distance bounding for rfid
play

Distance Bounding for RFID Prof. Gildas Avoine Universit e - PowerPoint PPT Presentation

Feb 23, 2024 •50 likes •330 views

Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY Relay Attacks Distance Bounding Protocols Discussion RELAY ATTACKS Relay Attacks Distance Bounding Protocols

  1. Distance Bounding for RFID Prof. Gildas Avoine Universit´ e catholique de Louvain, Belgium Information Security Group

  2. SUMMARY Relay Attacks Distance Bounding Protocols Discussion

  3. RELAY ATTACKS Relay Attacks Distance Bounding Protocols Discussion

  4. Variant of ISO 9798-2 Protocol 3 Verifier (secret k ) Prover (secret k ) N a Pick N a − − − − − − − − − → E k ( N a , N b ) ← − − − − − − − − Pick N b Protocol secure under common assumptions on E , k , N a , and N b . Gildas Avoine Distance Bounding for RFID 4

  5. Relay Attack Definition (Relay Attack) A relay attack is a form of man-in-the-middle where the adversary manipulates the communication by only relaying the verbatim messages between two parties. Gildas Avoine Distance Bounding for RFID 5

  6. Practicability Examples Radio link over 50 meters (G. Hancke [4]). Implementation included in libNFC (PN53x readers). Gildas Avoine Distance Bounding for RFID 6

  7. Practicability Examples Attacks by Francillon, Danev, ˇ Capkun (ETHZ) against passive keyless entry and start systems used in modern cars [6]. ◦ 10 systems tested: no one resisted! Gildas Avoine Distance Bounding for RFID 7

  8. DISTANCE BOUNDING PROTOCOLS Relay Attacks Distance Bounding Protocols Discussion

  9. Protocol Aims in General Framework [5] Definition (Distance Bounding) A distance bounding is a process whereby one party is assured: 1 Of the identity of a second party, 2 That the latter is present in the neighborhood of the verifying party, at some point in the protocol. Reader Reader Tag Adversary Tag Distance bounding does not avoid relay attacks. Gildas Avoine Distance Bounding for RFID 9

  10. Distance Bounding Based on the Speed of Light Measure the round-trip-time (RTT) of a given message. ◦ Provide a bound on the distance. ◦ Idea introduced by Beth and Desmedt [2]. Reader Tag Msg must be authenticated Accelerated computation Auth. is time-consuming Neighborhood Gildas Avoine Distance Bounding for RFID 10

  11. Hancke and Kuhn’s Protocol [3] First RFID-focused Distance Bounding Protocol Reader Tag (secret K ) (secret K ) Pick a random N a Pick a random N b N a − − − − − − − → N b ← − − − − − − − � v 0 = 1 1 0 1 1 0 0 0 1 0 h ( K , N a , N b ) = v 1 = 0 1 1 1 1 0 0 1 0 0 Start of fast bit exchange for i = 1 to n Pick C i ∈ R { 0 , 1 } C i Start Clock − − − − − − − → � v 0 i , if C i = 0 R i = v 1 i , if C i = 1 R i Stop Clock ← − − − − − − − Check: △ t i ≤ t max Check: correctness of R i End of fast bit exchange Gildas Avoine Distance Bounding for RFID 11

  12. Mafia and Distance Frauds Definition (Mafia Fraud) A mafia fraud [1] is an attack where an Reader adversary defeats a distance bounding protocol Adversary using a man-in-the-middle (MITM) between the reader and an honest tag located outside the neighborhood. Tag Definition (Distance Fraud) Reader Given a distance bounding protocol, a distance fraud is an attack where a dishonest and lonely prover purports to be in the neighborhood of the verifier. Tag Gildas Avoine Distance Bounding for RFID 12

  13. Terrorist Fraud Definition (Terrorist Fraud) A terrorist fraud is an attack where an adversary defeats a distance bounding protocol Reader using a man-in-the-middle (MITM) between Adversary the reader and a dishonest tag located outside of the neighborhood, such that the latter actively helps the adversary to maximize her Tag attack success probability, without giving to her any advantage for future attacks. Gildas Avoine Distance Bounding for RFID 13

  14. Hancke and Kuhn’s Protocol Reader Tag (secret K ) (secret K ) Pick a random N a Pick a random N b N a − − − − − − − → N b ← − − − − − − − � v 0 = 1 1 0 1 1 0 0 0 1 0 h ( K , N a , N b ) = v 1 = 0 1 1 1 1 0 0 1 0 0 Start of fast bit exchange for i = 1 to n Pick C i ∈ R { 0 , 1 } C i Start Clock − − − − − − − → � v 0 i , if C i = 0 R i = v 1 i , if C i = 1 Question R i Stop Clock ← − − − − − − − � 3 � n 1 Mafia fraud: Check: △ t i ≤ t max 4 Check: correctness of R i 2 Terrorist fraud: 1 End of fast bit exchange � 3 � n 3 Distance fraud: 4 Gildas Avoine Distance Bounding for RFID 14

