Distance Bounding Protocols with Void Challenges for RFID Jorge Munilla Fajardo Dpto. Ingeniería de Comunicaciones. E.T.S.I.Telecomunicación. Universidad.

Slides:

Advertisements

Similar presentations

Wireless LAN RF Principles

Advertisements

Nick Feamster CS 4251 Computer Networking II Spring 2008

Doc.: IEEE /0111r0 Zhanji Wu, et. Al. December 2012 Submission A Physical-layer Network Coding Relay scheme for IEEE Date: Authors:

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

Secure Pre-Shared Key Authentication for IKE

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

Summary of Chapter II 1.Data Transmission. Step 1: what we have Analog signal Carry wave (carrier) Received singal ??

PRESENTED BY: FATIMA ALSALEH Credit Cards Fraud - skimmers -

PROF. MAULIK PATEL CED, GPERI Mobile Computing Gujarat Power Engineering and Research Institute 1 Prepared By: Prof. Maulik Patel Mobile Technologies.

RFID: OPPORTUNITIES and CHALLENGES Yize Chen. History In 1969, Mario Cardullo presented a RFID business plan to investors. The application areas include:

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Hidden Terminal Problem and Exposed Terminal Problem in Wireless MAC Protocols.

Ultra-Wideband Technology

12.1 Chapter 12 Multiple Access Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

ECE 4321: Computer Networks Chapter 3 Data Transmission.

1 FCC RFID Workshop RFID Discussions September 7, 2004 Kevin Powell, Symbol Technologies.

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Computer Communication & Networks Lecture # 06 Physical Layer: Analog Transmission Nadeem Majeed Choudhary

Timo Kasper Crete, Greece May 10, 2007 An Embedded System for Practical Security Analysis of Contactless Smartcards Timo Kasper, Dario Carluccio and Christof.

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.

Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL

Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013.

1 Remote Power Analysis of RFID Tags Joint work with Adi Shamir yossi.oren[at]weizmann.ac.il 28/Aug/06.

Wireless Networks: Signaling and Security William Tucker CEN 4516: Computer Networks FGCU: Fort Myers, FL: 09/05.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Personal Area Networks: Near- field intrabody communication By T.G Zimmerman.

Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Data Transmission Slide 1 Continuous & Discrete Signals.

Wireless and going mobile Browsing via low energy photons.

Spread Spectrum Steganography Nick Sterling Sarah Wahl Sarah Summers.

EEC-484/584 Computer Networks Lecture 7 Wenbing Zhao

CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.

William Stallings Data and Computer Communications 7th Edition (Selected slides used for lectures at Bina Nusantara University) Data, Signal.

1. Outline 1. Background 1. Attacks on distance-bounding 2. Symmetric vs asymmetric protocol 3. Motivation: DBPK-Log 2. VSSDB 1. Building blocks 2. Protocol.

Indian Institute of Technology Hyderabad AM TRANSMITTER SHANTH IC SHANTHI TEJA S VIJAY SUSHRITH P SHIVA KUMAR.

IT-101 Section 001 Lecture #15 Introduction to Information Technology.

Physical-layer Identification of RFID Devices Authors: Boris Danev, Thomas S. Heyde-Benjamin, and Srdjan Capkun Presented by Zhitao Yang 1.

Security Awareness Challenges of Security No single simple solution to protecting computers and securing information Different types of attacks Difficulties.

Effective Questioning in the classroom

Why to Apply Digital Transmission?

1 Business Telecommunications Data and Computer Communications Chapter 3 Data Transmission.

CE 4228 Data Communications and Networking

Physical Layer (2). Goal Physical layer design goal: send out bits as fast as possible with acceptable low error ratio Goal of this lecture – Review some.

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,

AMMAR HAJ HAMAD IZZAT AL KUKHON SUPERVISOR : DR. LUAI MALHIS Self-Driven Car.

Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks Authors: Saar Drimer and Steven J. Murdoch Presented in: Usenix Security Symposium.

Security Awareness Challenges of Securing Information No single simple solution to protecting computers and securing information Different types of attacks.

