Distance Bounding Protocols with Void Challenges for RFID - PowerPoint PPT Presentation

1 / 37
About This Presentation
Title:

Distance Bounding Protocols with Void Challenges for RFID

Description:

Universidad de M laga (Spain) Ingenier a de Comunicaciones, Universidad de M laga ... de Comunicaciones, Universidad de M laga. 1.- Attacks related to the ... – PowerPoint PPT presentation

Number of Views:180
Avg rating:3.0/5.0
Slides: 38
Provided by: juk4
Category:

less

Transcript and Presenter's Notes

Title: Distance Bounding Protocols with Void Challenges for RFID


1
Distance Bounding Protocols with Void
Challenges for RFID
Jorge Munilla Fajardo Dpto. Ingeniería de
Comunicaciones. E.T.S.I.Telecomunicación.
Universidad de Málaga (Spain)
2
SECTIONS
1.- Attacks related to the location 2.-
Definition of Distance Bounding Protocols 3.-
Proposed protocol for RFID HKP (Hancke and
Kuhns protocol) 4.- Modification of the HKP
with void-challenges 5.- Novel low-cost proposal
Ingeniería de Comunicaciones, Universidad de
Málaga
3
1.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Characters
Legitimate prover
Legitimate prover acting in a bad way
Adversary
Ingeniería de Comunicaciones, Universidad de
Málaga
4
1.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Range
T-A
R-A
Ingeniería de Comunicaciones, Universidad de
Málaga
5
1.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Range
T-A
R-A
Ingeniería de Comunicaciones, Universidad de
Málaga
6
1.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Range
T-A
T-B
R-B
R-A
R-A
ATTACKER
Ingeniería de Comunicaciones, Universidad de
Málaga
7
1.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Range
T-B
T-A
R-A
R-A
Legitimate user collaborates with the adversary
giving him the necessary information to access to
the system but only once.
Ingeniería de Comunicaciones, Universidad de
Málaga
8
1.- Attacks related to the distance
Distance Fraud Attack
Mafia Fraud Attack
Terrorist Attack
Ingeniería de Comunicaciones, Universidad de
Málaga
9
1.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Ingeniería de Comunicaciones, Universidad de
Málaga
10
2.- Distance Bounding Protocols
PROVER K
VERIFIER K
Challenge
Start Timer
Compute Response f(challenge, K)
Response
Stop Timer
n times
Ingeniería de Comunicaciones, Universidad de
Málaga
11
2.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K,N1,N2) R0H1H2Hn R1Hn1H
n2H2n
Compute H2n f(K,N1,N2) R0H1H2Hn R1Hn1H
n2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
12
2.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
13
2.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K,N1,N2) R0H1H2Hn R1Hn1H
n2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
14
2.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..CnR1)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
15
2.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
RELIABLE Signal goes through every layer
N2
For i1 to n do
C
Start Timer
UNRELIABLE Signal doesnt go through every layer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
RELIABLE Signal goes through every layer
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
16
3.- Hancke and Kuhns protocol
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
17
3.- Hancke and Kuhns protocol
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
UWB Channel
R
Stop Timer
End for
Ingeniería de Comunicaciones, Universidad de
Málaga
18
3.- Hancke and Kuhns protocol
PROBLEMS
?Vulnerable to Terrorist Attack
Ingeniería de Comunicaciones, Universidad de
Málaga
19
Hancke and Kuhns protocol
PROBLEMS
?Vulnerable to Terrorist Attack
?Adversary succeeds with probability ¾
Ingeniería de Comunicaciones, Universidad de
Málaga
20
4.-Modification of the HKP with void challenges
Beside v0 and v1, a third random bit-string is
generated ? P P points out when the reader sends
a challenge and when he doesnt
Ingeniería de Comunicaciones, Universidad de
Málaga
21
4.-Modification of the HKP with void challenges
Using this vector P, card is able to detect an
adversary trying to get the responses in advance.
Ingeniería de Comunicaciones, Universidad de
Málaga
22
4.-Modification of the HKP with void challenges
Analysis Attacker has two possible strategies
? Asking in advance (taking the risk the card
uncovers him)
? Without asking in advance (trying to guess the
challenges)
Ingeniería de Comunicaciones, Universidad de
Málaga
23
4.-Modification of the HKP with void challenges
-Without asking in advance (trying to guess the
challenges)
No advantages!? It coincides with the
probability for the HKP
