Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAR-SSI, 16/05/2014Cristina Onete CIDRE Keep your friends close with distance-bounding protocols.

Published byRosemary Norton Modified over 9 years ago

Similar presentations

Presentation on theme: "SAR-SSI, 16/05/2014Cristina Onete CIDRE Keep your friends close with distance-bounding protocols."— Presentation transcript:

1 SAR-SSI, 16/05/2014Cristina Onete CIDRE Keep your friends close with distance-bounding protocols

2  Cristina Onete || 16/05/2014 || 2 Meet the girl Marie-Claire Need authentication

3  Cristina Onete || 16/05/2014 || 3 Authentication 1 = Accept 0 = Reject ProverVerifier Adversary

4  Cristina Onete || 16/05/2014 || 4 PKES: Authentication

5  Cristina Onete || 16/05/2014 || 5 Authentication

6  Cristina Onete || 16/05/2014 || 6 Contents  Authentication & Distance Bounding Authentication protocols Relay attacks – mafia fraud  Constructing distance-bounding protocols Basic structure Privacy  Lessons learned Distance bounding protocols Distance & Mafia fraud Terrorist fraud resistance  Next steps

7  Authentication & Distance Bounding Part I:

8  Cristina Onete || 16/05/2014 || 8 Authentication 1 = Accept 0 = Reject ProverVerifier Adversary

9  Cristina Onete || 16/05/2014 || 9 Authentication (symmetric) K N P, MAC K (N P | N V ) NVNV Pick random N V Pick random N P Compute MAC K (N P | N V ) Verify MAC K (N P | N V ) Recall: MAC ensures EUF-CMA (unforgeability) Security: right partner sent MAC

10  Cristina Onete || 16/05/2014 || 10 Authentication (symmetric) N P, MAC K (N P | N V ) NVNV  Observe N 1 honest sessions learn N P, N V, MAC K (N P | N V )  N 2 times: Query P with N V learn pairs N P, MAC K (N P | N V ) for each N V  N 3 challenge sessions with V Verifier sends N V Adv has seen N V before: replay Adv has sent N V before

11  Cristina Onete || 16/05/2014 || 11 Relay Attacks (Mafia Fraud) [Des88] Leech Ghost NVNV NVNV NVNV N P MAC K (N P |N V ) N P, MAC K (N P |N V ) N P, MAC K (N P |N V ) Far-away Prover helps Adversary Works for Bluetooth, smartcards, Keeloq, PKES (cars)

12  Cristina Onete || 16/05/2014 || 12 Distance-Bounding Protocols if comm. speed & complexity are constant t max c r check r t t max  Distance-bounding idea: proximity = trust Use timer! c, r must be bits minimal processing

13  Cristina Onete || 16/05/2014 || 13 Distance-Bounding Protocols  Distance-bounding idea: use timer! if comm. speed & complexity are constant t max c r check r t t max Do proximity test N times for reliability c r

14  Cristina Onete || 16/05/2014 || 14 Distance-Bounding Properties  Mafia Fraud Resistance  Terrorist Fraud Resistance  Distance Fraud Resistance No relays! Help is one-time t max

15  Cristina Onete || 16/05/2014 || 15 Distance-Bounding Attacks  Mafia Fraud Resistance Marie-Claire has unique e-key to gym locker Marie-Claire is at party with Leech Ghost is at gym, wants to get into the locker  Terrorist Fraud Resistance Marie-Claire and Adv. are friends Marie-Claire wants to let Adv. to use her locker But Adv. shouldn’t enter again without permission  Distance Fraud Resistance Marie-Claire runs a red light, wants to prove she was at the gym, but she is far away

16  Distance-Bounding Protocols Part II:

17  Cristina Onete || 16/05/2014 || 17 Distance-Bounding Protocol  Basic structure round ……………… slow fast

18  Cristina Onete || 16/05/2014 || 18 Distance-Bounding Protocol  Authentication + distance upper-bounding N P MAC K (N P | N V ) NVNV Authentication K c r N times Distance check If r random, then no authentication random c

19  Cristina Onete || 16/05/2014 || 19 Distance-Bounding Protocol  Authentication + distance upper-bounding N P MAC K (N P | N V ) NVNV Authentication K c r = c N times Distance check Distance-fraud resistance: can’t guess c No authentication: no mafia-fraud resistance Link r to auth. string

