towards secure distance bounding
play

Towards Secure Distance Bounding Ioana Boureanu, Katerina - PowerPoint PPT Presentation

Jul 07, 2023 •168 likes •663 views

Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2013 distance bounding FSE 2013 1 / 48 1 Why Distance-Bounding? Towards a Secure

  1. Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2013 distance bounding FSE 2013 1 / 48

  2. 1 Why Distance-Bounding? Towards a Secure Protocol 2 The SKI Protocol 3 SV 2013 distance bounding FSE 2013 2 / 48

  3. 1 Why Distance-Bounding? Towards a Secure Protocol 2 The SKI Protocol 3 SV 2013 distance bounding FSE 2013 3 / 48

  4. Playing against two Chess Grandmasters chess grandmaster #1 malicious player ✲ malicious player chess grandmaster #2 ✛ SV 2013 distance bounding FSE 2013 4 / 48

  5. Relay Attacks a a a ✲ ✲ ✲ honest ✛ b b ✛ b honest ✛ prover verifier c c c ✲ ✲ ✲ adversary SV 2013 distance bounding FSE 2013 5 / 48

  6. A Nice Playground for Relay Attacks Wireless Car Locks wireless key car SV 2013 distance bounding FSE 2013 6 / 48

  7. A Nice Playground for Relay Attacks Corporate RFID Card for Access Control SV 2013 distance bounding FSE 2013 7 / 48

  8. A Nice Playground for Relay Attacks Contactless Credit Card Payment wireless credit card payment SV 2013 distance bounding FSE 2013 8 / 48

  9. The Brands-Chaum Protocol Distance-Bounding Protocols [Brands-Chaum EUROCRYPT 1993] Verifier Prover public key: y secret key: x initialization phase Commit ( m ) ← − − − − − − − − − − − − pick m distance bounding phase for i = 1 to n pick c i c i − − − − − − − − − − − − → start clock r i ← − − − − − − − − − − − − r i = m i ⊕ c i stop clock check timers termination phase open commitment check responses ← − − − − − − − − − − − − Sign x ( c , r ) ← − − − − − − − − − − − − check signature Out V − − − − − − − − − − − − → SV 2013 distance bounding FSE 2013 9 / 48

  10. The Speed of Light time error of 1 µ s = distance error of 300m SV 2013 distance bounding FSE 2013 10 / 48

  11. Distance Bounding interactive proof for proximity a verifier (honest) a prover (may be malicious) a secret to characterize the prover (may be symmetric) concurrency: many provers and verifiers around, plus malicious participants completeness : if the honest prover is close to the verifier, the verifier accepts soundness : if the verifier accept, then a close participant must hold the secret secure : when honestly run, the secret must not leak SV 2013 distance bounding FSE 2013 11 / 48

  12. Distance Fraud P ∗ ← → V � �� � far away a malicious prover P ∗ tries to prove that he is close to a verifier V SV 2013 distance bounding FSE 2013 12 / 48

  13. Mafia Fraud Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] P ← → A ← → V � �� � far away an adversary A tries to prove that a prover P is close to a verifier V SV 2013 distance bounding FSE 2013 13 / 48

  14. Terrorist Fraud Major Security Problems with the “Unforgeable” (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] P ∗ ← → A ← → V � �� � far away a malicious prover P ∗ helps an adversary A to prove that P ∗ is close to a verifier V without giving A another advantage SV 2013 distance bounding FSE 2013 14 / 48

  15. Impersonation Fraud An Efficient Distance Bounding RFID Authentication Protocol [Avoine-Tchamkerten ISC 2009] A ← → V an adversary A tries to prove that a prover P is close to a verifier V SV 2013 distance bounding FSE 2013 15 / 48

  16. Distance Hijacking Distance Hijacking Attacks on Distance Bounding Protocols [Cremers-Rasmussen-Schmidt- ˇ Capkun IEEE S&P 2012] P ∗ ← → P ′ ← → V � �� � far away a malicious prover P ∗ tries to prove that he is close to a verifier V by taking advantage of other provers P ′ SV 2013 distance bounding FSE 2013 16 / 48

