Strong Privacy for RFID Systems from Plaintext-Aware ... strong privacy CANS 2012 1 / 32 Our Problem...

33
Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong privacy CANS 2012 1 / 32

Transcript of Strong Privacy for RFID Systems from Plaintext-Aware ... strong privacy CANS 2012 1 / 32 Our Problem...

Strong Privacy for RFID Systems fromPlaintext-Aware Encryption

Khaled Ouafi and Serge Vaudenay

ÉCOLE POLYTECHNIQUEFÉDÉRALE DE LAUSANNE

http://lasec.epfl.ch/

supported by the ECRYPT project

SV strong privacy CANS 2012 1 / 32

Our Problem

Tag Systemwho’s there?�

-ZUKTHPFBVI

that’s tag ID=38925629

one system (may include several readers), many tags

tags: passive (no battery), limited capabilities, not tamper-proof

primary concern (industry driven): securityif System identifies tag ID, it must be tag ID

secondary concern (user driven): privacytags could only be identified/traced/linked by System

problem: formal model

SV strong privacy CANS 2012 2 / 32

A Typical Protocol

Tag Systemkey: S {. . . ,(ID,K ), . . .}

c=challenge←−−−−−−−−−−−−− pick ρ, c = Gen(ρ)r = Alg(S,c;coins)

r=response−−−−−−−−−−−−−→ find (ID,K ) s.t. Ver(K ,ρ, r)output: ID

stateless

2-round

SV strong privacy CANS 2012 3 / 32

1 Towards a Formal Model

2 Definitions and Results

3 Strong Privacy is Possible

SV strong privacy CANS 2012 4 / 32

1 Towards a Formal Model

2 Definitions and Results

3 Strong Privacy is Possible

SV strong privacy CANS 2012 5 / 32

ISO/IEC 9798-2 2-Pass Unilateral Authentication

Tag Systemstate: K {. . . ,(ID,K ), . . .}

a←−−−−−−−−−−−−− pick a

c = EncK (a)c−−−−−−−−−−−−−→ find (ID,K ) s.t. c = EncK (a)

output: ID

pro stateless, symmetric crypto

con replay attack −→ tag traceability

SV strong privacy CANS 2012 6 / 32

Variant

Tag Systemstate: K {. . . ,(ID,K ), . . .}

pick ba←−−−−−−−−−−−−− pick a

c = EncK (a,b)b,c−−−−−−−−−−−−−→ find (ID,K ) s.t. c = EncK (a,b)

output: ID

pro stateless, symmetric crypto, secure, weak privacy

con tag corruption −→ tag traceability

SV strong privacy CANS 2012 7 / 32

Evolution of Privacy Protocols

early: did not address corruption or result channel

OSK03: corruption at the end only (forward privacy)

ADO06: early corruption considered

JW06: result channel considered

Vau07: 2×4 matrix (result channel × corruption model)

SV strong privacy CANS 2012 8 / 32

1 Towards a Formal Model

2 Definitions and Results

3 Strong Privacy is Possible

SV strong privacy CANS 2012 9 / 32

RFID SchemeComponents:

System = (stateless) Reader securely connected� - (stateful) DatabaseSetupReader→ (KS,KP):generate keys (KS,KP), store in Reader, and empty databaseSetupTagKP

(ID)→ (K ,S):S is an initial state for tag ID(ID,data) is to be inserted in databaseProtocols:

Tag Reader Database(S) KS db

←−−− −−−→−−−→ output ←−−−

output: tag ID (if valid) or ⊥ (if not)

Functionality:correctness: identification under normal execution

SV strong privacy CANS 2012 10 / 32

Adversarial Model

Adversary

6ID1, ID2, ID3

CreateTag

� distr -

vtag1vtag2

vtag3

free tagsID1 ID2 ID3

+

3

vtag1 (ID2)

?

6

vtag2 (ID1)

s

k

vtag3 (ID3)

-� reader

SV strong privacy CANS 2012 11 / 32

Oracle Accesses

Adversary

+

vtag

Free

� -vtag,mes

mes′SendTag

k

s

distrvtag,bit

...(vtag, ID)

...DrawTag

?

6vtag state

Corrupt

6ID bit

CreateTag

s

k

bitπ

Result

-�π,mes

mes′SendReader

3

+

π

Launch

SV strong privacy CANS 2012 12 / 32

Security

Wining condition: one reader-protocol instance π identified ID but thistag did not have any matching conversation(i.e. same transcript and well interleaved messages).