  15. DISCUSSION Relay Attacks Distance Bounding Protocols Discussion

  16. An Active Research Field in RFID? Is distance bounding an active research field in RFID? Gildas Avoine Distance Bounding for RFID 16

  17. Relay in Other Domains? Are relay attacks only meaningful in the RFID context? ◦ No! But RFID increases the risk. Chess grand master problem (Conway 1976) Gildas Avoine Distance Bounding for RFID 17

  18. Relay Attacks in Chess (Chess Olympiad 2010) French player S´ ebastien Feller during the Olympiad in Russia. Gildas Avoine Distance Bounding for RFID 18

  19. Distance Bounding too RFID-oriented Is research on distance bounding too RFID-oriented? ◦ Probably yes. No cryptographic operation performed during the fast phase. Restrictive assumption: 1-bit challenges and responses Avoid a final signature. Which is the best protocol without the 2 last assumptions? Gildas Avoine Distance Bounding for RFID 19

  20. Current Research Activities Are there existing models/frameworks? Definition Definition In a white-box model, the In a black-box model, the prover has full access to the prover cannot observe or implementation of the tamper with the execution of algorithm and a complete the algorithm. control over the execution environment. Definition (Pre-ask strategy) The adversary relays the first slow phase. She then executes the fast phase with the prover before the verifier starts the fast phase. Afterward, she performs the fast phase with the legitimate verifier. Gildas Avoine Distance Bounding for RFID 20

  21. Theoretical model Are there some other attack scenarios? Gildas Avoine Distance Bounding for RFID 21

  22. Prover Model Computing Capabilities of the Prover In the white-box model, restricting the computation capabilities of the prover within one protocol execution is required. 1 0.01 0.0001 Adversary success probability 1e-06 1e-08 1e-10 1e-12 Register length: n=20 1e-14 n=40 n=60 n=80 n=128 1e-16 1 10 100 1000 10000 100000 1e+06 p: Number of runs Gildas Avoine Distance Bounding for RFID 22

  23. Hancke and Kuhn’s Protocol Reader Tag (secret K ) (secret K ) Pick a random N a Pick a random N b N a − − − − − − − → N b ← − − − − − − − � v 0 = 1 1 0 1 1 0 0 0 1 0 h ( K , N a , N b ) = v 1 = 0 1 1 1 1 0 0 1 0 0 Start of fast bit exchange for i = 1 to n Pick C i ∈ R { 0 , 1 } C i Start Clock − − − − − − − → � v 0 i , if C i = 0 R i = v 1 i , if C i = 1 Question R i Stop Clock ← − − − − − − − � 3 � n 1 Mafia fraud: Check: △ t i ≤ t max 4 Check: correctness of R i 2 Terrorist fraud: 1 End of fast bit exchange � 3 � n 3 Distance fraud: 4 Gildas Avoine Distance Bounding for RFID 23

  24. Prover Model – Circle Analysis Distance Between Verifier and Prover In some distance bounding protocols, each response bit depends on some previous challenges during the fast phase. Receiving the previous challenges depends on how far the prover is away from the verifier. Gildas Avoine Distance Bounding for RFID 24

  25. Pretty Poor Proofs Proofs are “given an attack scenario”. Gildas Avoine Distance Bounding for RFID 25

  26. Assumptions realistic Are there other questionable assumptions? Propagation delays are much shorter than processing times. Adversary also induces some delays. Thwarting adversaries using commercial readers. Consider a new distance? Gildas Avoine Distance Bounding for RFID 26

  27. Suggested Directions Theory is not mature yet. Do not introduce tons of new protocols. Be less RFID-focused. Provide less scenario-oriented proofs. Think about a new distance. Gildas Avoine Distance Bounding for RFID 27

  28. Further Reading [1] Y. Desmedt, C. Goutier, and S. Bengio. Special Uses and Abuses of the Fiat-Shamir Passport Protocol. CRYPTO’87. [2] T. Beth and Y. Desmedt. Identification Tokens - or: Solving the Chess Grandmaster Problem. CRYPTO ’90. [3] G. Hancke and M. Kuhn. An RFID Distance Bounding Protocol. SecureComm 2005. [4] G. Hancke. Practical Attacks on Proximity Identification Systems. IEEE Symposium on Security and Privacy, 2006. [5] G. Avoine, M. Bing¨ ol, S. Kardas, C. Lauradoux, and B. Martin. A Framework for Analyzing RFID Distance Bounding Protocols. Journal of Computer Security, 2010. [6] A. Francillon, B. Danev, and S. ˇ Capkun. Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. Network and Distributed System Security Symposium, 2011. Gildas Avoine Distance Bounding for RFID 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Distance Bounding Protocols Conclusion

666 views • 53 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Countermeasures and Evolved Frauds

633 views • 40 slides
An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement Gildas Avoine 1 and Aslan Tchamkerten 2 1 Universit e catholique de Louvain, Louvain-la-Neuve, Belgium 2 Telecom ParisTech,

335 views • 31 slides
On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 Introduction to Distance-Bounding 1 Some Insecurity Case