  17. A General Threat Model distance fraud : P ( x ) far from all V ( x ) ’s want to make one V ( x ) accept (interaction with other P ( x ′ ) and V ( x ′ ) possible anywhere) → also captures distance hijacking man-in-the-middle : learning phase : A interacts with many P ’s and V ’s attack phase : P ( x ) ’s far away from V ( x ) ’s, A interacts with them and possible P ( x ′ ) ’s and V ( x ′ ) ’s A wants to make one V ( x ) accept → also captures impersonation collusion fraud : P ( x ) far from all V ( x ) ’s interacts with A and makes one V ( x ) accept, but View ( A ) does not give any advantage to mount a man-in-the-middle attack SV 2013 distance bounding FSE 2013 17 / 48

  18. Known Protocols and Security Results success probability of best known “regular” attacks (TF with no tolerance to noise + no malicious PRF) Protocol Success Probability Distance-Fraud MiM Collusion-Fraud ( 1 / 2 ) n ( 1 / 2 ) n Brands & Chaum 1 ( 1 / 2 ) n Bussard & Bagga 1 1 ˇ ( 1 / 2 ) n ( 1 / 2 ) n Capkun et al. 1 ( 3 / 4 ) n ( 3 / 4 ) n Hancke & Kuhn 1 ( 3 / 4 ) ν ( 3 / 4 ) n Reid et al. 1 ( 1 / 2 ) n ( 1 / 2 ) n Singel´ ee & Preneel 1 ( 3 / 4 ) ν ( 3 / 4 ) n Tu & Piramuthu 1 ( 3 / 4 ) n ( 3 / 5 ) n Munilla & Peinado 1 ( 3 / 4 ) n ( 1 / 2 ) n ( 3 / 4 ) ν Swiss-Knife ( 7 / 8 ) n ( 1 / 2 ) n Kim & Avoine 1 ( 1 / 2 ) n 1 / k Nikov & Vauclair 1 ( 3 / 4 ) n ( 2 / 3 ) n ( 2 / 3 ) ν Avoine et al. SV 2013 distance bounding FSE 2013 18 / 48

  19. 1 Why Distance-Bounding? Towards a Secure Protocol 2 The SKI Protocol 3 SV 2013 distance bounding FSE 2013 19 / 48

  20. The Hancke-Kuhn Protocol An RFID Distance-Bounding Protocol [Hancke-Kuhn SECURECOMM 2005] Verifier Prover secret: x secret: x initialization phase N V − − − − − − − − − − − − → pick N V N P ← − − − − − − − − − − − − pick N P a 1 � a 2 = f x ( N P , N V ) a 1 � a 2 = f x ( N P , N V ) distance bounding phase for i = 1 to n pick c i ∈ { 1 , 2 } c i − − − − − − − − − − − − → start clock � if c i = 1 a 1 , i r i ← − − − − − − − − − − − − r i = stop clock if c i = 2 a 2 , i check responses Out V − − − − − − − − − − − − → check timers SV 2013 distance bounding FSE 2013 20 / 48

  21. A Terrorist Fraud against The Hancke-Kuhn Protocol Verifier Adversary Malicious Prover secret: x secret: x initialization phase N V N V − − − − − − − − − − − − → − − − − − − − − − − − − → pick N V pick N P N P , a 1 , a 2 N P a 1 � a 2 = f x ( N P , N V ) ← − − − − − − − − − − − − ← − − − − − − − − − − − − a 1 � a 2 = f x ( N P , N V ) distance bounding phase for i = 1 to n pick c i ∈ { 1 , 2 } c i − − − − − − − − − − − − → start clock r i stop clock ← − − − − − − − − − − − − r i = a c i , i check responses Out V check timers − − − − − − − − − − − − → SV 2013 distance bounding FSE 2013 21 / 48

