Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE - PowerPoint PPT Presentation

Defeating Relay Attacks in NFC Payments Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2014 distance-bounding SDTA 14 1 / 42

Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols SV 2014 distance-bounding SDTA 14 2 / 42

Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols SV 2014 distance-bounding SDTA 14 3 / 42

Playing against two Chess Grandmasters ✲ ✛ SV 2014 distance-bounding SDTA 14 4 / 42

Relay Attacks a a a ✲ ✲ ✲ honest ✛ b b ✛ b honest ✛ prover verifier c c c ✲ ✲ ✲ adversary SV 2014 distance-bounding SDTA 14 5 / 42

A Nice Playground for Relay Attacks SV 2014 distance-bounding SDTA 14 6 / 42

NFC Payment Systems ✛ ✲ ✛ ✲ now widely spread 1 payment device: creditcard or smartphone 2 (creditcard) no action by the holder on the creditcard 3 for small amounts: no action by the holder on the terminal 4 larger amounts may need a PIN 5 SV 2014 distance-bounding SDTA 14 7 / 42

Using Round-Trip Time Identification Tokens, or: Solving the Chess Grandmaster Problem [Beth-Desmedt CRYPTO 1990] basic idea: use time to detect relay attacks assume that relaying a message takes time > 0 use exact time measurement SV 2014 distance-bounding SDTA 14 8 / 42

The Speed of Light 10ns = round-trip of 2 × 1 . 5m SV 2014 distance-bounding SDTA 14 9 / 42

Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols SV 2014 distance-bounding SDTA 14 10 / 42

The Brands-Chaum Protocol Distance-Bounding Protocols [Brands-Chaum EUROCRYPT 1993] Verifier Prover secret key: x public key: y initialization phase Commit ( m ) ← − − − − − − − − − − − − pick m distance bounding phase for i = 1 to n pick c i c i start timer i − − − − − − − − − − − − → r i ← − − − − − − − − − − − − r i = m i ⊕ c i stop timer i check timers termination phase open commitment check responses ← − − − − − − − − − − − − Sign x ( c , r ) check signature ← − − − − − − − − − − − − Out V − − − − − − − − − − − − → SV 2014 distance-bounding SDTA 14 11 / 42

The Implementation Challenge to answer r i on challenge c i should take a few nanoseconds almost no time to do computation no time to receive several bits (period in microseconds) nearly no time to digitize an analog signal we need an ad-hoc chip for transmission and computation SV 2014 distance-bounding SDTA 14 12 / 42

Distance Fraud P ∗ ← → V � �� � far away a malicious prover P ∗ tries to prove that he is close to a verifier V SV 2014 distance-bounding SDTA 14 13 / 42

Why Distance Fraud? for some applications, a malicious prover could be a threat cars want to have the key holder inside the car doors do not want to open for someone who is not here payment booths want remote payment to be impossible SV 2014 distance-bounding SDTA 14 14 / 42

Distance Hijacking Distance Hijacking Attacks on Distance Bounding Protocols [Cremers-Rasmussen-Schmidt- ˇ Capkun IEEE S&P 2012] P ∗ ← → P ′ ← → V � �� � far away a malicious prover P ∗ tries to prove that he is close to a verifier V by taking advantage of other provers P ′ SV 2014 distance-bounding SDTA 14 15 / 42

Mafia Fraud Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] P ← → A ← → V � �� � far away an adversary A tries to prove that a prover P is close to a verifier V SV 2014 distance-bounding SDTA 14 16 / 42

Impersonation Fraud An Efficient Distance Bounding RFID Authentication Protocol [Avoine-Tchamkerten ISC 2009] A ← → V an adversary A tries to prove that a prover P is close to a verifier V SV 2014 distance-bounding SDTA 14 17 / 42

Terrorist Fraud Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] P ∗ ← → A ← → V � �� � far away a malicious prover P ∗ helps an adversary A to prove that P ∗ is close to a verifier V without giving A another advantage SV 2014 distance-bounding SDTA 14 18 / 42

The Easy Way to Defeat Terrorist Fraud Identification Tokens, or: Solving the Chess Grandmaster Problem [Beth-Desmedt CRYPTO 1990] embed provers in tamper-resistant devices = assume that provers are honest! SV 2014 distance-bounding SDTA 14 19 / 42

DB Protocols without post-authentication Hancke-Kuhn DBENC TDB SKI with post-authentication Swiss-Knife Fischlin-Onete DB1-DB2-DB3 asymmetric Brands-Chaum DBPK-Log ProProx privDB SV 2014 distance-bounding SDTA 14 20 / 42

DB Design Issues some have no security proofs → some are broken some have “semi-formal” security proofs → some have instances which could be broken some have wrong security proofs → some are broken SV 2014 distance-bounding SDTA 14 21 / 42

