
1. Outline 1. Background 1. Attacks on distance-bounding 2. Symmetric vs asymmetric protocol 3. Motivation: DBPK-Log 2. VSSDB 1. Building blocks 2. Protocol.

Dec 21, 2015


Gerald Higgins
Transcript

Page 2

Outline

1. Background
   1. Attacks on distance-bounding
   2. Symmetric vs asymmetric protocol
   3. Motivation: DBPK-Log
2. VSSDB
   1. Building blocks
   2. Protocol
3. Conclusion

Page 3

Objective of distance-bounding

Authentication protocol + proximity testing.

Verifier is trusted, prover is untrusted.

[Figure labels: Range, Legitimate prover, Verifier]

Page 4

Possible applications

Wireless payment

Access control

Marc-Olivier Killijian
In general it is better not to use complete sentences but rather keywords; the sentences are spoken aloud, of course.

Page 5

Distance fraud

A malicious prover wants to cheat on the distance computed by the verifier.

[Figure labels: Range, R-A]

Page 6

Mafia fraud

An attacker relays the communication through a proxy close to a legitimate prover.

Prover is unaware that an attack is taking place.

[Figure labels: Range, R-A, Relay-Attack, Proxy, ATTACKER]

Page 7

Terrorist fraud

A far-away legitimate prover colludes with an adversary located close to the verifier to enable him to authenticate only once.

[Figure labels: Range, R-A, Relay-Attack, Collusion of users]

Page 8

Generic format of a DB protocol

1. Initialization phase (1st lazy phase),
2. Interactive phase (heart of the protocol),
3. Verification phase (2nd lazy phase).

[Figure labels: Verifier, Prover, c, R = F(c), Ts, Tp, Tr, "Distance ="]

Page 9

Symmetric versus asymmetric protocols

Symmetric response function: secret shared between the prover and verifier, R = f_S(c).

Examples of symmetric protocols: Swiss Knife [Kim et al., ICSC 2008], SKI [Boureanu et al., ISC'13], [Gambs et al., AsiaCCS'13], …

Asymmetric response function: the verifier has no access to the prover's secret.

Verification of the challenges uses the homomorphic property of bit commitment.

Only one protocol in the literature: [Bussard and Bagga, SEC 2005]

Page 10

Bussard and Bagga protocol (B&B)

1. Initialization phase
   Prover:
   • Selects k at random,
   • Computes e = x ⨁ k,
   • Computes commitments:
     • ai = commit(ki, ui)
     • bi = commit(ei, vi)

2. Fast bit exchange phase (m rounds)
   Verifier:
   • Sends bit challenge {0,1},
   • Prover replies with ki if 0 or ei if 1.

3. Final verification phase
   • Z=
   • ZKProof(x)[Z ⋀ Y]

[Figure labels: Prover, Verifier; 1. ai, bi; 2. fast bit exchange phase, m rounds; 3. ZKProof(x)[Z ⋀ Y]; Y = F(x); Deduce Z = commit(x, v)]

Page 11

Contributions

B&B-like distance bounding with better resistance to terrorist attack,
Introduction of mode during the fast phase,
Security bounds formally proved.

Page 12

VSSDB

Page 13

Ingredients

(3,3) secret sharing scheme:
• secret is encrypted using two strings k, l into e,
• each bit of the secret is shared in three parts.

Verifiable secret sharing:
• each bit of the secret is verified separately.

Homomorphic bit commitment [Brassard et al., 1988]:
• P, Q primes; N = P × Q and Jacobi(–1/N) = +1,
• S = –1 mod N,
• Commit(b, rand) = S^b × rand^2 mod N,
• Commit(a, rand1) × Commit(b, rand2) = Commit(b ⨁ a, rand3).
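
The homomorphic bit commitment and the per-bit (3,3) sharing listed above, as an added example that is not part of the original slides. The toy primes, the helper names and the XOR combination of the three shares (e = x ⨁ k ⨁ l) are assumptions made for illustration; the product check shows the algebraic identity only, not the protocol's own verification step.

```python
import secrets
from math import gcd

# Constructed toy parameters (far too small for real use). P ≡ Q ≡ 3 (mod 4),
# so -1 is a quadratic non-residue mod N whose Jacobi symbol is +1.
P, Q = 499, 547
N = P * Q
S = N - 1  # S = -1 mod N

def rand_unit():
    """Random r in Z_N^* (hypothetical helper)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

def commit(bit, r):
    """Commit(b, rand) = S^b * rand^2 mod N."""
    return pow(S, bit, N) * pow(r, 2, N) % N

def verify_opening(c, bit, r):
    """Check an opening (bit, r) against commitment c."""
    return bit in (0, 1) and gcd(r, N) == 1 and commit(bit, r) == c

def is_residue(c):
    """Euler criterion; needs the factorisation, so it acts as a trapdoor."""
    return pow(c, (P - 1) // 2, P) == 1 and pow(c, (Q - 1) // 2, Q) == 1

def share_bit(x_i):
    """(3,3) sharing of one bit. XOR combination is an assumption."""
    k, l = secrets.randbits(1), secrets.randbits(1)
    return k, l, x_i ^ k ^ l

def check_bit(x_i, opened):
    """Commit to the three shares of x_i, open one, test both relations."""
    shares = share_bit(x_i)
    rands = [rand_unit() for _ in shares]
    coms = [commit(b, r) for b, r in zip(shares, rands)]
    # The opened share must match its own commitment.
    opening_ok = verify_opening(coms[opened], shares[opened], rands[opened])
    # Homomorphism: the product of the share commitments is a commitment
    # to x_i under the product of the randomness.
    prod_c = coms[0] * coms[1] * coms[2] % N
    prod_r = rands[0] * rands[1] * rands[2] % N
    return opening_ok, verify_opening(prod_c, x_i, prod_r)

if __name__ == "__main__":
    for x in (0, 1):
        print(x, [check_bit(x, j) for j in range(3)])
```

Commitments to 0 are squares mod N and commitments to 1 are non-squares, so no value can be opened both ways (binding). Telling the two apart without P and Q is the quadratic residuosity problem (hiding), which is why `is_residue` needs the factorisation.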

Page 14

Registration phase

Prover Certification Authority (CA):

PrivKey = {Sksign, x} kept secret.

Pubkey = {Comi}, PKSign sent to the verifier.
{Comi}: Comi = Commit(xi, vi), vi = Hi(x).

Page 15

Initialization phase

1. Verifier replies with a nonce.

2. Prover computes session-specific information.

3. Prover computes fresh proof.

4. Verifier checks for the freshness of the proof.

Page 16

Fast bit exchange

5. Verifier starts the clock.

5. Prover replies as soon as possible.

5. Verifier stops the clock.

Page 17

Verification phase

1. Validity of the signature of the transcript,
2. Responses correspond to the commits,
3. Commitments correspond to the secret key.

Page 18

Security analysis

Distance fraud
• Binding of HBCommit,
• modes are chosen by the verifier.

Mafia fraud
• Hiding of HBCommit.

Terrorist fraud?
• GameTF [Fischlin et al., ACNS 2013].

Page 19

GameTF security

Definition: If an attacker succeeds in a terrorist fraud, then he can launch a better mafia fraud attack.

Trapdoor in the prover:

Page 20

Terrorist VSSDB

Page 21

Security bounds

Page 22

Conclusion and future work

We designed an asymmetric distance-bounding protocol provably secure against distance, mafia and terrorist frauds.

Additional contribution: introduction of mode in the response function to avoid responses of more than one bit.

Future work: privacy-preservation, other secret sharing schemes.

Page 23

Contact: [email protected]

Page 24

Attack of Bay and co-authors

Initialization phase:
Attacker:
• Receives z from the malicious prover,
• Selects k and e at random,
• Computes commitments (for the m-1 last rounds):
  • a’i = commit(ki)
  • b’i = commit(ei)
• Computes a’0 for k0 at random.
• b’0= a’0×∏ (a’i×b’i)2i-1× Z-1 mod N.

Challenge-response phase:
• The attacker wins if first challenge = 0.

Final verification phase:
The verification phase is relayed to the prover.

[Figure labels: Attacker, Verifier, Prover; 1. a’i, b’i; 2. fast bit exchange phase; 3. ZKProof; Y = F(S); Deduce Z = F(S); Z]

Page 25

Opening function

Page 26

Attacks on distance bounding

Distance fraud

[Figure labels: Range, R-A, T-A, Legitimate prover]