20  Cristina Onete || 16/05/2014 || 20 Distance-Bounding Protocol N P Compute r = MAC K (N P | N V ) NVNV K cici riri N times Check r i and time Mafia-fraud resistance: from unforgeability Distance-fraud resistance: no, r predictable for Prover

21  Cristina Onete || 16/05/2014 || 21 Distance-Bounding Protocol N P r 0 |r 1 = MAC K (N P | N V ) NVNV K cici ricirici N times Check r and time Mafia-fraud resistance: from unforgeability Distance-fraud: no guarantee on MAC output distribution

22  Cristina Onete || 16/05/2014 || 22 Distance-Bounding Protocol N P r 0 |r 1 = MAC K (N P | N V ) NVNV K cici ricirici N times Check r and time Mafia-fraud resistance: from unforgeability Distance-fraud: no guarantee on MAC output distribution Distance-fraud: cannot choose clever nonce to get r 0 ≈ r 1

23  Cristina Onete || 16/05/2014 || 23 Distance-Bounding Protocol N P r 0 |r 1 = PRF K (N P | N V ) NVNV K cici ricirici N times Check r and time Mafia-fraud resistance: from unforgeability Distance-fraud: from unpredictability of response Distance-fraud: cannot choose clever nonce to get r 0 ≈ r 1 [HK05]: [BMV12]: PR-ness alone not enough! [BMV13]: Stronger assumption on PRF

24  Cristina Onete || 16/05/2014 || 24 Distance-Bounding Protocols N P r 0 = PRF K (N P | N V ) NVNV K,K’ cici ricirici N times r 1 = r 0 XOR K’  Defeat terrorist-fraud attacks Intuition: Sending r 0, r 1 reveals the key K’ Reality: Dependency enables key-learning attack

25  Cristina Onete || 16/05/2014 || 25 Distance-Bounding Protocols N P r 0 = PRF K (N P | N V ) NVNV K,K’ cici ricirici r 1 = r 0 XOR K’  Key learning [AT09,DFK+11] t max ……………… rounds 1 to N-1 cNcN c N +1 r N c N +1 Accept: r N c N +1 = r N c N K’ N = 0 Repeat: learn K’ Next: query r 0, have r 1

26  Cristina Onete || 16/05/2014 || 26 Distance-Bounding Protocols N P r 0 = PRF K (N P | N V ) NVNV K,K’ cici ricirici N times r 1 = r 0 XOR K’  Prevent adversary from flipping bits [KAK+08] PRF K (transcript) Mafia-fraud: near-optimal, final PRF prevents any flips Distance-fraud: while K’ pseudoran- dom, distance of r 0, r 1 optimal Terrorist-fraud: Yes, but the advantage the adversary has is only marginal

27  Cristina Onete || 16/05/2014 || 27 Distance-Bounding Protocols N P r 0 = PRF K (N P | N V ) NVNV K,K’ cici ricirici N times r 1 = r 0 XOR K’  Prevent adversary from flipping bits [KAK+08] PRF K (transcript) Mafia-fraud: lower, final PRF allows some attacks. Distance-fraud: while K’ pseudoran- dom, distance of r 0, r 1 optimal Terrorist-fraud: It works: learning bits of K’ helps and can re- use transcript with 0 PRF K (T* (c i = 0))

28  Cristina Onete || 16/05/2014 || 28 Distance-Bounding Protocols  Lessons learned so far Distance-fraud: unpredictable responses  Just echoing challenges works optimally  Reponses output by PRF, if no special nonces  Link responses by pseudorandom key Mafia-fraud: authenticating responses + no key-learning  Two strings output by PRF  Final transcript authentication works optimally  If linked responses, final authentication necessary Terrorist-fraud: relate responses by using extra key  Also give back-door for future authentication

29  Cristina Onete || 16/05/2014 || 29 Distance-Bounding Protocols  Game-based privacy (untraceability) [V07] … DrawProver Always draw right or always draw left Prover 1Prover 2 Prover n Verifier Handle

30  Cristina Onete || 16/05/2014 || 30 Privacy in Authentication Prover 1 Verifier Prover 2 Prover n … Handle DrawProver Corrupt Key Left/right  Game-based privacy (untraceability) [V07]

