Covert Channels in Privacy-Preserving Identification Systems Daniel V. Bailey (RSA Labs) Dan Boneh (Stanford) Eu-Jin Goh (Stanford) Ari Juels (RSA Labs)

Slides:



Advertisements
Similar presentations
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
Advertisements

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.
RFID and SECURITY All slides © 2008 RSA Laboratories.
Digital Signatures and Hash Functions. Digital Signatures.
Reusable Anonymous Return Channels
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
FIT3105 Smart card based authentication and identity management Lecture 4.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Identity Based Encryption
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
David Molnar, David Wagner - Authors Eric McCambridge - Presenter.
Computer Science Public Key Management Lecture 5.
All slides © 2006 RSA Laboratories. RFID (Radio-Frequency IDentication) takes many forms…
An Efficient Identity-based Cryptosystem for
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006 David.
Chapter 4: Intermediate Protocols
Cyrtographic Security Identity-based Encryption 1Dennis Kafura – CS5204 – Operating Systems.
Anonymous Identification in Ad Hoc Groups New York, NY, USAApril 6 th, 2004 Yevgeniy Dodis, Antonio Nicolosi, Victor Shoup
1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
RFID Privacy: An Overview of Problems and Proposed Solutions Maxim Kharlamov (mkha130, #13) S. Garfinkel, A. Juels, R. Pappu, “RFID Privacy: An Overview.
RFID Security: In the Shoulder and on the Loading Dock Ari Juels RSA Laboratories Joint work with D. Boneh, E.-J. Goh, J. Halamka, A. Stubblefield, B.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Cryptography Lecture 9 Stefan Dziembowski
Security Analysis of a Cryptographically- Enabled RFID Device Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo Usenix.
Shanti Bramhacharya and Nick McCarty. This paper deals with the vulnerability of RFIDs A Radio Frequency Identifier or RFID is a small device used to.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Linkability of Some Blind Signature Schemes Swee-Huay Heng 1, Wun-She Yap 1 Khoongming Khoo 2 1 Multimedia University, 2 DSO National Laboratories.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Digital Signatures, Message Digest and Authentication Week-9.
CS555Topic 251 Cryptography CS 555 Topic 25: Quantum Crpytography.
WISTP’08 ©LAM /05/2008 A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup Christer Andersson Markulf Kohlweiss.
Protocols for public-key management. Key management –two problems Distribution of public keys (for public- key cryptography) Distribution of secret keys.
Lecture 2: Introduction to Cryptography
Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
Identity based signature schemes by using pairings Parshuram Budhathoki Department of Mathematical Science FAU 02/21/2013 Cyber Security Seminar, FAU.
An Improved Efficient Secret Handshakes Scheme with Unlinkability Author: Jie Gu and Zhi Xue Source: IEEE Comm. Letters 15 (2) (2011) Presenter: Yu-Chi.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
1 Key-Exchange Protocol Using Pre-Agreed Session-ID Kenji Imamoto Kyushu University, JAPAN.
Private key
Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
1/18 Talking to Strangers: Authentication in Ad-Hoc Wireless Networks Dirk Balfanz 외 2 명 in Xerox Palo Alto Research Center Presentation: Lee Youn-ho.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.
1 Secret Handshakes or Privacy-Preserving Interactive Authentication Gene Tsudik University of California, Irvine joint work with: Claude Castelluccia,
What is in a name? Identity-based cryptography. How public-key crypto works When you use public key cryptography, you can publish a value (public key)
RFID Security: In the Shoulder and on the Loading Dock
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Privacy for Public Transportation
CDK: Chapter 7 TvS: Chapter 9
Presentation transcript:

Covert Channels in Privacy-Preserving Identification Systems Daniel V. Bailey (RSA Labs) Dan Boneh (Stanford) Eu-Jin Goh (Stanford) Ari Juels (RSA Labs) © 2007 RSA Laboratories ACM CCS 31 October 2007

You are probably carrying a constellation of wireless identification devices right now

Proximity cards

Automobile ignition keys f RFID helps secure hundreds of millions of automobiles –Cryptographic challenge-response –Philips claims more than 90% reduction in car theft thanks to RFID! –(Some, e.g., Texas Instruments DST, are weak [Bono et al. ‘05])…

Credit cards RFID now offered in all major credit cards in U.S.… Some even broadcast your name in the clear! –See “Vulnerabilities in First-Generation RFID-Enabled Credit Cards” [Heydt-Benjamin et al. ’07]

Transit cards

Passports Dozens of countries issuing RFID-enabled passports Other identity documents, e.g., drivers’ licenses, to follow

Animals too… “Not Really Mad” Livestock Housepets The cat came back, the very next day… 50 million+

Human location tracking Schools Amusement parks Hospitals In the same vein: mobile phones with GPS…

??? Human-implantable RFID += VeriChip TM

Human-implantable RFID += VeriChip TM Excellent test bed for privacy and security concepts! Proposed for medical-patient identification Also proposed and used as an authenticator for physical access control, a “prosthetic biometric” –E.g., Mexican attorney general purportedly used for access to secure facility What kind of cryptography does it have? –None: It can be easily cloned [Halamka et al. ’06] So shouldn’t we add a challenge-response protocol? Cloning may actually be a good thing

Human-implantable RFID Physical coercion and attack –In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric- enabled Mercedes –What would happen if the VeriChip were used to access ATM machines and secure facilities? Perhaps better if tags can be cloned! Tags should not be used for authentication—only for identification

