Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum...
Transcript of Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum...
![Page 1: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/1.jpg)
Distance Hijacking Attacks onDistance Bounding Protocols
Cas CremersETH Zurich
Kasper Rasmussen, Benedikt Schmidt, Srdjan CapkunKasper Rasmussen, Benedikt Schmidt, Srdjan CapkunJoint work with:Joint work with:
![Page 2: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/2.jpg)
2
Distance Bounding
![Page 3: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/3.jpg)
3
Distance Bounding Protocols
● Objective: ensure proximity
● Protocol with two roles: Prover and Verifier
● Verifier obtains an upper bound on the distance to the prover
● Guarantee also holds if the prover is malicious
![Page 4: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/4.jpg)
4
Distance bounding for network access
![Page 5: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/5.jpg)
5
Phase 2:Fast response phase
Phase 3:Finalize
Phase 1:Setup
Brands and Chaum protocol (1993)
ProverVerifier
nv
nv xor np
fresh np
fresh nv
Verify commitand signature
Measureresponse time
commit(np)
np, sign(P, <nv, nv xor np>)
![Page 6: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/6.jpg)
6
Threats considered in protocol proposals
Mafia Fraud● External attacker modifies
distance of honest prover
Distance Fraud● Dishonest prover modifies
his own distance
Terrorist Fraud● Dishonest prover collaborates
with closer attacker to modify his distance
![Page 7: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/7.jpg)
7
What about other honest provers?
![Page 8: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/8.jpg)
8
Phase 2:Fast response phase
Distance Hijacking attack on B&C
Honest P'V
nv
nv xor np
fresh np
fresh nv
Verify commitand signature
Measureresponse time
commit(np)
Dishonest P
np, sign(P,<nv, nv xor np>)
![Page 9: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/9.jpg)
9
Distance Hijacking
A Distance Hijacking attack is an attack in which a dishonest prover P exploits one or more honest parties to provide a verifier V with false information about the distance between P and V.
![Page 10: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/10.jpg)
10
Scope
About half of the investigated protocols vulnerable● Brands and Chaum
based designs usually vulnerable
● Hancke & Kuhn based designs seem okay
Protocol DH-attack?
Brands and Chaum (Fiat-Shamir) Yes
Brands and Chaum (Schnorr) Yes
Brands and Chaum (signature) Yes
Bussard and Bagga -
CRCS Yes
Hancke and Kuhn -
Hitomi -
KA2 -
Kuhn, Luecken, Tippenhauer Yes
MAD Yes
Meadows et al for F(..) = <NV,NP xor P> Yes
Munilla and Peinado -
Noise resilient MAD Yes
Poulidor -
Reid et al. -
Swiss-knife -
Tree -
WSBC+DB Yes
WSBC+DB Noent Yes
![Page 11: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/11.jpg)
11
Fixing the problem
● Secure channel (TLS) does not help here● Cannot use cryptography during fast response● Protocols that use secure channels in the other
phases may still be vulnerable
● Fixes logically bind fast response to other phases● Involve identity in response● Bind identity to nonce in Phase 1● Fixes do not require additional cryptography
Phase 2:Fast response phase
Phase 3:Finalize
Phase 1:Setup
![Page 12: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/12.jpg)
12
Formal model
● We extended Basin et al. [TPHOLs'09]
● Hybrid symbolic model● Also captures bit-level overshadowing attacks
– adversary flips some bits of an unknown message● Formalization in Isabelle/HOL
● Used to show that our fixes prevent the found attacks
(Details in the paper; theory files publicly available)
![Page 13: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/13.jpg)
13
Multiple protocols
Interaction between protocols with similar fast response hardware can lead to attacks● Similar to "chosen protocol" or "multi-protocol" attacks"● ALL protocols vulnerable
GOOD protocolBAD prot.
Honest P' card with bad protocol
Server runs good protocol Attacker uses P cardwith good protocol
![Page 14: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/14.jpg)
14
Are all attacks now covered?
Mafia Fraud
Terrorist Fraud
Distance Fraud
Distance Hijacking
![Page 15: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/15.jpg)
15
Restructuring attacks on DB protocols
Assume an attack trace where V computes incorrect distance for P
External Distance Fraud(~ mafia fraud)
Lone Distance Fraud(~ distance fraud)
Assisted Distance Fraud(~ terrorist fraud)
Distance Hijacking
Is P honest?Yes
No
Is only P involvedin the attack?
Yes
No
Is one of the otherinvolved parties honest?
No
Yes
A Distance Hijacking attack is an attack in which a dishonest prover P exploits one or more honest parties to provide a verifier V with false information about the distance between P and V.
![Page 16: Distance Hijacking Attacks on Distance Bounding Protocols · Protocol DH-attack? Brands and Chaum (Fiat-Shamir) Yes Brands and Chaum (Schnorr) Yes Brands and Chaum (signature) Yes](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f72556b2fc27e33863938e3/html5/thumbnails/16.jpg)
16
Conclusions
● Many protocols vulnerable to Distance Hijacking ● Fixes do not introduce significant overhead● Just-in-time: distance bounding implementations starting
to be produced
● Distance Hijacking is a relevant threat in many cases
● Cannot afford to ignore multiple provers/verifiers during analysis
● Interaction between different DB-protocols still possible...