RFID security presentation

Research Topics
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland

ICB 2014

ICB

Middlesex Uni, Feb. 2014

1/3

ICB 2014

ICB


2/3

(automatic) veriﬁcation (of security)
mobile (Android) security
?

composable security [secure + secure = (in)secure]
(provable) RFID security
crypto design

ICB 2014

ICB


3/3

Touch and Pay: making it secure!
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland

February 19, 2014

ICB 2014

distance-bounding (DB)


1 / 45

.
1

Relay Attacks

.
2

Distance-Bounding

.
3

Provable Distance Bounding Security

.
4

Distance Bounding Security vs. Efﬁciency

.
5

Challenges and Visions in Distance Bounding

ICB 2014



2 / 45

.
1

Relay Attacks

.
2

Distance-Bounding

.
3


.
4


.
5


ICB 2014



3 / 45

Payments, Remote Unlocking, Access-Control ...

ICB 2014



4 / 45

Payments, Remote Unlocking, Access-Control ...

• Keeloq for GM, Volkswagen Group, Volvo, Jaguar. ...
• TI DST

ICB 2014



4 / 45

Playing against two chess grandmasters

ICB 2014



5 / 45

Playing against two chess grandmasters

✲

✛

ICB 2014



5 / 45

Relaying is real...!
Attacks by Francillon, Danev, Capkun (ETHZ) against passive keyless
entry and start systems used in modern cars.
10 systems tested: not one resisted!

ICB 2014



6 / 45

Relaying = Stealing (your money) ...!

ICB 2014



7 / 45

Idea: Measuring (Idealized) Communication ...
(... at the Speed of Light)

10ns ←→ 2 × 1.5m (round-trip)
ICB 2014



8 / 45

More Ideas: Round-Trip Time to Prevent Relay Attacks
Identiﬁcation Tokens, or: Solving the Chess Grandmaster Problem
[Beth-Desmedt CRYPTO 1990]

basic idea: measure the communication time exactly
the reader should verify that the proving tag is no further than
some bound

later solution: use a distance-bounding (DB) protocol

ICB 2014



9 / 45

.
1

Relay Attacks

.
2

Distance-Bounding

.
3


.
4


.
5


ICB 2014



10 / 45

.
2

Distance-Bounding
DB Intro
DB Threats
DB Protocols (without post-authentication)

ICB 2014



11 / 45

Distance-Bounding (DB) Protocols
introduced in [Brands-Chaum EUROCRYPT 1993]
[Reid et al. ASIACCS 2007]
Veriﬁer
secret: x

Prover
secret: x
initialization phase

pick NV
a1 = fx (NP , NV )
a2 = a1 ⊕ x

N

−− − − − −→
− − −V − −
−

pick NP

←− − − − −−
−−−−−−

a1 = fx (NP , NV )

NP

a2 = a1 ⊕ x

distance bounding phase
for i = 1 to n
pick ci ∈ {1, 2}
start timeri
stop timeri

c

−− − − − −→
− − − i− − −
r

←− − − − −−
− − −i− − −

check responses
check timers
ICB 2014

ri = a1,i , if ci = 1
ri = a2,i , if ci = 2

Out

− − − −V− − →
−−−−−−


12 / 45

.
2

Distance-Bounding
DB Intro
DB Threats

ICB 2014



13 / 45

DB Threats: Maﬁa Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and
How to Overcome Them [Desmedt SECURICOM 1988]
.

generalised/strengthened
relaying
.

P ←→ A ←→ V
far away

an adversary A tries to prove that a prover P is close to a veriﬁer V

.
“DB-specialised”
man-in-the-middle
attack
.

ICB 2014



14 / 45

DB Threats: Distance Fraud

P ∗ ←→ V

.
liability and
non-repudiation issues
.

far away

a malicious, far-away prover P ∗ tries to prove that he is close to a
veriﬁer V

ICB 2014



15 / 45

DB Threats: Terrorist Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and
How to Overcome Them [Desmedt SECURICOM 1988]
.

“gain privileges just
once”
.

P ∗ ←→ A ←→ V
far away

a malicious prover P ∗ helps an adversary A to prove that P ∗ is close
to a veriﬁer V , without giving A another advantage
.
the toughest fraud to
protect against,
especially in presence
of
. noise

ICB 2014

.
advantage: leaking
the
. secret key



16 / 45

.
2

Distance-Bounding
DB Intro
DB Threats

ICB 2014



17 / 45

The Reid et al. Protocol
Detecting Relay Attacks with Timing-based Protocols
[Reid-Nieto-Tang-Senadji ASIACCS 2007]
Veriﬁer
secret: x

Prover
secret: x

.

