Relay Attacks and Distance Bounding Protocols in RFID Environments - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Relay Attacks and Distance Bounding Protocols in RFID Environments

  • Prof. Gildas Avoine

Université catholique de Louvain, Belgium
Information Security Group

slide-2
SLIDE 2

SUMMARY

  • RFID Background
  • Relay Attacks
  • Distance Bounding Protocols
  • Conclusion

slide-3
SLIDE 3

RFID BACKGROUND


slide-4
SLIDE 4

Definition and Architecture

Definition (RFID, EU Recommendation 2009). [RFID] means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio frequency tag or other data stored on it.

[Architecture figure: several tags communicate with readers, and the readers communicate with a back-end system]

Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 4/27

slide-5
SLIDE 5

Basic RFID

Image credits: www.aeroid.co.uk, www.rfid-library.com, www.flickr.com, www.safetzone.com

Supply chain tracking.

  • Track boxes, pallets, etc.

Libraries.

  • Improve book borrowing and inventories.

Pet identification.

  • Replace tattoos with electronic identification.
  • ISO11784, ISO11785.

Localisation.

  • Children in amusement parks, Elderly people.
  • Counting cattle.


slide-6
SLIDE 6

Evolved RFID

Image credits: G. Avoine, www.carthiefstoppers.com, www.brusselnieuws.be, blogs.e-rockford.com

Building access control.

  • E.g. UCL, MIT.

Automobile ignition key.

  • E.g. TI DST, KeeLoq.

Public transportation.

  • E.g. Brussels, Boston, Paris, ..., Thalys.

Payment.

  • E.g. Visa, Baja Beach Club.

Electronic documents.

  • E.g. ePassports.

Loyalty cards.


slide-7
SLIDE 7

Tag Characteristics

The figure plots tags on seven axes; the values marked on each axis are:

  • cost: 10 cents, 50 cents, euros
  • power: passive, active
  • frequency: LF, HF, UHF
  • communication range: cm, dm, meters
  • standard: EPC, ISO 14443, ISO 15693
  • calculation: no password, symmetric crypto, asymmetric crypto
  • storage: UID only, 1 KB, 40 KB

slide-8
SLIDE 8

Tag Characteristics

[Same seven axes (cost, power, frequency, communication range, standard, calculation, storage) as the previous slide, with the profile of an access control tag overlaid]

slide-9
SLIDE 9

Tag Characteristics

[Same seven axes (cost, power, frequency, communication range, standard, calculation, storage), with the profiles of an access control tag and a logistics tag overlaid]

slide-10
SLIDE 10

RELAY ATTACKS


slide-11
SLIDE 11

Variant of ISO 9798-2 Protocol 3

Verifier (secret k)                              Prover (secret k)
Pick Na
                   ------------ Na ------------>
                                                 Pick Nb
                   <-------- Ek(Na, Nb) --------

The protocol is secure under the usual assumptions on E, k, Na and Nb.
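Worked example, added here and not taken from the slides: the nonce exchange of slide 11 with E_k instantiated as HMAC-SHA256 (the slide leaves E abstract), a verifier with a loose ISO 14443-style timer, and the verbatim relay of the slides that follow. The two adversary devices forward bytes without the key and without parsing anything; link latencies are simulated values, and the 5 ms default timeout is the one the deck quotes for ISO 14443.

```python
"""Slide 11's challenge-response and the verbatim relay of slides 12-17, simulated."""
import hashlib
import hmac
import secrets


def e_k(k: bytes, na: bytes, nb: bytes) -> bytes:
    """E_k(Na, Nb), instantiated as HMAC-SHA256 over Na || Nb (assumption: E is abstract on the slide)."""
    return hmac.new(k, na + nb, hashlib.sha256).digest()


class Prover:
    def __init__(self, k: bytes) -> None:
        self.k = k

    def respond(self, na: bytes) -> tuple[bytes, bytes]:
        nb = secrets.token_bytes(16)          # Pick Nb
        return nb, e_k(self.k, na, nb)


class Verifier:
    """Picks Na, sends it over `channel`, checks the timer, then checks E_k(Na, Nb)."""

    def __init__(self, k: bytes, timeout_ms: float) -> None:
        self.k, self.timeout_ms = k, timeout_ms

    def run(self, channel) -> bool:
        na = secrets.token_bytes(16)          # Pick Na
        nb, tag, elapsed_ms = channel(na)     # channel reports the simulated round trip
        if elapsed_ms > self.timeout_ms:      # the (loose) timer of slide 19
            return False
        return hmac.compare_digest(tag, e_k(self.k, na, nb))


def direct_link(prover: Prover, latency_ms: float = 0.01):
    """Tag held against the reader: negligible round trip."""
    def channel(na: bytes):
        nb, tag = prover.respond(na)
        return nb, tag, latency_ms
    return channel


def relay(prover: Prover, hop_ms: float):
    """Two adversary devices: one in front of the verifier, one next to the distant prover.
    They forward every byte unchanged and never see the key; only latency is added."""
    forwarded = []

    def channel(na: bytes):
        forwarded.append(("verifier->prover", na))
        nb, tag = prover.respond(na)          # the honest prover answers the genuine Na
        forwarded.append(("prover->verifier", nb + tag))
        return nb, tag, 2 * hop_ms            # one hop out, one hop back

    channel.forwarded = forwarded
    return channel


def forge_without_key(na: bytes):
    """Adversary who answers on its own instead of relaying: fails without k."""
    return secrets.token_bytes(16), secrets.token_bytes(32), 0.01


def demo(timeout_ms: float = 5.0) -> dict:
    k = secrets.token_bytes(16)
    prover, verifier = Prover(k), Verifier(k, timeout_ms)
    return {
        "direct": verifier.run(direct_link(prover)),
        "relay_within_timer": verifier.run(relay(prover, hop_ms=2.0)),  # 4 ms < 5 ms: accepted
        "relay_too_slow": verifier.run(relay(prover, hop_ms=3.0)),      # 6 ms > 5 ms: rejected
        "forgery": verifier.run(forge_without_key),
    }
```

The cryptography holds up (the forgery is rejected) while the relay is accepted whenever the link fits inside the timer, which is exactly why the timer, not the cipher, is the attack surface here.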


slide-12
SLIDE 12

Relay Attack

[Figure sequence: a verifier and a prover; one adversary device is placed in front of the verifier and another next to the prover, and the two devices relay the messages between them, possibly over 10000 km]


slide-21
SLIDE 21

Relay Attack

Definition and Do-Ability

Definition (Relay Attack). A relay attack is a form of man-in-the-middle where the adversary manipulates the communication only by relaying the verbatim messages between two parties.

The reader starts a timer when it sends a message.

  • To avoid half-open connections.
  • The timer is not tight.

Example: ISO 14443 "Proximity Cards".

  • Used in most security-sensitive applications.
  • Standardises the low layers (physical layer, anti-collision).
  • The default timer is around 5 ms.
  • The prover can request more time, up to 4949 ms.
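Worked example, added here and not part of the slides: ISO/IEC 14443-4 derives the frame waiting time as FWT = (256 × 16 / fc) × 2^FWI with fc = 13.56 MHz and FWI between 0 and 14, which is where the "around 5 ms" default (FWI = 4) and the 4949 ms maximum (FWI = 14) quoted above come from. The code turns that timer into a relay distance budget. The speed-of-light figure is a physical upper bound only (a relay over the Internet or a radio link has far more latency), and `processing_ms` is an assumed allowance for the tag's own work.

```python
"""ISO/IEC 14443-4 frame waiting time (slides 20-21) and the relay slack it allows."""
FC_HZ = 13.56e6                       # ISO 14443 carrier frequency
C_KM_PER_S = 299_792.458              # speed of light


def fwt_ms(fwi: int) -> float:
    """Frame waiting time: FWT = (256 * 16 / fc) * 2**FWI, FWI in 0..14."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be in 0..14")
    return (256 * 16 / FC_HZ) * (2 ** fwi) * 1000.0


def relay_budget_km(fwi: int, processing_ms: float = 0.0) -> float:
    """Farthest one-way relay distance that fits in FWT if the only extra cost is
    light-speed propagation there and back (processing_ms: assumed tag delay)."""
    spare_ms = fwt_ms(fwi) - processing_ms
    if spare_ms <= 0:
        return 0.0
    return C_KM_PER_S * (spare_ms / 1000.0) / 2


def min_fwi_for_relay(one_way_km: float, processing_ms: float = 0.0) -> int:
    """Smallest FWI a relayed prover would have to announce in its ATS so that a relay
    over one_way_km (each way) stays inside the reader's timer."""
    needed_ms = 2 * one_way_km / C_KM_PER_S * 1000.0 + processing_ms
    for fwi in range(15):
        if fwt_ms(fwi) >= needed_ms:
            return fwi
    raise ValueError("no FWI accommodates that distance")


def table() -> list[tuple[int, float, float]]:
    """(FWI, FWT in ms, one-way relay budget in km) for every legal FWI."""
    return [(fwi, round(fwt_ms(fwi), 3), round(relay_budget_km(fwi), 1)) for fwi in range(15)]


if __name__ == "__main__":
    for row in table():
        print("FWI=%2d  FWT=%9.3f ms  relay budget=%10.1f km" % row)
    print("FWI needed for a 10000 km relay:", min_fwi_for_relay(10_000))
```

Even the default FWI = 4 leaves room for several hundred kilometres of pure propagation, and a prover that announces FWI = 8 already covers the 10000 km of the earlier figure; the timer protects against a stalled card, not against a relay.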


slide-22
SLIDE 22

Practicability

Examples

  • Radio link over 50 meters (G. Hancke, 2005).
  • With a pair of ACR122 readers (A. Laurie, 2009).
  • With NFC cell phones or over the Internet (libnfc).


slide-24
SLIDE 24

Practicability

Examples

Attacks by Francillon, Danev and Capkun (ETHZ) against the passive keyless entry and start systems used in modern cars.

  • 10 systems tested: none resisted!

slide-25
SLIDE 25

DISTANCE BOUNDING PROTOCOLS


slide-26
SLIDE 26

Protocol Aims in General Framework

Definition (Distance Checking) A distance bounding is a process whereby one party is assured:

1 Of the identity of a second party, 2 That the latter is present in the neighborhood of the verifying

party, at some point in the protocol.

Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 15/27

slide-27
SLIDE 27

Protocol Aims in General Framework

Definition (Distance Checking) A distance bounding is a process whereby one party is assured:

1 Of the identity of a second party, 2 That the latter is present in the neighborhood of the verifying

party, at some point in the protocol.

Reader Tag

Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 15/27

slide-28
SLIDE 28

Protocol Aims in General Framework

Definition (Distance Checking). A distance bounding protocol is a process whereby one party is assured:

  1. of the identity of a second party,
  2. that the latter is present in the neighborhood of the verifying party at some point in the protocol.

[Figure: a reader and a tag, with the reader's neighborhood drawn around it]

Distance bounding does not prevent relaying as such; it detects a prover that is outside the neighborhood, as the "No Fraud" and "Fraud" figures that follow illustrate.

slide-29
SLIDE 29

No Fraud

[Figures: an adversary relays between a reader and a tag, but the tag is inside the reader's neighborhood; no fraud occurs]

slide-31
SLIDE 31

Fraud

[Figure sequence: the adversary stands in front of the reader while the tag is outside the reader's neighborhood, and the messages are relayed between them; the reader should reject]

slide-37
SLIDE 37

Distance Bounding Based on the Speed of Light

Measure the round-trip time (RTT) of a given message.

  • It provides a bound on the distance.
  • Idea introduced by Beth and Desmedt [Crypto90].

[Figures: the reader bounds the neighborhood from the RTT; the RTT includes the tag's computation time, so an accelerated tag that computes faster than expected appears closer than it is]

The message must be authenticated.

  • Authentication is time-consuming, so the cryptographic computation has to be kept out of the timed exchange.

slide-39
SLIDE 39

Hancke and Kuhn's Protocol

Description

Reader (secret K)                                   Tag (secret K)
Pick a random Na                                    Pick a random Nb
                   ------------ Na ------------>
                   <----------- Nb -------------
Both compute h(K, Na, Nb) = v0 || v1 (two n-bit registers; the figure shows v0 and v1 bit by bit)

Start of fast bit exchange, for i = 1 to n:
  Pick Ci ∈R {0, 1}
  Start clock      ------------ Ci ------------>
                                                    Ri = v0_i if Ci = 0, v1_i if Ci = 1
  Stop clock       <----------- Ri -------------
  Check: Δt_i ≤ t_max
  Check: correctness of Ri
End of fast bit exchange


slide-41
SLIDE 41

Mafia Fraud

Definition (Mafia Fraud). A mafia fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and an honest tag located outside the neighborhood.

Mafia fraud: Desmedt, Goutier, Bengio [Crypto87].

Shamir, about the Fiat-Shamir protocol [Crypto86]: "I can go to a Mafia-owned store a million successive times and they still will not be able to misrepresent themselves as me." (The New York Times, February 17, 1987, James Gleick.)

A.k.a. relay attack, chess grandmaster problem, wormhole attack, passive man-in-the-middle, middleman attack...


slide-43
SLIDE 43

Fraud (variants)

Definition (Distance Fraud). Given a distance bounding protocol, a distance fraud is an attack where a dishonest prover, acting alone, purports to be in the neighborhood of the verifier.

Definition (Terrorist Fraud). A terrorist fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and a dishonest tag located outside the neighborhood, such that the tag actively helps the adversary to maximise her success probability without giving her any advantage for future attacks.


slide-45
SLIDE 45

Hancke and Kuhn's Protocol

Description

Reader (secret K)                                   Tag (secret K)
Pick a random Na                                    Pick a random Nb
                   ------------ Na ------------>
                   <----------- Nb -------------
Both compute h(K, Na, Nb) = v0 || v1 (two n-bit registers)

Start of fast bit exchange, for i = 1 to n:
  Pick Ci ∈R {0, 1}
  Start clock      ------------ Ci ------------>
                                                    Ri = v0_i if Ci = 0, v1_i if Ci = 1
  Stop clock       <----------- Ri -------------
  Check: Δt_i ≤ t_max
  Check: correctness of Ri
End of fast bit exchange

Question: what is the adversary's success probability?

  1. Mafia fraud: (3/4)^n
  2. Terrorist fraud: 1
  3. Distance fraud: (3/4)^n


slide-49
SLIDE 49

Current Research Activities

Analysis framework. Extensive (fair) survey.

[Figure: analysis framework with a white-box model and a black-box model, each covering terrorist fraud, mafia fraud and distance fraud]

[Plot: adversary success probability p (1e-16 to 1, log scale) against number of runs (1 to 1e6, log scale), for register lengths n = 20, 40, 60, 80 and 128]

slide-50
SLIDE 50

CONCLUSION


slide-51
SLIDE 51

Conclusion

Theory is mature.

  • The first protocols were analysed with an ad hoc ("pedestrian") approach.
  • Models now exist.

Practice is still young.

  • Propagation delays are much shorter than processing times.
  • The times involved are nanoseconds.
  • Some experiments succeeded (e.g. ETHZ, CEA-Leti).

slide-52
SLIDE 52

Conclusion

Relay attacks are practicable.

Mifare Plus contains a kind of distance bounding protocol.

Mitigating the problem is perhaps enough:

  • The adversary also induces some delay.
  • Thwarting adversaries who use commercial readers.
  • Avoiding long-distance attacks.

slide-53
SLIDE 53

Further Reading

  • Y. Desmedt, C. Goutier, and S. Bengio. Special Uses and Abuses of the Fiat-Shamir Passport Protocol. In CRYPTO'87, vol. 293 of LNCS, pp. 21–39, Aug. 1988. Springer.
  • S. Brands and D. Chaum. Distance-Bounding Protocols. In EUROCRYPT'93, vol. 765 of LNCS, pp. 344–359, May 1993. Springer.
  • G. Hancke and M. Kuhn. An RFID Distance Bounding Protocol. In SecureComm 2005, Sep. 2005. IEEE.
  • G. Avoine, M. Bingöl, S. Kardaş, C. Lauradoux, and B. Martin. A Framework for Analyzing RFID Distance Bounding Protocols. Journal of Computer Security, 2010.