an optimal distance bounding protocol
play

An optimal distance-bounding protocol Rolando Trujillo-Rasua - PowerPoint PPT Presentation

Dec 24, 2023 •244 likes •926 views

An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint work with Sjouke Mauw and Jorge Toro-Pozo) Euro S&P and RFIDSec, 2016 Distance Bounding protocols 1 Beating a grand master: is this a relay

  1. An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint work with Sjouke Mauw and Jorge Toro-Pozo) Euro S&P and RFIDSec, 2016 Distance Bounding protocols 1

  2. Beating a grand master: is this a relay attack? Distance Bounding protocols 2

  3. Relay attack: is this a relay attack? Distance Bounding protocols 3

  4. Chip & Pin relay attack (Murdoch & Drimer 2007) Distance Bounding protocols 4

  5. Chip & Pin relay attack (Murdoch & Drimer 2007) Many more practical attacks, e.g. ◮ Passive keyless entry and start systems used in modern cars (Francillon 2012) ◮ Google Wallet Relay Attack (Roland 2013) Distance Bounding protocols 4

  6. Solution: distance bounding ◮ Reader sends a challenge. ◮ Tag provides correct response. ◮ Reader measures the round-trip-time and accepts if this is “fast enough”. Distance Bounding protocols 5

  7. Solution: distance bounding ◮ Reader sends a challenge. ◮ Tag provides correct response. ◮ Reader measures the round-trip-time and accepts if this is “fast enough”. ◮ RF communication at the speed of light. ◮ Need very short processing time at the tag (otherwise the adversary could overclock the tag). Distance Bounding protocols 5

  8. Solution: distance bounding ◮ Reader sends a challenge. ◮ Tag provides correct response. ◮ Reader measures the round-trip-time and accepts if this is “fast enough”. ◮ RF communication at the speed of light. ◮ Need very short processing time at the tag (otherwise the adversary could overclock the tag). ◮ Slow phase: generation of random values, exchange of parameters, preparation of data structures. ◮ Fast phase: 1-bit messages, tag performs at most lookup/and/xor/. . . ; repeat this n times. Distance Bounding protocols 5

  9. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x Distance Bounding protocols 6

  10. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase fast phase Distance Bounding protocols 6

  11. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase fast phase Distance Bounding protocols 6

  12. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V fast phase Distance Bounding protocols 6

  13. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − fast phase Distance Bounding protocols 6

  14. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) fast phase Distance Bounding protocols 6

  15. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase Distance Bounding protocols 6

  16. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase Distance Bounding protocols 6

  17. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : Distance Bounding protocols 6

  18. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i Distance Bounding protocols 6

  19. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i starts timer Distance Bounding protocols 6

  20. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i c i ← − − − − − − − − − − − − − − − − starts timer Distance Bounding protocols 6

  21. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i c i ← − − − − − − − − − − − − − − − − starts timer r i = R c i i Distance Bounding protocols 6

  22. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i c i ← − − − − − − − − − − − − − − − − starts timer r i r i = R c i − − − − − − − − − − − − − − − − → i Distance Bounding protocols 6

  23. Hancke and Kuhn’s proposal (2005) P (Tag) V (Reader) secret x secret x slow phase generates nonce N P generates nonce N V N P − − − − − − − − − − − − − − − − − → N V ← − − − − − − − − − − − − − − − − − H 2 n = PRF ( x , N V , N P ) H 2 n = PRF ( x , N V , N P ) ( H 2 n is pseudo random bitstring of length 2 n ) R 0 : R 0 : . . . . . . R 1 : R 1 : . . . . . . fast phase for i = 1 , . . . , n : picks a random bit c i c i ← − − − − − − − − − − − − − − − − starts timer r i r i = R c i − − − − − − − − − − − − − − − − → stops timer i Distance Bounding protocols 6

