[PPT] - Distance Bounding for RFID Prof. Gildas Avoine Universit e PowerPoint Presentation

SLIDE 1

Distance Bounding for RFID

Prof. Gildas Avoine

Universit´ e catholique de Louvain, Belgium Information Security Group

SLIDE 2

SUMMARY

Relay Attacks Distance Bounding Protocols Discussion

SLIDE 3

RELAY ATTACKS

Relay Attacks Distance Bounding Protocols Discussion

SLIDE 4

Variant of ISO 9798-2 Protocol 3

Verifier (secret k) Prover (secret k) Pick Na

Na

− − − − − − − − − →

Ek(Na,Nb)

← − − − − − − − − Pick Nb

Protocol secure under common assumptions on E, k, Na, and Nb.

Gildas Avoine Distance Bounding for RFID 4

SLIDE 5

Relay Attack

Definition (Relay Attack) A relay attack is a form of man-in-the-middle where the adversary manipulates the communication by only relaying the verbatim messages between two parties.

Gildas Avoine Distance Bounding for RFID 5

SLIDE 6

Practicability

Examples

Radio link over 50 meters (G. Hancke [4]). Implementation included in libNFC (PN53x readers).

Gildas Avoine Distance Bounding for RFID 6

SLIDE 7

Practicability

Examples

Attacks by Francillon, Danev, ˇ Capkun (ETHZ) against passive keyless entry and start systems used in modern cars [6].

10 systems tested: no one resisted!

Gildas Avoine Distance Bounding for RFID 7

SLIDE 8

DISTANCE BOUNDING PROTOCOLS

Relay Attacks Distance Bounding Protocols Discussion

SLIDE 9

Protocol Aims in General Framework [5]

Definition (Distance Bounding) A distance bounding is a process whereby one party is assured:

1 Of the identity of a second party, 2 That the latter is present in the neighborhood of the verifying

party, at some point in the protocol.

Reader Tag Adversary Reader Tag

Distance bounding does not avoid relay attacks.

Gildas Avoine Distance Bounding for RFID 9

SLIDE 10

Distance Bounding Based on the Speed of Light

Measure the round-trip-time (RTT) of a given message.

Provide a bound on the distance.
Idea introduced by Beth and Desmedt [2].

Reader Neighborhood computation Accelerated Tag

Msg must be authenticated

Auth. is time-consuming

Gildas Avoine Distance Bounding for RFID 10

SLIDE 11

Hancke and Kuhn’s Protocol [3]

First RFID-focused Distance Bounding Protocol

Reader Tag (secret K) (secret K) Pick a random Na Pick a random Nb

Na

− − − − − − − →

Nb

← − − − − − − − h(K, Na, Nb) =

v0

= 1 1 1 1 1 v1 = 1 1 1 1 1 Start of fast bit exchange for i = 1 to n Pick Ci ∈R {0, 1} Start Clock

Ci

− − − − − − − → Ri = v0

i , if Ci = 0

v1

i , if Ci = 1

Stop Clock

Ri

← − − − − − − − Check: △ti ≤ tmax Check: correctness of Ri End of fast bit exchange Gildas Avoine Distance Bounding for RFID 11

SLIDE 12

Mafia and Distance Frauds

Definition (Mafia Fraud) A mafia fraud [1] is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and an honest tag located outside the neighborhood.

Adversary Tag Reader

Definition (Distance Fraud) Given a distance bounding protocol, a distance fraud is an attack where a dishonest and lonely prover purports to be in the neighborhood of the verifier.

Tag Reader

Gildas Avoine Distance Bounding for RFID 12

SLIDE 13

Terrorist Fraud

Definition (Terrorist Fraud) A terrorist fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and a dishonest tag located outside

f the neighborhood, such that the latter

actively helps the adversary to maximize her attack success probability, without giving to her any advantage for future attacks.