Lecture 11: Strong Passwords

Maryam Mehrnezhad Feng Hao Siamak F. Shahandashti Newcastle university, UK CryptoForma meeting, Belfast 4 May 2015 Tap-Tap and Pay (TTP): Preventing The.

Secure Pairing of Wireless Devices by Multiple Antenna Diversity Liang Cai University of California, Davis Joint work with Kai Zeng, Hao Chen, Prasant.

Practical Attacks on a Proximity Card Jonathan Westhues June

Submitted By: A.Anjaneyulu INTRODUCTION Near Field Communication (NFC) is based on a short-range wireless connectivity, designed for.

Modulation and Data Transfer February 21, References gy-Article.asp?ArtNum=2

Physical-layer Identification of UHF RFID Tags Authors: Davide Zanetti, Boris Danev and Srdjan Capkun Presented by Zhitao Yang 1.

Chapter 6: Errors, Error Detection, and Error Control Data Communications and Computer Networks: A Business User’s Approach Third Edition.

How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium, 2006 * Presented by Justin Miller.

Security in Near Field Communication Strengths and Weaknesses

Focus On Bluetooth Security Presented by Kanij Fatema Sharme.

Hoda Jannati School of Computer Science

1 st semester 1436/  When a signal is transmitted over a communication channel, it is subjected to different types of impairments because of imperfect.

Review. Layers Physical layer – sending bits from one place to another, ensuring an okay BER Data link layer – encapsulate information bits into frames,

Encoding How is information represented?. Way of looking at techniques Data Medium Digital Analog Digital Analog NRZ Manchester Differential Manchester.

Chapter 7 Channel organization. Group members  Bilal Ahmed  Mehmal javed  Faisal khan janjua  Harris bashir.

Data Communications and Computer Networks Chapter 1 Network Architecture Models Logical and physical connections.

Innovative Intrusion-Resilient, DDoS-Resistant Authentication System (IDAS) System Yanjun Zhao.

Embedded system security

Computer Networks Chapter 5 – Analog Transmission.

Introduction to electronic communication systems

Mobile Computing Lecture Materials By Bintang Eka Putera.

Presentation transcript:

Distance Bounding Protocols with Void Challenges for RFID Jorge Munilla Fajardo Dpto. Ingeniería de Comunicaciones. E.T.S.I.Telecomunicación. Universidad de Málaga (Spain)

Ingeniería de Comunicaciones, Universidad de Málaga SECTIONS 1.- Attacks related to the location 2.-  Definition of Distance Bounding Protocols 3.- Proposed protocol for RFID: HKP (Hancke and Kuhn’s protocol) 4.- Modification of the HKP with void-challenges 5.-  Novel low-cost proposal

Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Characters: Legitimate prover Legitimate prover acting in a bad way Adversary

Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range R-A T-A

Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range T-A R-A

Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range R-A T-A R-A R-B T-B ATTACKER

Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range R-A T-BT-A Legitimate user collaborates with the adversary giving him the necessary information to access to the system but only once.

Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance Range R-AR-A R-AR-A R-AR-A R-AR-A R-AR-A T-BT-B ATTACK ER Distance Fraud Attack Mafia Fraud Attack Terrorist Attack The most worrying

Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks The most worrying These attacks are orthogonal to high level security protocols SOLUTION: DISTANCE BOUNDING PROTOCOLS

Ingeniería de Comunicaciones, Universidad de Málaga 2.- Distance Bounding Protocols VERIFIER K PROVER K Start Timer Response Stop Timer Challenge Compute Response = f (challenge, K) CRYPTOGRAPHIC PART -Based on symmetric key DISTANCE BOUNDING PART n times Received signal strength Round-trip time Ultra-sound waves Electromagnetic waves Processing delay must be short and invariant

Ingeniería de Comunicaciones, Universidad de Málaga 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips VERIFIER K Start Timer N2 Stop Timer N1 Compute H 2n = f (K,N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n For i=1 to n do: R C Compute H 2n = f (K,N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n R=R 0i if C=0 R=R 1i if C=1 End for S S=MAC(K,C 1 ||C 2 ||..C n )Check S PROVER K

Ingeniería de Comunicaciones, Universidad de Málaga 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips VERIFIER K PROVER K Start Timer N2 Stop Timer N1 Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n For i=1 to n do: R C Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n R=R 0i if C=0 R=R 1i if C=1 End for S S=MAC(K,C 1 ||C 2 ||..C n )Check S