600 views • 39 slides
Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE

Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE

Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2013 distance bounding FSE 2013 1 / 48 1 Why Distance-Bounding? Towards a Secure

663 views • 48 slides
An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint

An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint

An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint work with Sjouke Mauw and Jorge Toro-Pozo) Euro S&P and RFIDSec, 2016 Distance Bounding protocols 1 Beating a grand master: is this a relay

926 views • 67 slides
Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain, Belgium Workshop on Cryptography for the Internet of Things November 20 21, 2012, Antwerp, Belgium SUMMARY Relay Attacks Distance Bounding

349 views • 21 slides
Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work with: Joint work with: Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Distance Bounding 2

370 views • 16 slides
Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT

Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT

Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT LIMOS, Universit dAuvergne, France September 17th 2015 BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding

704 views • 42 slides
A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of

A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of

Introduction Lookup-based protocols Properties and security analysis Conclusions A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of Luxembourg (joint work with Sjouke Mauw and Rolando Trujillo-Rasua,

685 views • 54 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

March 2, 2014 Monte Jade's RFID Seminar Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight RFID 4. Current Airport RFID Deployments 5. Atlanta International Airport Activity with IATA RFID

912 views • 35 slides
Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2014 distance-bounding SDTA 14 1 / 42 Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols

1.02k views • 42 slides
IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing Tag Oslo, 28 November 2007 IntelliSense RFID Workshop IntelliSense RFID RESEARCH PROJECT FOR TECHNOLOGY DEVELOPMENT WITHIN THE FIELDS OF RFID

788 views • 13 slides
The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio Frequency Identification Modern RFID Applications VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips

628 views • 29 slides
TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown & Blaine McDonnell Using RFID for Model Railroad Operations What is RFID? How does RFID Work? RFID Frequencies and Type of Tags

853 views • 25 slides
How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

1 How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for funding this work, and for not reviewing these slides in advance. PRESERVE, ending 2015.06.30, was a European project Preparing Secure

491 views • 32 slides
Zooms for Effects Dominique Duval Udine, September 11., 2009 IFIP W.G.1.3. meeting Outline

Zooms for Effects Dominique Duval Udine, September 11., 2009 IFIP W.G.1.3. meeting Outline

Zooms for Effects Dominique Duval Udine, September 11., 2009 IFIP W.G.1.3. meeting Outline Introduction Diagrammatic logics Parameterization Sequential product Conclusion Motivations Wanted. A framework for the semantics of effects.

599 views • 30 slides
Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi

Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi

Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 1.9/2.15, 2015-07-16 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs

553 views • 24 slides
An investigation of phishing awareness and education over time: When and how to best remind users?

An investigation of phishing awareness and education over time: When and how to best remind users?

An investigation of phishing awareness and education over time: When and how to best remind users? Benjamin Reinheimer, Lukas Aldag, Peter Mayer, Mattia Mossano, Reyhan Duezguen, Bettina Lofthouse, Tatiana von Landesberger, Melanie Volkamer

175 views • 6 slides
Query Privacy in Sensing-as-a-Service Platforms Ruben Rios David Nu nez Javier Lopez

Query Privacy in Sensing-as-a-Service Platforms Ruben Rios David Nu nez Javier Lopez

Query Privacy in Sensing-as-a-Service Platforms Ruben Rios David Nu nez Javier Lopez Network, Information and Computer Security Lab Department of Computer Science University of Malaga {ruben,dnunez,jlm}@lcc.uma.es IFIP SEC 2017 May 29,

415 views • 26 slides
Approximate Graph Embeddings in the Cloud 2 5 3 AC B 2 2 2 2 D 0 3 1 Highlights of

Approximate Graph Embeddings in the Cloud 2 5 3 AC B 2 2 2 2 D 0 3 1 Highlights of

Approximate Graph Embeddings in the Cloud 2 5 3 AC B 2 2 2 2 D 0 3 1 Highlights of Algorithms 2018 Matthias Rost Technische Universitt Berlin, Internet Network Architectures Stefan Schmid Universitt Wien, Communication

329 views • 22 slides
Better Lemmas with Lambda Extraction Mathias Preiner, Aina Niemetz and Armin Biere Institute for

Better Lemmas with Lambda Extraction Mathias Preiner, Aina Niemetz and Armin Biere Institute for

Better Lemmas with Lambda Extraction Mathias Preiner, Aina Niemetz and Armin Biere Institute for Formal Models and Verification (FMV) Johannes Kepler University, Linz, Austria http://fmv.jku.at/ FMCAD 2015 September 27-30, 2015 Austin, Texas,

787 views • 22 slides
CNSM 2013: Awards, Future, Closing CNSM 2013: The 9th Conference on Network and Service

CNSM 2013: Awards, Future, Closing CNSM 2013: The 9th Conference on Network and Service

CNSM 2013: Awards, Future, Closing CNSM 2013: The 9th Conference on Network and Service Management October 14-18, 2013, Zrich, Switzerland CNSM 2013 Pictures Take a look at: http://www.cnsm-conf.org/2013/pics Directly linked

311 views • 12 slides

More recommend