.

protects
against TF
BUT...this
and its
extensions
vulnerable
to MF/MiM
[Bay,
Boureanu et
al.
INSCRIPT
2012]
ICB 2014

pick NV
a1 = fx (NP , NV )
a2 = a1 ⊕ x

N

−− − − − −→
− − −V − −
−
N

←− − − − −−
− − − P− − −

pick NP
a1 = fx (NP , NV )
a2 = a1 ⊕ x

for i = 1 to n
pick ci ∈ {1, 2}
start timeri
stop timeri
check responses
check timers

c

−− − − − −→
− − − i− − −
r

←− − − − −−
− − −i− − −

ri = aci ,i

Out

− − − −V− − →
−−−−−−



18 / 45

The TDB Protocol
How Secret-Sharing can Defeat Terrorist Fraud
[Avoine-Lauradoux-Martin ACM WiSec 2011]
Veriﬁer
secret: x

Prover
secret: x
N

←− − − − −−
− − − P− − −

pick NV
a1 ∥a2 = fx (NP , NV )

pick NP

−− − − − −→
−−−−−−

a1 ∥a2 = fx (NP , NV )

NV

for i = 1 to n
pick ci ∈ {1, 2, 3}
start timeri
stop timeri

c

−− − − − −→
− − − i− − −
ri

←− − − − −−
−−−−−−

check responses
check timers

ICB 2014

Out

− − − −V− − →
−−−−−−


ri =

⎧
⎨ a1,i

a2,i
⎩
xi ⊕ a1,i ⊕ a2,i

if ci = 1
if ci = 2
if ci = 3


19 / 45

Distance Fraud with a Programmed PRF against the
TDB Protocol
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
PRF programming [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]
Veriﬁer
secret: x

Malicious Prover
secret: x
N

←− − − − −−
− − − P− − −
pick NV
a1 ∥a2 = fx (NP , NV )

pick NP = x

NV

−− − − − −→
−−−−−−
a1 = a2 = x

a1 ∥a2 = fx (NP , NV )

for i = 1 to n
pick ci ∈ {1, 2, 3}
start timeri

ci

ri

ri = xi

.
stop timeri
check responses
check timers

ICB 2014

Out

− − − −V− − →
−−−−−−


20 / 45

Other Results based on Programmed PRFs
On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols
[Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012]

protocol
TDB Avoine-Lauradoux-Martin
[ACM WiSec 2011]
Durholz-Fischlin-Kasper-Onete [ISC
¨
2011]
Hancke-Kuhn [Securecomm 2005]
Avoine-Tchamkerten [ISC 2009]
Reid-Nieto-Tang-Senadji [ASIACCS
2007]
Swiss-Knife
Kim-Avoine-KoeuneStandaert-Pereira [ICISC 2008]

ICB 2014

distance fraud

man-in-the-middle attack

√

–

√
√
√

–
–

√

–

√


√

√


21 / 45

Known Protocols and Security Results (Without Noise)
success probability of best known attacks (θ < 1 constant)
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]
Protocol

†
†
†
†
†
†
†
†

Brands & Chaum
Bussard & Bagga
ˇ
Capkun et al.
Hancke & Kuhn
Reid et al.
´
Singelee & Preneel
Tu & Piramuthu
Munilla & Peinado

†
†

Swiss-Knife
Kim & Avoine
Nikov & Vauclair
Avoine et al.
SKI
Fischlin & Onete
ICB 2014

Success Probability
Distance-Fraud
MiM
Terrorist-Fraud

(1/2)n
1
(1/2)n
(3/4)n to 1
(3/4)n to 1
(1/2)n
(3/4)n
(3/4)n

(3/4)n
(7/8)n
1/k
(3/4)n to 1
(3/4)n
(3/4)n

(1/2)n
(1/2)n
(1/2)n
(3/4)n
1

(1/2)n
1

(3/5)n
(1/2)n to 1
(1/2)n
(1/2)n
(2/3)n to 1
(2/3)n
(3/4)n

1, negl
1, negl
1, negl
1, negl
(3/4)θn , negl
1, negl
(3/4)θn , negl
1, negl

(3/4)θn , negl
1, negl
1, negl
(2/3)θn , negl
γ, γ′
γ = γ′

22 / 45

Known Protocols and Security Results (Noise-Tolerant)
success probability of best known attacks
upon [Boureanu-Mitrokotsa-Vaudenay ISC 2013]
Protocol
Distance-Fraud

