Distance Bounding Protocols with Void Challenges for RFID

Jorge Munilla Fajardo

Dpto. Ingeniería de Comunicaciones. E.T.S.I.Telecomunicación.

Universidad de Málaga (Spain)


SECTIONS

1.- Attacks related to the location

2.- Definition of Distance Bounding Protocols

3.- Proposed protocol for RFID: HKP (Hancke and Kuhn's protocol)

4.- Modification of the HKP with void challenges

5.- Novel low-cost proposal

Ingeniería de Comunicaciones, Universidad de Málaga


1.- Attacks related to the distance

► Distance Fraud Attacks

► Relay Attacks or Mafia Fraud Attacks

► Terrorist Attacks

Characters: legitimate prover; legitimate prover acting in a bad way; adversary.

[Figures: diagrams of each attack; labels: Range, T-A, T-B, R-A, R-B, ATTACKER]

Terrorist attack: the legitimate user collaborates with the adversary, giving him the necessary information to access the system, but only once.

[Figure: the Distance Fraud Attack, the Mafia Fraud Attack and the Terrorist Attack side by side, each with reader R-A and its range; the Mafia Fraud Attack is marked "The most worrying"]

These attacks are orthogonal to high level security protocols

SOLUTION: DISTANCE BOUNDING PROTOCOLS


2.- Distance Bounding Protocols

CRYPTOGRAPHIC PART

- Based on symmetric key

DISTANCE BOUNDING PART

- Received signal strength
- Round-trip time
- Ultra-sound waves
- Electromagnetic waves
- Processing delay must be short and invariant

PROVER (K) and VERIFIER (K), n times:

1. Verifier → Prover: Challenge (verifier starts timer)
2. Prover: compute Response = f(challenge, K)
3. Prover → Verifier: Response (verifier stops timer)


2.- Brands and Chaum's protocol

The first distance bounding protocol based on single-bit round trips

PROVER (K) and VERIFIER (K):

1. N1 and N2 are exchanged. (RELIABLE: signal goes through every layer)

2. Both sides compute:

   $H^{2n} = f(K, N_1, N_2)$

   $R^0 = H_1 \| H_2 \| \dots \| H_n$

   $R^1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$

3. For i = 1 to n do: (UNRELIABLE: signal doesn't go through every layer)

   - Verifier sends C and starts timer
   - Prover answers $R = R^0_i$ if $C = 0$, $R = R^1_i$ if $C = 1$
   - Verifier receives R and stops timer

   End for

4. S is sent and checked (Check S). (RELIABLE: signal goes through every layer)

   $S = \mathrm{MAC}(K, C_1 \| C_2 \| \dots \| C_n)$

   One build of the slide shows S=MAC(K,C1||C2||..Cn||R1…).


3.- Hancke and Kuhn's protocol

PROVER (K) and VERIFIER (K):

1. N1 and N2 are exchanged.

2. Both sides compute:

   $H^{2n} = f(K, N_1, N_2)$

   $R^0 = H_1 \| H_2 \| \dots \| H_n$

   $R^1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$

3. For i = 1 to n do, over the UWB channel:

   - Verifier sends C and starts timer
   - Prover answers $R = R^0_i$ if $C = 0$, $R = R^1_i$ if $C = 1$
   - Verifier receives R and stops timer

   End for

The final message S (Check S, with $S = \mathrm{MAC}(K, C_1 \| C_2 \| \dots \| C_n)$) is removed, due to unreliability of the channel.


3.- Hancke and Kuhn's protocol

PROBLEMS:

► Vulnerable to Terrorist Attack → K, $v^0$, $v^1$ intermingled ($K = D_{v^1}(v^0)$)

► Adversary succeeds with probability ¾ → Higher number of rounds


4.- Modification of the HKP with void challenges

Besides $v^0$ and $v^1$, a third random bit-string is generated → P

P points out when the reader sends a challenge and when he doesn't

Compute

$H^{3n} = f(K, N_1, N_2)$

$V^0 = H_1 \| H_2 \| \dots \| H_n$

$V^1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$

$P = H_{2n+1} \| H_{2n+2} \| \dots \| H_{3n}$

Compute

$H^{2n} = f(K, N_1, N_2)$

$V^0 = H_1 \| H_2 \| \dots \| H_n$

$V^1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$

But a 2n+1 bitstring could be used.

C=0 → $H_1, H_2, H_3, \dots$

C=1 → $H_{n+1}, H_n, H_{n-1}, \dots$

[Figure labels: P, V]

Using this vector P, card is able to detect an adversary trying to get the responses in advance.


Analysis

Attacker has two possible strategies:

► Asking in advance (taking the risk the card uncovers him)

► Without asking in advance (trying to guess the challenges)


-Without asking in advance (trying to guess the challenges)

No advantages!? It coincides with the probability for the HKP

But this is true only in a noise-free environment; when the unreliability of the channel is taken into account, this modified protocol presents better features than HKP.

Anyway, in a noise-free environment if P is generated in the following way:

Compute

$H^{4n} = f(K, N_1, N_2)$

$V^0 = H_1 \| H_2 \| \dots \| H_n$

$V^1 = H_{n+1} \| H_{n+2} \| \dots \| H_{2n}$

$P = f(H_{2n+1}, H_{2n+2}) \| f(H_{2n+3}, H_{2n+4}) \| \dots \| f(H_{4n-1}, H_{4n})$

$f(x_1, x_2) = 1$ if $x_1 x_2 \in \{00, 01, 10\}$

$f(x_1, x_2) = 0$ if $x_1 x_2 = 11$

The probability for an interval to have a challenge is three times higher than to be void
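The derivation above and the card's void-interval check, as an added example that is not taken from the slides. Assumptions: HMAC-SHA256 in counter mode stands in for f(K, N1, N2), the card stops at the first challenge it sees in a void interval, and the function names are hypothetical.

```python
import hashlib
import hmac

def prf_bits(key, n1, n2, nbits):
    """Stand-in for the slides' f(K, N1, N2) (assumption): HMAC-SHA256 in counter mode."""
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, n1 + n2 + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return [(out[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]

def derive(key, n1, n2, n):
    """Split H^{4n} into V0, V1 and P. P_i = f(pair) is 0 (void) only for the pair 11."""
    h = prf_bits(key, n1, n2, 4 * n)
    pairs = zip(h[2 * n::2], h[2 * n + 1::2])
    return h[:n], h[n:2 * n], [0 if pair == (1, 1) else 1 for pair in pairs]

def reader_challenges(p, bits):
    """Reader side: send bits[i] where P_i = 1, send nothing (None) where P_i = 0."""
    return [b if full else None for full, b in zip(p, bits)]

def card_fast_phase(v0, v1, p, received):
    """Card side. received[i] is 0, 1 or None (no challenge seen in interval i).
    Returns (responses, detected_at). Assumption: the card stops answering at the
    first challenge that arrives in an interval P marks as void."""
    responses = []
    for i, c in enumerate(received):
        if c is not None and p[i] == 0:
            return responses, i          # a challenge the real reader would never send
        responses.append(None if c is None else (v1[i] if c else v0[i]))
    return responses, None

def reader_accepts(v0, v1, p, sent, responses):
    """Reader side: every full interval must carry the right bit, every void one nothing.
    Round-trip timing, the other half of the check, is not modelled here."""
    if len(responses) != len(sent):
        return False
    expected = [None if c is None else (v1[i] if c else v0[i]) for i, c in enumerate(sent)]
    return responses == expected

if __name__ == "__main__":
    # Constructed key and nonces, for illustration only.
    v0, v1, p = derive(b"constructed-key", b"nonce-1", b"nonce-2", 16)
    sent = reader_challenges(p, [i % 2 for i in range(16)])
    resp, detected = card_fast_phase(v0, v1, p, sent)
    print("P =", p, "accepted =", reader_accepts(v0, v1, p, sent, resp), "detected =", detected)
```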

Analysis when P is generated so that the probability for an interval to have a challenge is three times higher than to be void:

Same probabilities with fewer rounds
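An added calculation, not from the slides, of how the two adversary strategies compare per interval and how many rounds a verifier needs for a given false-accept bound. Assumptions: a noise-free channel, being uncovered by the card is fatal to the attempt, and the 2^-32 target and the function names are constructed for illustration.

```python
from fractions import Fraction

def per_round_success(p_full):
    """Return (no_ask, ask): the adversary's chance of getting through one interval.
    p_full is the probability that P marks the interval as carrying a challenge."""
    p_full = Fraction(p_full)
    half = Fraction(1, 2)
    # Without asking in advance: a void interval needs no answer,
    # a full one forces a blind guess of the response bit.
    no_ask = (1 - p_full) + p_full * half
    # Asking in advance with a guessed challenge: a void interval uncovers the
    # adversary (assumed fatal); in a full interval the guessed challenge is right
    # half the time, otherwise the response bit has to be guessed.
    ask = p_full * (half + half * half)
    return no_ask, ask

def best_per_round(p_full):
    """Per-interval success of whichever strategy suits the adversary better."""
    return max(per_round_success(p_full))

def rounds_needed(p_round, target_bits):
    """Smallest n with p_round**n <= 2**-target_bits, computed exactly."""
    n, prob, bound = 0, Fraction(1), Fraction(1, 2 ** target_bits)
    while prob > bound:
        prob *= Fraction(p_round)
        n += 1
    return n

if __name__ == "__main__":
    cases = [("HKP, every interval full", Fraction(1)),
             ("void challenges, uniform P", Fraction(1, 2)),
             ("void challenges, P full 3 times in 4", Fraction(3, 4))]
    for label, p_full in cases:
        best = best_per_round(p_full)
        print(f"{label}: per-round {best}, rounds for 2^-32: {rounds_needed(best, 32)}")
```

With every interval full this reproduces the ¾ quoted for HKP, and a uniform P gives the same ¾, which is the "no advantages" case noted earlier.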

Hancke and Kuhn's protocol

PROBLEMS:

► Vulnerable to Terrorist Attack → K, $v^0$, $v^1$ intermingled ($K = D_{v^1}(v^0)$)

► Adversary succeeds with probability ¾ → Void challenges

► Expensive → Microwave links & Faster Logic

$S_{\text{resolution}} = c / BW$


5.- Novel protocol with void-challenges

Two targets:

► Reduced processing delay (short and invariant)

► Low cost solution: modify the ordinary cards as little as possible. The complexity must fall on the reader

We give up the idea of avoiding distance fraud attacks

- We would need too much BW and fast logic

- Distance Fraud attack isn't too worrying

  ► It is carried out by a legitimate user

  ► To increase the range significantly, sophisticated devices are necessary

We focus on avoiding the most worrying attacks → Relay attacks

The idea will be to detect the delay introduced by the attacker's devices

How to modify this protocol to make it resistant to terrorist attacks

RFID-14443a - FEATURES:

► Carrier: 13.56 MHz

► Inductive coupling: to supply energy and communication → Up to 10 cm

► Passive: no batteries, energy from the reader.

► Communication: 106 kbps (fc/128).

► From Reader to Card: a 100% ASK modulation with Modified Miller Code (2-3 μs)

► From Card to Reader: Load Modulation. Subcarrier 847 kHz (fc/16). Manchester Coding

Two bit-strings are generated:

V0 - points out when the reader sends the challenge

V1 - points out which must be the card's response

[Figures: reader to the card communication; card to the reader communication]

► We take advantage of the characteristics of communication based on inductive coupling → the reader directly monitors the amplitude of the carrier (no side band) to detect the state of the card.

► Processing delay is zero because the card doesn't have to compute anything. It knows the next state beforehand.

Example for: V0=001010011 and V1=1001

The reader directly monitors the amplitude of the carrier (no side band)

► The key point is: how fast the reader can detect the state of the card.

► The longer the distance, the worse the inductive coupling and the more difficult it is to detect the state

Resistant against terrorist attack

► K, V0, V1 are intermingled

► To prevent an eavesdropper from learning the key K, the reader randomly leaves some intervals without sending a challenge → the eavesdropper loses this information.

Clearly, the number of intervals (rounds) has to be increased


Security Analysis

► Vulnerable to distance fraud attack

►Resistant to relay attacks and terrorist attacks

The complexity of the attacks this protocol is able to detect depends on the time the reader needs to distinguish the state of the card. It will depend on the distance between the card and the reader but 1μs could be enough.

Simple attacks are easily detected (Hancke’s attack introduces 15-20μs)

Furthermore, to improve the system only the reader has to be modified.

Much cheaper than if the cards had to be modified

6.- CONCLUSIONS

► Attacks related to the location → The most worrying is the mafia fraud attack.

► Distance bounding protocols are the only solution against them. Tightly integrated in the physical layer.

► Hancke and Kuhn's protocol for RFID.

► Vulnerable to terrorist attack → K, v0 and v1 intermingled.

► High number of rounds → Use of void challenges.

► Expensive → Use of the novel distance bounding protocol to detect simple relay attacks (1 μs). The complexity falls on the reader.
