Distance Bounding Protocols with Void Challenges for RFID Jorge Munilla Fajardo Dpto. Ingeniería de Comunicaciones.
Download ReportTranscript Distance Bounding Protocols with Void Challenges for RFID Jorge Munilla Fajardo Dpto. Ingeniería de Comunicaciones.
Distance Bounding Protocols with Void Challenges for RFID Jorge Munilla Fajardo Dpto. Ingeniería de Comunicaciones. E.T.S.I.Telecomunicación. Universidad de Málaga (Spain) SECTIONS 1.- Attacks related to the location 2.- Definition of Distance Bounding Protocols 3.- Proposed protocol for RFID: HKP (Hancke and Kuhn’s protocol) 4.- Modification of the HKP with void-challenges 5.- Novel low-cost proposal Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Characters: Legitimate prover Legitimate prover acting in a bad way Ingeniería de Comunicaciones, Universidad de Málaga Adversary 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range T-A R-A Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range T-A R-A Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range T-A T-B R-B R-A R-A ATTACKER Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks ►Terrorist Attacks Range T-A T-B R-A R-A Legitimate user collaborates with the adversary giving him the necessary information to access to the system but only once. Ingeniería de Comunicaciones, Universidad de Málaga 1.- Attacks related to the distance Range R A Distance Fraud Attack The most worrying Range T B ATTACK ER R R -AA Mafia Fraud Attack Range R R -AA Ingeniería de Comunicaciones, Universidad de Málaga Terrorist Attack 1.- Attacks related to the distance ►Distance Fraud Attacks ►Relay Attacks or Mafia Fraud Attacks The most worrying ►Terrorist Attacks These attacks are orthogonal to high level security protocols SOLUTION: DISTANCE BOUNDING PROTOCOLS Ingeniería de Comunicaciones, Universidad de Málaga 2.- Distance Bounding Protocols VERIFIER K Challenge Start Timer PROVER K Compute Response Response = f(challenge, K) Stop Timer n times CRYPTOGRAPHIC PART -Based on symmetric key Received signal strength DISTANCE BOUNDING PART Ultra-sound waves Round-trip time Electromagnetic waves Ingeniería de Comunicaciones, Universidad de Málaga Processing delay must be short and invariant 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips VERIFIER K Compute H2n = f(K,N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Start Timer Stop Timer PROVER K N1 N2 For i=1 to n do: C R Compute H2n = f(K,N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n R=R0i if C=0 R=R1i if C=1 End for Check S S Ingeniería de Comunicaciones, Universidad de Málaga S=MAC(K,C1||C2||..Cn) 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips PROVER VERIFIER K K Compute H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Start Timer Stop Timer N1 N2 For i=1 to n do: C R Compute H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n R=R0i if C=0 R=R1i if C=1 End for Check S S Ingeniería de Comunicaciones, Universidad de Málaga S=MAC(K,C1||C2||..Cn) 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips PROVER VERIFIER K K Compute H2n = f(K,N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n psuccessatta 1 2 n Start Timer Stop Timer N1 N2 For i=1 to n do: C R Compute H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n R=R0i if C=0 R=R1i if C=1 End for Check S S Ingeniería de Comunicaciones, Universidad de Málaga S=MAC(K,C1||C2||..Cn) 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips PROVER VERIFIER K K Compute H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Start Timer Stop Timer N1 N2 For i=1 to n do: C R Compute H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n R=R0i if C=0 R=R1i if C=1 End for Check S S Ingeniería de Comunicaciones, Universidad de Málaga S=MAC(K,C1||C2||..Cn||R1…) 2.