  22. The Reid et al. Protocol (DBENC) Detecting Relay Attacks with Timing-based Protocols [Reid-Nieto-Tang-Senadji ASIACCS 2007] Verifier Prover secret: x secret: x initialization phase N V − − − − − − − − − − − − → pick N V pick N P N P a 1 = f x ( N P , N V ) ← − − − − − − − − − − − − a 1 = f x ( N P , N V ) a 2 = a 1 ⊕ x a 2 = a 1 ⊕ x distance bounding phase for i = 1 to n pick c i ∈ { 1 , 2 } c i − − − − − − − − − − − − → start clock r i ← − − − − − − − − − − − − r i = a c i , i stop clock check responses Out V − − − − − − − − − − − − → check timers resist to terrorist fraud: if a 1 and a 2 leak, then x as well! SV 2013 distance bounding FSE 2013 22 / 48

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 Introduction to Distance-Bounding 1 Some Insecurity Case

600 views • 39 slides
An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint

An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint

An optimal distance-bounding protocol Rolando Trujillo-Rasua University of luxembourg (joint work with Sjouke Mauw and Jorge Toro-Pozo) Euro S&P and RFIDSec, 2016 Distance Bounding protocols 1 Beating a grand master: is this a relay

926 views • 67 slides
Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium

Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium

Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY Relay Attacks Distance Bounding Protocols Discussion RELAY ATTACKS Relay Attacks Distance Bounding Protocols

330 views • 28 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Distance Bounding Protocols Conclusion

666 views • 53 slides
Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain, Belgium Workshop on Cryptography for the Internet of Things November 20 21, 2012, Antwerp, Belgium SUMMARY Relay Attacks Distance Bounding

349 views • 21 slides
Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work with: Joint work with: Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Distance Bounding 2

370 views • 16 slides
Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT

Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT

Security Analysis of Distance Bounding Protocols Agnes BRELURUT, Pascal LAFOURCADE, David GERAULT LIMOS, Universit dAuvergne, France September 17th 2015 BRELURUT, LAFOURCADE, GERAULT (LIMOS, France) Security Analysis of Distance Bounding

704 views • 42 slides
An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement Gildas Avoine 1 and Aslan Tchamkerten 2 1 Universit e catholique de Louvain, Louvain-la-Neuve, Belgium 2 Telecom ParisTech,

335 views • 31 slides
A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of

A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of

Introduction Lookup-based protocols Properties and security analysis Conclusions A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of Luxembourg (joint work with Sjouke Mauw and Rolando Trujillo-Rasua,

685 views • 54 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Countermeasures and Evolved Frauds

633 views • 40 slides
Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and Spoofing Detec:on Usable Authen:ca:on (2FA) Security of Blockchains / Cryptocurrencies Trusted Compu:ng Secure Proximi mity / Distance Measureme

589 views • 30 slides
Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2014 distance-bounding SDTA 14 1 / 42 Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols

1.02k views • 42 slides
Markov Chains and Coupling In this class we will consider the problem of bounding the time taken

Markov Chains and Coupling In this class we will consider the problem of bounding the time taken

Markov Chains and Coupling In this class we will consider the problem of bounding the time taken by a Markov chain to reach the stationary distribution. We will do so using the coupling technique , which helps bound the distance between two

315 views • 4 slides
Hierarchical Bounding Volume October 11, 2005 () Hierarchical Bounding Volume October 11, 2005

Hierarchical Bounding Volume October 11, 2005 () Hierarchical Bounding Volume October 11, 2005

Hierarchical Bounding Volume October 11, 2005 () Hierarchical Bounding Volume October 11, 2005 1 / 15 Outline Introduction to hierarchical bounding volume (HBV) Tree generation Other optimization issues () Hierarchical Bounding Volume

350 views • 16 slides
Computer Graphics MTAT.03.015 Raimond Tunnel The Road So Far... Bounding Box With bounding

Computer Graphics MTAT.03.015 Raimond Tunnel The Road So Far... Bounding Box With bounding

