Distance Hijacking Attacks on Distance Bounding Protocols Cas - - PowerPoint PPT Presentation

▶

Nov 27, 2022 196 likes •370 views

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work with: Joint work with: Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Distance Bounding 2

SLIDE 1

Distance Hijacking Attacks on Distance Bounding Protocols

Cas Cremers

ETH Zurich

Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun

Joint work with: Joint work with:

SLIDE 2

Distance Bounding

SLIDE 3

Distance Bounding Protocols

Objective: ensure proximity
Protocol with two roles: Prover and Verifier
Verifier obtains an upper bound on the

distance to the prover

Guarantee also holds if the prover is malicious

SLIDE 4

Distance bounding for network access

SLIDE 5

Phase 2: Fast response phase Phase 3: Finalize Phase 1: Setup

Brands and Chaum protocol (1993)

Prover Verifier nv nv xor np fresh np fresh nv Verify commit and signature Measure response time commit(np) np, sign(P, <nv, nv xor np>)

SLIDE 6

Threats considered in protocol proposals

Mafia Fraud

External attacker modifies

distance of honest prover

Distance Fraud

Dishonest prover modifies

his own distance

Terrorist Fraud

Dishonest prover collaborates

with closer attacker to modify his distance

SLIDE 7

What about other honest provers?

SLIDE 8

Phase 2: Fast response phase

Distance Hijacking attack on B&C

Honest P' V nv nv xor np fresh np fresh nv Verify commit and signature Measure response time commit(np) Dishonest P np, sign(P,<nv, nv xor np>)

SLIDE 9

Distance Hijacking

A Distance Hijacking attack is an attack in which a dishonest prover P exploits one or more honest parties to provide a verifier V with false information about the distance between P and V.

SLIDE 10

Scope

About half of the investigated protocols vulnerable

Brands and Chaum

based designs usually vulnerable

Hancke & Kuhn based

designs seem okay

Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes Bussard and Bagga

CRCS

Yes Hancke and Kuhn

Hitomi
KA2
Kuhn, Luecken, Tippenhauer

Yes MAD Yes Meadows et al for F(..) = <NV,NP xor P> Yes Munilla and Peinado

Noise resilient MAD

Yes Poulidor

Reid et al.
Swiss-knife
Tree
WSBC+DB

Yes WSBC+DB Noent Yes

SLIDE 11

Fixing the problem

Secure channel (TLS) does not help here
Cannot use cryptography during fast response
Protocols that use secure channels in the other

phases may still be vulnerable

Fixes logically bind fast

response to other phases

Involve identity in response
Bind identity to nonce in Phase 1
Fixes do not require additional cryptography

Phase 2: Fast response phase Phase 3: Finalize Phase 1: Setup

SLIDE 12

Formal model

We extended Basin et al. [TPHOLs'09]
Hybrid symbolic model
Also captures bit-level overshadowing attacks

– adversary flips some bits of an unknown message

Formalization in Isabelle/HOL
Used to show that our fixes prevent the found

attacks

(Details in the paper; theory files publicly available)

SLIDE 13

Multiple protocols

Interaction between protocols with similar fast response hardware can lead to attacks

Similar to "chosen protocol" or "multi-protocol" attacks"
ALL protocols vulnerable

GOOD protocol BAD prot. Honest P' card with bad protocol Server runs good protocol Attacker uses P card with good protocol

SLIDE 14

Are all attacks now covered?

Mafia Fraud

Terrorist Fraud

Distance Fraud

Distance Hijacking

SLIDE 15

Restructuring attacks on DB protocols

Assume an attack trace where V computes incorrect distance for P

External Distance Fraud (~ mafia fraud) Lone Distance Fraud (~ distance fraud) Assisted Distance Fraud (~ terrorist fraud) Distance Hijacking

Is P honest? Yes No Is only P involved in the attack? Yes No Is one of the other involved parties honest? No Yes

A Distance Hijacking attack is an attack in which a dishonest prover P exploits one or more honest parties to provide a verifier V with false information about the distance between P and V.

SLIDE 16

Conclusions

Many protocols vulnerable to Distance Hijacking
Fixes do not introduce significant overhead
Just-in-time: distance bounding implementations starting

to be produced

Distance Hijacking is a relevant threat in many cases
Cannot afford to ignore multiple

provers/verifiers during analysis

Interaction between different

Distance Hijacking Attacks on Distance Bounding Protocols

Cas Cremers

Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun

Distance Bounding

Distance Bounding Protocols

distance to the prover

Distance bounding for network access

Brands and Chaum protocol (1993)

Threats considered in protocol proposals

Mafia Fraud

distance of honest prover

Distance Fraud

his own distance

Terrorist Fraud

with closer attacker to modify his distance

What about other honest provers?

Distance Hijacking attack on B&C

Distance Hijacking

A Distance Hijacking attack is an attack in which a dishonest prover P exploits one or more honest parties to provide a verifier V with false information about the distance between P and V.

Scope

About half of the investigated protocols vulnerable

based designs usually vulnerable

designs seem okay

Fixing the problem

phases may still be vulnerable

response to other phases

Formal model

attacks

(Details in the paper; theory files publicly available)

Multiple protocols

Interaction between protocols with similar fast response hardware can lead to attacks

Are all attacks now covered?

Distance Fraud

Restructuring attacks on DB protocols

Assume an attack trace where V computes incorrect distance for P

A Distance Hijacking attack is an attack in which a dishonest prover P exploits one or more honest parties to provide a verifier V with false information about the distance between P and V.

Conclusions

to be produced

provers/verifiers during analysis

DB-protocols still possible...