Adversary Tag Reader

Gildas Avoine Distance Bounding for RFID 13

SLIDE 14

Hancke and Kuhn’s Protocol

Reader Tag (secret K) (secret K) Pick a random Na Pick a random Nb

Na

− − − − − − − →

Nb

← − − − − − − − h(K, Na, Nb) =

v0

= 1 1 1 1 1 v1 = 1 1 1 1 1 Start of fast bit exchange for i = 1 to n Pick Ci ∈R {0, 1} Start Clock

Ci

− − − − − − − → Ri = v0

i , if Ci = 0

v1

i , if Ci = 1

Stop Clock

Ri

← − − − − − − − Check: △ti ≤ tmax Check: correctness of Ri End of fast bit exchange

Question

1 Mafia fraud:

3

4

n

2 Terrorist fraud: 1 3 Distance fraud:

3

4

n

Gildas Avoine Distance Bounding for RFID 14

SLIDE 15

DISCUSSION

Relay Attacks Distance Bounding Protocols Discussion

SLIDE 16

An Active Research Field in RFID?

Is distance bounding an active research field in RFID?

Gildas Avoine Distance Bounding for RFID 16

SLIDE 17

Relay in Other Domains?

Are relay attacks only meaningful in the RFID context?

No! But RFID increases the risk.

Chess grand master problem (Conway 1976)

Gildas Avoine Distance Bounding for RFID 17

SLIDE 18

Relay Attacks in Chess (Chess Olympiad 2010)

French player S´ ebastien Feller during the Olympiad in Russia.

Gildas Avoine Distance Bounding for RFID 18

SLIDE 19

Distance Bounding too RFID-oriented

Is research on distance bounding too RFID-oriented?

Probably yes.

No cryptographic operation performed during the fast phase. Restrictive assumption: 1-bit challenges and responses Avoid a final signature. Which is the best protocol without the 2 last assumptions?

Gildas Avoine Distance Bounding for RFID 19

SLIDE 20

Current Research Activities

Are there existing models/frameworks? Definition In a black-box model, the prover cannot observe or tamper with the execution of the algorithm. Definition In a white-box model, the prover has full access to the implementation of the algorithm and a complete control over the execution environment. Definition (Pre-ask strategy) The adversary relays the first slow phase. She then executes the fast phase with the prover before the verifier starts the fast phase. Afterward, she performs the fast phase with the legitimate verifier.

Gildas Avoine Distance Bounding for RFID 20

SLIDE 21

Theoretical model

Are there some other attack scenarios?

Gildas Avoine Distance Bounding for RFID 21

SLIDE 22

Prover Model

Computing Capabilities of the Prover

In the white-box model, restricting the computation capabilities

f the prover within one protocol execution is required.

1e-16 1e-14 1e-12 1e-10 1e-08 1e-06 0.0001 0.01 1 1 10 100 1000 10000 100000 1e+06 Adversary success probability p: Number of runs Register length: n=20 n=40 n=60 n=80 n=128

Gildas Avoine Distance Bounding for RFID 22

SLIDE 23

Hancke and Kuhn’s Protocol

Reader Tag (secret K) (secret K) Pick a random Na Pick a random Nb

Na

− − − − − − − →

Nb

← − − − − − − − h(K, Na, Nb) =

v0

= 1 1 1 1 1 v1 = 1 1 1 1 1 Start of fast bit exchange for i = 1 to n Pick Ci ∈R {0, 1} Start Clock

Ci

− − − − − − − → Ri = v0

i , if Ci = 0

v1

i , if Ci = 1

Stop Clock

Ri

← − − − − − − − Check: △ti ≤ tmax Check: correctness of Ri End of fast bit exchange

Question

1 Mafia fraud:

3

4

n

2 Terrorist fraud: 1 3 Distance fraud:

3

4

n

Gildas Avoine Distance Bounding for RFID 23

SLIDE 24

Prover Model – Circle Analysis

Distance Between Verifier and Prover

In some distance bounding protocols, each response bit depends

n some previous challenges during the fast phase.

Receiving the previous challenges depends on how far the prover is away from the verifier.

Gildas Avoine Distance Bounding for RFID 24

SLIDE 25

Pretty Poor Proofs

Proofs are “given an attack scenario”.

Gildas Avoine Distance Bounding for RFID 25

SLIDE 26

Assumptions realistic

Are there other questionable assumptions? Propagation delays are much shorter than processing times. Adversary also induces some delays. Thwarting adversaries using commercial readers. Consider a new distance?

Gildas Avoine Distance Bounding for RFID 26

SLIDE 27

Suggested Directions

Theory is not mature yet. Do not introduce tons of new protocols. Be less RFID-focused. Provide less scenario-oriented proofs. Think about a new distance.

Gildas Avoine Distance Bounding for RFID 27

SLIDE 28