1 / 37

Distance Bounding Protocols with Void Challenges for RFID

Distance Bounding Protocols with Void Challenges for RFID. Jorge Munilla Fajardo Dpto. Ingeniería de Comunicaciones. E.T.S.I.Telecomunicación. Universidad de Málaga (Spain). SECTIONS. 1.- Attacks related to the location 2.- Definition of Distance Bounding Protocols

baris
Télécharger la présentation

Distance Bounding Protocols with Void Challenges for RFID

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Distance Bounding Protocols with Void Challenges for RFID Jorge Munilla Fajardo Dpto. Ingeniería de Comunicaciones. E.T.S.I.Telecomunicación. Universidad de Málaga (Spain)

  2. SECTIONS 1.- Attacks related to the location 2.-Definition of Distance Bounding Protocols 3.- Proposed protocol for RFID: HKP (Hancke and Kuhn’s protocol) 4.- Modification of the HKP with void-challenges 5.-Novel low-cost proposal Ingeniería de Comunicaciones, Universidad de Málaga

  3. 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Characters: Legitimate prover Legitimate prover acting in a bad way Adversary Ingeniería de Comunicaciones, Universidad de Málaga

  4. 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range T-A R-A Ingeniería de Comunicaciones, Universidad de Málaga

  5. 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range T-A R-A Ingeniería de Comunicaciones, Universidad de Málaga

  6. 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range T-A T-B R-B R-A R-A ATTACKER Ingeniería de Comunicaciones, Universidad de Málaga

  7. 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range T-A T-B R-A R-A Legitimate user collaborates with the adversary giving him the necessary information to access to the system but only once. Ingeniería de Comunicaciones, Universidad de Málaga

  8. Range Range T-B R-A R-A Range The most worrying R-A ATTACKER R-A R-A 1.- Attacks related to the distance Distance Fraud Attack Mafia Fraud Attack Terrorist Attack Ingeniería de Comunicaciones, Universidad de Málaga

  9. The most worrying These attacks are orthogonal to high level security protocols SOLUTION: DISTANCE BOUNDING PROTOCOLS 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Ingeniería de Comunicaciones, Universidad de Málaga

  10. CRYPTOGRAPHIC PART -Based on symmetric key Received signal strength Processing delay must be short and invariant DISTANCE BOUNDING PART Ultra-sound waves Electromagnetic waves Round-trip time 2.- Distance Bounding Protocols PROVER K VERIFIER K Challenge Start Timer Compute Response = f(challenge, K) Response Stop Timer n times Ingeniería de Comunicaciones, Universidad de Málaga

  11. 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips PROVER K VERIFIER K N1 Compute H2n= f(K,N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Compute H2n= f(K,N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n N2 For i=1 to n do: C Start Timer R=R0i if C=0 R=R1iif C=1 R Stop Timer End for S Check S S=MAC(K,C1||C2||..Cn) Ingeniería de Comunicaciones, Universidad de Málaga

  12. 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips PROVER K VERIFIER K N1 Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n N2 For i=1 to n do: C Start Timer R=R0i if C=0 R=R1i if C=1 R Stop Timer End for S Check S S=MAC(K,C1||C2||..Cn) Ingeniería de Comunicaciones, Universidad de Málaga

  13. 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips PROVER K VERIFIER K N1 Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Compute H2n= f(K,N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n N2 For i=1 to n do: C Start Timer R=R0i if C=0 R=R1i if C=1 R Stop Timer End for S Check S S=MAC(K,C1||C2||..Cn) Ingeniería de Comunicaciones, Universidad de Málaga

  14. 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips PROVER K VERIFIER K N1 Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n N2 For i=1 to n do: C Start Timer R=R0i if C=0 R=R1i if C=1 R Stop Timer End for S Check S S=MAC(K,C1||C2||..Cn||R1…) Ingeniería de Comunicaciones, Universidad de Málaga

  15. 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips PROVER K VERIFIER K N1 Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n RELIABLE Signal goes through every layer N2 For i=1 to n do: C Start Timer UNRELIABLE Signal doesn’t go through every layer R=R0i if C=0 R=R1i if C=1 R Stop Timer End for RELIABLE Signal goes through every layer S Check S S=MAC(K,C1||C2||..Cn) Ingeniería de Comunicaciones, Universidad de Málaga

