SAR-SSI, 16/05/2014, Cristina Onete (CIDRE): Keep your friends close with distance-bounding protocols.

Presentation transcript:

Slide 1: SAR-SSI, 16/05/2014, Cristina Onete (CIDRE). Keep your friends close with distance-bounding protocols.

Cristina Onete || 16/05/2014 || 2: Meet the girl: Marie-Claire. She needs authentication.

Slide 3: Authentication. A Prover talks to a Verifier with an Adversary in between; the Verifier outputs 1 = Accept or 0 = Reject.

Slide 4: PKES: Authentication.

Slide 5: Authentication.

Slide 6: Contents
- Authentication & Distance Bounding: authentication protocols; relay attacks (mafia fraud)
- Constructing distance-bounding protocols: basic structure; privacy
- Lessons learned: distance-bounding protocols; distance & mafia fraud; terrorist-fraud resistance
- Next steps

Part I: Authentication & Distance Bounding

Slide 8: Authentication. Prover, Verifier and Adversary as on slide 3; the Verifier outputs 1 = Accept or 0 = Reject.

Slide 9: Authentication (symmetric). Prover and Verifier share a key K.
- Verifier picks a random N_V and sends N_V.
- Prover picks a random N_P, computes MAC_K(N_P | N_V) and sends N_P, MAC_K(N_P | N_V).
- Verifier verifies MAC_K(N_P | N_V).
Recall: a MAC ensures EUF-CMA (unforgeability). Security: the right partner sent the MAC.

Slide 10: Authentication (symmetric), the adversary's view of the exchange N_V -> N_P, MAC_K(N_P | N_V).
- Observe N_1 honest sessions: learn N_P, N_V, MAC_K(N_P | N_V).
- N_2 times: query P with a chosen N_V; learn a pair N_P, MAC_K(N_P | N_V) for each N_V.
- N_3 challenge sessions with V: the Verifier sends N_V. Either the adversary has seen this N_V before (replay), or the adversary has sent this N_V to P before.

Slide 11: Relay Attacks (Mafia Fraud) [Des88]. The Ghost faces the Verifier and the Leech faces the Prover: N_V is relayed Verifier -> Ghost -> Leech -> Prover, and N_P, MAC_K(N_P | N_V) is relayed back Prover -> Leech -> Ghost -> Verifier. The far-away Prover helps the Adversary. Works for Bluetooth, smartcards, Keeloq, PKES (cars).

Slide 12: Distance-Bounding Protocols
- Distance-bounding idea: proximity = trust. Use a timer!
- Verifier sends a challenge c and starts the timer; Prover answers r; Verifier checks r and that the elapsed time t <= t_max.
- If communication speed and processing complexity are constant, t_max bounds the distance.
- c, r must be bits; minimal processing on the Prover's side.

Slide 13: Distance-Bounding Protocols
- Distance-bounding idea: use a timer! If communication speed and complexity are constant, the check "r correct and t <= t_max" bounds the distance.
- Do the proximity test (c -> r) N times for reliability.

Slide 14: Distance-Bounding Properties
- Mafia Fraud Resistance: no relays!
- Terrorist Fraud Resistance: help is one-time.
- Distance Fraud Resistance: enforced by t_max.

Slide 15: Distance-Bounding Attacks
- Mafia Fraud Resistance: Marie-Claire has a unique e-key to her gym locker. Marie-Claire is at a party with the Leech; the Ghost is at the gym and wants to get into the locker.
- Terrorist Fraud Resistance: Marie-Claire and the Adversary are friends. Marie-Claire wants to let the Adversary use her locker, but the Adversary shouldn't be able to enter again without permission.
- Distance Fraud Resistance: Marie-Claire runs a red light and wants to prove she was at the gym, but she is far away.

Part II: Distance-Bounding Protocols

Slide 17: Distance-Bounding Protocol
- Basic structure: slow phases of ordinary messages around a sequence of timed fast rounds (round 1, ..., round N).

Slide 18: Distance-Bounding Protocol
- Authentication + distance upper-bounding, shared key K.
- Authentication: Verifier sends N_V; Prover sends N_P, MAC_K(N_P | N_V).
- Distance check, N times: Verifier sends a random challenge c, Prover replies r.
- If r is random, the fast phase gives no authentication.

Slide 19: Distance-Bounding Protocol
- Authentication + distance upper-bounding, shared key K: Verifier sends N_V; Prover sends N_P, MAC_K(N_P | N_V).
- Distance check, N times: Verifier sends c, Prover replies r = c.
- Distance-fraud resistance: the Prover can't guess c.
- No authentication in the fast phase: no mafia-fraud resistance. Fix: link r to the authentication string.

Slide 20: Distance-Bounding Protocol
- Shared key K. Verifier sends N_V; Prover sends N_P and both compute r = MAC_K(N_P | N_V).
- N times: Verifier sends c_i, Prover answers r_i; Verifier checks r_i and the time.
- Mafia-fraud resistance: from unforgeability.
- Distance-fraud resistance: no, r is predictable for the Prover.

Slide 21: Distance-Bounding Protocol
- Shared key K. Verifier sends N_V; Prover sends N_P and both compute r_0 | r_1 = MAC_K(N_P | N_V).
- N times: Verifier sends c_i, Prover answers r_i^{c_i} (the i-th bit of r_{c_i}); Verifier checks r and the time.
- Mafia-fraud resistance: from unforgeability.
- Distance-fraud: no guarantee on the MAC output distribution.

Slide 22: Distance-Bounding Protocol
- Shared key K. Verifier sends N_V; Prover sends N_P and both compute r_0 | r_1 = MAC_K(N_P | N_V).
- N times: Verifier sends c_i, Prover answers r_i^{c_i}; Verifier checks r and the time.
- Mafia-fraud resistance: from unforgeability.
- Distance-fraud: no guarantee on the MAC output distribution.
- Distance-fraud: the Prover must not be able to choose a clever nonce to get r_0 ≈ r_1.

Slide 23: Distance-Bounding Protocol
- Shared key K. Verifier sends N_V; Prover sends N_P and both compute r_0 | r_1 = PRF_K(N_P | N_V).
- N times: Verifier sends c_i, Prover answers r_i^{c_i}; Verifier checks r and the time.
- Mafia-fraud resistance: from unforgeability.
- Distance-fraud: from unpredictability of the response.
- Distance-fraud: the Prover cannot choose a clever nonce to get r_0 ≈ r_1.
- [HK05]. [BMV12]: pseudorandomness alone is not enough! [BMV13]: stronger assumption on the PRF.
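The protocol of slides 18 to 23 and the relay of slide 11, as an added simulation (not code from the talk): HMAC-SHA256 stands in for PRF_K, round-trip time is modelled from distance instead of measured, and SPEED, T_MAX and the 16-byte nonces are constructed values.

```python
import hmac, hashlib, secrets

N_ROUNDS = 32
SPEED = 3.0e8        # assumed propagation speed in m/s (radio)
T_MAX = 200e-9       # constructed round-trip bound: 200 ns, i.e. a prover within 30 m

def prf_bits(key: bytes, n_p: bytes, n_v: bytes, n_bits: int) -> list:
    """r0|r1 = PRF_K(N_P | N_V); HMAC-SHA256 stands in for the PRF."""
    out, ctr = b"", 0
    while len(out) * 8 < n_bits:
        out += hmac.new(key, n_p + n_v + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return [(out[i // 8] >> (7 - i % 8)) & 1 for i in range(n_bits)]

class Prover:
    """Honest prover holding key K, physically distance_m metres from the verifier."""
    def __init__(self, key: bytes, distance_m: float):
        self.key, self.distance = key, distance_m
    def slow_phase(self, n_v: bytes) -> bytes:
        self.n_p = secrets.token_bytes(16)
        bits = prf_bits(self.key, self.n_p, n_v, 2 * N_ROUNDS)
        self.r0, self.r1 = bits[:N_ROUNDS], bits[N_ROUNDS:]
        return self.n_p
    def fast_round(self, i: int, c: int):
        # answer r_i^{c_i}; the simulated round-trip time is set by distance alone
        return (self.r1[i] if c else self.r0[i]), 2 * self.distance / SPEED

class Relay:
    """Ghost/leech pair of slide 11: forwards every message to a prover extra_m further away."""
    def __init__(self, prover: Prover, extra_m: float):
        self.prover, self.extra = prover, extra_m
    def slow_phase(self, n_v: bytes) -> bytes:
        return self.prover.slow_phase(n_v)
    def fast_round(self, i: int, c: int):
        bit, rtt = self.prover.fast_round(i, c)
        return bit, rtt + 2 * self.extra / SPEED   # correct bit, but late

def verifier_accepts(key: bytes, peer) -> bool:
    """Verifier: nonce exchange, then N timed rounds; reject on a wrong bit or a late one."""
    n_v = secrets.token_bytes(16)
    n_p = peer.slow_phase(n_v)
    bits = prf_bits(key, n_p, n_v, 2 * N_ROUNDS)
    r0, r1 = bits[:N_ROUNDS], bits[N_ROUNDS:]
    for i in range(N_ROUNDS):
        c = secrets.randbits(1)
        bit, rtt = peer.fast_round(i, c)
        if bit != (r1[i] if c else r0[i]) or rtt > T_MAX:
            return False
    return True
```

The relayed prover answers every challenge correctly, so only the timing check rejects it; a prover with the wrong key fails the bit check instead.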

Slide 24: Distance-Bounding Protocols
- Keys K, K'. Verifier sends N_V; Prover sends N_P; r_0 = PRF_K(N_P | N_V) and r_1 = r_0 XOR K'.
- N times: Verifier sends c_i, Prover answers r_i^{c_i}.
- Goal: defeat terrorist-fraud attacks. Intuition: sending both r_0 and r_1 reveals the key K'.
- Reality: the dependency between r_0 and r_1 enables a key-learning attack.

Slide 25: Distance-Bounding Protocols
- Same protocol: keys K, K'; r_0 = PRF_K(N_P | N_V), r_1 = r_0 XOR K'; N rounds c_i -> r_i^{c_i}.
- Key learning [AT09, DFK+11]: rounds 1 to N-1 run as usual within t_max. In round N the Verifier sends c_N; the adversary sends the Prover the flipped challenge c_N+1 and obtains r_N^{c_N+1}, which it passes on to the Verifier.
- Accept means r_N^{c_N+1} = r_N^{c_N}, so K'_N = 0.
- Repeat: learn K'. Next: query the Prover for r_0 and you have r_1.

Slide 26: Distance-Bounding Protocols
- Keys K, K'; r_0 = PRF_K(N_P | N_V), r_1 = r_0 XOR K'; N rounds c_i -> r_i^{c_i}.
- Prevent the adversary from flipping bits [KAK+08]: add a final PRF_K(transcript).
- Mafia-fraud: near-optimal, the final PRF prevents any flips.
- Distance-fraud: while K' is pseudorandom, the distance of r_0, r_1 is optimal.
- Terrorist-fraud: yes, but the advantage the adversary gains is only marginal.

Slide 27: Distance-Bounding Protocols
- Keys K, K'; r_0 = PRF_K(N_P | N_V), r_1 = r_0 XOR K'; N rounds c_i -> r_i^{c_i}; final PRF_K(transcript) to prevent the adversary from flipping bits [KAK+08].
- Mafia-fraud: lower, the final PRF allows some attacks.
- Distance-fraud: while K' is pseudorandom, the distance of r_0, r_1 is optimal.
- Terrorist-fraud: it works: learning bits of K' helps, and the transcript with all-zero challenges can be re-used: PRF_K(T*(c_i = 0)).

Slide 28: Distance-Bounding Protocols, lessons learned so far
- Distance-fraud: unpredictable responses. Just echoing challenges works optimally. Responses output by a PRF, if no special nonces. Link responses by a pseudorandom key.
- Mafia-fraud: authenticating responses + no key-learning. Two strings output by a PRF. Final transcript authentication works optimally. If responses are linked, final authentication is necessary.
- Terrorist-fraud: relate responses by using an extra key. This also gives a back-door for future authentication.
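The distance-fraud lesson above ("unpredictable responses"), measured on the response constructions of slides 19 to 24, as an added simulation that is not from the talk: a far-away prover must commit to each fast-phase answer before c_i arrives, so its per-round success is 1 when r0_i = r1_i and a coin flip otherwise. HMAC-SHA256 stands in for PRF_K; N_ROUNDS, TRIALS, the nonces and the K' derivation are constructed.

```python
import hmac, hashlib, secrets

N_ROUNDS = 16
TRIALS = 2000

def prf_bits(key: bytes, data: bytes, n_bits: int) -> list:
    """PRF_K(data) expanded to n_bits bits; HMAC-SHA256 stands in for the PRF."""
    out, ctr = b"", 0
    while len(out) * 8 < n_bits:
        out += hmac.new(key, data + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return [(out[i // 8] >> (7 - i % 8)) & 1 for i in range(n_bits)]

def responses(scheme: str, key: bytes, key2: bytes, nonces: bytes):
    """Return (r0, r1) for one session under each construction on slides 19 to 24."""
    bits = prf_bits(key, nonces, 2 * N_ROUNDS)
    if scheme == "echo":           # slide 19: r_i = c_i
        return [0] * N_ROUNDS, [1] * N_ROUNDS
    if scheme == "single":         # slide 20: one string r, same bit whatever c_i is
        return bits[:N_ROUNDS], bits[:N_ROUNDS]
    if scheme == "two_strings":    # slide 23: r0 | r1 = PRF_K(N_P | N_V)
        return bits[:N_ROUNDS], bits[N_ROUNDS:]
    if scheme == "xor_key":        # slide 24: r0 = PRF_K(N_P | N_V), r1 = r0 XOR K'
        r0 = bits[:N_ROUNDS]
        k2 = prf_bits(key2, b"K'", N_ROUNDS)   # constructed way to expand K' to N bits
        return r0, [a ^ b for a, b in zip(r0, k2)]
    raise ValueError(scheme)

def early_answer(r0_i: int, r1_i: int) -> int:
    """Far-away prover answers before seeing c_i: certain if r0_i == r1_i, else a guess."""
    return r0_i if r0_i == r1_i else secrets.randbits(1)

def per_round_success(scheme: str) -> float:
    """Fraction of fast rounds a distance-fraud prover passes, over TRIALS sessions."""
    key = secrets.token_bytes(16)
    wins = 0
    for _ in range(TRIALS):
        key2 = secrets.token_bytes(16)   # fresh K' per session, i.e. averaged over keys
        r0, r1 = responses(scheme, key, key2, secrets.token_bytes(32))
        for i in range(N_ROUNDS):
            c = secrets.randbits(1)
            wins += early_answer(r0[i], r1[i]) == (r1[i] if c else r0[i])
    return wins / (TRIALS * N_ROUNDS)
```

A whole run of N rounds succeeds with probability about rate^N, so the single-string scheme is always passed, the echo scheme about (1/2)^N of the time, and the two-string and XOR-key schemes about (3/4)^N of the time.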

Slide 29: Distance-Bounding Protocols
- Game-based privacy (untraceability) [V07]: Provers 1, 2, ..., n and a Verifier. The adversary calls DrawProver and gets back a handle; the game always draws the right prover or always draws the left one.

Slide 30: Privacy in Authentication
- Game-based privacy (untraceability) [V07]: Provers 1, 2, ..., n and a Verifier. Oracles: DrawProver (returns a handle), Corrupt (returns the key), and the left/right choice of which prover a handle refers to.

Slide 31: Distance-Bounding Protocols
- Forward privacy: once a key is corrupted, can you distinguish past sessions? Requires key updates. No privacy is guaranteed for future sessions. This is the most we can get with symmetric authentication.
- Strong privacy: no rules for corruption. Needs public-key crypto: key agreement.
- Idea of [HPO13]: combine strongly private authentication with distance bounding. Responses: a pseudo-random truncation of the DH key. Authenticate the transcript in the final authentication string.

Slide 32: Symmetric key -> Public key
- Symmetric key (K): nonce exchange; compute r_0, r_1 using K; N rounds c_i -> r_i^{c_i}; Sign_K(transcript).
- Public key (Prover k, X = kP; Verifier y, Y = yP): nonce exchange; r_0, r_1 from an ephemeral DH key; N rounds c_i -> r_i^{c_i}; authentication of ID & challenges.

Slide 33: MIM-Private DB ([HPO13])
- Auth. + relay: adapt/compose authentication and proximity check. Prover key k, X = kP; Verifier key y, Y = yP.
- Prover picks random r_1, r_2 and sends R_1 = r_1 P, R_2 = r_2 P. Verifier picks random c, r, r_3 and sends r_3 P.
- Both compute r_0 | r_1 = xcoord{r_1 r_3 P}_{2n} from the DH tuple (the slide reuses the name r_1 for the response string).
- n times: Verifier sends c_i, Prover answers r_i^{c_i}.
- Verifier sends e = c | r. Prover computes d = xcoord[r_1 yP] and s = k + e r_1 + r_2 + d, and sends s.
- Verifier checks: (s - d)P - e R_1 - R_2 == kP?

Slides 34 to 36 repeat this diagram to discuss, in turn, mafia fraud, distance fraud, and privacy/impersonation.

Slide 37: Privacy in Distance Bounding
- Intuitively: not just a MIM adversary, but also an honest-but-curious or malicious verifier. Change the model to allow this.
- Construction: group signatures are overkill, no need for opening or group structure. Accumulators would have worked, but use pairings; our scheme uses the DDH assumption.
- Core idea: a kind of ring signature with infrastructure provided by an external entity (Server). Black-box (BB) use of a NIZK scheme.
- AsiaCCS 2014 [GOR14]: how about insider privacy? Secure, fully anonymous, deniable w.r.t. the Server.

Slide 38: Lessons Learned
Distance-bounding:
- Responses must be unpredictable to the Prover: large Hamming distance, no cheating input.
- Responses must authenticate the Prover; add final authentication at the end.
- Privacy: private authentication, randomized proximity-check response.
Questions for the future:
- Are privacy and terrorist-fraud resistance compatible?
- Can generic privacy be achieved by composition of private authentication and a proximity check?

Slide 39: Thanks! (CIDRE)