Distance Bounding Protocols with Void Challenges for RFID Jorge Munilla Fajardo Dpto. Ingeniería de Comunicaciones. E.T.S.I.Telecomunicación. Universidad.


1 Distance Bounding Protocols with Void Challenges for RFID Jorge Munilla Fajardo Dpto. Ingeniería de Comunicaciones. E.T.S.I.Telecomunicación. Universidad de Málaga (Spain)

2 Ingeniería de Comunicaciones, Universidad de Málaga
SECTIONS
1.- Attacks related to the location
2.- Definition of Distance Bounding Protocols
3.- Proposed protocol for RFID: HKP (Hancke and Kuhn's protocol)
4.- Modification of the HKP with void-challenges
5.- Novel low-cost proposal

3 1.- Attacks related to the distance
►Distance Fraud Attacks
►Relay Attacks or Mafia Fraud Attacks
►Terrorist Attacks
Characters: legitimate prover; legitimate prover acting in a bad way; adversary.

4 1.- Attacks related to the distance
►Distance Fraud Attacks
►Relay Attacks or Mafia Fraud Attacks
►Terrorist Attacks
[Figure labels: Range, R-A, T-A]

5 1.- Attacks related to the distance
►Distance Fraud Attacks
►Relay Attacks or Mafia Fraud Attacks
►Terrorist Attacks
[Figure labels: Range, T-A, R-A]

6 1.- Attacks related to the distance
►Distance Fraud Attacks
►Relay Attacks or Mafia Fraud Attacks
►Terrorist Attacks
[Figure labels: Range, R-A, T-A, R-B, T-B, ATTACKER]

7 1.- Attacks related to the distance
►Distance Fraud Attacks
►Relay Attacks or Mafia Fraud Attacks
►Terrorist Attacks
[Figure labels: Range, R-A, T-B, T-A]
The legitimate user collaborates with the adversary, giving him the information necessary to access the system, but only once.

8 1.- Attacks related to the distance
[Figure labels: Range, R-A, T-B, ATTACKER]
Distance Fraud Attack, Mafia Fraud Attack, Terrorist Attack
The most worrying

9 1.- Attacks related to the distance
►Distance Fraud Attacks
►Relay Attacks or Mafia Fraud Attacks
►Terrorist Attacks
The most worrying
These attacks are orthogonal to high-level security protocols.
SOLUTION: DISTANCE BOUNDING PROTOCOLS

10 2.- Distance Bounding Protocols
VERIFIER (K), PROVER (K)
CRYPTOGRAPHIC PART
- Based on symmetric key
DISTANCE BOUNDING PART (n times)
Verifier: Start Timer, send Challenge
Prover: Compute Response = f(challenge, K), send Response
Verifier: Stop Timer
Received signal strength. Round-trip time. Ultra-sound waves. Electromagnetic waves.
Processing delay must be short and invariant

11 2.- Brands and Chaum's protocol
The first distance bounding protocols based on single-bit round trips
VERIFIER (K), PROVER (K)
N1, N2
Both sides compute $H^{2n} = f(K, N1, N2)$, $R_0 = H_1 \| H_2 \| \dots \| H_n$, $R_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$
For i = 1 to n do: Start Timer; C; R, where $R = R_{0i}$ if C = 0 and $R = R_{1i}$ if C = 1; Stop Timer. End for
S: $S = MAC(K, C_1 \| C_2 \| \dots \| C_n)$; Check S

12 2.- Brands and Chaum's protocol
The first distance bounding protocols based on single-bit round trips
VERIFIER (K), PROVER (K)
N1, N2
Both sides compute $H^{2n} = f(K, N1, N2)$, $R_0 = H_1 \| H_2 \| \dots \| H_n$, $R_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$
For i = 1 to n do: Start Timer; C; R, where $R = R_{0i}$ if C = 0 and $R = R_{1i}$ if C = 1; Stop Timer. End for
S: $S = MAC(K, C_1 \| C_2 \| \dots \| C_n)$; Check S

13 2.- Brands and Chaum's protocol
The first distance bounding protocols based on single-bit round trips
VERIFIER (K), PROVER (K)
N1, N2
Both sides compute $H^{2n} = f(K, N1, N2)$, $R_0 = H_1 \| H_2 \| \dots \| H_n$, $R_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$
For i = 1 to n do: Start Timer; C; R, where $R = R_{0i}$ if C = 0 and $R = R_{1i}$ if C = 1; Stop Timer. End for
S: $S = MAC(K, C_1 \| C_2 \| \dots \| C_n)$; Check S

14 2.- Brands and Chaum's protocol
The first distance bounding protocols based on single-bit round trips
VERIFIER (K), PROVER (K)
N1, N2
Both sides compute $H^{2n} = f(K, N1, N2)$, $R_0 = H_1 \| H_2 \| \dots \| H_n$, $R_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$
For i = 1 to n do: Start Timer; C; R, where $R = R_{0i}$ if C = 0 and $R = R_{1i}$ if C = 1; Stop Timer. End for
S: $S = MAC(K, C_1 \| C_2 \| \dots \| C_n \| R_1 \dots)$; Check S

15 2.- Brands and Chaum's protocol
The first distance bounding protocols based on single-bit round trips
VERIFIER (K), PROVER (K)
N1, N2
Both sides compute $H^{2n} = f(K, N1, N2)$, $R_0 = H_1 \| H_2 \| \dots \| H_n$, $R_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$
For i = 1 to n do: Start Timer; C; R, where $R = R_{0i}$ if C = 0 and $R = R_{1i}$ if C = 1; Stop Timer. End for
S: $S = MAC(K, C_1 \| C_2 \| \dots \| C_n)$; Check S
Phase labels: UNRELIABLE (signal doesn't go through every layer); RELIABLE (signal goes through every layer); RELIABLE (signal goes through every layer)

16 3.- Hancke and Kuhn's protocol
VERIFIER (K), PROVER (K)
N1, N2
Both sides compute $H^{2n} = f(K, N1, N2)$, $R_0 = H_1 \| H_2 \| \dots \| H_n$, $R_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$
For i = 1 to n do: Start Timer; C; R, where $R = R_{0i}$ if C = 0 and $R = R_{1i}$ if C = 1; Stop Timer. End for
Removed, due to unreliability of the channel: S, $S = MAC(K, C_1 \| C_2 \| \dots \| C_n)$, Check S

17 3.- Hancke and Kuhn's protocol
VERIFIER (K), PROVER (K)
N1, N2
Both sides compute $H^{2n} = f(K, N1, N2)$, $R_0 = H_1 \| H_2 \| \dots \| H_n$, $R_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$
For i = 1 to n do: Start Timer; C; R, where $R = R_{0i}$ if C = 0 and $R = R_{1i}$ if C = 1; Stop Timer. End for
UWB Channel

18 3.- Hancke and Kuhn's protocol
PROBLEMS:
►Vulnerable to Terrorist Attack ($K = D_{v_1}(v_0)$)
  K, $v_0$, $v_1$ intermingled

19 Hancke and Kuhn's protocol
PROBLEMS:
►Vulnerable to Terrorist Attack ($K = D_{v_1}(v_0)$)
  K, $v_0$, $v_1$ intermingled
►Adversary succeeds with probability ¾
  Higher number of rounds

20 4.- Modification of the HKP with void challenges
Besides $v_0$ and $v_1$, a third random bit-string is generated → P
P points out when the reader sends a challenge and when he doesn't
Compute $H^{2n} = f(K, N1, N2)$, $V_0 = H_1 \| H_2 \| \dots \| H_n$, $V_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$
Compute $H^{3n} = f(K, N1, N2)$, $V_0 = H_1 \| H_2 \| \dots \| H_n$, $V_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$, $P = H_{2n+1} \| H_{2n+2} \| \dots \| H_{3n}$
But a 2n+1 bitstring could be used. [Figure labels: P, V]
C = 0 → $H_1, H_2, H_3, \dots$
C = 1 → $H_{n+1}, H_n, H_{n-1}, \dots$

21 4.- Modification of the HKP with void challenges
Using this vector P, the card is able to detect an adversary trying to get the responses in advance.

22 4.- Modification of the HKP with void challenges
Analysis
The attacker has two possible strategies:
►Asking in advance (taking the risk that the card uncovers him)
►Without asking in advance (trying to guess the challenges)

23 4.- Modification of the HKP with void challenges
- Without asking in advance (trying to guess the challenges)
No advantages!? It coincides with the probability for the HKP.
But this is true only in a noise-free environment; when the unreliability of the channel is taken into account, this modified protocol presents better features than HKP.

24 4.- Modification of the HKP with void challenges
Anyway, in a noise-free environment, if P is generated in the following way:
Compute $H^{4n} = f(K, N1, N2)$, $V_0 = H_1 \| H_2 \| \dots \| H_n$, $V_1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$
$P = f(H_{2n+1}, H_{2n+2}) \| f(H_{2n+3}, H_{2n+4}) \| \dots \| f(H_{4n-1}, H_{4n})$
$f(x_1, x_2) = 1$ if $x_1 x_2 = 00, 01, 10$
$f(x_1, x_2) = 0$ if $x_1 x_2 = 11$
The probability for an interval to have a challenge is three times higher than to be void.

25 4.- Modification of the HKP with void challenges
Analysis when P is generated so that the probability for an interval to have a challenge is three times higher than to be void:
Same probabilities with fewer rounds
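Added example, not from the slides: a Python sketch of the register derivation on slides 20 and 24 and of the card-side check described on slide 21. It assumes HMAC-SHA256 in counter mode as f, that a 1 in P marks an interval with a challenge, and that the card goes silent once it is challenged in a void interval; the key and nonces are constructed values.

```python
import hashlib
import hmac

def prf_bits(key, n1, n2, nbits):
    """Assumed stand-in for f(K, N1, N2): HMAC-SHA256 in counter mode."""
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, n1 + n2 + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return [(out[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]

def derive_registers(key, n1, n2, n, biased=False):
    """Return (V0, V1, P); P[i] == 1 means interval i carries a challenge.
    biased=False: 3n bits, P = H_{2n+1}..H_{3n}. biased=True: 4n bits and
    f(x1, x2) = 0 only for 11, so on average 3 of 4 intervals carry one."""
    h = prf_bits(key, n1, n2, (4 if biased else 3) * n)
    v0, v1, tail = h[:n], h[n:2 * n], h[2 * n:]
    if biased:
        tail = [0 if tail[2 * i] & tail[2 * i + 1] else 1 for i in range(n)]
    return v0, v1, tail

class Card:
    """Prover side. Going silent after an alarm is an assumption of this sketch."""
    def __init__(self, v0, v1, p):
        self.v0, self.v1, self.p, self.alarm_slot = v0, v1, p, None

    def slot(self, i, challenge):
        """challenge is 0, 1, or None when nothing arrives in interval i."""
        if self.alarm_slot is not None:
            return None
        if self.p[i] == 0:                 # void interval
            if challenge is not None:      # the reader would have stayed silent
                self.alarm_slot = i
            return None
        if challenge is None:
            return None
        return self.v1[i] if challenge else self.v0[i]

def run(card, challenges):
    """Feed one challenge (0, 1 or None) per interval; return the card's replies."""
    return [card.slot(i, c) for i, c in enumerate(challenges)]

KEY, N1, N2, N = b"constructed-demo-key", b"nonce-1", b"nonce-2", 64  # constructed

if __name__ == "__main__":
    v0, v1, p = derive_registers(KEY, N1, N2, N)
    early = Card(v0, v1, p)
    run(early, [0] * N)                    # a challenge arrives in every interval
    print("first void interval:", p.index(0) if 0 in p else None, "alarm at:", early.alarm_slot)
```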

26 Hancke and Kuhn's protocol
PROBLEMS:
►Vulnerable to Terrorist Attack ($K = D_{v_1}(v_0)$)
  K, $v_0$, $v_1$ intermingled
►Adversary succeeds with probability ¾
  Void challenges
►Expensive ($S_{resolution} = c/BW$)
  Microwave links & Faster Logic

27 5.- Novel protocol with void-challenges
Distance Fraud attack isn't too worrying
►It is carried out by a legitimate user
►Sophisticated devices are necessary to increase the range significantly
Two targets
►Reduced processing delay (short and invariant)
►Low cost solution: modify the ordinary cards as little as possible. The complexity must fall on the reader
We give up the idea of avoiding distance fraud attacks → We would need too much BW and fast logic

28 5.- Novel protocol with void-challenges
We focus on avoiding the most worrying attacks → Relay attacks
The idea will be to detect the delay introduced by the attacker's devices
Two targets
►Reduced processing delay (short and invariant)
►Low cost solution: modify the ordinary cards as little as possible. The complexity must fall on the reader
We give up the idea of avoiding distance fraud attacks → We would need too much BW and fast logic

29 5.- Novel protocol with void-challenges
How to modify this protocol to make it resistant to terrorist attacks
Two targets
►Reduced processing delay (short and invariant)
►Low cost solution: modify the ordinary cards as little as possible. The complexity must fall on the reader
We give up the idea of avoiding distance fraud attacks → We would need too much BW and fast logic
We focus on avoiding the most worrying attacks → Relay attacks

30 5.- Novel protocol with void-challenges
RFID-14443a - FEATURES:
►Carrier: 13.56 MHz
►Inductive coupling: to supply energy and communication → Up to 10 cm
►Passive: no batteries, energy from the reader
►Communication: 106 kbps ($f_c/128$)
►From Card to Reader: Load Modulation. Subcarrier 847 kHz ($f_c/16$). Manchester Coding
►From Reader to Card: a 100% ASK modulation with Modified Miller Code
[Figure label: 2-3 μs]

31 5.- Novel protocol with void-challenges
Two bit-strings are generated:
$V_0$ - points out when the reader sends the challenge
$V_1$ - points out what the card's response must be
►Reader to the card communication:
►Card to the reader communication:

32 5.- Novel protocol with void-challenges
Example for: $V_0 =$ and $V_1 = 1001$
►We take advantage of the characteristics of communication based on inductive coupling → The reader directly monitors the amplitude of the carrier (no side band) to detect the state of the card.
►Processing delay is zero because the card doesn't have to compute anything. It knows the next state beforehand.

33 5.- Novel protocol with void-challenges
The reader directly monitors the amplitude of the carrier (no side band)
►The key point is how fast the reader can detect the state of the card.
►The longer the distance, the worse the inductive coupling and the more difficult it is to detect the state

34 5.- Novel protocol with void-challenges
Resistant against terrorist attack
►K, $V_0$, $V_1$ are intermingled
►To prevent an eavesdropper from learning the key K, the reader randomly leaves some challenges unsent → the eavesdropper loses this information.
Clearly, the number of intervals (rounds) has to be increased

35 5.- Novel protocol with void-challenges
Security Analysis
►Vulnerable to distance fraud attack
►Resistant to relay attacks and terrorist attacks
The complexity of the attacks this protocol is able to detect depends on the time the reader needs to distinguish the state of the card. It will depend on the distance between the card and the reader, but 1 μs could be enough.
Simple attacks are easily detected (Hancke's attack introduces 15-20 μs)
Furthermore, to improve the system only the reader has to be modified. Much cheaper than if the cards had to be modified

36 6.- CONCLUSIONS
►Attacks related to the location → The most worrying is the mafia fraud attack.
►Distance Bounding protocols are the only solution against them. Tightly integrated in the physical layer.
►Hancke and Kuhn's protocol for RFID.
►Vulnerable to terrorist attack → K, $v_0$ and $v_1$ intermingled.
►High number of rounds → Use of void challenges.
►Expensive → Use of the novel distance bounding protocol to detect simple relay attacks (1 μs). The complexity falls on the reader.

37 THANK YOU FOR YOUR ATTENTION DISTANCE BOUNDING PROTOCOLS WITH VOID CHALLENGES FOR RFID Dpto. Ingeniería de Comunicaciones UNIVERSIDAD DE MÁLAGA Jorge Munilla.