  16. Removed Due to unreliability of the channel 3.- Hancke and Kuhn’s protocol PROVER K VERIFIER K N1 Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n N2 For i=1 to n do: C Start Timer R=R0i if C=0 R=R1i if C=1 R Stop Timer End for S Check S S=MAC(K,C1||C2||..Cn) Ingeniería de Comunicaciones, Universidad de Málaga

  17. 3.- Hancke and Kuhn’s protocol PROVER K VERIFIER K N1 Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Compute H2n= f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n N2 For i=1 to n do: C Start Timer R=R0i if C=0 R=R1i if C=1 UWB Channel R Stop Timer End for Ingeniería de Comunicaciones, Universidad de Málaga

  18. K,vo,v1 intermingled (K=Dv1(v0)) 3.- Hancke and Kuhn’s protocol PROBLEMS: ►Vulnerable to Terrorist Attack Ingeniería de Comunicaciones, Universidad de Málaga

  19. K,vo,v1 intermingled (K=Dv1(v0)) Higher number of rounds Hancke and Kuhn’s protocol PROBLEMS: ►Vulnerable to Terrorist Attack ►Adversary succeeds with probability ¾ Ingeniería de Comunicaciones, Universidad de Málaga

  20. Compute H3n = f(K, N1,N2) V0=H1||H2||…Hn V1=Hn+1||Hn+2||…H2n P=H2n+1||H2n+2||…H3n Compute H2n = f(K, N1,N2) V0=H1||H2||…Hn V1=Hn+1||Hn+2||…H2n But a 2n+1 bitstring could be used. C=0  H1, H2, H3 ... C=1  Hn+1, Hn , Hn-1... P V 4.-Modification of the HKP with void challenges Beside v0and v1, a third random bit-string is generated  P P points out when the reader sends a challenge and when he doesn’t Ingeniería de Comunicaciones, Universidad de Málaga

  21. 4.-Modification of the HKP with void challenges Using this vector P, card is able to detect an adversary trying to get the responses in advance. Ingeniería de Comunicaciones, Universidad de Málaga

  22. 4.-Modification of the HKP with void challenges Analysis Attacker has two possible strategies: ► Asking in advance (taking the risk the card uncovers him) ► Without asking in advance (trying to guess the challenges) Ingeniería de Comunicaciones, Universidad de Málaga

  23. 4.-Modification of the HKP with void challenges -Without asking in advance (trying to guess the challenges) No advantages!? It coincides with the probability for the HKP But this is true only in a noise-free environment, when the unreliability of the channel is taken into account this modified protocol presents better features than HKP Ingeniería de Comunicaciones, Universidad de Málaga

  24. 4.-Modification of the HKP with void challenges Anyway, in a noise-free environment if P is generated in the following way: Compute H4n = f(K, N1,N2) V0=H1||H2||…Hn V1=Hn+1||Hn+2||…H2n P=f(H2n+1, H2n+2 )||f(H2n+3, H2n+4)||…f(H4n-1, H4n) f(x1,x2) = 1 if x1x2=00, 01, 10 f(x1,x2) = 0 if x1x2=11 The probability for an interval to have a challenge is three times higher than to be void Ingeniería de Comunicaciones, Universidad de Málaga

  25. Same probabilities with fewer rounds 4.-Modification of the HKP with void challenges Analysis when P is generating making the probability for an interval to have a challenge is three times higher than to be void: Ingeniería de Comunicaciones, Universidad de Málaga

  26. K,vo,v1 intermingled (K=Dv1(v0)) Microwave links & Faster Logic Hancke and Kuhn’s protocol PROBLEMS: ►Vulnerable to Terrorist Attack Void challenges ►Adversary succeeds with probability ¾ ►Expensive Sresolution =c/BW Ingeniería de Comunicaciones, Universidad de Málaga

  27. We give up the idea of avoiding distance fraud attacks We would need too much BW and fast logic ►It is carried out by a legitimate user ►To increase the range significantly are necessary sophisticated devices Distance Fraud attack isn’t too worrying 5.- Novel protocol with void-challenges ►Reduced processing delay (short and invariant) ►Low cost solution: to modify as less as possible the ordinary cards.The complexity must fall on the reader Two targets Ingeniería de Comunicaciones, Universidad de Málaga

