Smartcard-based protocols represent an increasingly large share of the wireless authentication solutions market, from contactless payments to remote car unlocking. Unfortunately, relay attacks pose a significant threat to this development. Such attacks could, however, be mitigated through the use of distance-bounding protocols. In this talk, we will discuss the core challenges for distance-bounding, some of which have recently been overcome, whereas others still stand prominently. We will focus mostly on the security of these wireless protocols, from devastating attacks to new, secure designs. We will finish with a vision for the future of these protocols: the possible and advisable paths towards, e.g., securing contactless payments.
9. Touch and Pay: making it secure!
Ioana Boureanu
Univ. of Applied Sciences Western Switzerland
February 19, 2014
ICB 2014
distance-bounding (DB)
Middlesex Uni, Feb. 2014
1 / 45
17. Playing against two chess grandmasters
19. Relaying is real...!
Attacks by Francillon, Danev, Capkun (ETHZ) against passive keyless entry and start systems used in modern cars.
10 systems tested: not one resisted!
21. Idea: Measuring (Idealized) Communication ...
(... at the Speed of Light)
10ns ←→ 2 × 1.5m (round-trip)
22. More Ideas: Round-Trip Time to Prevent Relay Attacks
Identification Tokens, or: Solving the Chess Grandmaster Problem
[Beth-Desmedt CRYPTO 1990]
basic idea: measure the communication time exactly
the reader should verify that the proving tag is no further than some bound
later solution: use a distance-bounding (DB) protocol
29. DB Threats: Mafia Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and
How to Overcome Them [Desmedt SECURICOM 1988]
generalised/strengthened relaying:
P ←→ A ←→ V, with P far away
an adversary A tries to prove that a prover P is close to a verifier V
a “DB-specialised” man-in-the-middle attack
32. DB Threats: Distance Fraud
P* ←→ V, with P* far away
a malicious, far-away prover P* tries to prove that he is close to a verifier V
liability and non-repudiation issues
34. DB Threats: Terrorist Fraud
Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and
How to Overcome Them [Desmedt SECURICOM 1988]
“gain privileges just once”
P* ←→ A ←→ V, with P* far away
a malicious prover P* helps an adversary A to prove that P* is close to a verifier V, without giving A another advantage
advantage: leaking the secret key
the toughest fraud to protect against, especially in presence of noise
50. DB Formalism
[Boureanu-Mitrokotsa-Vaudenay ISC 2013]
formal communication model, integrating time
formal security model and threat model based on interactive proofs
cryptographic assumptions/tools for the design/proofs: PRF-masking, circular-keying, leakage scheme
54. The SKI Protocol
[Boureanu-Mitrokotsa-Vaudenay Lightsec 2013, BMV ISC 2013]
Verifier V (secret: x)          Prover P (secret: x)

initialization phase
  P: pick N_P
  P → V: N_P
  V: pick a, L_µ, N_V;  M = a ⊕ f_x(N_P, N_V, L_µ);  x′ = L_µ(x)
  V → P: M, L_µ, N_V
  P: a = M ⊕ f_x(N_P, N_V, L_µ);  x′ = L_µ(x)

distance bounding phase, for i = 1 to n
  V: pick c_i ∈ {1, 2, 3};  start timer_i
  V → P: c_i
  P → V: r_i, where r_i = a_{1,i} if c_i = 1;  a_{2,i} if c_i = 2;  x′_i ⊕ a_{1,i} ⊕ a_{2,i} if c_i = 3
  V: stop timer_i
  V: check #{i : r_i and timer_i correct} ≥ τ
  V → P: Out_V

f is a circular-keying secure PRF, L_µ(x) = (µ·x, ..., µ·x)
55. The SKI Protocol: F -Scheme
[ALM WISEC 2011]
Same protocol as on slide 54; the response function r_i (a_{1,i}, a_{2,i}, or x′_i ⊕ a_{1,i} ⊕ a_{2,i}) is a secret sharing scheme, used to prevent MiM.
56. The SKI Protocol: Leakage Scheme
[BMV, ISC 2013]
Same protocol as on slide 54; the leakage scheme (x′ = L_µ(x) entering the responses) leaks L(x) in the case of a terrorist fraud.
57. The SKI Protocol: PRF Masking
[BMV LATINCRYPT 2012]
Same protocol as on slide 54; because a is sent masked as M = a ⊕ f_x(N_P, N_V, L_µ), P has no influence on the distribution of a.
58. The SKI Protocol: Circular-Keying PRF
[BMV ISC 2013]
Same protocol as on slide 54; f is a circular-keying PRF, i.e. a PRF secure with a reuse of the key (x is used both as the PRF key and, through L_µ(x), in the responses).
59. SKI Security
Theorem. If f is a circular-keying secure PRF,
  there is no DF with Pr[success] ≥ B(n, τ, 3/4) − negl(s)
  there is no MiM with Pr[success] ≥ B(n, τ, 2/3) − negl(s)
  s-soundness (TF-resistance) for Pr[success] ≥ B(n/2, τ − n/2, 2/3) − negl(s)
where s is the length of x and
  B(n, τ, ρ) = Σ_{i=τ}^{n} (n choose i) ρ^i (1 − ρ)^{n−i}
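An added example, not code from the talk or from the BMV papers: a Python simulation of SKI's two phases with an honest prover, plus the bound B(n, τ, ρ) from the theorem, so that a verifier's choice of τ can be weighed against channel noise on one side and the DF/MiM bounds on the other. Assumptions: f_x is modelled by HMAC-SHA256, µ·x is the GF(2) inner product, noise is a per-round bit flip of r_i in transit, and timing is not simulated (timer_i is taken as correct).

```python
import hmac, hashlib, random
from math import comb

def prf(x, n_p, n_v, mu, nbits):
    # Stand-in for the circular-keying secure PRF f_x: HMAC-SHA256 (assumption, not SKI's f).
    mac = hmac.new(x, n_p + n_v + mu.to_bytes(len(x), "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") & ((1 << nbits) - 1)

def l_mu(x, mu, n):
    # L_mu(x) = (mu.x, ..., mu.x): the GF(2) inner product of mu and x, repeated n times.
    b = bin(int.from_bytes(x, "big") & mu).count("1") & 1
    return (1 << n) - 1 if b else 0

def response(c, i, a1, a2, xp):
    # The prover's r_i exactly as on the slide, for the three-valued challenge c_i.
    if c == 1:
        return (a1 >> i) & 1
    if c == 2:
        return (a2 >> i) & 1
    return ((xp ^ a1 ^ a2) >> i) & 1

def run_ski(x, n, tau, noise=0.0, rng=None):
    """Honest run of SKI; returns (accepted, number of rounds V found correct)."""
    rng = rng or random.SystemRandom()
    n_p = rng.getrandbits(128).to_bytes(16, "big")      # P picks N_P and sends it
    n_v = rng.getrandbits(128).to_bytes(16, "big")      # V picks N_V
    mu = rng.getrandbits(8 * len(x))                    # V picks L_mu (the vector mu)
    a = rng.getrandbits(2 * n)                          # V picks a = (a_1, a_2), n bits each
    m = a ^ prf(x, n_p, n_v, mu, 2 * n)                 # V sends M = a XOR f_x(N_P, N_V, L_mu)
    a_p = m ^ prf(x, n_p, n_v, mu, 2 * n)               # P recovers a = M XOR f_x(...)
    mask = (1 << n) - 1
    xp = l_mu(x, mu, n)                                 # both sides compute x' = L_mu(x)
    correct = 0
    for i in range(n):                                  # distance-bounding phase
        c = rng.randint(1, 3)                           # V picks c_i in {1, 2, 3}
        r = response(c, i, a_p & mask, a_p >> n, xp)    # P answers from its own copy of a
        if rng.random() < noise:                        # channel noise flips r_i in transit
            r ^= 1
        correct += r == response(c, i, a & mask, a >> n, xp)  # V compares with its own a
    return correct >= tau, correct                      # check #{i correct} >= tau

def B(n, tau, rho):
    # B(n, tau, rho) = sum_{i=tau}^{n} C(n, i) rho^i (1 - rho)^(n - i), the bound in the theorem.
    return sum(comb(n, i) * rho**i * (1 - rho) ** (n - i) for i in range(tau, n + 1))

def seeded_run(seed, n, tau, noise=0.0):
    # Reproducible run with a constructed 16-byte sample key (not a real secret).
    return run_ski(bytes(range(16)), n, tau, noise, random.Random(seed))
```

With n = 64, the DF bound B(64, τ, 3/4) and the MiM bound B(64, τ, 2/3) fall as τ rises, while the acceptance rate of a noisy honest prover (run_ski with noise > 0) drops, so τ has to sit between the two.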
63. 5 Challenges and Visions in Distance Bounding
Partial Conclusions
Where to?
64. Some Partial Conclusions
problems with security proofs based on PRF
problems when introducing noise-tolerance
some new, good models for DB protocols
SKI: provably secure, noise tolerant, non-binary challenges, non-standard PRF
69. Open Problems ... or Commercial DB
make protocols efficient
tight/optimal DB security
build up public-key DB protocols
implement DB
73. Efficient and Optimal Protocols
make protocols efficient and security-tight
drop, e.g., TF-resistance (and DF)?
consider just MiM?
75. DB Implementation
one existing wired implementation
propagation delays are much shorter (ns) than processing times (ms)
some promising wireless experiments exist (e.g., ETHZ, CEA Leti, EPFL)
Mifare Plus contains a kind of distance bounding protocol
76. Conclusions
relays are real...
and ... we still have some way to go beyond the first provably secure DB designs