†
†
†
†
†
†
†
†
†
†
†
†

Success Probability
MiM
Terrorist-Fraud

B (n, τ, 1/2)
1
B (n, τ, 1/2)
B (n, τ, 3/4) to 1
B (n, τ, 3/4) to 1
B (n, τ, 1/2)
B (n, τ, 3/4)
B (n, τ, 3/4)
B (n, τ, 3/4)
B (n, τ, 7/8)
1/k
B (n, τ, 3/4) to 1

B (n, τ, 1/2)
B (n, τ, 1/2)
B (n, τ, 1/2)
B (n, τ, 3/4)
1
B (n, τ, 1/2)
1
B (n, τ, 3/5)
B (n, τ, 1/2) to 1
B (n, τ, 1/2)
B (n, τ, 1/2)
B (n, τ, 2/3) to 1

1, negl
1, negl
1, negl
1, negl
1, negl
1, negl
1, negl
1, negl
1, negl
1, negl
1, negl
1, negl

SKI

B (n, τ, 3/4)

B (n, τ, 2/3)

Fischlin & Onete

B (n, τ, 3/4)

B (n, τ, 3/4)

γ, γ′
γ = γ′

Brands & Chaum
Bussard & Bagga
ˇ
Capkun et al.
Hancke & Kuhn
Reid et al.
´
Singelee & Preneel
Tu & Piramuthu
Munilla & Peinado
Swiss-Knife
Kim & Avoine
Nikov & Vauclair
Avoine et al.

ICB 2014



23 / 45

.
1

Relay Attacks

.
2

Distance-Bounding

.
3


.
4


.
5


ICB 2014



24 / 45

.
3

Motivation
Model
The SKI Protocol

ICB 2014



25 / 45

Why Provable Security?

only security arguments by best attack scenarios
many insecurities recently proven (as shown above)
many “pseudo-proofs” use incorrect arguments (e.g., sufﬁcient
PRF-ness, etc.)

ICB 2014



26 / 45

.
3

Motivation
Model
The SKI Protocol

ICB 2014



27 / 45

DB Formalism
[Boureanu-Mitrokotsa-Vaudenay ISC 2013]

formal communication model, integrating time
formal security model and threat model based on interactive
proofs
cryptographic assumptions/tools for the design/proofs
PRF-masking
circular-keying
leakage scheme

ICB 2014



28 / 45

.
3

Motivation
Model
The SKI Protocol
.

ICB 2014



29 / 45

The SKI Protocol
[Boureanu-Mitrokotsa-Vaudenay Lightsec 2013, BMV ISC 2013]
Veriﬁer
secret: x

Prover
secret: x
N

←− − − − −−
− − − P− − −

pick NP

M ,Lµ ,NV

pick a, Lµ , NV
M = a ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

−− − − − −→
−−−−−−

.

a = M ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

for i = 1 to n
pick ci ∈ {1, 2, 3}
start timeri
stop timeri
check #{i : ri and timeri correct} ≥ τ

c

−− − − − −→
− − − i− − −
ri

←− − − − −−
−−−−−−
Out

− − − −V− − →
−−−−−−

ri =

⎧
⎨ a1,i

a2,i
⎩ ′
xi ⊕ a1,i ⊕ a2,i

f is a circular-keying secure PRF, Lµ (x ) = (µ · x , . . . , µ · x )
ICB 2014


if ci = 1
if ci = 2
if ci = 3


30 / 45

The SKI Protocol: F -Scheme
Veriﬁer
secret: x

Prover
secret: x
N

←− − − − −−
− − − P− − −

pick NP

M ,Lµ ,NV

pick a, Lµ , NV
M = a ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

−− − − − −→
−−−−−−

a = M ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

.
for i = 1 to n
pick ci ∈ {1, 2, 3}

[ALM WISEC 2011]
.

c

start timeri

−− − − − −→
− − − i− − −

stop timeri

←− − − − −−
− − −i− − −


r

Out

− − − −V− − →
−−−−−−

.
secret sharing scheme
to prevent from MiM

ri =

⎧
⎨ a1,i

a2,i
⎩ ′
xi ⊕ a1,i ⊕ a2,i

if ci = 1
if ci = 2
if ci = 3

ICB 2014



31 / 45

The SKI Protocol: Leakage Scheme
Veriﬁer
secret: x

Prover
secret: x
N

←− − − − −−
− − − P− − −

pick NP

M ,Lµ ,NV

pick a, Lµ , NV
M = a ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

−− − − − −→
−−−−−−

a = M ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

.
for i = 1 to n
pick ci ∈ {1, 2, 3}

[BMV, ISC 2013]
.

