Exploring Distance Bounding: Facts, Hopes, and Perspectives
Delve into the world of distance bounding with Maria Cristina Onete as she discusses the secure authentication, relay attacks, distance-bounding protocols, properties, and attacks. Learn about the challenges and implementations of mobile distance bounding, mafia and terrorist fraud resistance, and how this technology works to establish trust based on proximity.
Uploaded on Sep 28, 2024 | 0 Views
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Distance Bounding: Facts, Hopes, and Perspectives Maria Cristina Onete maria-cristina.onete@irisa.fr Paris, 27/05/2015
Meet the girl Need authentication Marie-Claire Cristina Onete || 27/05/2015 || 2
Secure Authentication 1 = Accept 1 = Accept 1 = Accept 0 = Reject 0 = Reject Secure authentication Correctness: legitimate prover always authenticates Impersonation: MIM adversary is always rejected Cristina Onete || 27/05/2015 || 3
Relay Attacks Far-away Prover helps Adversary MV MV MP MP MV MP Leech Ghost Works for Bluetooth, smartcards, Keeloq, PKES (cars) Cristina Onete || 27/05/2015 || 4
Distance-Bounding Protocols Distance-bounding idea: proximity = trust Verifier uses clock to upper-bound distance tmax tmax c t r check r check t tmax Cristina Onete || 27/05/2015 || 5
Distance-Bounding Protocols Distance-bounding idea: proximity = trust Verifier uses clock to upper-bound distance Do proximity test N times for reliability tmax tmax c c t r r check r check t tmax Cristina Onete || 27/05/2015 || 6
Contents Distance-Bounding Protocols Mafia and Terrorists Existing Protocols Distance-Bounding Implementations Main Challenges Mobile Distance-Bounding The Case of the Mifare Plus card Conclusions
Distance-Bounding Protocol Basic structure round slow fast Cristina Onete || 27/05/2015 || 8
Distance-Bounding Properties Mafia Fraud Resistance No relays! Terrorist Fraud Resistance Help is one-time Distance Fraud Resistance tmax Cristina Onete || 27/05/2015 || 9
Distance-Bounding Attacks Mafia Fraud Resistance Marie-Claire has unique e-key to gym locker Marie-Claire is at party with Leech Ghost is at gym, wants to get into the locker Terrorist Fraud Resistance Marie-Claire and Adv. are friends Marie-Claire wants to let Adv. to use her locker But Adv. shouldn t enter again without permission Distance Fraud Resistance Marie-Claire runs a red light, wants to prove she was at the gym, but she is far away Cristina Onete || 27/05/2015 || 10
How to build Distance-Bounding Protocols
Cryptographic Tools Pseudorandom functions PRFK(x) Keyed with randomly chosen key K While key remains secret, output practically random No guarantee if K known to the attacker In practice: H-MAC, Symmetric encryption Commitment schemes (Commit, Open) Envelopes meant to hide some input Hiding: given commitment value, can t guess input Binding: a commitment on x cannot open to value y Signature scheme (Sign, Vf) or MAC (MAC, Vf): Unforgeable: cannot forge signature on fresh message Cristina Onete || 27/05/2015 || 12
Brands and Chaum [BC93] sk,pk pk Choose ?1 ?? Com(?1| |??) ci N times ?? XOR ?? Recover ?? Verify rsp. & time Open(Com), Sign(?) Mafia-fraud resistance: ??hidden Distance-fraud resistance: ci chosen at random Cristina Onete || 27/05/2015 || 13
Brands and Chaum security Score sheet sk,pk pk MFR per round or Prob[forgery] Choose ?1 ?? DFR Com(?1| |??) per round TFR ci N times Terrorist forwards values of ??, then signature Middleweight ?? XOR ?? Open(Com), Sign(?) Recover ?? Verify rsp. & time Cristina Onete || 27/05/2015 || 14
Hancke and Kuhn [HK05] K NV NP Compute r0|r1 = PRFK(NP| NV) ci Check r and time N times rici Mafia-fraud resistance: responses not computable w/o K Distance-fraud resistance: if PRF secure for known K Cristina Onete || 27/05/2015 || 15
Hancke and Kuhn security Score sheet [HK05] K MFR per round NV DFR per round if no sensitive input , given K NP Compute r0|r1 = PRFK(NP| NV) TFR ci Terrorist forwards r0, r1 to adversary N times rici Lightweight Check r and time Cristina Onete || 27/05/2015 || 16
Some basic tools (recap.) Responses depend on honestly-chosen bit-challenges Random challenges => DFR if responses are random How to derive responses: Special PRF: secure even with known keys Commit to offsets, then XOR challenges and offsets Role of key (authentication) As key to PRF Key to Signature schemes (expensive) Cristina Onete || 27/05/2015 || 17
TFR & the Swiss Knife Protocol [KAK+09] (K) (K) Intuition NV Make key recoverable from r0, r1 NP r0= PRFK(NP| NV); r1= r0 XOR K Attacker needs both r0 and r1 to timely respond to c Give away both r0, r1 => give away K ci rici N times Problem: same key used for MAC and XOR! PRFK(NP| NV | c| r) Final MAC verifies trans- cript, stops tampering Check responses and times Cristina Onete || 27/05/2015 || 18