Ingeniería de Comunicaciones, Universidad de Málaga 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips VERIFIER K PROVER K N2 N1 Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n Compute H 2n = f (K,N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n S S=MAC(K,C 1 ||C 2 ||..C n )Check S Start Timer Stop Timer For i=1 to n do: R C R=R 0i if C=0 R=R 1i if C=1 End for

Ingeniería de Comunicaciones, Universidad de Málaga 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips VERIFIER K PROVER K S S=MAC(K,C 1 ||C 2 ||..C n ||R 1… )Check S Start Timer Stop Timer For i=1 to n do: R C R=R 0i if C=0 R=R 1i if C=1 End for N2 Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n N1

Ingeniería de Comunicaciones, Universidad de Málaga 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips Start Timer N2 Stop Timer N1 Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n For i=1 to n do: R C Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n R=R 0i if C=0 R=R 1i if C=1 End for S S=MAC(K,C 1 ||C 2 ||..C n )Check S PROVER K VERIFIER K UNRELIABLE Signal doesn’t go through every layer RELIABLE Signal goes through every layer RELIABLE Signal goes through every layer

Ingeniería de Comunicaciones, Universidad de Málaga 3.- Hancke and Kuhn’s protocol VERIFIER K PROVER K Start Timer N2 Stop Timer N1 Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n For i=1 to n do: R C R=R 0i if C=0 R=R 1i if C=1 End for S S=MAC(K,C 1 ||C 2 ||..C n )Check S Removed Due to unreliability of the channel Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n

Ingeniería de Comunicaciones, Universidad de Málaga 3.- Hancke and Kuhn’s protocol VERIFIER K PROVER K Start Timer N2 Stop Timer N1 Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n For i=1 to n do: R C R=R 0i if C=0 R=R 1i if C=1 End for Compute H 2n = f (K, N1,N2) R 0 =H 1 ||H 2 ||…H n R 1 =H n+1 ||H n+2 ||…H 2n UWB Channel

Ingeniería de Comunicaciones, Universidad de Málaga 3.- Hancke and Kuhn’s protocol PROBLEMS: ►Vulnerable to Terrorist Attack (K=D v 1 (v 0 )) K,v o, v 1 intermingled

Ingeniería de Comunicaciones, Universidad de Málaga Hancke and Kuhn’s protocol PROBLEMS: ►Vulnerable to Terrorist Attack (K=D v 1 (v 0 )) K,v o, v 1 intermingled ►Adversary succeeds with probability ¾ Higher number of rounds

Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges Beside v 0 and v 1, a third random bit-string is generated  P P points out when the reader sends a challenge and when he doesn’t Compute H 2n = f (K, N1,N2) V 0 =H 1 ||H 2 ||…H n V 1 =H n+1 ||H n+2 ||…H 2n Compute H 3n = f (K, N1,N2) V 0 =H 1 ||H 2 ||…H n V 1 =H n+1 ||H n+2 ||…H 2n P=H 2n+1 ||H 2n+2 ||…H 3n But a 2n+1 bitstring could be used. P V C=0  H 1, H 2, H 3... C=1  H n+1, H n, H n-1...

Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges Using this vector P, card is able to detect an adversary trying to get the responses in advance.

Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges Analysis Attacker has two possible strategies: ► Asking in advance (taking the risk the card uncovers him) ► Without asking in advance (trying to guess the challenges)

Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges -Without asking in advance (trying to guess the challenges) No advantages!? It coincides with the probability for the HKP But this is true only in a noise-free environment, when the unreliability of the channel is taken into account this modified protocol presents better features than HKP

Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges Anyway, in a noise-free environment if P is generated in the following way: Compute H 4n = f (K, N1,N2) V 0 =H 1 ||H 2 ||…H n V 1 =H n+1 ||H n+2 ||…H 2n P=f(H 2n+1, H 2n+2 ) ||f(H 2n+3, H 2n+4 )||…f(H 4n-1, H 4n ) f(x1,x2) = 1 if x1x2=00, 01, 10 f(x1,x2) = 0 if x1x2=11 The probability for an interval to have a challenge is three times higher than to be void

Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges Analysis when P is generating making the probability for an interval to have a challenge is three times higher than to be void: Same probabilities with fewer rounds

Ingeniería de Comunicaciones, Universidad de Málaga Hancke and Kuhn’s protocol PROBLEMS: ►Vulnerable to Terrorist Attack (K=D v 1 (v 0 )) K,v o, v 1 intermingled ►Adversary succeeds with probability ¾ Void challenges ►Expensive S resolution =c/BW Microwave links & Faster Logic

Distance Fraud attack isn’t too worrying ►It is carried out by a legitimate user ►To increase the range significantly are necessary sophisticated devices Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Two targets ►Reduced processing delay (short and invariant) ►Low cost solution: to modify as less as possible the ordinary cards.The complexity must fall on the reader We give up the idea of avoiding distance fraud attacks  We would need too much BW and fast logic

Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges We focus on avoiding the most worrying attacks  Relay attacks The idea will be to detect the delay introduced by the attacker's devices Two targets ►Reduced processing delay (short and invariant) ►Low cost solution: modify as less as possible the ordinary cards.The complexity must fall on the reader We give up the idea of avoiding distance fraud attacks  We would need too much BW and fast logic

Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges How to modify this protocol to make it resistant to terrorist attacks Two targets ►Reduced processing delay (short and invariant) ►Low cost solution: modify as less as possible the ordinary cards.The complexity must fall on the reader We give up the idea of avoiding distance fraud attacks  We would need too much BW and fast logic We focus on avoiding the most worrying attacks  Relay attacks

Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges RFID-14443a - FEATURES: ►Carrier: 13.56MHz ►Inductive coupling: to supply energy and communication  Up to 10cm ►Passive: no batteries, energy from the reader. ►Communication:106 kbps ( f c /128). ►From Card to Reader: Load Modulation. Subcarrier 847Khz ( f c /16). Manchester Coding ►From Reader to Card: a 100% ASK modulation with Modified Miller Code 2-3μs

Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Two bit-string are generated: V 0 -points out when the reader sends the challenge V 1 -points out which must be the card’s response ►Reader to the card communication:►Card to the reader communication:

Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Example for: V 0 = and V 1 =1001 ► We take advantage of the characteristics of the communication based on inductive coupling  Reader monitories directly the amplitude of the carrier (no side band) to detect the state of the card. ► Processing delay is zero because the card doesn’t have to compute anything. It knows beforehand the next state.

Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Reader monitories directly the amplitude of the carrier (no side band) ► The key point is: how fast the reader can detect the state of the card. ► The longer is the distance worse is the inductive coupling and more difficult will be to detect the state

Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Resistant against terrorist attack ►K, V 0, V 1 are intermingled ►To avoid a eavesdropper could know the key K : the reader randomly leaves without sending some challenges  eavesdropper loses this information. Clearly, the number of intervals (rounds) has to be increased

Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Security Analysis ► Vulnerable to distance fraud attack ►Resistant to relay attacks and terrorist attacks The complexity of the attacks this protocol is able to detect depends on the time the reader needs to distinguish the state of the card. It will depend on the distance between the card and the reader but 1μs could be enough. Simple attacks are easily detected (Hancke’s attack introduces 15-20μs) Furthermore, to improve the system only the reader has to be modified. Much cheaper than if the cards had to be modified

Ingeniería de Comunicaciones, Universidad de Málaga 6.-CONCLUSIONS ► Attacks related to the location  The most worrying is the mafia fraud attack. ►Distance Bounding protocol are the only solution against them. Tightly integrated in the physical layer. ►Hancke and Kuhn’s protocol for RFID. ►Vulnerable to terrorist attack  K, v0 and v1 Intermingled. ►High number of rounds  Use of void challenges. ►Expensive  Use of the novel distance bounding protocol to detect simple relay attacks (1μs). The complexity falls on the reader.

THANK YOU FOR YOUR ATTENTION DISTANCE BOUNDING PROTOCOLS WITH VOID CHALLENGES FOR RFID Dpto. Ingeniería de Comunicaciones UNIVERSIDAD DE MÁLAGA Jorge Munilla.