c

start timeri

−− − − − −→
− − − i− − −

stop timeri

←− − − − −−
− − −i− − −


r

Out

− − − −V− − →
−−−−−−

.
leak L(x ) in the case
of a terrorist fraud

ri =

⎧
⎨ a1,i

a2,i
⎩ ′
xi ⊕ a1,i ⊕ a2,i

if ci = 1
if ci = 2
if ci = 3

ICB 2014



32 / 45

The SKI Protocol: PRF Masking
Veriﬁer
secret: x

Prover
secret: x
N

←− − − − −−
− − − P− − −

pick NP

M ,Lµ ,NV

pick a, Lµ , NV
M = a ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

−− − − − −→
−−−−−−

a = M ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

.
for i = 1 to n
pick ci ∈ {1, 2, 3}

[BMV LATINCRYPT 2012]
.

c

start timeri

−− − − − −→
− − − i− − −

stop timeri

←− − − − −−
− − −i− − −


r

Out

− − − −V− − →
−−−−−−

.
P has no inﬂuence on
the distribution of a

ri =

⎧
⎨ a1,i

a2,i
⎩ ′
xi ⊕ a1,i ⊕ a2,i

if ci = 1
if ci = 2
if ci = 3

ICB 2014



33 / 45

The SKI Protocol: Circular-Keying PRF
Veriﬁer
secret: x

Prover
secret: x
N

←− − − − −−
− − − P− − −

pick NP

M ,Lµ ,NV

pick a, Lµ , NV
M = a ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

−− − − − −→
−−−−−−

a = M ⊕ fx (NP , NV , Lµ )
x ′ = Lµ (x )

.
for i = 1 to n
pick ci ∈ {1, 2, 3}

[BMV ISC 2013]
.

c

start timeri

−− − − − −→
− − − i− − −

stop timeri

←− − − − −−
− − −i− − −


r

Out

− − − −V− − →
−−−−−−

.
PRF secure with a
reuse of the key

ri =

⎧
⎨ a1,i

a2,i
⎩ ′
xi ⊕ a1,i ⊕ a2,i

if ci = 1
if ci = 2
if ci = 3

ICB 2014



34 / 45

SKI Security

.
Theorem
.
If f is a circular-keying secure PRF,
there is no DF with Pr[success] ≥ B (n, τ, 3 ) − negl(s)
4

there is no MiM with Pr[success] ≥ B (n, τ, 2 ) − negl(s)
3
1
s-soundness for Pr[success] ≥. negl(s) B ( n , τ − n , 2 )
2
2 3

where s is the length of x and

B (n, τ, ρ) =
.

n

∑

i =τ

ICB 2014

n
i

ρi (1 − ρ)n−i



35 / 45

.
1

Relay Attacks

.
2

Distance-Bounding

.
3


.
4

.

.
5


ICB 2014



36 / 45

Bitlength-Equivalent Security / the Number of Rounds

.

ICB 2014



37 / 45

.
1

Relay Attacks

.
2

Distance-Bounding

.
3


.
4

.

.
5


ICB 2014



38 / 45

.
5

Partial Conclusions
Where to?
.

ICB 2014



39 / 45

Some Partial Conclusions

.

problems with security proofs based on PRF
problems when introducing noise-tolerance
some new, good models for DB protocols
provably secure, noise tolerant

SKI

non-binary challenges
non-standard PRF

ICB 2014



40 / 45

.
5

Partial Conclusions
Where to?
.

ICB 2014



41 / 45

Open Problems ... or Commercial DB

make protocols efﬁcient
tight/optimal DB security
build up public-key DB protocols
.
implement DB

ICB 2014



42 / 45

Efﬁcient and Optimal Protocols

make protocols efﬁcient and security-tight
drop, e.g., TF-resistance (and DF)?
.
consider just MiM?

ICB 2014



43 / 45

DB Implementation

one existing wired implementation
propagation delays are much shorter (ns ) than processing times
(ms )
.
some promising wireless experiments exist (e.g., ETHZ, CEA
Leti, EPFL)
Mifare Plus contains a kind of distance bounding protocol

ICB 2014



44 / 45

Conclusions

.

relays are real...
and ... we still some way to go beyond the ﬁrst provably secure
DB designs
ICB 2014



45 / 45

RFID security presentation

Recommended

Recommended

More Related Content

Similar to RFID security presentation

Similar to RFID security presentation (11)

Recently uploaded

Recently uploaded (20)

RFID security presentation