Cloneability + privacy Privacy means no linkability or information about identities If a tag can be cloned, does that mean it can’t provide privacy? –Surprisingly, no! A very simple scheme allows for simultaneous cloneability and privacy

Cloneability + privacy Homomorphic public-key cryptosystem (e.g., El Gamal) Private / public key pair (SK, PK) Randomized scheme: C = E PK,r [m] Semantic security: Adversary cannot distinguish C = E PK,r [“Alice”] from C’*= E PK,s [“Bob”] Re-encryption property: Given C only, can produce randomized C* = E PK,s [m], without knowing m

Cloneability + privacy The scheme: When read, tag chooses fresh r and outputs C = E PK,r [“name”] Then: Reader with SK can decrypt name Semantic Security: Adversary cannot distinguish among tags, i.e., infringe privacy Re-encryption property: Adversary can clone a tag: records C and outputs randomized C*

The covert-channel problem Suppose there is an identification / authentication system… Authorized Employees Only Who’s there? E[“Alice”] It’s Alice!

The covert-channel problem Suppose there is an identification / authentication system… Authorized Employees Only Who’s there? E[“Alice” + ?] Alice has low blood pressure and high blood-alcohol Alice recently passed a casino’s RFID reader. Mercury switch indicates that Alice napped on job

How can we assure Alice of no covert channels? Outputs must be deterministic –Randomness always leaves room for covert emissions Could give Alice a secret key to check that outputs are formatted correctly –E.g., PRNG seed for device But we don’t want Alice (or a third party) to have to manage sensitive keying material! Can we enable Alice to verify covert-freeness publicly, i.e., without exposing secret keys? Simultaneous publicly verifiable covert-freeness and privacy are impossible!

Here’s why… Suppose there were a public CC detector… X18 Ultra CC-Detector TM A1A1 A2A2 No CC Yes, CC!

Here’s a covert channel! 1.Create identity for user “Bob” Bob could be fictitious Just need output sequence B 1, B 2, … 2.Alice’s chip does following: If no nap, output A 1, A 2, A 3, etc. with Alice’s identity If Alice has taken a nap, then flip to Bob’s identity, i.e., output A 1, A 2 … B 1, B 2

Suppose we detect this covert channel X18 Ultra CC-Detector TM A1A1 A2A2 No CC B1B1 Yes, CC

Now if there really is a user Bob, we have a problem... X18 Ultra CC-Detector TM A1A1 A2A2 No CC

Alice followed by Bob yields “Yes” X18 Ultra CC-Detector TM A1A1 B1B1 Yes, CC

BobAlice Privacy is broken: We can distinguish between identities! X18 Ultra CC-Detector TM Yes X18 Ultra CC-Detector TM No

So public CC-verifiability + privacy is impossible Now let’s show how to achieve it anyway… Idea: –Weaken privacy definition to eliminate localized privacy, e.g., privacy across pairwise values –Allow localized CC-checking, e.g., pairwise –Localized privacy is least important type of privacy Now we can do spot CC-checking… A1A1 A2A2 A3A3 A4A4 A5A5 A6A6 A7A7 A8A8 A9A9 X18 Ultra CC-Detector TM yes / no

So public CC-verifiability + privacy is impossible Now let’s show how to achieve it anyway… Idea: –Weaken privacy definition to exclude localized privacy, e.g., privacy across pairwise values –Allow localized CC-checking, e.g., pairwise –Localized privacy is least important type of privacy Now we can do spot CC-checking… A1A1 A2A2 A3A3 A4A4 A5A5 A6A6 A7A7 B1B1 B2B2 X18 Ultra CC-Detector TM yes / no

So public CC-verifiability + privacy is impossible Now let’s show how to achieve it anyway… Idea: –Weaken privacy definition to exclude localized privacy, e.g., privacy across pairwise values –Allow localized CC-checking, e.g., pairwise –Localized privacy is least important type of privacy Now we can do spot CC-checking… A1A1 A2A2 A3A3 A4A4 A5A5 A6A6 A7A7 A8A8 A9A9 ???

Still a challenge Construct a deterministic sequence whose values are: –Unlinkable (except pairwise) –Publicly, pairwise verifiable Basic ideas of our solution 1.General unlinkability via exponent squaring: –A 1 = h r, A 2 = h r, A 3 = h r, A 4 = h r, etc Verifiability via use of group with bilinear map e: –Pairwise check: e(A 2,A 2 ) = e(h,A 3 ) = e(h,h) r 8

Improving efficiency A 1 = h r, A 2 = h r, A 3 = h r, A 4 = h r, etc Determining identity is not efficient –Every tag must use separate value r known to reader –Reader must compute sequence for every tag Use composite-order bilinear maps [BGN ’05] –Reader secret g; public h (different subgroups) –Each tag has identifier e(g,g) d for unique d – At time i, tag with identifier d outputs g d A i – Reader computes e(g, g d A i ) = e(g, g d ) = e(g, g) d = tag ID – (With g and h in different subgroups, we can make h-base disappear)

More to do… In paper, we also demonstrate k-wise-checkable constructions and other access structures But there are still some problems: 1.Non-standard hardness assumption l -BDHS (Bilinear Diffie-Hellman Squaring) 2.We only address covert channels in known communication layer What if tag takes secret input? (Record transactions?) Timing or power side-channels? 3.Tag is no longer cloneable! 4

Much more to do… The number of implantable cardiac defibrillators (ICDs) alone is set to exceed 250,000 per year in the U.S. ICDs emit measurements and permit reprogramming Those constellations of wireless devices are moving into the body…

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.