- Brand and Chaum´s protocol The first distance bounding protocols based on single-bits round trips PROVER VERIFIER K K Compute H = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n 2n Start Timer Stop Timer N1 N2 For i=1 to n do: C R Compute H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n RELIABLE Signal goes through every layer R=R0i if C=0 UNRELIABLE R=R1i if C=1 Signal doesn’t go through every layer End for Check S S S=MAC(K,C1||C2||..Cn) Ingeniería de Comunicaciones, Universidad de Málaga RELIABLE Signal goes through every layer 3.- Hancke and Kuhn’s protocol VERIFIER K PROVER K N1 Compute H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n Start Timer Stop Timer For i=1 to n do: C R H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n R=R0i if C=0 R=R1i if C=1 End for Removed Due to unreliability of the channel N2 Compute Check S S Ingeniería de Comunicaciones, Universidad de Málaga S=MAC(K,C1||C2||..Cn) 3.- Hancke and Kuhn’s protocol VERIFIER K PROVER K N1 Compute H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n UWB Channel Start Timer Stop Timer N2 For i=1 to n do: C R End for Ingeniería de Comunicaciones, Universidad de Málaga Compute H2n = f(K, N1,N2) R0=H1||H2||…Hn R1=Hn+1||Hn+2||…H2n R=R0i if C=0 R=R1i if C=1 3.- Hancke and Kuhn’s protocol PROBLEMS: ►Vulnerable to Terrorist Attack Ingeniería de Comunicaciones, Universidad de Málaga K,vo,v1 intermingled (K=Dv1(v0)) Hancke and Kuhn’s protocol PROBLEMS: ►Vulnerable to Terrorist Attack K,vo,v1 intermingled ►Adversary succeeds with probability ¾ Ingeniería de Comunicaciones, Universidad de Málaga (K=Dv1(v0)) Higher number of rounds 4.-Modification of the HKP with void challenges Beside v0 and v1, a third random bit-string is generated P P points out when the reader sends a challenge and when he doesn’t Compute H3n = f(K, N1,N2) V0=H1||H2||…Hn V1=Hn+1||Hn+2||…H2n P=H2n+1||H2n+2||…H3n Compute H2n = f(K, N1,N2) V0=H1||H2||…Hn V1=Hn+1||Hn+2||…H2n But a 2n+1 bitstring could be used. C=0 H1, H2, H3 ... V P C=1 Hn+1, Hn , Hn-1... Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges Using this vector P, card is able to detect an adversary trying to get the responses in advance. Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges Analysis Attacker has two possible strategies: ► Asking in advance (taking the risk the card uncovers him) p adv1 1 n 2 ► Without asking in advance (trying to guess the challenges) 2 p no adv1 n 1 1 1 1 p(0) p(1) p(2) ...p(n) n 2 2 2 2 Ingeniería de Comunicaciones, Universidad de Málaga n 1 3 4 t 0 t 2 t n t n 4.-Modification of the HKP with void challenges -Without asking in advance (trying to guess the challenges) 2 p no adv1 n 1 1 1 1 p(0) p(1) p(2) ...p(n) n 2 2 2 2 n 1 3 4 t 0 t 2 t n t n No advantages!? It coincides with the probability for the HKP But this is true only in a noise-free environment, when the unreliability of the channel is taken into account this modified protocol presents better features than HKP Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges Anyway, in a noise-free environment if P is generated in the following way: Compute H4n = f(K, N1,N2) V0=H1||H2||…Hn V1=Hn+1||Hn+2||…H2n P=f(H2n+1, H2n+2 )||f(H2n+3, H2n+4)||…f(H4n-1, H4n) f(x1,x2) = 1 if x1x2=00, 01, 10 f(x1,x2) = 0 if x1x2=11 The probability for an interval to have a challenge is three times higher than to be void Ingeniería de Comunicaciones, Universidad de Málaga 4.-Modification of the HKP with void challenges Analysis when P is generating making the probability for an interval to have a challenge is three times higher than to be void: Same probabilities with fewer rounds Ingeniería de Comunicaciones, Universidad de Málaga Hancke and Kuhn’s protocol PROBLEMS: ►Vulnerable to Terrorist Attack K,vo,v1 intermingled ►Adversary succeeds with probability ¾ (K=Dv1(v0)) Void challenges Microwave links & Faster Logic ►Expensive Sresolution =c/BW Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Two targets ►Reduced processing delay (short and invariant) ►Low cost solution: to modify as less as possible the ordinary cards.The complexity must fall on the reader We give up the idea of avoiding distance fraud attacks We would need too much BW and fast logic ►It is carried out by a legitimate user Distance Fraud attack isn’t too worrying ►To increase the range significantly are necessary sophisticated devices Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Two targets ►Reduced processing delay (short and invariant) ►Low cost solution: modify as less as possible the ordinary cards.The complexity must fall on the reader We give up the idea of avoiding distance fraud attacks We would need too much BW and fast logic We focus on avoiding the most worrying attacks Relay attacks The idea will be to detect the delay introduced by the attacker's devices Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Two targets ►Reduced processing delay (short and invariant) ►Low cost solution: modify as less as possible the ordinary cards.The complexity must fall on the reader We give up the idea of avoiding distance fraud attacks We would need too much BW and fast logic We focus on avoiding the most worrying attacks Relay attacks How to modify this protocol to make it resistant to terrorist attacks Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges RFID-14443a - FEATURES: ►Carrier: 13.56MHz ►Inductive coupling: to supply energy and communication Up to 10cm ►Passive: no batteries, energy from the reader. ►Communication:106 kbps (fc/128). ►From Reader to Card: a 100% ASK modulation with Modified Miller Code 2-3μs ►From Card to Reader: Load Modulation. Subcarrier 847Khz (fc/16).Manchester Coding Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges V0 -points out when the reader sends the challenge Two bit-string are generated: V1 -points out which must be the card’s response ►Reader to the card communication: ►Card to the reader communication: Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Example for: V0=001010011 and V1=1001 ► We take advantage of the characteristics of the communication based on inductive coupling Reader monitories directly the amplitude of the carrier (no side band) to detect the state of the card. ► Processing delay is zero because the card doesn’t have to compute anything. It knows beforehand the next state. Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Reader monitories directly the amplitude of the carrier (no side band) ► The key point is: how fast the reader can detect the state of the card. ► The longer is the distance worse is the inductive coupling and more difficult will be to detect the state Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Resistant against terrorist attack ►K, V0, V1 are intermingled ►To avoid a eavesdropper could know the key K: the reader randomly leaves without sending some challenges eavesdropper loses this information. Clearly, the number of intervals (rounds) has to be increased Ingeniería de Comunicaciones, Universidad de Málaga 5.- Novel protocol with void-challenges Security Analysis ► Vulnerable to distance fraud attack ►Resistant to relay attacks and terrorist attacks The complexity of the attacks this protocol is able to detect depends on the time the reader needs to distinguish the state of the card. It will depend on the distance between the card and the reader but 1μs could be enough. Simple attacks are easily detected (Hancke’s attack introduces 15-20μs) Furthermore, to improve the system only the reader has to be modified. Much cheaper than if the cards had to be modified Ingeniería de Comunicaciones, Universidad de Málaga 6.-CONCLUSIONS ► Attacks related to the location The most worrying is the mafia fraud attack. ►Distance Bounding protocol are the only solution against them. Tightly integrated in the physical layer. ►Hancke and Kuhn’s protocol for RFID. ►Vulnerable to terrorist attack K, v0 and v1 Intermingled. ►High number of rounds Use of void challenges. ►Expensive Use of the novel distance bounding protocol to detect simple relay attacks (1μs). The complexity falls on the reader. Ingeniería de Comunicaciones, Universidad de Málaga DISTANCE BOUNDING PROTOCOLS WITH VOID CHALLENGES FOR RFID Jorge Munilla. e-mail:[email protected] THANK YOU FOR YOUR ATTENTION Dpto. Ingeniería de Comunicaciones UNIVERSIDAD DE MÁLAGA