  24. Avoine and Tchamkerten’s protocol (2009) V Fast phase P r 0 r 0 0 0 0 1 0 1 r 0 r 1 r 0 r 1 1 1 1 1 0 1 0 1 0 1 0 1 r 0 r 1 r 2 r 3 r 0 r 1 r 2 r 3 2 2 2 2 2 2 2 2 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 r 0 r 1 3 r 2 r 3 3 r 4 r 5 3 r 6 r 7 r 0 r 1 3 r 2 r 3 3 r 4 r 5 3 r 6 r 7 3 3 3 3 3 3 3 3 3 3 Distance Bounding protocols 7

  25. Avoine and Tchamkerten’s protocol (2009) V P Fast phase 0 r 0 r 0 0 0 0 1 0 1 r 0 r 1 r 0 r 1 1 1 1 1 0 1 0 1 0 1 0 1 r 0 r 1 r 2 r 3 r 0 r 1 r 2 r 3 2 2 2 2 2 2 2 2 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 r 0 r 1 3 r 2 r 3 3 r 4 r 5 3 r 6 r 7 r 0 r 1 3 r 2 r 3 3 r 4 r 5 3 r 6 r 7 3 3 3 3 3 3 3 3 3 3 Distance Bounding protocols 7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement Gildas Avoine 1 and Aslan Tchamkerten 2 1 Universit e catholique de Louvain, Louvain-la-Neuve, Belgium 2 Telecom ParisTech,

335 views • 31 slides
On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 Introduction to Distance-Bounding 1 Some Insecurity Case

600 views • 39 slides
Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE

Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE

Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2013 distance bounding FSE 2013 1 / 48 1 Why Distance-Bounding? Towards a Secure

663 views • 48 slides
Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium

Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium

Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY Relay Attacks Distance Bounding Protocols Discussion RELAY ATTACKS Relay Attacks Distance Bounding Protocols

330 views • 28 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Distance Bounding Protocols Conclusion

666 views • 53 slides
Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain, Belgium Workshop on Cryptography for the Internet of Things November 20 21, 2012, Antwerp, Belgium SUMMARY Relay Attacks Distance Bounding

349 views • 21 slides
Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work with: Joint work with: Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Distance Bounding 2

370 views • 16 slides
Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT

Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT

Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT LIMOS, Universit dAuvergne, France September 17th 2015 BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding

704 views • 42 slides
A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of

A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of

Introduction Lookup-based protocols Properties and security analysis Conclusions A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of Luxembourg (joint work with Sjouke Mauw and Rolando Trujillo-Rasua,

685 views • 54 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Countermeasures and Evolved Frauds

633 views • 40 slides
The Least Spanning Area of a Knot and the Optimal Bounding Chain Problem Nathan M. Dunfield

The Least Spanning Area of a Knot and the Optimal Bounding Chain Problem Nathan M. Dunfield

The Least Spanning Area of a Knot and the Optimal Bounding Chain Problem Nathan M. Dunfield University of Illinois, Mathematics Anil N. Hirani University of Illinois, Computer Science SoCG 2011, Paris Knot in R 3 : Smooth embedding of S 1 in R

585 views • 13 slides
Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2014 distance-bounding SDTA 14 1 / 42 Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols

1.02k views • 42 slides
Design and Evaluation of a new MAC Protocol for Long- Distance 802.11 Mesh Networks by

Design and Evaluation of a new MAC Protocol for Long- Distance 802.11 Mesh Networks by

Design and Evaluation of a new MAC Protocol for Long- Distance 802.11 Mesh Networks by Bhaskaran Raman & Kameswari Chebrolu ACM Mobicom 2005 Reviewed by Anupama Guha Thakurta CS525M - Mobile and Ubiquitous Computing Seminar, Spring

863 views • 41 slides
UC UC b Overview Leader Election Protocol Dynamic Voltage Scaling Optimal

UC UC b Overview Leader Election Protocol Dynamic Voltage Scaling Optimal

APPLICATIONS UC UC b Overview Leader Election Protocol Dynamic Voltage Scaling Optimal Reconfiguration of FPGA Memory Interface UC UCb Leader Election Protocol UC UC b Leader Election 2 1 0 3 Protocol by Leslie

917 views • 62 slides
Markov Chains and Coupling In this class we will consider the problem of bounding the time taken

Markov Chains and Coupling In this class we will consider the problem of bounding the time taken

