( y ′ ) ↔ ) V ( y ; r V ) Man-In-the-Middle (MiM) : P 1 ( x ) ,..., P m ( x ) ↔ A 1 ↔ V 1 ( y ) ,..., V z ( y ) P m +1 ( x ) ,..., P l ( x ) ↔ A 2 ( View A 1 ) ↔ V ( y ) Collusion Fraud (CF) : P ∗ ( x ) ↔ A CF ↔ V 0 ( y ) X → Y denotes that if the property X is satisfied then Y is also satisfied, an attack on the property Y implies an attack on the property X . DF MiM DH CF TF MF IF BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 12 / 25

The BMV Model(2013) Distance Fraud (DF) : P ∗ ( x ) ↔ ( P 1 ( x ′ ) ,..., P ′ m ( x ′ ) ↔ V 1 ( y ′ ) ,..., V m ( y ′ ) ↔ ) V ( y ; r V ) Man-In-the-Middle (MiM) : P 1 ( x ) ,..., P m ( x ) ↔ A 1 ↔ V 1 ( y ) ,..., V z ( y ) P m +1 ( x ) ,..., P l ( x ) ↔ A 2 ( View A 1 ) ↔ V ( y ) Collusion Fraud (CF) : P ∗ ( x ) ↔ A CF ↔ V 0 ( y ) X → Y denotes that if the property X is satisfied then Y is also satisfied, an attack on the property Y implies an attack on the property X . DF MiM DH CF TF MF IF BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 12 / 25

The BMV Model(2013) Distance Fraud (DF) : P ∗ ( x ) ↔ ( P 1 ( x ′ ) ,..., P ′ m ( x ′ ) ↔ V 1 ( y ′ ) ,..., V m ( y ′ ) ↔ ) V ( y ; r V ) Man-In-the-Middle (MiM) : P 1 ( x ) ,..., P m ( x ) ↔ A 1 ↔ V 1 ( y ) ,..., V z ( y ) P m +1 ( x ) ,..., P l ( x ) ↔ A 2 ( View A 1 ) ↔ V ( y ) Collusion Fraud (CF) : P ∗ ( x ) ↔ A CF ↔ V 0 ( y ) X → Y denotes that if the property X is satisfied then Y is also satisfied, an attack on the property Y implies an attack on the property X . DF MiM DH CF TF MF IF BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding Protocols September 17th 2015 12 / 25