Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identification Protocols

Published byEugeniusz Tomczyk Modified over 5 years ago

Similar presentations

Presentation on theme: "Identification Protocols"— Presentation transcript:

1 Identification Protocols
Network Security Design Fundamentals ET-IDA-082 Lecture-15 Physical Security Identification Protocols , v34 Prof. W. Adi

2 Popular Attack Scenarios Replacement/Substitution Attack
Legal Unit Intruder False Unit Customer Examples: - False mobile base station attack (GSM Mobile system) - False Internet host

3 Popular Attack Scenarios Tele-service attack: Channel Hijacking Attack
Legal Service Access Internet False Access Diverted/Hijacked channel Customer Machine

4 Popular Attack Scenarios Network unit replacement attack
Fake unit Illegal Monitor/Node

5 Popular Attack Scenarios Replacement Attack- Hardware patch
Manufacturer cheats! Attacker has successfully cloned the unit! Fake HW FCC cert Gateway in HW Gateway out TÜV cert Requirements Unit structure should be unclonable or clone-resistant! Unit should be unchangeable “Tamper-Proof”!

6 Two Basic Requirements for Solid Security
Identify and trust each other (Mutual-Authentication) Establish a secured link (secrecy) Internet False Access Machine

7 Contemporary State of the Art
Identify & Trust (Authentication) Physical Security Secured link (secrecy) - Physical uniqueness !! ? - Unclonable units !! ? - Electro-Mechanical identity (Mechatronic-Identity) !!? (Automobile, Production Machines, Robots ….) Relatively mature technology

8 International Mobile Equipment Identity Subscriber Identity Module
Practical GSM Security Gaps A5 Cipher Broken 1999 International Mobile Equipment Identity IMEI (non-secured) SIM (secured) Subscriber Identity Module Cloned for some standard function ( challenges. Berkeley Univ.) No collapse. System still solid!

9 GSM: Mobile Equipment Identification
Attacked serial number IMEI (International Mobile Equipment Identity) Identity request Manufacturer Identity Tamperproof hardware entity IMEI IMEI Open Identity System Software IMEI Identity IMEI (legal response) Jump (Soft-Patch) IMEI‘ (Fake response)!

10 Physically Unique Units Production
Common technique: Unique objects Fabricate equal objects inject un-removable and Provable Identity

11 Personalizing Physical Entities : One-Way Injection
Mechanical simulation Unique Provable Identity Module - tamperproof - un-removable Neutral objects Unique object One Way secret-key injection One-Way (One-time) Injection

12 Requirements on Physical Uniqueness in Production
Personalization requirements: Uniqueness - Unclonable, Clone-Resistant - Remotely and securely Identifiable - Low cost - Resilient security if cloned! (brake-one brake-all impossible!) 12

13 Why clone-resistant physical units?
Commercial-economic reasons (Cloning) Identity (Privacy) Know-How protection (IP-Cores) Medical Automotive units E-Money …. Smart-Home, -City, -Gouvernement, Consumer, IoT ..

14 DNA-like Physical Unclonable Functions (PUF‘s)
Bio-Inspired Provable Physical Identity Make use of born uniqueness properties (DNA like)

15 State of the Art: Unclonable Devices by: Analog Physical Unclonable Functions (PUFs)
Delay based Since 2000 many proposals optical PUF coating PUF Silicon PUF optical fiber PUF RF COA LC-PUF S-RAM PUF Arbiter PUF fluorescent PUF Unclonable DNA-Chain Optical Delay PUF Butterfly PUF diode breakdown PUF reconfigurable PUF acoustic PUF controlled PUF phosphor PUF ... Coating PUF (Capacity) So far all have “Reproducibility” problems! Analog functions!!! Born properties: Similar to the biological DNA

16 Best physical Identity: As the born DNA-like provable identification
Biological DNA Select Markers Chemical Extractor Chemical Markers Identification by matching markers Bio DNA: 248 combinations ≈3 · 1012 Physical Unclonable Functions PUFs offer DNA like Identification Techniques Ideal PUFs are: Born unpredictable and unclonable physical VLSI properties. In other words: PUFs are analogue non-linear, hard to model or to copy, unpredictable huge mapping in a semiconductor VLSI device Analogue Response PUF Unknown DNA like Mapping VLSI Discrete Extractor Discrete stimulation (select marker) Discrete Identification Response 16 16

17 PUFs inconsistency and aging difficulties
* R pdfR PUF challenge C response R Physical System - Same input =>Different response “noisy function” “complex interaction” Bad reproducibility due to : Operating conditions, quantization (Metastability) , Aging, … PUF x y fuzzy secret * Fuzzy Extractor K Crypto cryptographic key Fuzzy Extractors: Complex, Costly (Sign. Proc + ECC) * Source: Roel Maes, ESAT/COSIC, K.U.Leuven, BCRYPT Workshop:

18 Fuzzy Extractor for (PUFs)
Fuzzy Extractor: is used to correct errors in reproducing the PUF response by deploying error correcting codes /Helper Data Concept Enrolment process Helper Data (HD) C PUF R Helper Data Extractor Key One-Time-Process Reconstruction C PUF R’ Fuzzy Extractor Error Correction Key Helper Data (HD) Repeated Action NOTICE: Helper Data: need not to be secured!

