Presentation is loading. Please wait.

Presentation is loading. Please wait.

1. Outline 1. Background 1. Attacks on distance-bounding 2. Symmetric vs asymmetric protocol 3. Motivation: DBPK-Log 2. VSSDB 1. Building blocks 2. Protocol.

Published byGerald Higgins Modified over 9 years ago

Similar presentations

Presentation on theme: "1. Outline 1. Background 1. Attacks on distance-bounding 2. Symmetric vs asymmetric protocol 3. Motivation: DBPK-Log 2. VSSDB 1. Building blocks 2. Protocol."— Presentation transcript:

1 1

2 Outline 1. Background 1. Attacks on distance-bounding 2. Symmetric vs asymmetric protocol 3. Motivation: DBPK-Log 2. VSSDB 1. Building blocks 2. Protocol 3. Conclusion 2

3 Objective of distance-bounding Authentication protocol + proximity testing Verifier is trusted, prover is untrusted. 3 Range Legitimate prover Verifier

4 Possible applications 4 Wireless payment Access control

5 Range R-A Distance fraud A malicious prover want to cheat on the distance computed by the verifier.

6 Range R-A Prover is unaware that an attack is taking place. Relay- Attack Proxy ATTACKER Mafia fraud An attacker relay the communication through a proxy close to a legitimate prover.

7 Range R-A Relay- Attack Collusion of users Terrorist fraud A far away legitimate prover colludes with an adversary located close to the verifier to enable him to authenticate only once.

8 Generic format of a DB protocol 1. Initialization phase (1 st lazy phase), 2. Interactive phase (heart of the protocol), 3. Verification phase (2 nd lazy phase). 8 c R= F(c) TsTs Distance = Prover Verifier TpTp TrTr

9 Symmetric versus asymmetric protocols Symmetric response function: secret shared between the prover and verifier, R=f S (c). Examples of symmetric protocols : Swiss Knife [Kim et al., ICSC 2008], SKI [Boreanu et al, ISC’13], [Gambs et al, AsiaCCS’13], … Asymmetric response function: the verifier has not access to the prover’s secret. Verification of the challenges uses homomorphic property of bit commitment. Only one protocol in the litterature: [Bussard and Bagga, SEC 2005] 9

10 Bussard and Bagga protocol (B&B) 10 1. Initialization phase Prover: Selects k at random, Computes e = x k Computes commitment : a i = commit(k i,u i ) b i = commit(e i,v i ) 1. a i, b i Prover Verifier 3. Final verification phase Z= ZKProof (x)[Z ⋀ y] 3. ZKProof(x)[Z ⋀ Y] 2. Fast bit exchange phase Verifier: Sends bit challenge {0,1}, Prover replies with k i if 0 or e i if 1. 2. fast bit exchange phase b i m rounds Y=F(x) Deduce Z=commit(x,v)

11 Contributions B&B-like distance bounding with better resistance to terrorist attack, Introduction of mode during the fast phase, Security bounds formally proved. 11

12 VSSDB 12

13 Ingredients 13 (3,3) secret sharing scheme: secret is encrypted using two strings k, l into e, each bit of the secret is shared in three parts, Verifiable secret sharing: each bit of the secret is verified separately, Homomorphic bit commitment [Brassard et al, 1988]: P, Q primes; N=P×Q and Jacobi(–1/N)= +1, S = –1 mod N, Commit(b,rand)= S b × rand 2 mod N, Commit(b,rand 2 )× Commit(b,rand 2 )= Commit(ba,rand 3 )

14 Registration phase Prover  Certification Authority (CA): Priv Key ={Sk sign,x} kept secret. Pub key ={Com i },PK Sign sent to the verifier. {Com i }, Com i =Commit(x i,v i ), v i =H i (x). 14

15 Initialization phase 15 2. Prover computes session specific information. 1. Verifier replies with a nonce. 3. Prover computes fresh proof. 4. Verifier checks for the freshness of the proof.

16 Fast bit exchange 16 5. Verifier starts the clock. 5. Verifier stops the clock. 5. Prover replies as soon as possible.

17 Verification phase 17 1.Validity of the signature of the transcript, 2.Responses correspond to the commits, 3.Commitments corresponds to the secret key.

18 Security analysis Distance fraud Binding of HBCommit, mode are chosen by the verifier. Mafia fraud Hiding of HBCommit, Terrorist fraud ? GameTF [Fischlin et al., ACNS 2013]. 18

19 GameTF security Definition: If an attacker succeeds in a terrorist fraud then he can launch better mafia fraud attack. Trapdoor in the prover: 19

20 Terrorist VSSDB 20

21 Security bounds 21

22 Conclusion and future work We designed an asymmetric distance-bounding provably secure against distance, mafia and terrorist frauds. Additional contribution: Introduction of mode in the response function to avoid response of more than one bit. Future work: privacy-preservation, other secret sharing schemes. 22

23 23 Contact: mtraore@laas.fr

24 Attack of Bay and co-authors 24 Initialization phase: Attacker: Receives z form the malicious prover Selects k and e at random, Computes commitment (for the m-1 last rounds) : a’ i = commit (k i ) b’ i =commit (e i ) Computes a’ 0 for k 0 at random. b’ 0 = a’ 0 ×∏ (a’ i ×b’ i ) 2 i-1 × Z -1 mod N. 1. a i ’, b’ i Attacker Verifier 3. ZKProof 2. fast bit exchange phase Final verification phase: The verification phase is relayed to the prover. Y=F(S) Deduce Z=F(S) Prover Z Challenge-response phase: The attacker wins if first challenge=0.

25 Opening function 25

26 Attacks on distance bounding Distance fraud Range R-A T-A Legitimate prover

Download ppt "1. Outline 1. Background 1. Attacks on distance-bounding 2. Symmetric vs asymmetric protocol 3. Motivation: DBPK-Log 2. VSSDB 1. Building blocks 2. Protocol."

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
Digital Signatures and applications Math 7290CryptographySu07.

Digital Signatures and applications Math 7290CryptographySu07.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006.

Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

Similar presentations

Ads by Google