  28. We give up the idea of avoiding distance fraud attacks We would need too much BW and fast logic We focus on avoiding the most worrying attacks  Relay attacks The idea will be to detect the delay introduced by the attacker's devices 5.- Novel protocol with void-challenges ►Reduced processing delay (short and invariant) ►Low cost solution: modify as less as possible the ordinary cards.The complexity must fall on the reader Two targets Ingeniería de Comunicaciones, Universidad de Málaga

  29. We give up the idea of avoiding distance fraud attacks We would need too much BW and fast logic We focus on avoiding the most worrying attacks  Relay attacks How to modify this protocol to make it resistant to terrorist attacks 5.- Novel protocol with void-challenges ►Reduced processing delay (short and invariant) ►Low cost solution: modify as less as possible the ordinary cards.The complexity must fall on the reader Two targets Ingeniería de Comunicaciones, Universidad de Málaga

  30. ►From Reader to Card: a 100% ASK modulation with Modified Miller Code 2-3μs ►From Card to Reader: Load Modulation. Subcarrier 847Khz (fc/16).Manchester Coding 5.- Novel protocol with void-challenges RFID-14443a - FEATURES: ►Carrier: 13.56MHz ►Inductive coupling: to supply energy and communication  Up to 10cm ►Passive: no batteries, energy from the reader. ►Communication:106 kbps (fc/128). Ingeniería de Comunicaciones, Universidad de Málaga

  31. 5.- Novel protocol with void-challenges V0 -points out when the reader sends the challenge Two bit-string are generated: V1 -points out which must be the card’s response ►Reader to the card communication: ►Card to the reader communication: Ingeniería de Comunicaciones, Universidad de Málaga

  32. ► We take advantage of the characteristics of the communication based on inductive coupling  Reader monitories directly the amplitude of the carrier (no side band) to detect the state of the card. ► Processing delay is zero because the card doesn’t have to compute anything. It knows beforehand the next state. 5.- Novel protocol with void-challenges Example for: V0=001010011 and V1=1001 Ingeniería de Comunicaciones, Universidad de Málaga

  33. 5.- Novel protocol with void-challenges Reader monitories directly the amplitude of the carrier (no side band) ►The key point is: how fast the reader can detect the state of the card. ►The longer is the distance worse is the inductive coupling and more difficult will be to detect the state Ingeniería de Comunicaciones, Universidad de Málaga

  34. Clearly, the number of intervals (rounds) has to be increased 5.- Novel protocol with void-challenges Resistant against terrorist attack ►K, V0, V1 are intermingled ►To avoid a eavesdropper could know the key K: the reader randomly leaves without sending some challenges  eavesdropper loses this information. Ingeniería de Comunicaciones, Universidad de Málaga

  35. 5.- Novel protocol with void-challenges Security Analysis ► Vulnerable to distance fraud attack ►Resistant to relay attacks and terrorist attacks The complexity of the attacks this protocol is able to detect depends on the time the reader needs to distinguish the state of the card. It will depend on the distance between the card and the reader but 1μs could be enough. Simple attacks are easily detected (Hancke’s attack introduces 15-20μs) Furthermore, to improve the system only the reader has to be modified. Much cheaper than if the cards had to be modified Ingeniería de Comunicaciones, Universidad de Málaga

  36. 6.-CONCLUSIONS ► Attacks related to the location  The most worrying is the mafia fraud attack. ►Distance Bounding protocol are the only solution against them. Tightly integrated in the physical layer. ►Hancke and Kuhn’s protocol for RFID. ►Vulnerable to terrorist attack  K, v0 and v1 Intermingled. ►High number of rounds  Use of void challenges. ►Expensive  Use of the novel distance bounding protocol to detect simple relay attacks (1μs). The complexity falls on the reader. Ingeniería de Comunicaciones, Universidad de Málaga

  37. THANK YOU FOR YOUR ATTENTION DISTANCE BOUNDING PROTOCOLS WITH VOID CHALLENGES FOR RFID Jorge Munilla. e-mail:munilla@ic.uma.es Dpto. Ingeniería de Comunicaciones UNIVERSIDAD DE MÁLAGA

More Related