Markov Chains and Coupling In this class we will consider the problem of bounding the time taken by a Markov chain to reach the stationary distribution. We will do so using the coupling technique , which helps bound the distance between two

315 views • 4 slides
Parking in trees Marie-Louise Bruner Ongoing work with Alois Panholzer CanaDAM 2013, June 10th

Parking in trees Marie-Louise Bruner Ongoing work with Alois Panholzer CanaDAM 2013, June 10th

Parking in trees Marie-Louise Bruner Ongoing work with Alois Panholzer CanaDAM 2013, June 10th Marie-Louise Bruner Parking in trees June 10th, 2013 1 Table of Contents Parking functions 1 Generalization to trees 2 Enumeration 3

927 views • 70 slides
On non-normal 4-valent arc transitive dihedrants Aleksander Malni c University of Ljubljana

On non-normal 4-valent arc transitive dihedrants Aleksander Malni c University of Ljubljana

On non-normal 4-valent arc transitive dihedrants Aleksander Malni c University of Ljubljana Joint work with Istv an Kov acs and Bo stjan Kuzman Banff, Canada November, 2008 1 / 19 Dihedrants and Bicirculants An n-dihedrant is a

1.12k views • 56 slides
Pentavalent symmetric graphs of order twice a prime power Yan-Quan Feng Mathematics, Beijing

Pentavalent symmetric graphs of order twice a prime power Yan-Quan Feng Mathematics, Beijing

Notations Motivation Main Theorem Reduction Theorem Proof of the Reduction Theorem Applications Pentavalent symmetric graphs of order twice a prime power Yan-Quan Feng Mathematics, Beijing Jiaotong University Beijing 100044, P .R. China

348 views • 32 slides
New Results Concerning the Gasca-Maeztu Conjecture Kurt Jetter Universit at Hohenheim New

New Results Concerning the Gasca-Maeztu Conjecture Kurt Jetter Universit at Hohenheim New

New Results Concerning the Gasca-Maeztu Conjecture Kurt Jetter Universit at Hohenheim New Results Concerning the Gasca-Maeztu Conjecture p. 1/36 Synopsis Introduction and Notation The Gasca-Maeztu Conjecture Maximal Lines and Maximal

781 views • 36 slides
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of

Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of

Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arXiv:1012.4019 For ordinary isogenous elliptic curves of equal endomorphism ring, we show (under

657 views • 36 slides
Blockage and Voltage Island-Aware Dual-VDD Blockage and Voltage Island-Aware Dual-VDD Buffered

Blockage and Voltage Island-Aware Dual-VDD Blockage and Voltage Island-Aware Dual-VDD Buffered

Blockage and Voltage Island-Aware Dual-VDD Blockage and Voltage Island-Aware Dual-VDD Buffered Tree Construction Buffered Tree Construction Hung-Ming Chen Bruce Tseng Dept of EE Faraday Technology Cor. National Chiao Tung U. Hsinchu, Taiwan

484 views • 26 slides
Probing the Intergalactic Magnetic Field Using Intensity Fluctuations in the Extragalactic

Probing the Intergalactic Magnetic Field Using Intensity Fluctuations in the Extragalactic

Probing the Intergalactic Magnetic Field Using Intensity Fluctuations in the Extragalactic Gamma-ray Background* Tonia Venters Astrophysics Science Division NASA Goddard Space Flight Center *based on Venters & Pavlidou 2013, MNRAS, 432,

331 views • 22 slides
CENG4480 Lecture 09: Memory 2 Bei Yu byu@cse.cuhk.edu.hk (Latest update: November 26, 2020)

CENG4480 Lecture 09: Memory 2 Bei Yu byu@cse.cuhk.edu.hk (Latest update: November 26, 2020)

CENG4480 Lecture 09: Memory 2 Bei Yu byu@cse.cuhk.edu.hk (Latest update: November 26, 2020) Fall 2020 1 / 44 CENG4480 v.s. CENG3420 CENG3420: architecture perspective memory coherent data address CENG4480: more details on

616 views • 44 slides

More recommend