TFR & the Swiss Knife Protocol [KAK+09] (K, K ) (K, K ) Score sheet NV MFR NP per round r0= PRFK(NP| NV); r1= r0 XOR K DFR per round, usual PRF TFR ci rici N times Intuitively, yes Harder to make it provable (but possible) PRFK(NP| NV | c| r) Check responses and times Lightweight Cristina Onete || 27/05/2015 || 19
Tools of our trade Responses depend on honestly-chosen bit-challenges Random challenges => DFR if responses are random How to derive responses: Special PRF: secure even with known keys Commit to offsets, then XOR challenges and offsets Regular PRF & XOR with honestly-chosen key K Authentication PRF authentication (in fast rounds) Key to Signature schemes (expensive) or to MAC Final authentication improves MFR, prevents tampering Cristina Onete || 27/05/2015 || 20
Sticky Point: Implementation of Distance-Bounding
DB and Implementations Attacks in practice Exploit: prover automatically responds when queried Regardless of verifier authentication or encryption Attacks work in: Bluetooth Contactless and contact smartcards and RFID Including passports! Against cars: KeeLoq, PKES Implementations: Modified hardware (UWB, RFID++) Mifare Plus Cristina Onete || 27/05/2015 || 22
Challenges in Implementations [HK05] Sticky Points K Processing time: Theory: prover needs no processing time NV NP Practice: processing time necessary Compute r0|r1 = PRFK(NP| NV) Mitigation: send only bits, minimize online operations ci N times rici Check r and time Cristina Onete || 27/05/2015 || 23
Challenges in Implementations [HK05] Sticky Points K Time measurement Theory: perfect clock; no unnecessary proces- sing/transmissions Practice: communication follows standard, usually extra encoding etc. Mitigation: expensive bypass higher layers (go analog); cheap include error NV NP Compute r0|r1 = PRFK(NP| NV) ci N times rici Check r and time Cristina Onete || 27/05/2015 || 24
Mobile Distance-Bounding Ongoing work with C.E.R.K. Lassance & S. Gambs Question: how far can we go with DB? Setup: prover, verifier are smartphones (Android) default protocol: Swiss Knife Cristina Onete || 27/05/2015 || 25
Mobile Distance-Bounding Mobile phones multitask & tasks get priorities short-circuit layers: processing/timing are quick Tag emulation and verification works in ISO 14443 Encapsulation of message => extra processing, extra transmission (1 byte instead of 1 bit) Hard to tell verifier when to stop timing (don t time transmission of extra information) Cristina Onete || 27/05/2015 || 26
Mobile Distance-Bounding Phones and Processors: Delay: Processing of phone s messages Theory: what you measure is 2 ? + ?? ? ?? ? Cristina Onete || 27/05/2015 || 27
Mobile Distance-Bounding Phones and Processors: Delay: Processing of phone s messages Theory: what you measure is 2 ? + ?? Practice: what you measure is a lot more complex ?? ?2 ?2 ?1 ?1 ??? ??? ??? ??? ? Processor P Processor VF ? Cristina Onete || 27/05/2015 || 28
Mobile Distance-Bounding What we know so far: Total time around 7ms; ??is around 100 us Minimal bound on 2?1+ 2?2around 3 ms (ISO 14443) ???,???not yet known, but they vary (delay req.?) ?? ?2 ?2 ?1 ?1 ??? ??? ??? ??? ? Processor P Processor VF ? Cristina Onete || 27/05/2015 || 29
Mobile Distance-Bounding Impact on attacks: Extra 2?1+ 2?2and processing also in relay attacks So far: measure within 1200 km (Paris-Vienna) Cannot remove processing bias (don t know it) ?? ?2 ?2 ?1 ?1 ??? ??? ??? ??? ? Processor P Processor VF ? Cristina Onete || 27/05/2015 || 30
Mobile distance bounding Perspectives: Processing time for the phone not very varied: can we use bigger challenges/responses? Attacker has to process input/output twice (not the case for honest sessions): is this significant? We are now sending 1 byte. What is the delay per byte per direction? How many rounds can we support? Timeout so-far indicates around 32 rounds Promising for the future! Particularly if ballpark is significant! Cristina Onete || 27/05/2015 || 31
RFID Distance Bounding Mifare Plus has option for distance-bounding protocol! Protocol is unlike any protocol in the literature Previous work with G. Avoine and S. Capmarti shows possible weak points Ongoing work with G. Avoine and R. Lamrani-Alaoui explores real-world security of this protocol w.r.t. relays using off-the-shelf tools Encouraging that Mifare wants to implement DB and we are eager to find how their countermeasure works in practice Cristina Onete || 27/05/2015 || 32
Conclusions Relay attacks are real and applicable They beat any crypto used in authentication They exploit the wish to communicate of prover Distance-bounding protocol: possible countermeasures Plethora of protocols for every occasion Many papers analyse and compare protocol security Implementations: So far: custom options (expensive) & Mifare Plus Mobile implementations: not so far from viable Future: promising track & you should try it! Cristina Onete || 27/05/2015 || 33