Known Protocols and Security Results (Without Noise) success probability of best known attacks ( θ < 1 s.t. 2 − θ n = negl) Protocol Success Probability DF MF TF ( 1 / 2 ) n ( 1 / 2 ) n † Brands & Chaum 1 ( 1 / 2 ) n Bussard & Bagga † 1 1 ˇ ( 1 / 2 ) n ( 1 / 2 ) n † Capkun et al. 1 ( 3 / 4 ) n to 1 ( 3 / 4 ) n † Hancke & Kuhn 1 ( 3 / 4 ) n to 1 ( 3 / 4 ) θ n † Reid et al. 1 ( 1 / 2 ) n ( 1 / 2 ) n † Singel´ ee & Preneel 1 ( 3 / 4 ) n ( 3 / 4 ) θ n † Tu & Piramuthu 1 ( 3 / 4 ) n ( 3 / 5 ) n Munilla & Peinado † 1 ( 1 / 2 ) n to 1 � ( 3 / 4 ) θ n ( 3 / 4 ) n Swiss-Knife ( 7 / 8 ) n ( 1 / 2 ) n † Kim & Avoine 1 ( 3 / 4 ) n to 1 ( 2 / 3 ) n to 1 � ( 5 / 6 ) θ n Avoine et al. � ( 5 / 6 ) θ n ( 3 / 4 ) n ( 2 / 3 ) n SKI � ( 3 / 4 ) n ( 3 / 4 ) n γ = γ ′ Fischlin & Onete � ( 2 / 3 ) θ n ( 1 / 3 ) n ( 1 / 3 ) n DB1 √ √ � 2 ) θ n 2 ) n ( 1 / 2 ) n ( 1 / ( 1 / DB2 SV 2014 distance-bounding SDTA 14 22 / 42

Known Protocols and Security Results (Noise-Tolerant) success probability of best known attacks Protocol Success Probability DF MF TF tl ( n , τ , 1 / 2 ) tl ( n , τ , 1 / 2 ) † Brands & Chaum 1 tl ( n , τ , 1 / 2 ) † Bussard & Bagga 1 1 ˇ Capkun et al. tl ( n , τ , 1 / 2 ) tl ( n , τ , 1 / 2 ) † 1 tl ( n , τ , 3 / 4 ) to 1 tl ( n , τ , 3 / 4 ) † Hancke & Kuhn 1 tl ( n , τ , 3 / 4 ) to 1 † Reid et al. 1 1 † Singel´ ee & Preneel tl ( n , τ , 1 / 2 ) tl ( n , τ , 1 / 2 ) 1 tl ( n , τ , 3 / 4 ) † Tu & Piramuthu 1 1 tl ( n , τ , 3 / 4 ) tl ( n , τ , 3 / 5 ) † Munilla & Peinado 1 † Swiss-Knife tl ( n , τ , 3 / 4 ) tl ( n , τ , 1 / 2 ) to 1 1 tl ( n , τ , 7 / 8 ) tl ( n , τ , 1 / 2 ) † Kim & Avoine 1 † Avoine et al. tl ( n , τ , 3 / 4 ) to 1 tl ( n , τ , 2 / 3 ) to 1 1 � tl ( n , τ , 3 / 4 ) tl ( n , τ , 2 / 3 ) tl ( n , τ , 5 / 6 ) SKI � γ = γ ′ Fischlin & Onete tl ( n , τ , 3 / 4 ) tl ( n , τ , 3 / 4 ) � tl ( n , τ , 1 / 3 ) tl ( n , τ , 1 / 3 ) tl ( n , τ , 2 / 3 ) DB1 � tl ( n 2 , τ − n tl ( n 2 , τ − n DB2 2 , 1 / 2 ) tl ( n , τ , 1 / 2 ) 2 , 1 / 2 ) SV 2014 distance-bounding SDTA 14 23 / 42

The SKI Protocol Serge Katerina Ioana SV 2014 distance-bounding SDTA 14 24 / 42

The Survivors SKI non-binary challenges Fischlin-Onete different TF-resistance model DB1 and DB2 (combine both) optimized SV 2014 distance-bounding SDTA 14 25 / 42

Bitlength-Equiv Security / #Rounds DF MF 80 80 70 70 60 DB1 q = 3 60 DB1 q = 3 50 50 DB3 DB2 and DB3 DB1 q = 4 DB1 q = 4 40 40 30 30 DB2 SKI 20 20 10 10 SKI and FO FO 0 0 0 20 40 60 80 100 120 140 0 20 40 60 80 100 120 140 TF 25 DB1 q = 3 DB2 20 15 DB1 q = 4 10 5 SKI 0 0 20 40 60 80 100 120 140 SV 2014 distance-bounding SDTA 14 26 / 42

DB2 (Noiseless Variant) ( b fixed of weight n Verifier 2 ) Prover secret: x secret: x initialization phase N P pick µ ∈ Z s 2 , N V ∈ { 0 , 1 } ℓ nonce pick N P ∈ { 0 , 1 } ℓ nonce ← − − − − − − − − − − − − − N V , µ a = f x ( N P , N V , µ ) − − − − − − − − − − − − − → a = f x ( N P , N V , µ ) x ′ = µ · x x ′ = µ · x distance bounding phase for i = 1 to n pick c i ∈ { 0 , 1 } c i receive c ′ − − − − − − − − − − − − − → start timer i i r ′ i ( x ′ ⊕ b i ) i r ′ i = a i ⊕ c ′ ← − − − − − − − − − − − − − receive r i , stop timer i verification phase c ′ , tag receive c ′′ tag = f x ( N P , N V , µ , c ′ ) ← − − − − − − − − − − − − − check tag = f x ( N P , N V , µ , c ′′ ) , Out V c i = c ′′ − − − − − − − − − − − − − → i , r i , and timer i correct SV 2014 distance-bounding SDTA 14 27 / 42