Strong Privacy for RFID Systems from Plaintext-Aware Encryption

Similar documents
RADIO Frequency Identification (RFID) technology [1], [2] enables wireless identification of objects

Mutual Authentication in RFID

Cryptography. Andreas Hülsing. 6 September 2016

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Message Authentication ( 消息认证 )

RFID Authentication: Security, Privacy and the Real World

Wide Strong Private RFID Identification based on Zero-Knowledge

Proofs for Key Establishment Protocols

On Privacy for RFID. Serge Vaudenay (B) EPFL, 1015 Lausanne, Switzerland

Information Security

Homework 3: Solution

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Lecture 15: Public Key Encryption: I

Security of Cryptosystems

Goals of Modern Cryptography

Brief Introduction to Provable Security

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

Lecture 8 - Message Authentication Codes

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Code-Based Cryptography McEliece Cryptosystem

On Symmetric Encryption with Distinguishable Decryption Failures

Authenticated encryption

Computer Security CS 526

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model

Lecture 8: Cryptography in the presence of local/public randomness

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Applied Cryptography and Computer Security CSE 664 Spring 2018

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model

Part II Bellare-Rogaway Model (Active Adversaries)

Computational Security, Stream and Block Cipher Functions

On the Security of Group-based Proxy Re-encryption Scheme

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

IND-CCA2 secure cryptosystems, Dan Bogdanov

Key Updates for RFID Distance-Bounding Protocols: Achieving Narrow-Destructive Privacy

CS 395T. Formal Model for Secure Key Exchange

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Lecture 18 - Chosen Ciphertext Security

Hash Proof Systems and Password Protocols

Katz, Lindell Introduction to Modern Cryptrography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Secure Multiparty Computation

An efficient and provably secure RFID grouping proof protocol

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Security & Indistinguishability in the Presence of Traffic Analysis

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Public-Key Encryption

Lecture 3.4: Public Key Cryptography IV

Lightweight Privacy Preserving Authentication for RFID Using a Stream Cipher

Stateful Key Encapsulation Mechanism

ACTION: Breaking the Privacy Barrier for RFID Systems

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Distributed ID-based Signature Using Tamper-Resistant Module

A New RFID Privacy Model

Cryptography. Lecture 03

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Modeling Privacy for Off-Line RFID Systems

Modeling Privacy for Off-line RFID Systems

Foundations of Cryptography CS Shweta Agrawal

Part VI. Public-key cryptography

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

On the Security of a Certificateless Public-Key Encryption

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

1 Defining Message authentication

Applied Cryptography and Computer Security CSE 664 Spring 2017

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Modelling the Security of Key Exchange

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

1 Achieving IND-CPA security

Lecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption

OAEP 3-Round A Generic and Secure Asymmetric Encryption Padding. Asiacrypt '04 Jeju Island - Korea

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

Advanced Cryptography 1st Semester Symmetric Encryption

Block ciphers, stream ciphers

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Defining Encryption. Lecture 2. Simulation & Indistinguishability

1 A Tale of Two Lovers

Definitions and Notations

Feedback Week 4 - Problem Set

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Authenticated Encryption

Cryptography in Radio Frequency Identification and Fair Exchange Protocols

On RFID authentication protocols with widestrong

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Inductive Trace Properties for Computational Security

Auth. Key Exchange. Dan Boneh

Transcription:

Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong privacy CANS 2012 1 / 32

Our Problem Tag who s there? ZUKTHPFBVI System that s tag ID=38925629 one system (may include several readers), many tags tags: passive (no battery), limited capabilities, not tamper-proof primary concern (industry driven): security if System identifies tag ID, it must be tag ID secondary concern (user driven): privacy tags could only be identified/traced/linked by System problem: formal model SV strong privacy CANS 2012 2 / 32

A Typical Protocol Tag System key: S {...,(ID,K ),...} r = Alg(S,c;coins) c=challenge r=response pick ρ, c = Gen(ρ) find (ID,K ) s.t. Ver(K,ρ,r) output: ID stateless 2-round SV strong privacy CANS 2012 3 / 32

1 Towards a Formal Model 2 Definitions and Results 3 Strong Privacy is Possible SV strong privacy CANS 2012 4 / 32

1 Towards a Formal Model 2 Definitions and Results 3 Strong Privacy is Possible SV strong privacy CANS 2012 5 / 32

ISO/IEC 9798-2 2-Pass Unilateral Authentication Tag System state: K {...,(ID,K ),...} a pick a c = Enc K (a) c find (ID,K ) s.t. c = Enc K (a) output: ID pro stateless, symmetric crypto con replay attack tag traceability SV strong privacy CANS 2012 6 / 32

