Cryptography in Radio Frequency Identification and Fair Exchange - PowerPoint PPT Presentation

PhD Private Defense, November 23rd, 2005 Cryptography in Radio Frequency Identification and Fair Exchange Protocols Gildas Avoine EPFL, Lausanne, Switzerland ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE

Presentation Outline Fair Exchange Brief Recall and Contributions Optimistic Fair Exchange Without Centralized TTP Radio Frequency Identification Brief Recall and Contributions Attack on Henrici and M¨ uller’s RFID Protocol Attack on Molnar and Wagner’s Technique Time-Memory Trade-Off in RFID 2 / 46

Fair Exchange 3 / 46

Fair Exchange Definition Two-Party Fair Exchange Protocol An exchange protocol between two parties P o and P r is a protocol in which P o and P r possess some items m o and m r respectively and aim at exchanging them. We say that the protocol ensures fairness if it terminates so that either P o gets m r and P r gets m o , or nobody gets information about the expected items. 4 / 46

Thesis Contributions in Fair Exchange ⊲ Probabilistic 2-FE and n -FE ◮ No centralized trusted third party. ◮ Each participant has a guardian angel to prevent misbehavior. ◮ Fairness is probabilistic. ◮ Probability of unfairness can be made arbitrarily low. ◮ Deterministic fairness if majority of honest participants ( n -FE). ⊲ Optimistic 2-FE relying on neighbors ◮ No centralized trusted third party. ◮ Fairness relies on the neighbors in the network. ◮ Neighbors are involved only in case of conflict. ◮ Neighbors learn nothing about the expected items. 5 / 46

Towards a New Approach P o P r ⊲ We know that some neighbors are honest. ⊲ We don’t know who is honest. ⊲ Even honest neighbors are curious. 6 / 46

Optimistic Fair Exchange Within a Network Optimistic 2-FE protocol based on a publicly verifiable secret sharing P o P r E 1 ( a 1 ) ,..., E n ( a n ) , ∆ , Ω , b Share − − − − − − − − − − − − − − − − − → m r ← − − − − − − − − − − − − − − − − − Verify m o Check − − − − − − − − − − − − − − − − − → Check 7 / 46

Initial Agreement Before Exchange P o and P r agree on the mathematical description of the items they want to exchange (e.g. descr( m ) = g m ). m − → − → true or false Check descr( m ) − → P o and P r establish the contract: Ω = S o ( P o � P r � descr( m o ) � descr( m r ) � D � k ) . 8 / 46

Publicly Verifiable Secret Sharing A PVSS is a protocol that is used to share a secret m among several participants such that only some specific subsets of participants can recover m by collusion and anybody can check the shares. ⊲ Distribution: m − → − → E 1 ( m 1 ) , ..., E n ( m n ) Share P 1 , ..., P n − → − → ∆ ⊲ Verification: E 1 ( m 1 ) , ..., E n ( m n ) − → P 1 , ..., P n − → − → true or false Verify ∆ − → descr( m ) − → ⊲ Reconstruction: m i 1 , ..., m i k − → − → m Recover P i 1 , ..., P i k − → 9 / 46

Additional Primitives − → m − → true or false Check descr( m ) − → E o ( m ) − → ∆ ′ − → − → true or false CheckEnc descr( m ) − → − → E o ( m ) − → m Enc − → ∆ ′ E o ( m ) − → Dec − → m 10 / 46

Main Protocol P o P r E 1 ( a 1 ) ,..., E n ( a n ) , ∆ , Ω , b Share − − − − − − − − − − − − − − − − − → m r ← − − − − − − − − − − − − − − − − − Verify m o Check − − − − − − − − − − − − − − − − − → Check ⊲ P o picks a random a and computes b such that m o = a + b . 11 / 46

Recovery Protocol P i P o P r (1 ≤ i ≤ n ) E i ( a i ) , E o ( m r ) , ∆ ′ , Ω ← − − − − − − − − − − Enc E o ( m r ) a i Dec ← − − − − − − − − − − CheckEnc − − − − − − − − − − → Recover ⊲ if CheckEnc( E o ( m r ) , descr( m r ) , ∆ ′ ) is true and D has not ex- pired, P i sends a i to P r and E o ( m r ) to P o . ⊲ After having received k shares, P r runs Recover. ⊲ From a , P r computes m o = a + b . 12 / 46

Assumptions on Channels ⊲ P r knows a constant T max < + ∞ such that messages from P r to any neighbor are always delivered within T max . ⊲ Recovery protocol is started before D − T max by P r . ⊲ All messages from honest neighbors are eventually delivered. 13 / 46

Assumptions on Neighbors ⊲ P or : neighbors who honestly collaborate with both P o and P r . ⊲ P r : neighbors who may harm P o by colluding with P r . ⊲ P o : neighbors who may harm P r by colluding with P o . ⊲ P ¯ or : neighbors who do not collaborate at all. Theorem If |P r | < k ≤ |P r | + |P or | then fairness is ensured. ⊲ If P r is dishonest, P r should not be able to recover m o with his colluders only: |P r | < k . ⊲ If P o is dishonest, we must ensure that P r can recover m o : k ≤ |P r | + |P or | . 14 / 46

Numerical Examples Example If P o and P r know that there is a majority of honest neighbors in � n the network i.e. |P or | > n � 2 then we take k = . 2 Example Let’s take n=100. If P o knows that at least 40% of the network is honest with him (i.e. |P or | + |P o | ≥ 2 n 5 ) and P r knows that at least 70% of the network is honest with him (i.e. |P or | + |P r | ≥ 7 n 10 ) then we can take k such that 60 < k ≤ 70. 15 / 46

Protocol Properties ⊲ First optimistic fair exchange protocol which does not rely on a centralized trusted third party. ⊲ Our protocol ensures fairness. ⊲ Our protocol ensures privacy. 16 / 46

Radio Frequency Identification 17 / 46

RFID Primer Definition RFID Radio Frequency IDentification (RFID) is a method of remotely identifying objects or subjects using transponders (tags) queried through a radio frequency channel. tag tag reader tag tag tag database Applications: Barcodes, identification of livestock, access control, e-passports, etc. 18 / 46

Avoiding Malicious Traceability in Radio Frequency Identification Problem An adversary should not be able to track people thanks to the RFID tags they carry. Goal Design an RFID protocol that ensures untraceability and which relies only on symmetric cryptography. 19 / 46

Thesis Contributions in Radio Frequency Identification ⊲ Link between traceability and communication model. ⊲ Attacks on existing protocols (JuelsP, HenriciM, SaitoRS, etc.). ⊲ Attack on Molnar and Wagner’s technique. ⊲ Technique based on a Time-Memory Trade-Off. 20 / 46

Protocols Protocol Weaknesses pointed out by [JuelsP03] [Avoine04], [ZhangK05] [VadjaB03] [VadjaB03] [GolleJJS04] [Avoine05], [SaitoRS04] [Juels04] [Juels04] [HenriciM04] [AvoineO05] [SaitoRS04] [Avoine05] [JuelsW05] [GilbertRS05] [WeisSRE02] [OhkuboSK03] [FeldhoferDW04] [MolnarW04] [RheeKKW05] 21 / 46

Henrici and M¨ uller’s Protocol System (ID, k last ) Tag (ID, k , k last ) request − − − − − − − − − − − − − − − − − → k ← k + 1, h (ID) , h ( k ⊕ ID) , ∆ k recover ID from ← − − − − − − − − − − − − − − − − − ∆ k ← k − k last h (ID), k from ∆ k , check h ( k ⊕ ID), pick r , k last ← k , send the message, r , h ( r ⊕ k ⊕ ID) ID ← r ⊕ ID − − − − − − − − − − − − − − − − − → Check h ( r ⊕ k ⊕ ID) ID ← r ⊕ ID, k last ← k 22 / 46

Attacks on Henrici and M¨ uller’s Protocol ⊲ Attack based on lack of randomness. ◮ Taking advantage of the information supplied by ∆ k . ⊲ Attack based on desynchronization. ◮ Desynchronizing the counters shared by tag and system. 23 / 46

Protocols Protocol Weaknesses pointed out by [JuelsP03] [Avoine04], [ZhangK05] [VadjaB03] [VadjaB03] [GolleJJS04] [Avoine05], [SaitoRS04] [Juels04] [Juels04] [HenriciM04] [AvoineO05] [SaitoRS04] [Avoine05] [JuelsW05] [GilbertRS05] [WeisSRE02] [OhkuboSK03] [FeldhoferDW04] [MolnarW04] [RheeKKW05] 24 / 46

Feldhofer, Dominikus, and Wolkerstorfer’s Protocol System (ID, s ) Tag ( s ) a pick a − − − − − − − − − − − − − − − − − → pick b compute σ find s in its ← − − − − − − − − − − − − − − − − − σ = AES s ( a , b ) database s.t. AES − 1 s ( σ ) is valid 25 / 46

Computation Complexity of Challenge-Response Protocols ⊲ An exhaustive search in the system’s database is required to identify one tag. ⊲ Complexity too high in particular in case of inventory. ⊲ Is it possible to design an RFID protocol with a complexity better than linear? ⊲ Molnar and Wagner proposed a solution that reduces the complexity of any challenge-response from O ( n ) to O (log n ). 26 / 46

Molnar and Wagner’s Tree-Based Technique ⊲ Each tag stores log δ ( n ) keys. K 1 K 2 K 3 K 4 K 5 K 6 K 7 K 8 K 9 K 10 K 11 K 12 K 13 K 14 K 15 K 16 K 17 K 18 K 19 K 20 T 1 T 2 T 3 T 4 T 5 T 6 T 7 T 8 T 9 T 10 T 11 T 12 T 13 T 14 T 15 T 16 ⊲ A challenge-response is applied at each level of the tree. ⊲ Instead of carrying out 1 exhaustive search in a set of size n , log δ ( n ) exhaustive searches are performed in sets of size δ . 27 / 46