1
Dec 21, 2015
1
Outline1. Background
1. Attacks on distance-bounding2. Symmetric vs asymmetric protocol3. Motivation: DBPK-Log
2. VSSDB1. Building blocks2. Protocol
3. Conclusion
2
Objective of distance-boundingAuthentication protocol + proximity testing
Verifier is trusted, prover is untrusted.
3
Range
Legitimate prover
Verifier
Possible applications
4
Wireless payment
Access control
Range
R-A
Distance fraudA malicious prover
want to cheat on the distance computed by the verifier.
Range
R-A
Prover is unaware that an attack is taking place.
Relay-Attack
Proxy
ATTACKER
Mafia fraudAn attacker relay the
communication through a proxy close to a legitimate prover.
Range
R-A
Relay-Attack
Collusion of users
Terrorist fraudA far away legitimate
prover colludes with an adversary located close to the verifier to enable him to authenticate only once.
Generic format of a DB protocol1. Initialization phase (1st lazy phase),2. Interactive phase (heart of the protocol),
3. Verification phase (2nd lazy phase).
8
c
R= F(c)
Ts
Distance =
ProverVerifier
Tp
Tr
Symmetric versus asymmetric protocolsSymmetric response function: secret shared
between the prover and verifier,R=fS(c).
Examples of symmetric protocols : Swiss Knife [Kim et al., ICSC 2008], SKI [Boreanu et al, ISC’13], [Gambs et al, AsiaCCS’13], …
Asymmetric response function: the verifier has not access to the prover’s secret.
Verification of the challenges uses homomorphic property of bit commitment.
Only one protocol in the litterature: [Bussard and Bagga, SEC 2005]
9
Bussard and Bagga protocol (B&B)
10
1. Initialization phase
Prover: •Selects k at random,•Computes e = x k⨁•Computes commitment :
• ai = commit(ki,ui)• bi = commit(ei,vi)
1. ai, bi
ProverVerifier
3. Final verification phase•Z=•ZKProof (x)[Z y]⋀3. ZKProof(x)[Z⋀Y]
2. Fast bit exchange phaseVerifier:•Sends bit challenge {0,1},•Prover replies with ki if 0 or ei if 1.
2. fast bit exchange phase
bi
m rounds
Y=F(x)
Deduce Z=commit(x,v)
ContributionsB&B-like distance bounding with better
resistance to terrorist attack,Introduction of mode during the fast phase,Security bounds formally proved.
11
VSSDB
12
Ingredients
13
(3,3) secret sharing scheme:secret is encrypted using two strings k, l into e,each bit of the secret is shared in three parts,
Verifiable secret sharing:each bit of the secret is verified separately,Homomorphic bit commitment [Brassard et al, 1988]:P, Q primes;N=P×Q and Jacobi(–1/N)= +1,S = –1 mod N,Commit(b,rand)= Sb × rand2 mod N,Commit(b,rand2)× Commit(b,rand2)= Commit(b⨁a,rand3)
Registration phaseProver Certification Authority (CA):
PrivKey={Sksign,x} kept secret.
Pubkey={Comi},PKSign sent to the verifier. {Comi}, Comi=Commit(xi,vi), vi=Hi(x).
14
Initialization phase
15
2. Prover computes session specific information.
1. Verifier replies with a nonce.
3. Prover computes fresh proof.
4. Verifier checks for the freshness of the proof.
Fast bit exchange
16
5. Verifier starts the clock.
5. Verifier stops the clock.
5. Prover replies as soon as possible.
Verification phase
17
1.Validity of the signature of the transcript,
2.Responses correspond to the commits,3.Commitments corresponds to the secret
key.
Security analysisDistance fraud
Binding of HBCommit,mode are chosen by the verifier.
Mafia fraudHiding of HBCommit,
Terrorist fraud ?GameTF [Fischlin et al., ACNS 2013].
18
GameTF securityDefinition: If an attacker succeeds in a
terrorist fraud then he can launch better mafia fraud attack.
Trapdoor in the prover:
19
Terrorist VSSDB
20
Security bounds
21
Conclusion and future work
We designed an asymmetric distance-bounding provably secure against distance, mafia and terrorist frauds.
Additional contribution: Introduction of mode in the response function to avoid response of more than one bit.
Future work: privacy-preservation, other secret sharing schemes.
22
23Contact: [email protected]
Attack of Bay and co-authors
2424
Initialization phase:Attacker:•Receives z form the malicious prover •Selects k and e at random,•Computes commitment (for the m-1 last rounds) :
• a’i = commit (ki)• b’i=commit (ei)
•Computes a’0 for k0 at random.
•b’0= a’0×∏ (a’i×b’i)2i-1× Z-1 mod N.
1. ai’, b’i
Attacker
Verifier
3. ZKProof
2. fast bit exchange phase
Final verification phase:The verification phase is relayed to the prover.
Y=F(S)
Deduce Z=F(S)
Prover
Z
Challenge-response phase:•The attacker wins if first challenge=0.
Opening function
25
Attacks on distance boundingDistance fraud
Range
R-A
T-A
Legitimate prover