Variant Tag System state: K {...,(ID,K ),...} pick b a pick a c = Enc K (a,b) b,c find (ID,K ) s.t. c = Enc K (a,b) output: ID pro stateless, symmetric crypto, secure, weak privacy con tag corruption tag traceability SV strong privacy CANS 2012 7 / 32

Evolution of Privacy Protocols early: did not address corruption or result channel OSK03: corruption at the end only (forward privacy) ADO06: early corruption considered JW06: result channel considered Vau07: 2 4 matrix (result channel corruption model) SV strong privacy CANS 2012 8 / 32

1 Towards a Formal Model 2 Definitions and Results 3 Strong Privacy is Possible SV strong privacy CANS 2012 9 / 32

RFID Scheme Components: System = (stateless) Reader securely connected (stateful) Database SetupReader (K S,K P ): generate keys (K S,K P ), store in Reader, and empty database SetupTag KP (ID) (K,S): S is an initial state for tag ID (ID, data) is to be inserted in database Protocols: Functionality: Tag Reader Database (S) K S db output output: tag ID (if valid) or (if not) correctness: identification under normal execution SV strong privacy CANS 2012 10 / 32

Adversarial Model ID 1,ID 2,ID 3 CreateTag free tags ID 1 ID 2 ID 3 distr vtag 3 Adversary reader vtag 1 (ID 2 ) vtag 2 (ID 1 ) vtag 3 (ID 3 ) SV strong privacy CANS 2012 11 / 32

Oracle Accesses DrawTag. (vtag, ID). distr vtag, bit CreateTag ID bit π Launch SendTag vtag, mes mes vtag Adversary vtag state π,mes mes π bit SendReader Free Corrupt Result SV strong privacy CANS 2012 12 / 32

Security Wining condition: one reader-protocol instance π identified ID but this tag did not have any matching conversation (i.e. same transcript and well interleaved messages). Definition An RFID scheme is secure if for any polynomially bounded adversary the probability of success is negligible. SV strong privacy CANS 2012 13 / 32

Privacy Adversary A CrTag, Free, Corrupt Launch, Send, Result DrawTag table true/false Wining condition: the adversary outputs true Problem: there are trivial wining adversaries (e.g. an adversary who always answers true) SV strong privacy CANS 2012 14 / 32

Blinders CrTag, Free, Corrupt A B Launch, Send, Result DrawTag table true/false Definition A blinder is an interface between the adversary and the oracles that passively looks at communications to CreateTag, DrawTag, Free, and Corrupt queries simulates the oracles Launch, SendReader, SendTag, and Result SV strong privacy CANS 2012 15 / 32

Privacy CrTag, Free, Corrupt A Launch, Send, Result DrawTag table B A true/false true/false Definition An RFID scheme protects privacy if for any polynomially bounded A there exists a polynomially bounded blinder B such that Pr[A wins] Pr[A B wins] is negligible. SV strong privacy CANS 2012 16 / 32

Privacy Models corrupt (strong) destructive corrupt (destructive) final corrupt (forward) no corrupt (weak) reader output no reader output (narrow) strong destructive forward weak narrow strong narrow narrow destructive forward narrow weak SV strong privacy CANS 2012 17 / 32

Challenge-Response RFID Scheme Tag System state: K {...,(ID,K ),...} pick b a pick a c = F K (a,b) b,c find (ID,K ) s.t. c = F K (a,b) output: ID Theorem Assuming that F is a pseudorandom function, this RFID scheme is correct secure weak private no forward privacy: trace tag by corrupting it in the future SV strong privacy CANS 2012 18 / 32

Narrow-Weak Privacy Implies One-Way Function Theorem An RFID scheme that is correct narrow-weak private can be transformed into a one-way function. no privacy without any crypto! Proof idea: 1 the function mapping the initial states and random coins to the protocol transcript must be one-way (otherwise compute new states and identify in future sessions) SV strong privacy CANS 2012 19 / 32

Modified OSK Tag System state: S {...,(ID,K ),...} a pick a c = F(S,a) c find (ID, K ) s.t. replace S by G(S) c = F(G i (K ),a) and i < t replace K by G i (K ) output: ID Theorem Assuming that F and G are random oracles, this RFID scheme is correct secure narrow-destructive private no privacy with a side channel: DoS [JW 2006] SV strong privacy CANS 2012 20 / 32

Public-Key-Based RFID Scheme Tag state: K P,ID,K c = Enc KP (ID K a) a c System secret key: K S {...,(ID,K ),...} pick a Dec KS (c) = ID K a check a, (ID,K ) output: ID Theorem Assuming that Enc/Dec is an IND-CCA public-key cryptosystem, this RFID scheme is correct secure narrow-strong and forward private SV strong privacy CANS 2012 21 / 32