DefinitionAn RFID scheme is secure if for any polynomially bounded adversarythe probability of success is negligible.

SV strong privacy CANS 2012 13 / 32

Privacy Adversary

A

-�

-�

-�

CrTag, Free, Corrupt

Launch, Send, Result

DrawTag

?

?true/false

table�

Wining condition: the adversary outputs true

Problem: there are trivial wining adversaries(e.g. an adversary who always answers true)

SV strong privacy CANS 2012 14 / 32

Blinders

A

-�

-�

-�

B

-�

-�

CrTag, Free, Corrupt

Launch, Send, Result

DrawTag

?

?true/false

table�

DefinitionA blinder is an interface between the adversary and the oracles that

passively looks at communications to CreateTag, DrawTag, Free,and Corrupt queries

simulates the oracles Launch, SendReader, SendTag, and Result

SV strong privacy CANS 2012 15 / 32

Privacy

A

-�

-�

-�

CrTag, Free, Corrupt

Launch, Send, Result

DrawTag

?

?true/false

table�

AB

-�

-�

-�

-�

-�

?

?true/false

-

Definition

An RFID scheme protects privacy if for any polynomially bounded Athere exists a polynomially bounded blinder B such thatPr[A wins]−Pr[AB wins] is negligible.

SV strong privacy CANS 2012 16 / 32

Privacy Models

no readeroutput

(narrow)

readeroutput

corrupt(strong)

destructivecorrupt

(destructive)

finalcorrupt

(forward)

nocorrupt(weak)

strong destructive forward weak

narrowstrong

narrowdestructive

narrowforward

narrowweak

⇒ ⇒ ⇒

⇒ ⇒ ⇒

⇓ ⇓ ⇓ ⇓

SV strong privacy CANS 2012 17 / 32

Challenge-Response RFID Scheme

Tag Systemstate: K {. . . ,(ID,K ), . . .}

pick ba←−−−−−−−−−−−−− pick a

c = FK (a,b)b,c−−−−−−−−−−−−−→ find (ID,K ) s.t. c = FK (a,b)

output: ID

TheoremAssuming that F is a pseudorandom function, this RFID scheme is

correct

secure

weak private⇓

no forward privacy: trace tag by corrupting it in the future

SV strong privacy CANS 2012 18 / 32

Narrow-Weak Privacy Implies One-Way Function

TheoremAn RFID scheme that is

correct

narrow-weak private⇓

can be transformed into a one-way function.

no privacy without any crypto!

Proof idea:1 the function mapping the initial states and random coins to the

protocol transcript must be one-way (otherwise compute newstates and identify in future sessions)

SV strong privacy CANS 2012 19 / 32

Modified OSK

Tag Systemstate: S {. . . ,(ID,K ), . . .}

a←−−−−−−−−−−−−− pick a

c = F(S,a)c−−−−−−−−−−−−−→ find (ID,K ) s.t.

replace S by G(S) c = F(Gi(K ),a) and i < treplace K by Gi(K )

output: ID

TheoremAssuming that F and G are random oracles, this RFID scheme is

correct

secure

narrow-destructive private⇓

no privacy with a side channel: DoS [JW 2006]

SV strong privacy CANS 2012 20 / 32

Public-Key-Based RFID Scheme

Tag Systemstate: KP , ID,K secret key: KS

{. . . ,(ID,K ), . . .}a←−−−−−−−−−−−−− pick a

c = EncKP (ID‖K‖a)c−−−−−−−−−−−−−→ DecKS(c) = ID‖K‖a

check a, (ID,K )output: ID

TheoremAssuming that Enc/Dec is an IND-CCA public-key cryptosystem, thisRFID scheme is

correct

secure

narrow-strong and forward private⇓

SV strong privacy CANS 2012 21 / 32

Narrow-Strong Privacy Implies Public-Key Cryptography

TheoremAn RFID scheme that is

correct

narrow-strong private⇓

can be transformed into a secure key agreement protocol.

no narrow-strong privacy without public-key crypto!

Proof idea:1 Alice creates two legitimate tags 0 and 1, sends their states to

Bob, and simulate the system for Bob2 Bob flips a bit b and simulate tag b to Alice3 Alice identifies b which is an agreed key bit

SV strong privacy CANS 2012 22 / 32

Caveat: Not Destructive Private

1: CreateTag(0)2: vtag0← DrawTag(0)3: S0← Corrupt(vtag0)4: (·,S1)← SetupTagKP

(1)5: flip a coin b ∈ {0,1}6: π← Launch7: simulate a tag of state Sb with

reader instance π8: x ← Result(π)9: if T (x) = b then

10: output true11: else12: output false13: end if

We have Pr[A wins]≈ 1.