Computer Graphics MTAT.03.015 Raimond Tunnel The Road So Far... Bounding Box With bounding boxes you can detect collisions between boxes. Our hangar just happens to be a box. The chopper is not a box, but the collision

718 views • 25 slides
Telescopic slides 701 Technical information for telescopic slides Construction: Telescopic

Telescopic slides 701 Technical information for telescopic slides Construction: Telescopic

Telescopic slides 701 Technical information for telescopic slides Construction: Telescopic slides consist of two or more ball-bearing supported guide rails mounted one inside another that can be pulled out like a telescope. The load rating of

530 views • 13 slides
Cleantech San Diego: 2018 Legislative Review AB 2127 & SB 1000 AB 2127 (Ting) Electric

Cleantech San Diego: 2018 Legislative Review AB 2127 & SB 1000 AB 2127 (Ting) Electric

Cleantech San Diego: 2018 Legislative Review AB 2127 & SB 1000 AB 2127 (Ting) Electric Vehicle Charging Infrastructure Assessment Codifies as a biennial requirement the Energy Commission statewide assessment of u the EV charging

359 views • 5 slides
NDN: an Orchestrated Microservice Architecture for Named Data Networking Xavier MARCHAL,

NDN: an Orchestrated Microservice Architecture for Named Data Networking Xavier MARCHAL,

NDN: an Orchestrated Microservice Architecture for Named Data Networking Xavier MARCHAL, Thibault CHOLEZ, Olivier FESTOR LORIA, UMR 7503 (University of Lorraine, CNRS, INRIA) Vandoeuvre-les-Nancy, F-54506, France September 22, 2018

786 views • 21 slides
Design CPAD 2019 Dec. 8-10, 2019 Cesar Gonzalez Renteria (LBNL) on behalf of the RD53

Design CPAD 2019 Dec. 8-10, 2019 Cesar Gonzalez Renteria (LBNL) on behalf of the RD53

RD53 Status and the Role of Verification in Digital Design CPAD 2019 Dec. 8-10, 2019 Cesar Gonzalez Renteria (LBNL) on behalf of the RD53 Collaboration 1 Outline Introduction RD53 Collaboration What is the mission of the

644 views • 46 slides
ECON2915 Economic Growth Lecture 4 : Human capital. Productivity measurement. Andreas Moxnes

ECON2915 Economic Growth Lecture 4 : Human capital. Productivity measurement. Andreas Moxnes

ECON2915 Economic Growth Lecture 4 : Human capital. Productivity measurement. Andreas Moxnes University of Oslo Fall 2016 1 / 40 Human capital and income So far: Workers assumed to be identical over time and across countries. How can

531 views • 41 slides
Refining the conformational ensembles of flexible proteins using simulation-guided spectroscopy

Refining the conformational ensembles of flexible proteins using simulation-guided spectroscopy

Refining the conformational ensembles of flexible proteins using simulation-guided spectroscopy Jennifer M. Hays Blue Waters Symposium June 3 2018 Acknowledgements Columbus Lab Kasson Lab Linda Columbus, PhD Peter Kasson, MD,

421 views • 18 slides
Security&StabilityAdvisory Commi5ee Ac6vi6es,Outreach,and

Security&StabilityAdvisory Commi5ee Ac6vi6es,Outreach,and

Security&StabilityAdvisory Commi5ee Ac6vi6es,Outreach,and Collabora6on SanFrancisco,California March2011 Agenda 1. Introduc6on:PatrikFltstrm,

406 views • 7 slides
Real Estate Readiness: A Workshop Series for Arts and Culture Nonprofits Movimiento de Arte y

Real Estate Readiness: A Workshop Series for Arts and Culture Nonprofits Movimiento de Arte y

Real Estate Readiness: A Workshop Series for Arts and Culture Nonprofits Movimiento de Arte y Cultura Latino Americana in downtown San Jose Stephaney Kipple Presented by : Andrea Papanastassiou The Northern California Community Loan Fund Jack

888 views • 54 slides

More recommend