Relay Attacks and Distance Bounding Protocols in RFID Environments
Prof. Gildas Avoine
Université catholique de Louvain, Belgium
Information Security Group
SUMMARY
RFID Background
Relay Attacks
Distance Bounding Protocols
Conclusion
RFID BACKGROUND
Definition and Architecture
Definition (RFID (Recommandation U.E. 2009))
[RFID] means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio frequency tag or other data stored on it.
[Figure: readers communicating with tags and connected to a back-end system]
Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 4/27
Basic RFID
Supply chain tracking.
◦ Track boxes, pallets, etc.
Libraries.
◦ Improve book borrowing and inventories.
Pet identification.
◦ Replace tattoos by electronic ones.
◦ ISO11784, ISO11785.
Localisation.
◦ Children in amusement parks, elderly people.
◦ Counting cattle.
Evolved RFID
Building access control.
◦ E.g. UCL, MIT.
Automobile ignition key.
◦ E.g. TI DST, Keeloq.
Public transportation.
◦ E.g. Brussels, Boston, Paris, ..., Thalys.
Payment.
◦ E.g. Visa, Baja Beach Club.
Electronic documents.
◦ E.g. ePassports.
Loyalty cards.
Tag Characteristics
[Figure: chart of tag characteristics along seven axes, with overlays labelled Access control and Logistics]
◦ Cost: 10 cents, 50 cents, euros.
◦ Power: active, passive.
◦ Frequency: LF, HF, UHF.
◦ Communication: meters, dm, cm.
◦ Standard: EPC, ISO14443, ISO15693.
◦ Calculation: no, pwd, sym crypto, asym crypto.
◦ Storage: UID, 1 KB, 40 KB.
RELAY ATTACKS
Variant of ISO 9798-2 Protocol 3
Verifier (secret $k$), Prover (secret $k$)
Verifier: pick $N_a$.
Verifier → Prover: $N_a$
Prover: pick $N_b$.
Prover → Verifier: $E_k(N_a, N_b)$
Protocol secure under common assumptions on $E$, $k$, $N_a$, and $N_b$.
Relay Attack
[Figure: a Verifier and a Prover, with two Adversaries between them relaying the messages over 10000 km]
Relay Attack: Definition and Do-Ability
Definition (Relay Attack)
A relay attack is a form of man-in-the-middle where the adversary manipulates the communication by only relaying the verbatim messages between two parties.
Reader starts a timer when sending a message.
◦ To avoid semi-open connections.
◦ The timer is not tight.
Example: ISO 14443 “Proximity Cards”.
◦ Used in most secure applications.
◦ Standard on the low layers (physical, collision-avoidance).
◦ Default timer is around 5 ms.
◦ Prover can require more time, up to 4949 ms.
Practicability: Examples
Radio link over 50 meters (G. Hancke 05).
With some ACR122 (A. Laurie 09).
With NFC cell phones or over Internet (libNFC).
Attacks by Francillon, Danev, Capkun (ETHZ) against passive keyless entry and start systems used in modern cars.
◦ 10 systems tested: none resisted!
DISTANCE BOUNDING PROTOCOLS
Protocol Aims in General Framework
Definition (Distance Checking)
A distance bounding is a process whereby one party is assured:
1. Of the identity of a second party,
2. That the latter is present in the neighborhood of the verifying party, at some point in the protocol.
[Figure: Reader and Tag]
Distance bounding does not avoid relay attacks.
No Fraud
[Figure: Reader, Tag and Adversary]
Fraud
[Figure: Reader, Tag and Adversary]
Distance Bounding Based on the Speed of Light
Measure the round-trip-time (RTT) of a given message.
◦ Provide a bound on the distance.
◦ Idea introduced by Beth and Desmedt [Crypto90].
[Figure: Reader and Tag within the Neighborhood; labels: Computation, Accelerated computation]
◦ Message must be authenticated.
◦ Authentication is time-consuming.
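Hancke and Kuhn’s Protocol: Description
Reader (secret $K$), Tag (secret $K$)
Reader: pick a random $N_a$. Tag: pick a random $N_b$.
Reader → Tag: $N_a$
Tag → Reader: $N_b$
$h(K, N_a, N_b) = \begin{cases} v^0 = 1\,1\,0\,1\,1\,0\,0\,0\,1\,0 \\ v^1 = 0\,1\,1\,1\,1\,0\,0\,1\,0\,0 \end{cases}$
Start of fast bit exchange
for $i = 1$ to $n$:
◦ Reader: pick $C_i \in_R \{0, 1\}$, start clock.
◦ Reader → Tag: $C_i$
◦ Tag: $R_i = \begin{cases} v^0_i, & \text{if } C_i = 0 \\ v^1_i, & \text{if } C_i = 1 \end{cases}$
◦ Tag → Reader: $R_i$
◦ Reader: stop clock.
Check: $\Delta t_i \le t_{\max}$
Check: correctness of $R_i$
End of fast bit exchange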
Mafia Fraud
Definition (Mafia Fraud)
A mafia fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and an honest tag located outside the neighborhood.
Mafia fraud: Desmedt, Goutier, Bengio [Crypto87].
Shamir about Fiat-Shamir protocol [Crypto86]: “I can go to a Mafia-owned store a million successive times and they still will not be able to misrepresent themselves as me.” (The NY Times, February 17, 1987, James Gleick).
A.k.a. relay attack, chess grandmaster, wormhole problem, passive man-in-the-middle, middleman attack...
Fraud (variants)
Definition (Distance Fraud)
Given a distance bounding protocol, a distance fraud is an attack where a dishonest and lonely prover purports to be in the neighborhood of the verifier.
Definition (Terrorist Fraud)
A terrorist fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and a dishonest tag located outside of the neighborhood, such that the latter actively helps the adversary to maximize her attack success probability, without giving to her any advantage for future attacks.
Hancke and Kuhn’s Protocol
Question
1. Mafia fraud: $\left(\frac{3}{4}\right)^n$
2. Terrorist fraud: $1$
3. Distance fraud: $\left(\frac{3}{4}\right)^n$
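An added example, not part of the original slides: a Python simulation of the fast bit exchange that checks the three answers above empirically and shows how the timing check treats an honest tag reached over a relay, under a tight bound versus the loose ISO 14443 timers quoted earlier. HMAC-SHA256 standing in for h, the 1 ns tag processing time, the 1 m neighborhood, the adversary models and all function names are assumptions of this example.

```python
import hashlib
import hmac
import random

C = 299_792_458.0          # speed of light, m/s
KEY = b"constructed-demo-key"   # constructed sample secret K
PROC_S = 1e-9              # assumed tag processing time per round


def registers(key, na, nb, n):
    """Split h(K, Na, Nb) into the n-bit registers v0 and v1.
    Assumption: HMAC-SHA256 plays the role of h, so n <= 128."""
    if not 1 <= n <= 128:
        raise ValueError("n must be in 1..128 with a 256-bit h")
    digest = hmac.new(key, na + nb, hashlib.sha256).digest()
    bits = [(b >> s) & 1 for b in digest for s in range(7, -1, -1)]
    return bits[:n], bits[n:2 * n]


def t_max_for(radius_m, processing_s=PROC_S):
    """Largest round-trip time a tag inside radius_m can produce."""
    return 2 * radius_m / C + processing_s


def fast_phase(v0, v1, respond, rtt_s, t_max_s, rng):
    """Reader side: accept only if every R_i is correct and on time."""
    for i in range(len(v0)):
        c = rng.randrange(2)                     # C_i picked at random
        expected = v1[i] if c else v0[i]
        if respond(i, c) != expected or rtt_s > t_max_s:
            return False
    return True


def honest_tag(v0, v1, rng):
    """R_i = v0_i if C_i = 0, v1_i if C_i = 1. Also models terrorist
    fraud: an accomplice handed v0 and v1 answers exactly like this."""
    return lambda i, c: v1[i] if c else v0[i]


def mafia_model(v0, v1, rng):
    """Analysis model behind (3/4)^n: the adversary knows one register
    bit per round (for a guessed challenge) and guesses otherwise."""
    guesses = [rng.randrange(2) for _ in v0]
    known = [v1[i] if g else v0[i] for i, g in enumerate(guesses)]
    return lambda i, c: known[i] if c == guesses[i] else rng.randrange(2)


def distance_model(v0, v1, rng):
    """Far, dishonest tag replies before seeing C_i: it is certain only
    in rounds where v0_i == v1_i, and guesses in the others."""
    return lambda i, c: v0[i] if v0[i] == v1[i] else rng.randrange(2)


def acceptance_rate(model, n, trials, seed):
    """Fraction of sessions accepted when timing is not the obstacle."""
    rng = random.Random(seed)   # seeded for repeatability, not a CSPRNG
    accepted = 0
    for _ in range(trials):
        na = rng.getrandbits(64).to_bytes(8, "big")
        nb = rng.getrandbits(64).to_bytes(8, "big")
        v0, v1 = registers(KEY, na, nb, n)
        accepted += fast_phase(v0, v1, model(v0, v1, rng), 0.0, 1.0, rng)
    return accepted / trials


def honest_session(path_m, t_max_s, n=32, seed=1):
    """Honest tag at path_m metres (relay link included). Relaying keeps
    every R_i correct; only the round-trip time changes."""
    rng = random.Random(seed)
    v0, v1 = registers(KEY, b"constructed-Na", b"constructed-Nb", n)
    rtt = 2 * path_m / C + PROC_S
    return fast_phase(v0, v1, honest_tag(v0, v1, rng), rtt, t_max_s, rng)


def rounds_needed(target):
    """Smallest n for which (3/4)^n <= target false-accept probability."""
    n, p = 0, 1.0
    while p > target:
        n, p = n + 1, p * 0.75
    return n


if __name__ == "__main__":
    tight = t_max_for(1.0)                        # 1 m neighborhood
    print("tag at 10 cm, tight bound :", honest_session(0.1, tight))
    print("50 m relay, tight bound   :", honest_session(50.0, tight))
    print("50 m relay, 5 ms timer    :", honest_session(50.0, 5e-3))
    print("10000 km relay, 4949 ms   :", honest_session(1e7, 4.949))
    print("mafia model, n=4          :", acceptance_rate(mafia_model, 4, 8000, 1))
    print("distance model, n=4       :", acceptance_rate(distance_model, 4, 8000, 2))
    print("(3/4)^4                   :", 0.75 ** 4)
    print("rounds for 1e-6           :", rounds_needed(1e-6))
```

The timing results show why the bound has to be on the order of nanoseconds: a 50 m relay adds about 333 ns, which a millisecond-scale timer cannot see.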
Current Research Activities
Analysis framework.
Extensive (fair) survey.
[Figure: terrorist fraud, mafia fraud and distance fraud compared in the white-box model and the black-box model]
[Plot: adversary success probability (log scale, 1e-16 to 1) against p, the number of runs (1 to 1e+06), for register lengths n = 20, 40, 60, 80 and 128]
CONCLUSION
Conclusion
Theory is mature.
◦ First protocols analyzed with a pedestrian approach.
◦ Models nowadays exist.
Practice is still young.
◦ Propagation delays are much shorter than processing times.
◦ Considered times are nanoseconds.
◦ Some experiments succeeded (e.g. ETHZ, CEA Leti).
Conclusion
Relay attacks are practicable.
Mifare Plus contains a kind of distance bounding protocol.
Mitigating the problem is perhaps enough.
◦ Adversary also induces some delays.
◦ Thwarting adversaries using commercial readers.
◦ Avoiding long-distance attacks.
Further Reading
Y. Desmedt, C. Goutier, and S. Bengio. Special Uses and Abuses of the Fiat-Shamir Passport Protocol. In CRYPTO’87, vol. 293 of LNCS, pp 21–39, Aug. 1988. Springer.
S. Brands and D. Chaum. Distance-Bounding Protocols. In EUROCRYPT’93, vol. 765 of LNCS, pp 344–359, May 1993. Springer.
G. Hancke and M. Kuhn. An RFID Distance Bounding Protocol. In SecureComm 2005, Sep. 2005. IEEE.
G. Avoine, M. Bingol, S. Kardas, C. Lauradoux, and B. Martin. A Framework for Analyzing RFID Distance Bounding Protocols. Journal of Computer Security, 2010.