A blinder who computes x translatesinto an IND-CPA adversary againstthe public-key cryptosystem, thusPr[AB wins]≈ 1

2 for any B.

Hence, A is a significant destructiveadversary.

SV strong privacy CANS 2012 23 / 32

Strong Privacy is Infeasible

TheoremAn RFID scheme cannot be

correct

narrow-strong and destructive private⇓

at the same time.

no strong privacy!

SV strong privacy CANS 2012 24 / 32

Results about Privacy Models (2007 Version)

no readeroutput

readeroutput

corruptdestructive

corruptfinal

corruptno

corrupt

impossible ??

equiv toPK-crypto

doable withPK-crypto

doablein ROM

doable withPRF

equiv toPRF

⇒ ⇒

⇒ ⇒ ⇒

⇓ ⇓ ⇓

possible: (PRF) (ROM) (PKC)

impossible: (w/o KA)

SV strong privacy CANS 2012 25 / 32

1 Towards a Formal Model

2 Definitions and Results

3 Strong Privacy is Possible

SV strong privacy CANS 2012 26 / 32

Impossibility Proof

take the following adver-sary (for destructive pri-vacy)

1: (·,S0)← SetupTagKP(0)

2: CreateTag(1)3: vtag← DrawTag(1)4: S1← Corrupt(vtag) (destroy it)5: flip a coin b ∈ {0,1}6: π← Launch7: simulate tag of state Sb with π8: x ← Result(π)9: output 1x=b

a blinder B for this advesary getsS1, simulate reader interacting withb = 0 or 1 and can guess b

B defines an adversary(for narrow-strong pri-vacy)

1: create tag 0 and tag 12: draw both tags3: corrupt both tags and get their

states S0 and S1

4: free both tags5: draw a random tag: vtag ←

DrawTag(0 or 1)6: simulate B with input KP , S1,

and interacting with vtag and getbit x

7: output 1T (vtag)=x

SV strong privacy CANS 2012 27 / 32

Ng-Susilo-Mu-Safavi-Naini 2008

not strong private because the adversary asks questions forwhich he knows the answer but the blinder cannot guess it

notion of “wise” adversary (cannot ask question for which heknows the answer)

we take a different approach:

we let the blinder be able to read the adversary’s thoughts

SV strong privacy CANS 2012 28 / 32

New Blinders

A

-�

-�

-�

B

-�

-�

CrTag, Free, Corrupt

Launch, Send, Result

DrawTag

?

?true/false

table�

DefinitionA blinder is an interface between the adversary and the oracles that

passively looks at communications to CreateTag, DrawTag, Free,and Corrupt queries

simulates the oracles Launch, SendReader, SendTag, and Result

see the adverary’s random coins

SV strong privacy CANS 2012 29 / 32

Public-Key-Based RFID Scheme

Tag Systemstate: KP , ID,K secret key: KS

{. . . ,(ID,K ), . . .}a←−−−−−−−−−−−−− pick a

c = EncKP (ID‖K‖a)c−−−−−−−−−−−−−→ DecKS(c) = ID‖K‖a

check a, (ID,K )output: ID

TheoremAssuming that Enc/Dec is a PA2+IND-CPA public-key cryptosystem,this RFID scheme is

correct

secure

strong private⇓

SV strong privacy CANS 2012 30 / 32

PA2 Trick

PA2 means for all valid ciphertexts form the adversary, either it isreused or the adversary must know the plaintext(Bellare-Palacio 2004)

know the plaintext =⇒ blinder can get it be reading his thoughts

PA2 needed because the blinder must simulate Result bydecrypting ciphertexts forged by the adversary (they could bebased on corrupted states)

SV strong privacy CANS 2012 31 / 32

Conclusion

no readeroutput

readeroutput

corruptfinal

corruptno

corrupt

doable withPA-crypto

equiv toPK-crypto

doable withPK-crypto

doablein ROM

doable withPRF

equiv toPRF

⇒ ⇒

⇒ ⇒

⇓ ⇓ ⇓

we have a good framework to study privacystrong privacy is possible, but only with PK-cryptosome open problems

forward privacy based on PRF (or ROM)?narrow-forward privacy based on PRF (no ROM)?separation with a concurrent model based on indistinguishability

SV strong privacy CANS 2012 32 / 32

Q & A