Page 1
PUBLIC-KEY DISTANCE BOUNDING AND ITS APPLICATION ON CONTACTLESS ACCESS CONTROL
Handan Kılınç
[email protected]
Presentation at FutureDB - Distance-bounding: past, present, future
*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
Page 2
2
OUTLINE
✓ EFFICIENT PUBLIC-KEY DB PROTOCOL
  Introduction
  Weak-authenticated Key Agreement
  Eff-pkDB and its private variant
  Comparison
✓ ACCESS CONTROL WITH DB
  Introduction
  Security and Privacy model for AC
  Our Framework
  Conclusion
Page 5
4
INTRODUCTION: DISTANCE BOUNDING
The prover authenticates and proves its proximity.
(Figure: Prover and Verifier)
Page 6
INTRODUCTION
Symmetric Distance Bounding: The prover and the verifier share a secret
Public-key Distance Bounding: The prover has its own secret/public key and the public-key of the verifier
5
Page 10
INTRODUCTION: PROBLEMS IN PUBLIC-KEY DB
6
Public-key operations are slower than symmetric-key operations.
The devices have limited computational resources.
Goal: construct an efficient and secure public-key distance bounding protocol.
Page 12
STRONG PRIVACY IN DB: HPVP*
7
We have provers P1, P2, P3, …, Pn and the adversary A. A can corrupt the provers: it learns the secret keys of the corrupted provers.
As a challenge, A picks two provers Pi, Pj.
The challenger picks one of them as a virtual tag and gives the virtual prover to A.
A can send messages to the virtual tag.
A can send messages to the verifier.
If A can recognize the virtual tag, then he wins the game.
A DB protocol is strong private if A wins the above game with negligible advantage.
* J. Hermans, A. Pashalidis, F. Vercauteren, and B. Preneel. A new RFID privacy model. In ESORICS, 2011
Page 15
AN OVERVIEW OF OUR PROTOCOL
8
Agree on a key s using a key agreement (KA) protocol.
Run a symmetric DB with s.
What security properties do we need from the key agreement protocol in order to obtain a MiM-, DF- and DH-secure and strong private DB protocol?
KA      | Efficiency | Security
MQV     | 2.5        | No proof
HMQV    | 2.5        | CK
KEA+    | 3          | CK
NAXOS   | 4          | eCK
CMQV    | 3          | eCK
Page 21
AUTHENTICATED KEY AGREEMENT: ONE PASS
10
(Figure: the one-pass key agreement between the two parties)
*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016
Page 31
DECISIONAL-AUTHENTICATED KEY AGREEMENT (D-AKA)
11
(Figure: Challenger and Adversary)
The challenger generates the key pairs and picks b ∈ {0,1}.
The adversary can access the oracles except (…).
The adversary outputs b'; if b' = b, it wins.
A one-pass AKA is D-AKA secure if the adversary's advantage in winning this game is negligible.
Page 43
D-AKA PRIVACY GAME
12
(Figure: Challenger and Adversary)
The challenger generates the key pairs and picks b ∈ {0,1}.
The adversary outputs b'; if b' = b, it wins.
A one-pass AKA is D-AKA private if the adversary's advantage in winning this game is negligible.
Page 50
NONCE-DH: D-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL
13
(Figure: the two parties and their keys)
Public parameters: a group, its order, and a fixed element of the group.
Each party holds a secret key and the corresponding public key.
Pick a nonce in {0,1}^ℓ and send it; both parties derive the session key from the nonce, the public parameters and the keys.
Nonce-DH is D-AKA secure and private in the random oracle model assuming that the Gap Diffie-Hellman problem is hard.
KA       | Efficiency | Security
MQV      | 2.5        | No proof
HMQV     | 2.5        | CK
KEA+     | 3          | CK
NAXOS    | 4          | eCK
CMQV     | 3          | eCK
Nonce-DH | 1          | D-AKA
Page 52
EFF-PKDB
15
(Figure: Verifier and Prover)
Agree on s with the key agreement protocol; run symDB(s); the verifier outputs Out.
Page 53
SECURITY OF EFF-PKDB
16
MiM security: if symDB is multi-verifier OT-MiM secure and the key agreement protocol is D-AKA secure, then Eff-pkDB is MiM-secure.
DF security: if symDB is DF-secure, then Eff-pkDB is DF-secure.
DH security: if symDB is OT-MiM-secure and OT-DH-secure, and the key agreement protocol is D-AKA secure, then Eff-pkDB is DH-secure.
Page 54
STRONG PRIVATE VARIANT OF EFF-PKDB
17
(Figure: Verifier and Prover)
The prover's key agreement message is sent encrypted under the IND-CCA cryptosystem; the verifier decrypts it, derives s, runs symDB(s) and outputs Out.
The prover's public key is a private output.
Assuming the key agreement protocol is D-AKA-private and the cryptosystem is IND-CCA secure, the variant of Eff-pkDB is strong private in the HPVP model.
Page 55
AN INSTANCE OF EFF-PKDB: NONCE-DH + OTDB*
18
(Figure: Verifier and Prover)
Public parameters: a group, its order, and a fixed element of the group; each party holds a secret key and the corresponding public key.
Nonce-DH: the prover picks a nonce in {0,1}^ℓ, derives s from it together with the public parameters and the keys, and sends the nonce and its public key; the verifier derives the same s.
OTDB with key s: a random string in {0,1}^{2n} is XORed with s to obtain the pad; for each round the verifier starts its timer, sends the challenge, receives the response and ends the timer.
Check if for every round the timer is below 2B and the response is correct; output Out.
* S. Vaudenay, Private and Secure Distance Bounding: Application to NFC Payment, FC 2015
Page 57
COMPARISON
20
Protocol | Security | Privacy | PK operations | Number of computations
Brands-Chaum | MiM, DF | No privacy | 1 commitment, 1 signature | 1 EC multiplication, 2 hashing, 1 modular inversion, 1 random string selection
HPO (Hermans et al.) | MiM, DF | Weak | | 4 EC multiplication, 2 random string selections, 2 mappings
PrivDB (Vaudenay) | MiM, DF, DH | Strong | 1 signature, 1 IND-CCA encryption | 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 modular inversion, 1 mapping, 1 MAC
ProProx (Vaudenay) | MiM, DF, DH, TF | No privacy | n+1 commitments, n ZK proofs |
eProProx (Vaudenay) | MiM, DF, DH, TF | Strong | 1 encryption, n+1 commitments, n ZK proofs |
TREAD (Avoine et al.) | MiM, DF, DH, TF* | Strong | 1 signature, 1 IND-CCA encryption | 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 modular inversion, 1 mapping, 1 MAC
Eff-pkDB | MiM, DF, DH, (TF*) | No privacy | 1 D-AKA secure KA protocol | 1 EC multiplication, 2 hashing, 1 random string selection
Private variant of Eff-pkDB | MiM, DF, DH, (TF*) | Strong | 1 IND-CCA encryption, 1 D-AKA secure KA protocol | 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 MAC
* ECDSA for the signature scheme and ECIES for the IND-CCA secure encryption scheme
Page 59
INTRODUCTION: PREVIOUS WORKS
22
Smart Card Alliance: defines the components (controller, database, reader and tag) and defines security in an informal way.
PLAID* and OPACITY**: based on establishing a secret key and mutual authentication.
Privacy is an important issue in access control.
* C. A. governments Department of Human Services (DHS). Protocol for lightweight authentication of identity (PLAID), 2010.
** S. C. Alliance. Industry technical contributions: Opacity, 2013
Page 60
INTRODUCTION: THE STRUCTURE (CONTROLLERS, READERS, TAGS)
23
(Figure: controllers, readers and tags)
Page 65
24
INTRODUCTION: COMPOSITION WITH DB
(Figure: Tag, Reader and Controller running an AC protocol composed with a DB protocol)
Is this natural composition secure and private?
Page 71
ACCESS CONTROL: CONTACTLESS AC PROTOCOL
Parties: Controller and Database, Reader, Tag.
GenC → (skC, pkC); GenT → (skT1, pkT1), (skT2, pkT2), …, (skTk, pkTk)
C(skC, pkC, DataB, B)   R(locR)   T(skT, pkT, pkC, req)
Outputs: OutR, OutC; private output of the controller POutC = (pkT, locR, req)
DataB = {(pk1, locRi, reqx), (pk2, locRj, reqy), ..., (pkk, locRi, reqx)}
Page 81
27
ACCESS CONTROL: ADVERSARIAL AND COMMUNICATION MODEL
Tags are honest. The channel between the readers and the controller is secure and authenticated.
The adversary can create the database and create fake tags.
The adversary can Activate(req) a tag, which then sends req; it can Move(loc') a tag and Terminate it.
It can intercept, observe and replace the messages between readers and tags. It can create many instances of each party.
Page 85
28
ACCESS CONTROL: AC-GAME
GenC → (pkC, skC); GenT → {(pkTi, skTi)}; the adversary receives {pkTi} and pkC.
The adversary creates fake tags {(s̃kT, p̃kT)} and creates DataB, which is given to the controller.
Page 96
29
ACCESS CONTROL: AC-GAME
(Figure: readers R interacting with honest tags T and fake tags T̃)
GenC → (pkC, skC); GenT → {(pkTi, skTi)}; DataB
A reader outputs OutR = 1 and the controller's private output is POutC = (pk, loc, req).
The adversary wins if one of the following conditions is satisfied:
POutC = (pk, loc, req) ∉ DataB
(MiM) pk is an honest tag's key and there is no close honest tag
(DH) pk is a fake tag's key and there is no close fake tag
Page 105
30
ACCESS CONTROL: PRIVACY
The challenger picks b ∈ {ℓ, r}.
Draw(Ti, Tj): the adversary can pair tags Ti and Tj provided that Ti and Tj are at the same location and Ti and Tj have the same access privileges.
Example pairings: Pair(3,4), Pair(5,8), Pair(1,7), Pair(2,9), Pair(6,6)
On Pair(5,8): if b = r simulate T5, else simulate T8.
The adversary outputs b'; it wins if b' = b.
Page 116
32
AC WITH DB: OUR FRAMEWORK
Controller (skC, pkC, DataB, B)   Reader (locR)   Tag (skT, pkT, pkC, req)
Tag → Reader: req
Reader → Controller: req, locR
Run DB = (KV, KP, P, V, B): the controller runs V(skC, pkC) and the tag runs P(skT, pkT)
V outputs Out, pk
If (pk, locR, req) ∈ DataB: OutC = Out and POut = (pk, locR, req); else OutC = 0
Controller → Reader: OutC; the reader outputs OutC
Page 119
33
AC WITH DB: SECURITY AND PRIVACY OF OUR FRAMEWORK
SECURITY: assuming that the DB protocol is MiM-secure and DH-secure, an AC protocol built from this DB protocol with our framework is a secure AC protocol.
PRIVACY: assuming that the DB protocol is a private DB, an AC protocol built with our framework is a private AC protocol when DataB is trivial (empty or containing all possible triplets).
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
Page 136
34
AC WITH DB: PRIVACY
Given DB = (KP, KV, P, V, B), define DB' = (KP, KV, P', V', B):
V'(skV, pkV): run V(skV, pkV).
P'(skP, pkP, pkV): flag = 0; receive flag; if flag = 1 and pkP is odd then KP → (sk'P, pk'P) and (skP, pkP) ← (sk'P, pk'P); run P(skP, pkP, pkV).
AC protocol using DB' with our framework: DataB = {(pk1, locR, req), (pk2, locR, req)}, where pk1 is odd and pk2 is even.
The adversary queries Pair(1,2) and makes the tag receive flag = 1 instead of flag = 0; the reader outputs OutR.
If OutR = 1 output b' = ℓ, else output b' = r.
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
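The framework of slide 32 and the DB' counterexample above as a runnable toy, added here and not the authors' code: the DB run is an abstract stand-in (no timed exchange; proximity is a boolean parameter), and the toy key generation, the party names and the reading of Pair(i,j) (b = r selects Ti, else Tj) are assumptions.

```python
"""Toy simulation of the AC framework on top of a distance-bounding (DB) protocol and of
the DB' privacy counterexample. Added example, not the authors' code: the DB protocol is
an abstract stand-in (no timed exchange; `close` simulates the proximity test), key
generation is a toy, and the Pair(i, j) reading (b = 'r' selects Ti, else Tj) is assumed."""
import secrets
from dataclasses import dataclass

P_MOD = 2**61 - 1   # toy group modulus (constructed; no security claim)
G = 3               # toy group element
ALL = object()      # sentinel: DataB contains all possible triplets (trivial database)


def k_p():
    """KP: toy key generation, pk = G^sk mod P_MOD."""
    sk = secrets.randbelow(P_MOD - 2) + 1
    return sk, pow(G, sk, P_MOD)


def k_p_with_parity(odd):
    """Key pair whose public key has the requested parity (reproduces 'pk1 is odd, pk2 is even')."""
    while True:
        sk, pk = k_p()
        if pk % 2 == (1 if odd else 0):
            return sk, pk


@dataclass
class Tag:
    """T(skT, pkT, pkC, req); pkC is omitted because the stand-in DB never uses it."""
    sk: int
    pk: int
    req: str


def run_db(tag, close, primed=False, flag=0):
    """Stand-in for running DB = (KV, KP, P, V, B) between the controller's V and the tag's P.
    Returns (Out, pk) as V outputs them. With primed=True the tag runs P' of DB': it first
    receives flag and, if flag = 1 and its pk is odd, replaces its key pair before running P."""
    sk, pk = tag.sk, tag.pk
    if primed and flag == 1 and pk % 2 == 1:
        sk, pk = k_p()
    # V accepts if the prover holds the sk behind pk (checked directly, which is the
    # abstraction) and the proximity test passes (simulated by `close`).
    out = 1 if (pow(G, sk, P_MOD) == pk and close) else 0
    return out, pk


def controller_decide(data_b, loc_r, req, out, pk):
    """Controller step of the framework: OutC = Out only if (pk, locR, req) is in DataB."""
    if data_b is ALL or (pk, loc_r, req) in data_b:
        return out, (pk, loc_r, req)      # OutC and the private output POut
    return 0, None


def ac_protocol(data_b, loc_r, tag, close, primed=False, flag=0):
    """Framework: tag sends req, reader forwards (req, locR), DB runs, the controller
    checks DataB and the reader outputs OutC. Returns OutR."""
    out, pk = run_db(tag, close, primed, flag)
    out_c, _pout = controller_decide(data_b, loc_r, tag.req, out, pk)
    return out_c


def adversary_guess(data_b, t1, t2, loc_r, b, primed):
    """Privacy game with Pair(1,2): if b = 'r' the challenger simulates T1, else T2.
    The adversary makes the tag receive flag = 1 and guesses b' = 'l' iff OutR = 1."""
    simulated = t1 if b == 'r' else t2
    out_r = ac_protocol(data_b, loc_r, simulated, close=True, primed=primed, flag=1)
    return 'l' if out_r == 1 else 'r'


def adversary_wins_always(data_b, t1, t2, loc_r, primed):
    """True when the adversary's guess equals b for both choices of b."""
    return all(adversary_guess(data_b, t1, t2, loc_r, b, primed) == b for b in ('l', 'r'))


def build_scenario(loc_r="door-1", req="open"):
    """Slide setup: two honest tags at the same location with the same privilege,
    pk1 odd and pk2 even (constructed sample data)."""
    t1 = Tag(*k_p_with_parity(odd=True), req)
    t2 = Tag(*k_p_with_parity(odd=False), req)
    data_b = {(t1.pk, loc_r, req), (t2.pk, loc_r, req)}
    return data_b, t1, t2, loc_r


if __name__ == "__main__":
    data_b, t1, t2, loc_r = build_scenario()
    print("DB,  non-trivial DataB:", adversary_wins_always(data_b, t1, t2, loc_r, False))
    print("DB', non-trivial DataB:", adversary_wins_always(data_b, t1, t2, loc_r, True))
    print("DB', trivial DataB    :", adversary_wins_always(ALL, t1, t2, loc_r, True))
```

With DB' and the two-entry DataB the guess is always right, while with the original DB, or with a trivial DataB (empty or all triplets), both tags produce the same OutR and the adversary learns nothing.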
Page 137
35
AC WITH DB: EFF-AC (AN INSTANTIATION OF OUR FRAMEWORK)
(Figure: the Eff-AC protocol)
Page 140
37
CONCLUSION
We define an integrated security model for AC including identification, access control, and distance bounding.
We give a framework that clarifies how to use a secure DB to construct a secure AC in our new security model.
We show that the same framework can be used to achieve privacy in AC, with restrictions on the database of the AC system.
*’Secure Contactless Payment’ will appear in ACISP 2018
Page 141
EFF-PKDB WITH SIM-TF
38