31  Cristina Onete || 16/05/2014 || 31 Distance-Bounding Protocols  Forward privacy: Once a key is corrupted, can you distinguish past sessions?  Strong privacy: no rules for corruption  Requires key updates  No privacy guaranteed for future sessions  The most we can get with symmetric authentication  Needs public key crypto: key agreement  Idea of [HPO13]: combine strongly private authen- tication with distance bounding  Responses: pseudo-random truncation of DH key  Authenticate transcript in final authentication string

32  Cristina Onete || 16/05/2014 || 32 Symmetric key  Public key Nonce exchange K cici ricirici N rnds Compute r 0, r 1 using K Sign K (transcript) Nonce exchange k, X= kP cici ricirici N rnds r 0, r 1 : eph. DH Authentication of ID & challenges y, Y= yP

33  Cristina Onete || 16/05/2014 || 33 MIM-Private DB ([HPO13])  Auth. + relay: adapt/compose auth. and prox. check r 1 P, r3Pr3P Random r 1, r 2 Random c, r, r 3 Compute r 0 |r 1 = xcoord {r 1 r 3 P} 2n r2Pr2P cici ricirici e = c|r s s = k+er 1 +r 2 +d d = xcoord [r 1 yP]; Check: (s-d)P – e R 1 -R 2 == kP? n times DH tuple

34  Cristina Onete || 16/05/2014 || 34 MIM-Private DB ([HPO13])  Auth. + relay: adapt/compose auth. and prox. check r 1 P, r3Pr3P Random r 1, r 2 Random c, r, r 3 Compute r 0 |r 1 = xcoord {r 1 r 3 P} 2n r2Pr2P cici ricirici e = c|r s s = k+er 1 +r 2 +d d = xcoord [r 1 yP]; Check: (s-d)P – e R 1 -R 2 == kP? Mafia fraud n times

35  Cristina Onete || 16/05/2014 || 35 MIM-Private DB ([HPO13])  Auth. + relay: adapt/compose auth. and prox. check r 1 P, r3Pr3P Random r 1, r 2 Random c, r, r 3 Compute r 0 |r 1 = xcoord {r 1 r 3 P} 2n r2Pr2P cici ricirici e = c|r s s = k+er 1 +r 2 +d d = xcoord [r 1 yP]; Check: (s-d)P – e R 1 -R 2 == kP? Dist. fraud n times

36  Cristina Onete || 16/05/2014 || 36 MIM-Private DB ([HPO13])  Auth. + relay: adapt/compose auth. and prox. check r 1 P, r3Pr3P Random r 1, r 2 Random c, r, r 3 Compute r 0 |r 1 = xcoord {r 1 r 3 P} 2n r2Pr2P cici ricirici e = c|r s s = k+er 1 +r 2 +d d = xcoord [r 1 yP]; Check: (s-d)P – e R 1 -R 2 == kP? Privacy Impersonation n times

37  Cristina Onete || 16/05/2014 || 37 Privacy in Distance Bounding  Intuitively: not just MIM adversary, but also honest- but curious/malicious verifier  Change model to allow this  Construction:  Group signatures: overkill, no need for opening or group structure  Accumulators: would have worked, but use pairings. Our scheme uses DDH assumption  Core idea: a kind of ring signatures with infrastruc- ture provided by external entity (Server)  BB use of NIZK scheme  AsiaCCS 2014 [GOR14]: how about insider privacy?  Secure, fully anonymous, deniable w.r.t. Server

38  Cristina Onete || 16/05/2014 || 38 Lessons Learned Distance-bounding  Responses must be unpredictable to Prover: large Hamming distance, no cheating input  Responses must authenticate Prover, add final authentication at the end  Privacy: private authentication, randomized proximity check response Questions for future  Are privacy and terrorist-fraud resistance compatible?  Can generic privacy be achieved by composition of private authentication and proximity check?

39 CIDRE Thanks!

Download ppt "SAR-SSI, 16/05/2014Cristina Onete CIDRE Keep your friends close with distance-bounding protocols."

Similar presentations

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.

Pairwise Key Agreement in Broadcasting Networks Ik Rae Jeong.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.

Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Position Based Cryptography* Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA CRYPTO ‘09.

Position Based Cryptography* Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA CRYPTO ‘09.

Similar presentations

Ads by Google