But this is true only in a noise-free
environment, when the unreliability of the
channel is taken into account this modified
protocol presents better features than HKP
Ingeniería de Comunicaciones, Universidad de
Málaga
24
4.-Modification of the HKP with void challenges
Anyway, in a noise-free environment if P is
generated in the following way
Compute H4n f(K, N1,N2) V0H1H2Hn V1Hn1
Hn2H2n Pf(H2n1, H2n2 )f(H2n3,
H2n4)f(H4n-1, H4n)
f(x1,x2) 1 if x1x200, 01, 10 f(x1,x2) 0
if x1x211
The probability for an interval to have a
challenge is three times higher than to be void
Ingeniería de Comunicaciones, Universidad de
Málaga
25
4.-Modification of the HKP with void challenges
Analysis when P is generating making the
probability for an interval to have a challenge
is three times higher than to be void
Ingeniería de Comunicaciones, Universidad de
Málaga
26
Hancke and Kuhns protocol
PROBLEMS
?Vulnerable to Terrorist Attack
Void challenges
?Adversary succeeds with probability ¾
?Expensive
Sresolution c/BW
Ingeniería de Comunicaciones, Universidad de
Málaga
27
5.- Novel protocol with void-challenges
?Reduced processing delay (short and
invariant) ?Low cost solution to modify as less
as possible the ordinary cards.The complexity
must fall on the reader
Two targets
Ingeniería de Comunicaciones, Universidad de
Málaga
28
5.- Novel protocol with void-challenges
?Reduced processing delay (short and
invariant) ?Low cost solution modify as less as
possible the ordinary cards.The complexity must
fall on the reader
Two targets
Ingeniería de Comunicaciones, Universidad de
Málaga
29
5.- Novel protocol with void-challenges
?Reduced processing delay (short and
invariant) ?Low cost solution modify as less as
possible the ordinary cards.The complexity must
fall on the reader
Two targets
Ingeniería de Comunicaciones, Universidad de
Málaga
30
5.- Novel protocol with void-challenges
RFID-14443a - FEATURES ?Carrier
13.56MHz ?Inductive coupling to supply energy
and communication ? Up to 10cm ?Passive no
batteries, energy from the reader. ?Communication
106 kbps (fc/128).
Ingeniería de Comunicaciones, Universidad de
Málaga
31
5.- Novel protocol with void-challenges
V0 -points out when the reader sends the challenge
Two bit-string are generated
V1 -points out which must be the cards response
?Reader to the card communication
?Card to the reader communication
Ingeniería de Comunicaciones, Universidad de
Málaga
32
5.- Novel protocol with void-challenges
Example for V0001010011 and V11001
Ingeniería de Comunicaciones, Universidad de
Málaga
33
5.- Novel protocol with void-challenges
Reader monitories directly the amplitude of the
carrier (no side band)
? The key point is how fast the reader can
detect the state of the card.
? The longer is the distance worse is the
inductive coupling and more difficult will be to
detect the state
Ingeniería de Comunicaciones, Universidad de
Málaga
34
5.- Novel protocol with void-challenges
Resistant against terrorist attack
?K, V0, V1 are intermingled
?To avoid a eavesdropper could know the key K
the reader randomly leaves without sending some
challenges ? eavesdropper loses this information.
Ingeniería de Comunicaciones, Universidad de
Málaga
35
5.- Novel protocol with void-challenges
Security Analysis
? Vulnerable to distance fraud attack
?Resistant to relay attacks and terrorist attacks
The complexity of the attacks this protocol is
able to detect depends on the time the reader
needs to distinguish the state of the card. It
will depend on the distance between the card and
the reader but 1µs could be enough.
Simple attacks are easily detected (Hanckes
attack introduces 15-20µs)
Furthermore, to improve the system only the
reader has to be modified. Much cheaper than if
the cards had to be modified
Ingeniería de Comunicaciones, Universidad de
Málaga
36
6.-CONCLUSIONS
? Attacks related to the location ? The most
worrying is the mafia fraud attack. ?Distance
Bounding protocol are the only solution against
them. Tightly integrated in the physical
layer. ?Hancke and Kuhns protocol for
RFID. ?Vulnerable to terrorist attack ? K, v0 and
v1 Intermingled. ?High number of rounds ? Use of
void challenges. ?Expensive ? Use of the novel
distance bounding protocol to detect simple relay
attacks (1µs). The complexity falls on the reader.
Ingeniería de Comunicaciones, Universidad de
Málaga
37
THANK YOU FOR YOUR ATTENTION
DISTANCE BOUNDING PROTOCOLS WITH VOID CHALLENGES
FOR RFID
Jorge Munilla. e-mailmunilla_at_ic.uma.es
Dpto. Ingeniería de Comunicaciones
UNIVERSIDAD DE MÁLAGA
Write a Comment
User Comments (0)
About PowerShow.com