19 Bio-Inspired Identification Protocol
DNA-Like Marker-Based Identification DNA-Like Marker-Based Identification DNA-like Identity chain Carrier/function P1 Ci Pi P2 Ri List generated and kept secret by the proving authority C2 – R2 R‘2 Secret Pair’s List C1 - R1 C2 - R2 Ci - Ri Up to  Same ? If max | C,R|  , Then unit is unclonable Tow-way Protocol: 1- send C2 to the object 2- Object responds with R2 if authentic - Cancel the pair C2 - R2 from the list and never use it again If C and R each having n-Bits, Max table size: 2n 2n (example: for n=128 impossible to store) , that is the unit is unclonable!

20 Identification module (Function)
Selected Physical Unclonable Functions PUFs Device Silicon PUF Intrinsic PUF Optical PUF Coating PUF Few promissing PUF´s Unique + Unclonable Response Challenge PUF Identification module (Function) Identification by checking challenge-response behavior Like DNA 20

21 … … Silicon PUF MUX Chain or Arbiter PUFs
Principle: Compare delay time in a chain. Each physical chips exhibits own different delay time behaviour which identifies it 1 1 1 1 Response Challenge 1 1 1 1 1 1 1 1 D D Q Q 1 if top path is faster, else 0 Rising Edge step G G 1 1 1 1 1 1 Source [8] 1. 21

22 Silicon PUF Ring Oscillator Design Procedure MUX 2467MHz counter
1 2 N 2467MHz counter 2519MHz Output >? 0 or 1 N oscillators counter 2453MHz Input Compare frequencies of two oscillators.The faster oscillator is randomly determined by manufacturing variations

23 Intrinsic PUF(I-PUF) S-RAM PUF Power up
S-RAM initial state after power on Is mostly the same. (re-production !!) However different from chip to chip Power up Source [8] 5.

24 SRAM PUF : Intra-Chip Variation
Intrinsic PUF(I-PUF) SRAM PUF : Intra-Chip Variation Principle: Read some memory area to identify physical units S-RAM initial state after power on is mostly the same. (re-production !!) However different from chip to chip Source [8] 24

25 Real-Field SRAM PUF in the Market
Microsemi SmartFusion®2 Techn. SRAM PUF K Gate Manufacturer secrets! Hard-Core PUF 16 kb RAM Xilinx FPGA: SRAM PUF many IP-Cores … SRAM, Delay-based, …

26 Optical PUF Challenge Response Laser beam Scattered/reflected beam
Principle: Difference in reflected and refracted ray of light on a surface Laser beam Challenge Scattered/reflected beam Response Source [8] 3. 26

27 Optical PUF Practical set-up relatively complex Laser Camera PUF
Source [8] 27

28 Possible Integrated PUF
Optical PUF Possible Integrated PUF Source [8] 28

29 Coating PUF dielectric coating material Capacity sensor grid Sensor
Principle: Different capacity sensed at by different sensors dielectric coating material Capacity sensor grid Capacity differences Sensor Sensor Active layers + lower metal layers Bulk top metal passivation 1 2 Source [8] 29

30 Coating PUF Source [8] 30

31 Possible attacks on PUFs
- Manufacturer cheats! Challenge Response Fake PUF Detectable ! Manufacturer has to be trustable! Tamper-Proof technology is required! 7. 31

32 State of the Art PUFs are however,
Still complex and costly to produce Sensitive to temperature and supply voltage etc. Have long-term reproducibility “Aging” issues ! (non-Consistent in the long term!) Still relatively limited real field use! 7. 32

33 Identification Mechanisms
Secret Key Mechanisms Public Key Mechanisms Required for every solid security system!

34 1. Secret-Key Identification Mechanisms
Require secret key agreement!

35 Challenge-Response Identification Mechanisms
Explicit Secret Key Signature Authenticity without Secrecy Prover A Verifier Ki Set up: Agree on a secret key Ki and a One-Way Function F RES=F(Ki , R) Who are you ? : Prove by using R that you know Ki Authentication Request Generate a random R (Challenge) I am A, and this is the proof : RES (Response) If RES = F(Ki , R) then accept ?

36 GSM Challenge-Response mapping COMP128 (SIM-Card identification)
Verifier‘s GSM-HLR Random Generator CH(t) SIM Card CH(t) RES‘ RES Ki H = Accept / Reject RES‘=RES? Ki H COMP128

37 Improved Symmetric Challenge-Response Identification Mechanism
(Standard usage in modern network protocols) Prover A Verifier Ki Set up: Agree on a secret key Ki and a One-Way Function F Who are you ? : Prove by using Rv that you know Ki Authentication Request Generate a random Rv (Challenge) Rv RES=F(Rt, Ki, Rv) Rt If RES = F(Ki, Rt, Rv) then accept ? I am A, and this is the proof : RES, Rt (Response)

38 2. Public-Key Identification Protocols
No secret key agreement is necessary!

39 Identification Protocols/Mechanisms
Zero- Knowledge Iterative Proof (ZKIP) Authenticity without Secrecy Prover Verifier Who are you ? Authentication Request I am A, and this is the proof This protocol can be repeated many times for higher security ! The proof is called a Zero-Knowledge proof if: Prover reveals no secrets (whatever) to the verifier !

40 Fiat-Shamir Proof-of-Identity Protocol (1986)
A Zero-Knowledge proof protocol ! m = p1 p2 p1 p2 are secrets which no body should know Security relies on the Factoring Problem ! public directory m is RSA type modulus xa = secret key of A ya = xa2 in Zm (mod m) Verifier Prover A A chooses a unit r, gcd(m,r)=1 in Zm and computes S = r 2 ( I am user A, S ) randomly choose b b = 1 or 0 b xa S ya If t2 = S . Yab = r2 . (Xa) 2b then A is authentic (A knows xa ) t t = r. xab A can cheat if he stores earlier verification with the same b sequence!! Prob. of a successful attack after k trials = 2-k

41 Example: Fiat-Shamir Proof-of-Identity Protocol (1986)
A Zero-Knowledge proof protocol ! m = p1 p2 = 35 p1 p2 are secrets which no body should know Security relies on the Factoring Problem ! public directory m= is RSA type modulus xa = secret key of A=8 ya = xa2 = in Zm (mod m) Prover A Verifier A chooses a unit r=11 , gcd (11,35)=1 in Zm and computes S = r 2 = 112 = 16 ( I am user A, S=16 ) randomly choose b b = 1 or 0 xa b=1 S ya If t2 = S . yab = 182 = 16 X 291 9 = 9 then A is authentic (A knows xa ) t =18 t = r. xab = 11 X 8 = 18 Prob. of a successful attack after k trials = 2-k

42 Omura Proof-of-Identity Protocol
public directory Security relies on the Discrete Log. Problem !  is a primitive element in GF(p)  Xa = ya ya = public key of A Verifier Prover A xa Randomly choose k compute R =  k Who are you?, R R I am user A, R Xa R Xa check R Xa = yak =  k. Xa R Xa =  k. Xa Is not Zero knowledge if verifier cheats !

43 Example: Omura Proof-of-Identity Protocol
public directory = 2 is a primitive element in GF( 83 ) ya = public key of A  Xa = 211 = 56 = ya Verifier Prover A xa Randomly choose k=40 compute R =  k =41 Who are you?, R=41 R=41 I am user A, RXa = 40 check R Xa = yak 40 = 5640 40 = (211)40=40 => User is authentic R Xa = 4111 = (240)11 = 2440 mod 82 = 40

44 Schnorr’s Identification/signature Scheme
Open Directory (as DH public directory) GF(p), Element α has order q such that q is prime which divides p-1 is the public key of A having secret key xA< q User A sings a hash value H(M|r) for a message message M: Similarity to ElGamal Signature Prover A verifier - A proves that he knows xA - A good ans strong hash function is required

Download ppt "Identification Protocols"

Similar presentations

Trusted Design In FPGAs

Trusted Design In FPGAs
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
Security with Noisy Data Boris Škorić TU Eindhoven Ei/Ψ anniversary, 24 April 2009 1.

Security with Noisy Data Boris Škorić TU Eindhoven Ei/Ψ anniversary, 24 April
Physical Unclonable Functions and Applications

Physical Unclonable Functions and Applications
Physical Unclonable Functions

Physical Unclonable Functions
Fuzzy extractor based on universal hashes

Fuzzy extractor based on universal hashes
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Information Security for Managers (Master MIS)

Information Security for Managers (Master MIS)
Bit Error Probability Evaluation of RO PUFs Qinglong Zhang, Zongbin Liu, Cunqing Ma and Jiwu Jing Institute of Information Engineering, CAS, Beijing, China.

Bit Error Probability Evaluation of RO PUFs Qinglong Zhang, Zongbin Liu, Cunqing Ma and Jiwu Jing Institute of Information Engineering, CAS, Beijing, China.
1 UCR Hardware Security Primitives with focus on PUFs Slide credit: Srini Devedas and others.

1 UCR Hardware Security Primitives with focus on PUFs Slide credit: Srini Devedas and others.
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.

Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
Cryptography and Network Security (CS435) Part Eight (Key Management)

Cryptography and Network Security (CS435) Part Eight (Key Management)
Presented by: Suparita Parakarn 50-7038-103-2 Kinzang Wangdi 51-7018-007-8 Research Report Presentation Computer Network Security.

Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.

Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Similar presentations

Ads by Google