Narrow-Strong Privacy Implies Public-Key Cryptography Theorem An RFID scheme that is correct narrow-strong private can be transformed into a secure key agreement protocol. no narrow-strong privacy without public-key crypto! Proof idea: 1 Alice creates two legitimate tags 0 and 1, sends their states to Bob, and simulate the system for Bob 2 Bob flips a bit b and simulate tag b to Alice 3 Alice identifies b which is an agreed key bit SV strong privacy CANS 2012 22 / 32

Caveat: Not Destructive Private 1: CreateTag(0) 2: vtag 0 DrawTag(0) 3: S 0 Corrupt(vtag 0 ) 4: (,S 1 ) SetupTag KP (1) 5: flip a coin b {0,1} 6: π Launch 7: simulate a tag of state S b with reader instance π 8: x Result(π) 9: if T (x) = b then 10: output true 11: else 12: output false 13: end if We have Pr[A wins] 1. A blinder who computes x translates into an IND-CPA adversary against the public-key cryptosystem, thus Pr[A B wins] 1 for any B. 2 Hence, A is a significant destructive adversary. SV strong privacy CANS 2012 23 / 32

Strong Privacy is Infeasible Theorem An RFID scheme cannot be correct narrow-strong and destructive private at the same time. no strong privacy! SV strong privacy CANS 2012 24 / 32

Results about Privacy Models (2007 Version) corrupt destructive corrupt final corrupt no corrupt reader output impossible?? doable with doable with PK-crypto PRF no reader output equiv to doable PK-crypto in ROM equiv to PRF possible: (PRF) (ROM) (PKC) impossible: (w/o KA) SV strong privacy CANS 2012 25 / 32

1 Towards a Formal Model 2 Definitions and Results 3 Strong Privacy is Possible SV strong privacy CANS 2012 26 / 32

Impossibility Proof take the following adversary (for destructive privacy) 1: (,S 0 ) SetupTag KP (0) 2: CreateTag(1) 3: vtag DrawTag(1) 4: S 1 Corrupt(vtag) (destroy it) 5: flip a coin b {0,1} 6: π Launch 7: simulate tag of state S b with π 8: x Result(π) 9: output 1 x=b a blinder B for this advesary gets S 1, simulate reader interacting with b = 0 or 1 and can guess b B defines an adversary (for narrow-strong privacy) 1: create tag 0 and tag 1 2: draw both tags 3: corrupt both tags and get their states S 0 and S 1 4: free both tags 5: draw a random tag: vtag DrawTag(0 or 1) 6: simulate B with input K P, S 1, and interacting with vtag and get bit x 7: output 1 T (vtag)=x SV strong privacy CANS 2012 27 / 32

Ng-Susilo-Mu-Safavi-Naini 2008 not strong private because the adversary asks questions for which he knows the answer but the blinder cannot guess it notion of wise adversary (cannot ask question for which he knows the answer) we take a different approach: we let the blinder be able to read the adversary s thoughts SV strong privacy CANS 2012 28 / 32

New Blinders CrTag, Free, Corrupt A B Launch, Send, Result DrawTag table true/false Definition A blinder is an interface between the adversary and the oracles that passively looks at communications to CreateTag, DrawTag, Free, and Corrupt queries simulates the oracles Launch, SendReader, SendTag, and Result see the adverary s random coins SV strong privacy CANS 2012 29 / 32

Public-Key-Based RFID Scheme Tag state: K P,ID,K c = Enc KP (ID K a) a c System secret key: K S {...,(ID,K ),...} pick a Dec KS (c) = ID K a check a, (ID,K ) output: ID Theorem Assuming that Enc/Dec is a PA2+IND-CPA public-key cryptosystem, this RFID scheme is correct secure strong private SV strong privacy CANS 2012 30 / 32

PA2 Trick PA2 means for all valid ciphertexts form the adversary, either it is reused or the adversary must know the plaintext (Bellare-Palacio 2004) know the plaintext = blinder can get it be reading his thoughts PA2 needed because the blinder must simulate Result by decrypting ciphertexts forged by the adversary (they could be based on corrupted states) SV strong privacy CANS 2012 31 / 32

Conclusion corrupt final corrupt no corrupt reader output doable with doable with doable with PA-crypto PK-crypto PRF no reader output equiv to PK-crypto doable in ROM equiv to PRF we have a good framework to study privacy strong privacy is possible, but only with PK-crypto some open problems forward privacy based on PRF (or ROM)? narrow-forward privacy based on PRF (no ROM)? separation with a concurrent model based on indistinguishability SV strong privacy CANS 2012 32 / 32

Q & A

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback